What you need to know about the Flashback Trojan for Mac

Recently, an article on Ars Technica stated that a Russian antivirus company believes over 500,000 Macs have been infected with a Trojan known as Flashback. I can see the panic growing in the eyes of many Mac users, especially those who have switched from PCs because they believe Macs are impervious to viruses.

The first thing you need to know is that Flashback is not a Virus. It’s a Trojan. Let me explain.

To help explain, here are the four most commonly discussed forms of malware, with definitions taken from Wikipedia.

1. Virus: A computer program that can replicate itself and spread from one computer to another. Some are malicious, some aren’t. However, the user is generally not in control of the installation or operation of the virus.

2. Worm: A malicious computer program that replicates itself in order to spread to other computers using a network. Unlike a virus, it does not need to attach itself to an existing program.

3. Trojan: A standalone malicious program which may give full control of an infected computer to another computer or simply corrupt data similarly to a virus. Trojans present themselves to a user as harmless or useful in order to persuade victims to install them on their computers.

4. Spyware: A type of malware installed on computers that collects information about users without their knowledge. The presence of spyware is generally hidden from the user.

Ok, so now that we’ve covered some of the differences, let’s talk about how they relate to Mac users. The vast majority of what’s out there is designed and written for PCs (Windows machines). That being said, there are a small number of these that have been created for Mac computers. The number is so small that most users, including myself, don’t use any form of antivirus or malware protection software. At this point it’s still unnecessary, but we’re getting closer to that point each year.

For a better understanding of Macs vs. PCs when it comes to viruses, read my earlier post, “The Truth about Macs and Viruses.”

So the real question is… Do you need to be worried? Probably not. Just be careful when typing in your password. If you don’t know who’s asking for it, you probably don’t want to share it. If you go to a website and it downloads something automatically and then asks for your information, those are huge red flags. Only when you’ve intentionally requested to download something and you’re well aware of what you’re getting into should you hand over that information.

If you’re still worried that you may have downloaded and activated the Flashback Trojan (remember, you haven’t been “infected”; installing it would have been an intentional act on your part, even if you weren’t sure what you were doing), you can run a simple test to find out whether your computer is one of the 500,000 (in truth, a very small percentage) that this Russian company, which few have ever heard of, is talking about. (Everyone loves a big story no matter where it comes from.)

The test (and/or fix) uses Terminal, which is in your Applications > Utilities folder. Open that application and then follow these instructions provided by F-Secure. If you run Software Update and find that there is nothing left to install, you’ve already patched the vulnerability.

Manual Removal Instructions

1. Run the following command in Terminal by copying & pasting the red text:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

2. Take note of the value of DYLD_INSERT_LIBRARIES (the path of the inserted library).
3. Proceed to step 8 if you got the following error message:

“The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist”

4. Otherwise, run the following command in Terminal:

grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%

5. Take note of the value after “__ldpath__”.
6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):

sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment

sudo chmod 644 /Applications/Safari.app/Contents/Info.plist

7. Delete the files obtained in steps 2 and 5.
8. Run the following command in Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:

“The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist”

10. Otherwise, run the following command in Terminal:

grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%

11. Take note of the value after “__ldpath__”.
12. Run the following commands in Terminal:

defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

launchctl unsetenv DYLD_INSERT_LIBRARIES

13. Finally, delete the files obtained in steps 9 and 11.
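As an added, read-only check (my own example, not part of F-Secure’s instructions above), the following Python script walks the detection half of that procedure: it reads the same two property-list files the defaults commands query, pulls out any DYLD_INSERT_LIBRARIES entries, and applies the same __ldpath__ pattern the grep uses to find the payload path inside the inserted library. It only reports and never deletes anything; the two file paths are the real ones from the steps, while the sample plist and loader bytes are constructed here to show what a hit looks like.

```python
import plistlib
import re
from pathlib import Path
from typing import Optional

# The two locations the F-Secure steps query (steps 1 and 8).
SAFARI_INFO_PLIST = "/Applications/Safari.app/Contents/Info.plist"
USER_ENV_PLIST = str(Path.home() / ".MacOSX" / "environment.plist")

# Same pattern as the page's grep: "__ldpath__" followed by printable ASCII.
LDPATH_RE = re.compile(rb"__ldpath__([ -~]*)")


def inserted_libraries(plist_bytes: bytes, nested_under: Optional[str] = None) -> list:
    """Return the DYLD_INSERT_LIBRARIES entries found in a plist.

    For Safari's Info.plist the key lives inside the LSEnvironment dict
    (steps 1-2); for ~/.MacOSX/environment.plist it is top level (step 8).
    An empty list is the equivalent of the "does not exist" error on the page.
    """
    data = plistlib.loads(plist_bytes)  # handles XML and binary plists
    if nested_under is not None:
        data = data.get(nested_under, {})
    value = data.get("DYLD_INSERT_LIBRARIES", "")
    # dyld takes a colon-separated list; step 6 asks you to confirm there is one entry.
    return [p for p in value.split(":") if p]


def extract_ldpath(blob: bytes) -> Optional[str]:
    """Mimic `grep -a -o '__ldpath__[ -~]*'` (steps 4 and 10): return the
    payload path embedded in the inserted library, or None if absent."""
    match = LDPATH_RE.search(blob)
    return match.group(1).decode("ascii") if match else None


def check_plist(plist_path: str, nested_under: Optional[str] = None) -> dict:
    """Run the look-only part of the procedure against a real file.
    Nothing is modified or deleted; the result is just a report."""
    path = Path(plist_path)
    if not path.exists():
        return {"plist": plist_path, "libraries": [], "payloads": []}
    libs = inserted_libraries(path.read_bytes(), nested_under)
    payloads = []
    for lib in libs:
        lib_file = Path(lib)
        blob = lib_file.read_bytes() if lib_file.exists() else b""
        payloads.append(extract_ldpath(blob))
    return {"plist": plist_path, "libraries": libs, "payloads": payloads}


# --- constructed sample data standing in for an affected machine ----------
# Constructed Safari Info.plist with an LSEnvironment entry (not a real sample).
SAMPLE_SAFARI_INFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
  <key>LSEnvironment</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Applications/Safari.app/Contents/Resources/.constructed-loader.so</string>
  </dict>
</dict>
</plist>
"""

# Constructed clean ~/.MacOSX/environment.plist: no DYLD_INSERT_LIBRARIES key.
CLEAN_ENVIRONMENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict></dict></plist>
"""

# Constructed stand-in for the inserted library's bytes: binary junk around the
# marker the grep looks for, with a made-up payload path after it.
SAMPLE_LOADER_BYTES = (
    b"\x00\xfe\xedjunk__ldpath__/Users/joe/.constructed-payload\x00\x00more junk"
)

if __name__ == "__main__":
    print("sample Safari plist ->", inserted_libraries(SAMPLE_SAFARI_INFO, "LSEnvironment"))
    print("sample clean plist  ->", inserted_libraries(CLEAN_ENVIRONMENT))
    print("sample loader path  ->", extract_ldpath(SAMPLE_LOADER_BYTES))
    # Real files on this machine; on a clean Mac both report empty lists.
    print(check_plist(SAFARI_INFO_PLIST, "LSEnvironment"))
    print(check_plist(USER_ENV_PLIST))
```

Running it on a clean Mac prints empty lists for both real files, which corresponds to the two “does not exist” messages in steps 3 and 9; a non-empty list is the cue to carry on with the manual steps above rather than something the script acts on itself.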

So there you have it. Everything you need to know about the Flashback Trojan that will be on everyone’s mind for the next week or so. Try not to let the hype worry you, and if you have friends or family who you feel would be worried, please share this article with them on Facebook, Twitter, by email, or however else you feel would best reach those who will be nervous hearing about this.

If you have other questions, don’t hesitate to reach out or leave comments below. I try to answer all of them personally.

I hope this article has eased your mind and given you the tools you need to move forward.

Until next time…

3 comments

  1. Excellent article! I would like to add for those who are new to using the Terminal that you should copy and paste the commands shown in red above to make it much easier than trying to type all those characters perfectly.

  2. Thanks for the info! I had no idea there was such a thing as a flashback trojan. I’ll have to share this.
