Some details about the FlashBack trojan here:
http://www.pcmag.com/article2/0,2817,2402685,00.asp
which claims about 550,000 macs were infected. Glad to see Apple put out
updates to get the latest Java installed which squashes the
vulnerability. Just a bit sad that Java had been fixed in February and
the patch for OSX didn't come out until this week. Maybe they didn't
realize the exploit was actually being used in the wild. This also gives
credence to why Apple doesn't allow 3rd party scripting and code
emulators on iOS. No flash, java etc. The recent exploits were both in
3rd party code executors (Java and previously Microsoft Office scripts).
It's hard to keep your platform secure when installed apps are able to
execute arbitrary code of unknown origins. Info about the Office script
exploit here:
http://reviews.cnet.com/8301-13727_7-57405503-263/new-exploit-uses-old-office-vulnerability-for-os-x-malware-delivery/
CB
On 4/6/12 12:44 AM, Charlie Doremus wrote:
I too was lucky to avoid infection and found the process to check
very uncomplicated.
Here are the instructions:
Disinfection
*Manual Removal*
*Caution:* Manual disinfection is a risky process; it is recommended
only for advanced users. Otherwise, please seek professional technical
assistance. F-Secure customers may also contact our Support
<http://www.f-secure.com/en/web/home_global/support/contact>.
*Manual Removal Instructions*
* 1. Run the following command in Terminal:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
* 2. Take note of the value, DYLD_INSERT_LIBRARIES
* 3. Proceed to step *8* if you got the following error message:
"The domain/default pair of
(/Applications/Safari.app/Contents/Info, LSEnvironment) does not
exist"
* 4. Otherwise, run the following command in Terminal:
grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%
* 5. Take note of the value after "__ldpath__"
* 6. Run the following commands in Terminal (first make sure there
is only one entry, from step 2):
sudo defaults delete /Applications/Safari.app/Contents/Info
LSEnvironment
sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
* 7. Delete the files obtained in steps 2 and 5
* 8. Run the following command in Terminal:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
* 9. Take note of the result. Your system is already clean of this
variant if you got an error message similar to the following:
"The domain/default pair of (/Users/joe/.MacOSX/environment,
DYLD_INSERT_LIBRARIES) does not exist"
* 10. Otherwise, run the following command in Terminal:
grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%
* 11. Take note of the value after "__ldpath__"
* 12. Run the following commands in Terminal:
defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
launchctl unsetenv DYLD_INSERT_LIBRARIES
* 13. Finally, delete the files obtained in steps 9 and 11.
*Note:*
Some Flashback variants include additional components, which require
additional steps to remove. Please refer to
our Trojan-Downloader:OSX/Flashback.K
<http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml> description
for additional information and removal instructions.
Aloha,
Charlie
Our new book "YOU MIGHT BE A MORON" is on sale at www.giantdolphin.com
<http://www.giantdolphin.com> click the off the bookshelf link
On Apr 5, 2012, at 6:14 PM, Eric Oyen <[email protected]
<mailto:[email protected]>> wrote:
complicated?
I found the directions over at F-Prot to be very uncomplicated. BTW,
I was not infected, but a roommate was.
Sophos for OS X is pretty accessible (except for the system tray icon
that sits left of the apple scripts icon. I can't seem to gain access
to that (or soundflower for that matter).
-eric
On Apr 5, 2012, at 9:05 PM, Ray Foret Jr wrote:
Doubtless, by now, y'all have heard of the Flash Back Trojan and the
fact that 6000 Macs were most likely infected by this thing! I
found that the removal process for this bugger is quite complex and
is done mainly from terminal.
All I can tell you here is that you type in the following code in to
terminal to see if you're infected:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read /Applications/Firefox.app/Contents/Info LSEnvironment
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
If you get back the message saying that the default pair does not
exist or something like that, you are not infected. This nasty
virus disguises itself in the form of an update to the Adobe Flash
player. This hit me the other day, so I decided I'd better check
to see if I was infected. So far, I appear not to be. In light of
this, does anybody know of a good anti-virus app for the Mac which
is very accessible?
Sincerely,
The Constantly Barefooted Ray!!!
Now a very proud and happy Mac user!!!
Skype name:
barefootedray
Facebook:
facebook.com/ray.foretjr.1 <http://facebook.com/ray.foretjr.1>
--
You received this message because you are subscribed to the Google
Groups "MacVisionaries" group.
To post to this group, send email to [email protected]
<mailto:[email protected]>.
To unsubscribe from this group, send email to
[email protected]
<mailto:[email protected]>.
For more options, visit this group at
http://groups.google.com/group/macvisionaries?hl=en.
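The three `defaults read` checks Ray posted and the `grep -a -o '__ldpath__[ -~]*'` step from the F-Secure instructions can be done without typing each command by hand. The script below is an added example, not code from anyone in the thread or from F-Secure: it reads the same plists with Python's standard `plistlib` (which accepts both XML and binary plists) and reports any DYLD_INSERT_LIBRARIES value, treating a missing file or key the way `defaults` reports "does not exist". It assumes that the domain `~/.MacOSX/environment` is the file `~/.MacOSX/environment.plist`, and the sample plists, library paths and binary blob at the bottom are constructed for a dry run, not real Flashback artifacts.

```python
"""Flashback indicator check (added example; not from the thread or F-Secure).

Re-implements the `defaults read ... LSEnvironment` / `... DYLD_INSERT_LIBRARIES`
checks with plistlib, plus the `grep -a -o '__ldpath__[ -~]*'` step that
recovers the next-stage path from a dropped library.
"""
import os
import plistlib
import re
from typing import List, Optional, Tuple

# The locations the posts check. The user environment plist is the file
# behind `defaults read ~/.MacOSX/environment` (assumed path).
PER_APP_INFO_PLISTS = [
    "/Applications/Safari.app/Contents/Info.plist",
    "/Applications/Firefox.app/Contents/Info.plist",
]
USER_ENV_PLIST = os.path.expanduser("~/.MacOSX/environment.plist")

# Same pattern as the grep in steps 4 and 10: the marker followed by a run
# of printable ASCII, which is the path of the next file to delete.
LDPATH_RE = re.compile(rb"__ldpath__([ -~]*)")


def injected_library(plist_bytes: bytes, per_app: bool) -> Optional[str]:
    """Return the DYLD_INSERT_LIBRARIES value stored in a plist, or None.

    per_app=True reads it from the LSEnvironment dictionary of a browser's
    Info.plist; per_app=False reads the top-level key of the user's
    environment plist. None corresponds to the "domain/default pair ...
    does not exist" error that `defaults read` prints on a clean machine.
    """
    data = plistlib.loads(plist_bytes)
    env = data.get("LSEnvironment", {}) if per_app else data
    value = env.get("DYLD_INSERT_LIBRARIES") if isinstance(env, dict) else None
    return value if isinstance(value, str) and value else None


def ldpath_from_blob(blob: bytes) -> Optional[str]:
    """Recover the path after the __ldpath__ marker (steps 5 and 11)."""
    m = LDPATH_RE.search(blob)
    return m.group(1).decode("ascii") if m else None


def scan_system() -> List[Tuple[str, str]]:
    """Check the real plists on this machine; returns (plist, library) hits.

    A missing or unreadable plist is treated as clean, matching the error
    `defaults read` gives when the key is absent.
    """
    targets = [(p, True) for p in PER_APP_INFO_PLISTS] + [(USER_ENV_PLIST, False)]
    hits = []
    for path, per_app in targets:
        try:
            with open(path, "rb") as f:
                lib = injected_library(f.read(), per_app)
        except (FileNotFoundError, PermissionError, plistlib.InvalidFileException):
            continue
        if lib:
            hits.append((path, lib))
    return hits


# Constructed sample data (not real Flashback artifacts) for a dry run.
SAMPLE_INFECTED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleName</key><string>Safari</string>
  <key>LSEnvironment</key><dict>
    <key>DYLD_INSERT_LIBRARIES</key><string>/Users/joe/.sample_inject.dylib</string>
  </dict>
</dict></plist>"""
SAMPLE_CLEAN_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>CFBundleName</key><string>Safari</string></dict></plist>"""
# `defaults write` stores binary plists, so exercise that encoding too.
SAMPLE_ENV_PLIST = plistlib.dumps(
    {"DYLD_INSERT_LIBRARIES": "/Users/joe/.sample_env.dylib"}, fmt=plistlib.FMT_BINARY
)
# A fake library image: Mach-O-looking header bytes, junk, marker, path, NUL.
SAMPLE_DYLIB_BLOB = b"\xcf\xfa\xed\xfe\x00junk__ldpath__/Users/joe/.sample_stage2\x00\x01more"

if __name__ == "__main__":
    print("sample infected Info.plist:", injected_library(SAMPLE_INFECTED_INFO_PLIST, True))
    print("sample clean Info.plist:   ", injected_library(SAMPLE_CLEAN_INFO_PLIST, True))
    print("sample environment.plist:  ", injected_library(SAMPLE_ENV_PLIST, False))
    print("next-stage path in blob:   ", ldpath_from_blob(SAMPLE_DYLIB_BLOB))
    hits = scan_system()
    print("this machine:", hits if hits else "no DYLD_INSERT_LIBRARIES indicators found")
```

The script only reports; removal is still the manual procedure above (delete the key, restore the Info.plist permissions, `launchctl unsetenv`, then delete the files), and it only covers the variant that persists this way, so a hit or a clean result should still be followed by the vendor description Charlie linked.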