Just reminding everyone that there are now two trojans out in the wild for Mac OS X. The latest takes advantage of a Java loophole that has been recently patched. So please make sure to patch your systems as soon as possible.
To see if you have contracted the Flashback trojan (latest incarnation):
1. In Terminal:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
2. Take note of the value, DYLD_INSERT_LIBRARIES
3. If you got the following error message:
“The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist”
Skip to 7
If you don't, run the following in Terminal:
grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%
4. Note the value after __ldpath__
5. in Terminal (first make sure there is only one entry, from step 2):
sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
(this allows you to change applications at the root level and adds additional permissions)
6. remove the files in steps 2 and 5
7. in Terminal:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
8. Your system is clean of flashback if you get this message:
“The domain/default pair of (/Users/xyourusernamex/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist”
9. If not, enter this in Terminal:
grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%
10. Note the value after __ldpath__
11. then in Terminal:
defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
launchctl unsetenv DYLD_INSERT_LIBRARIES
12. Finally, delete the files obtained in steps 8 and 10.
Hope this helps. The flashback trojan installs when visiting an infected website or downloading an infected file. Although the trojan will prompt you for an admin password, it is in fact already installed.
For more information you can visit: http://www.pcmag.com/article2/0,2817,2402641,00.asp
Roagie
Apple Certified Support 10.6, 10.7
Apple Certified Tech. Coordinator 10.6, 10.7
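The read-only half of the procedure above (steps 1-4 and 7-10) as a script, added here as an example and not part of the original post. The function names are hypothetical, and `lsenv_library` assumes `defaults read` prints the LSEnvironment dictionary in its usual `"KEY" = "value";` layout. It only reports what it finds; the delete steps are left to be run by hand.

```shell
#!/bin/sh
# Added example: read-only Flashback check. It reports, it never deletes.

# Same grep as steps 3 and 9: print the printable text after __ldpath__.
# LC_ALL=C (an addition here) keeps the [ -~] range byte-based.
extract_ldpath() {
    LC_ALL=C grep -a -o '__ldpath__[ -~]*' "$1" 2>/dev/null | sed 's/^__ldpath__//'
}

# Read `defaults read ... LSEnvironment` output on stdin and print the
# DYLD_INSERT_LIBRARIES path. Assumes the usual old-style plist layout:
#     "DYLD_INSERT_LIBRARIES" = "/some/path";
lsenv_library() {
    sed -n 's/^[[:space:]]*"\{0,1\}DYLD_INSERT_LIBRARIES"\{0,1\}[[:space:]]*=[[:space:]]*"\{0,1\}\([^";]*\)"\{0,1\};.*$/\1/p'
}

# Print one finding: the library path and the __ldpath__ value inside it.
report() {
    echo "$1: DYLD_INSERT_LIBRARIES=$2"
    echo "    __ldpath__ value: $(extract_ldpath "$2")"
}

# Steps 1-4 and 7-10 without the delete steps. Returns 0 if both
# settings are absent, 1 if either one exists.
flashback_check() {
    found=0
    lsenv=$(defaults read /Applications/Safari.app/Contents/Info LSEnvironment 2>/dev/null)
    if [ -n "$lsenv" ]; then
        report "Safari LSEnvironment" "$(printf '%s\n' "$lsenv" | lsenv_library)"
        found=1
    fi
    user=$(defaults read "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES 2>/dev/null)
    if [ -n "$user" ]; then
        report "User environment" "$user"
        found=1
    fi
    if [ "$found" -eq 0 ]; then echo "Neither setting exists."; fi
    return "$found"
}

# Run only where the macOS `defaults` tool is available.
if command -v defaults >/dev/null 2>&1; then flashback_check; fi
```
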