Thursday, April 5, 2012

Flashback - Detect and remove the spreading Mac OS X Trojan

A recent exploit in Java was used to infect many Mac users with a variant of the Flashback Trojan. 

First, in case you haven't, you should update your Java using Apple Software Update.

If you got infected there are two possibilities: the malware was installed either with admin privileges or with regular user privileges. In the first case the DYLD_INSERT_LIBRARIES environment variable is added to the context of the targeted browsers, which are Safari and Firefox.

You can find out if you are infected by starting a Terminal and running these commands (the injected library is stored in the LSEnvironment dictionary of each browser's Info.plist, which is also the key the removal step below deletes):
  • defaults read /Applications/Safari.app/Contents/Info LSEnvironment
  • defaults read /Applications/Firefox.app/Contents/Info LSEnvironment
If those commands return
  • The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist
  • The domain/default pair of (/Applications/Firefox.app/Contents/Info, LSEnvironment) does not exist
you are not infected.
[Screenshot: My System is clean]
If you get something like:
  • "DYLD_INSERT_LIBRARIES" = "/Applications/Safari.app/Contents/Resources/.BananaSpittervxall.xsl";
bad news, you are infected. Removing the malware is pretty easy though.
Depending on whether you got this line for one or both browsers (Firefox.app / Safari.app) you have to run:

For Safari:
  • sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
  • sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
And for Firefox:
  • sudo defaults delete /Applications/Firefox.app/Contents/Info LSEnvironment
  • sudo chmod 644 /Applications/Firefox.app/Contents/Info.plist
In case the malware got run with regular user privileges, the DYLD_INSERT_LIBRARIES environment variable is added to the context of the infected user instead. In this case the malware is loaded into every application that user launches, not just the browsers.

To check if you got infected simply run (again in Terminal):
  • defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
If this returns
  • The domain/default pair of (/Users/YOURUSERNAME/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist
you are clean.
[Screenshot: Clean again.]
If you get something like:
  • /Users/Shared/.ligmalloc.dylib
You are probably infected. To remove the malware just run:
  • defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
  • launchctl unsetenv DYLD_INSERT_LIBRARIES
If I have some free time (I am currently on vacation) I will provide a script for automatic detection and removal.
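As an added example (not the script promised above, and not the author's code), a POSIX sh check that queries the same three locations with `defaults read`, using the LSEnvironment dictionary that the removal step deletes, and classifies the output. The "Domain <path> does not exist" message for a browser that is not installed is assumed from the behaviour of defaults(1); the sample outputs in the comments are taken from the post.

```shell
#!/bin/sh
# Added example, not the script the post promises: checks the three locations the
# post describes and classifies what `defaults read` prints for each of them.
# Assumption: when the plist itself is missing (browser not installed, or no
# ~/.MacOSX/environment.plist) defaults prints "Domain <path> does not exist",
# which differs from the missing-key message quoted in the post.

# classify_defaults_output KEY OUTPUT
# Prints one of: clean, infected, no_plist.
classify_defaults_output() {
    key=$1
    out=$2
    case "$out" in
        *"domain/default pair"*"does not exist"*) echo clean; return ;;
        *"Domain "*"does not exist"*)            echo no_plist; return ;;
    esac
    if [ "$key" = LSEnvironment ]; then
        # Admin-level infection: the browser's Info.plist carries an LSEnvironment
        # dictionary whose DYLD_INSERT_LIBRARIES entry points at the hidden library,
        # e.g. "DYLD_INSERT_LIBRARIES" = "/Applications/Safari.app/Contents/Resources/.xxx";
        case "$out" in
            *DYLD_INSERT_LIBRARIES*) echo infected ;;
            *)                       echo clean ;;   # dictionary present, no injection
        esac
    else
        # User-level infection: ~/.MacOSX/environment.plist holds the variable directly,
        # so any value at all (e.g. /Users/Shared/.ligmalloc.dylib) means injection.
        if [ -n "$out" ]; then echo infected; else echo clean; fi
    fi
}

# check_location DOMAIN KEY: run the real defaults(1) query and report the verdict.
check_location() {
    out=$(defaults read "$1" "$2" 2>&1) || true
    printf '%-52s %s\n' "$1 ($2)" "$(classify_defaults_output "$2" "$out")"
}

if command -v defaults >/dev/null 2>&1; then
    check_location /Applications/Safari.app/Contents/Info LSEnvironment
    check_location /Applications/Firefox.app/Contents/Info LSEnvironment
    check_location "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES
else
    echo "defaults(1) not found: the live check only runs on Mac OS X" >&2
fi
```

A verdict of "infected" for a browser means the two `sudo defaults delete ... LSEnvironment` and `chmod` lines above apply; for the user location, the `defaults delete` and `launchctl unsetenv` lines apply.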

Hope your system is clean, and happy Easter.

8 comments:

Fang said...

Not infected. Haven't used those browsers in a long time, anyway.

FuzzyPanda said...

Nice to know, thanks.

Cheesecake said...

I don't use Mac but I will be sure to link this to my friends that use them, just so they know what to look for and how to remove it.

Jujj1 said...

Hey, thx for the info.
A friend of mine has recently installed Mac OS, so I am pretty sure he'll need this info as he's on the net 24/7.

G said...

useful tip

MOANA said...

Thanks for that. But what if we use Chrome?

MOANA said...

Thanks for that. But what if we use Chrome?

Al V said...

You have left out some checks for the latest "K" variant of Flashback. Please take a look at this reference that has been out for almost two weeks now: http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml