'Flashback' trojan estimated to have infected 600K Macs worldwide


Comments

  • thorin (Posts: 11, member)
    Hi. I've been a lurker here for a very long time. I really don't ever have anything to add to any discussions, I usually just like to read. Today, I am compelled to post because I think I screwed up. I have to get home and check this out later, but 2 or 3 days ago I authorized what I thought were legitimate Flash and software updates on my Snow Leopard iMac, and I believe that I may have activated this malware. I have the manual removal procedure, which I will perform later. I have read about Little Snitch as well, and will probably get it today. But if I did activate this crap, is it too late? Is it now irrelevant whether I perform the removal or not? I realize my error, but I am pleading for advice here. Will someone please tell me what I should do in addition to the manual removal of this Trojan. I am not an advanced user. Please help in any way you can, and perhaps your responses will be helpful for others. Thank you very much!!
  • egrar (Posts: 29, member)
    Quote:
    Originally Posted by Thorin

    Hi. I've been a lurker here for a very long time. I really don't ever have anything to add to any discussions, I usually just like to read. Today, I am compelled to post because I think I screwed up. I have to get home and check this out later, but 2 or 3 days ago I authorized what I thought were legitimate Flash and software updates on my Snow Leopard iMac, and I believe that I may have activated this malware. I have the manual removal procedure, which I will perform later. I have read about Little Snitch as well, and will probably get it today. But if I did activate this crap, is it too late? Is it now irrelevant whether I perform the removal or not? I realize my error, but I am pleading for advice here. Will someone please tell me what I should do in addition to the manual removal of this Trojan. I am not an advanced user. Please help in any way you can, and perhaps your responses will be helpful for others. Thank you very much!!

    Try here:

    http://www.f-secure.com/v-descs/troj...shback_i.shtml
  • thorin (Posts: 11, member)
    Quote:
    Originally Posted by egrar

    Try here:

    http://www.f-secure.com/v-descs/troj...shback_i.shtml



    Thanks for the response. Yes, I have that link, and will perform that when I get home. My fear is that I already activated something evil by entering passwords, and that it's now too late. Am I off track here? I saw the news this morning, and before I left home, I unplugged the ethernet cable to isolate it and left a note to my wife to not use the machine for now. Thanks!
  • Marvin (Posts: 13,629, member, moderator)
    Quote:
    Originally Posted by Thorin

    Thanks for the response. Yes, I have that link, and will perform that when I get home. My fear is that I already activated something evil by entering passwords, and that it's now too late. Am I off track here? I saw the news this morning, and before I left home, I unplugged the ethernet cable to isolate it and left a note to my wife to not use the machine for now. Thanks!



    Yes, by now it is too late. Since it was installed, it will have logged all text entry in Safari and sent it to a remote server. It may take a while before someone chooses your details out of 600,000 to exploit, but you need to fix it immediately. You need to remove the trojan first by following the instructions and, after removal, reboot the machine to ensure it's not running and verify that it's gone. Then change passwords for all online accounts. You can change online passwords using another machine, e.g. an iPhone or iPad.



    I wonder if this is how some iTunes accounts have been compromised, by people logging onto the Apple Store.
  • thorin (Posts: 11, member)
    Quote:
    Originally Posted by Marvin

    Yes, by now it is too late. Since it was installed, it will have logged all text entry in Safari and sent it to a remote server. It may take a while before someone chooses your details out of 600,000 to exploit, but you need to fix it immediately. You need to remove the trojan first by following the instructions and, after removal, reboot the machine to ensure it's not running and verify that it's gone. Then change passwords for all online accounts. You can change online passwords using another machine, e.g. an iPhone or iPad.

    I wonder if this is how some iTunes accounts have been compromised, by people logging onto the Apple Store.



    Will do ASAP. Thank you!!!
  • drblank (Posts: 3,383, member)
    Well, this example shows the vulnerability within Java and Flash; it was just done on the Mac platform for updates OUTSIDE of the Apple App Store, is how I look at it, but the media puts the vulnerability on Apple. Yeah, it is Apple's name on the front of the computer, but I see Apple doing their job in getting Sun to release a security update, and Apple screens applications and updates on their own App Store to prevent this from happening. This would have been prevented if Flash and Java didn't have THEIR respective vulnerabilities.
  • amcarter3 (Posts: 5, member)
    For those who discovered their computer was actually infected with this virus, HOW did you detect it? When I read the info on F-Secure's site about this virus, I did NOT see any instructions/guidance regarding how to detect it.
  • thorin (Posts: 11, member)
    Quote:
    Originally Posted by AMCarter3

    For those who discovered their computer was actually infected with this virus, HOW did you detect it? When I read the info on F-Secure's site about this virus, I did NOT see any instructions/guidance regarding how to detect it.



    I haven't gotten home to do it yet, but it appears that it will tell you if you are NOT infected: you get the following message, "The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist".



    The reason I am fairly sure I have it is because just the other day I (like an idiot) authorized a Flash update. Earlier I went to Adobe's Flash update page, and it appears that they haven't put out an update for months.
  • amcarter3 (Posts: 5, member)
    I don't understand how to detect this virus. Could someone explain to me how to do it?
  • egrar (Posts: 29, member)
    Quote:
    Originally Posted by Thorin

    Will do ASAP. Thank you!!!

    What's your default web browser? Try using Chrome; it uses its own Java plugins, not relying on Apple's Java updates. When Chrome updates, it also updates its plugins. This is based on my Linux experience. I also use Firefox here in Mac OS Lion, but I prefer Chrome. Installed Bitdefender (available in the App Store) for a quick system scan. Load application monitor, find any processes that deal with Java and kill them. Ahhh, missed my virus hunting days with M$ Windows...



    PS : Firefox for Mac looks for Mac OS X java plugins..
  • thorin (Posts: 11, member)
    Quote:
    Originally Posted by AMCarter3

    I don't understand how to detect this virus. Could someone explain to me how to do it?



    You'll have to perform the procedure in the Terminal described here: http://www.f-secure.com/v-descs/troj...shback_i.shtml



    If you get the message I posted above, your system is clean.
  • egrar (Posts: 29, member)
    Quote:
    Originally Posted by AMCarter3

    I don't understand how to detect this virus. Could someone explain to me how to do it?

    Via Launchpad -> Utilities -> Terminal (you need to get those hands dirty!)



    but found an easy way!

    http://mashable.com/2012/04/05/mac-f...check/?cnn=yes



    Somebody already made a script here.



    Hope it helps.
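The manual check the posts above describe (the F-Secure page has you run `defaults read` against Safari's Info.plist and against ~/.MacOSX/environment, and a clean machine answers "does not exist") can be scripted. What follows is an added example written for this page; it is not the Mashable script linked above and not F-Secure's text. It assumes the two plist paths F-Secure lists are the only persistence locations worth checking, and the SAFARI_PLIST / USER_ENV_PLIST overrides, the helper names, and the sample plists are all constructed for the example. Flashback's persistence trick was to set DYLD_INSERT_LIBRARIES so that dyld would load its library into every process launched with that environment, which is why the presence of that key, not the specific path, is what the check looks for.

```shell
#!/bin/sh
# Added example: scriptable version of the F-Secure manual Flashback check.
# Looks for a DYLD_INSERT_LIBRARIES key in the two plists Flashback used for
# persistence. Paths, overrides and sample data are assumptions for this demo.

# Emit a plist as XML so grep can read it. plutil exists on macOS and converts
# binary plists; anywhere else (or under test) fall back to the raw file.
plist_as_xml() {
    if command -v plutil >/dev/null 2>&1; then
        plutil -convert xml1 -o - "$1"
    else
        cat "$1"
    fi
}

# Return 0 if the plist is absent or sets no DYLD_INSERT_LIBRARIES, 1 if it does.
# An absent file is the clean case the thread describes ("does not exist").
check_plist() {
    f=$1
    [ -f "$f" ] || return 0
    xml=$(plist_as_xml "$f")
    if printf '%s\n' "$xml" | grep -q 'DYLD_INSERT_LIBRARIES'; then
        # Pull out the injected path so the reader can see what would be loaded.
        lib=$(printf '%s\n' "$xml" | grep -A1 'DYLD_INSERT_LIBRARIES' \
              | sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p')
        echo "SUSPICIOUS: $f sets DYLD_INSERT_LIBRARIES=${lib:-?}" >&2
        return 1
    fi
    return 0
}

# Check both persistence locations; return 1 if either looks infected.
# The env-var overrides exist only so the check can be pointed at sample files.
check_flashback() {
    rc=0
    check_plist "${SAFARI_PLIST:-/Applications/Safari.app/Contents/Info.plist}" || rc=1
    check_plist "${USER_ENV_PLIST:-$HOME/.MacOSX/environment.plist}" || rc=1
    return $rc
}

# Constructed sample plists (not real infection artifacts) so the check can be
# exercised offline: one benign environment.plist and one with an injected dylib.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/clean.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>PATH</key>
    <string>/usr/local/bin:/usr/bin:/bin</string>
</dict>
</plist>
EOF
    cat > "$d/infected.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/joe/.example_injected.dylib</string>
</dict>
</plist>
EOF
    echo "$d"
}

# Stand-alone run: check this machine, then show the verdict on the samples.
if [ "${RUN_DEMO:-1}" = 1 ]; then
    check_flashback && echo "no DYLD_INSERT_LIBRARIES persistence found" || true
    s=$(make_samples)
    check_plist "$s/clean.plist"    && echo "clean.plist: OK"
    check_plist "$s/infected.plist" || echo "infected.plist: flagged (expected)"
fi
```

A flagged result is a reason to follow the removal steps from the F-Secure page, not a reason to delete the plist blindly: the Safari Info.plist check in particular can flag a legitimately signed bundle only if someone has edited it, so note what the `lib` path is before acting. After removal and reboot, rerun the check; both files should be absent or free of the key.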
  • thorin (Posts: 11, member)
    I have a Time Machine backup to an external USB drive that I did before any of this happened (this drive is only connected when doing a backup). If I did a restore from it, would it undo all of this madness?
  • thorin (Posts: 11, member)
    Quote:
    Originally Posted by egrar

    What's your default web browser? Try using Chrome; it uses its own Java plugins, not relying on Apple's Java updates. When Chrome updates, it also updates its plugins. This is based on my Linux experience. I also use Firefox here in Mac OS Lion, but I prefer Chrome. Installed Bitdefender (available in the App Store) for a quick system scan. Load application monitor, find any processes that deal with Java and kill them. Ahhh, missed my virus hunting days with M$ Windows...

    PS : Firefox for Mac looks for Mac OS X java plugins..



    I've been using Safari almost exclusively; looks like it's time to give Chrome a try. And thanks for that last link.
  • egrar (Posts: 29, member)
    Quote:
    Originally Posted by Thorin

    I have a Time Machine backup to an external USB drive that I did before any of this happened (this drive is only connected when doing a backup). If I did a restore from it, would it undo all of this madness?



    According to this

    http://arstechnica.com/apple/news/20...rotections.ars

    this trojan has been targeting Macs since 2009? Check your system first before doing anything..
  • thorin (Posts: 11, member)
    Will do. Thanks again.
  • habi (Posts: 317, member)
    Quote:
    Originally Posted by adamw


    I WAS infected with this Trojan, until I saw this article and followed the uninstall instructions. The trojan installed without my permission ~ March 3rd according to the file date of the trojan that was installed.



    I had the variant that installed in my global preferences and intercepted my Safari screen characters and keystrokes. It got access to my Mac using Java, without me typing the Admin password or notifying me to install it. This stealth trojan had been running for about a month now, before I discovered it.



    I have now turned off Java, and updated to the latest Apple supplied version of Java which they just released a day or so ago. This exploit in Java has been known since February, and I am very annoyed with Apple for not fixing their version of Java, and notifying us of this earlier. It would have likely prevented the Java hole to exist that this trojan exploited to infect my Mac Pro without my knowledge.



    I was unhappy to find out today that I had this trojan installed on my Mac Pro, but I am relieved now that I was able to uninstall it. I changed my various online account passwords, to prevent the people who ran this botnet from using my personal account names and passwords.



    I thought my Mac was more secure than this. I appreciate the reports about this trojan, which caused me to check, and let me know my Mac had been compromised.





    Just out of curiosity, which OS X version do you have on your Apple Mac Pro?
  • habi (Posts: 317, member)
    Quote:
    Originally Posted by audio_inside


    Wow, so this is all I have to do to protect my Mac?



    Code:


    sudo touch "/Library/Little Snitch"





    Hell, that cracked me up!!
  • ahrubik (Posts: 80, member)
    Anyone of you who thinks that just because you use a Mac and are careful you're not going to get infected is playing Russian roulette with your data. It's your data to lose, though, so feel free.
  • thorin (Posts: 11, member)
    Quote:
    Originally Posted by AHrubik

    Anyone of you who thinks that just because you use a Mac and are careful you're not going to get infected is playing Russian roulette with your data. It's your data to lose, though, so feel free.

    Well, it looks like I'm clean after all. I was sure that I had allowed it to install itself, though, because I am certain that I let it do a "Flash update" just a few days ago. So, I don't know WTF happened. Thanks for the tips. Also trying out the Little Snitch demo right now, pretty cool.