600,000 Macs infected with Flashback trojan, 274 in Cupertino; how to check your Mac

“Russian security firm Dr Web warns that at least 600,000 Macs are infected and part of a growing bonnet,” Ed Oswald reports for ExtremeTech. “76% of these Macs are located in the US and Canada, with another 13% in the UK.”

“Possibly more embarrassing for Apple is the fact that 274 infected computers are located in Cupertino, California, which may indicate Macs belonging to Apple employees or even on the company’s campus might be infected,” Oswald reports. “Mac users are advised to ensure their Macs are up-to-date to prevent infection, and some four million compromised web pages are believed to exist, including portions of DLink’s website, Dr Web claims.”

Oswald reports, “The Flashback Trojan is the culprit here, but is nothing new. The Trojan first appeared disguised as a Flash installer last September, and disabled Mac OS X’s built in malware protections. This version makes its way into Macs through a Java vulnerability, and is loaded onto unpatched Macs without interaction from the user.”

MacDailyNews Note: Apple on Tuesday released Java for OS X 2012-001. It is available via Software Update and also via standalone installers for Mac OS X 10.6 Snow Leopard (more info here) and OS X 10.7 Lion (more info here).

Read more in the full article here.

To check your Mac (a clean Mac will deliver the message “does not exist”) follow F-Secure’s instructions here.

Related articles:
OS X trojan variant preys on Mac users with unpatched Java – February 27, 2012
Warning: Flashback Trojan horse spreading; Mac users should be wary of Flash installers – September 28, 2011
Apple updates OS X Lion, Snow Leopard malware definitions to address new trojan – September 26, 2011


    1. By the way:
      For those who want to check if mac is infected (from F-Secure instructions):
      Run the following command in terminal:

      defaults read /Applications/Safari.app/Contents/Info LSEnvironment

      defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

      If you get “The domain/default pair … does not exist” for both – you are clean

      Note to terminal noobs: paste one command at a time. 🙂

            1. Well… They do have accurate instructions on how to remove the infection. Whether they created the virus to begin with or not, we will never know, but those instructions work.

          1. There are lots of reasons to check out Terminal. Get a decent Unix handbook and have at it.

            My this old Macbook 5.1 now automatically boots into 64 bit mode and is ready for Mountain Lion, thanks to resetting a few items in the OS using Terminal. Pine with Procmail on your remote mail server is an excellent way to filter mail too.

          1. Seriously? I’ve been on Macs for only 16 years, but I learned to love the Terminal while running OS X 10.0. It was really pretty necessary to use it while running that beta-quality version of the Mac OS.

      1. Thanks dinjin201.

        What other way can people scan for this trojan?
        If so what to use? I believe Dr. Web is the culprit here posting baloney information. I have tried in the past the software and since installing it has found many things no other app found, yet never completed its task – freezing the machine and forcing me to restore from time machine. Not once has the software ever made a complete scan job.

        1. It’s really EASY to do, even for a noob. Just follow the instructions and copy and paste the commands. No need to be concerned that you don’t know what you are doing. Just follow the steps.

          1. I had followed the instructions – I was asking for another way just to verify if this procedure was valid – Dates of these steps pre-date the threat and are not targeting Java directly but focus on Safari. Sure Safari uses Java however one just wishes to confirm that their is no threat – thx. Sorry if that makes me a noob, by your definition.

        1. You’re very welcome. Yes, the original instructions are in the article, but they don’t tell you how to use terminal, and I figured why not throw a few tips in there 🙂

        1. I haven’t tried this. Remember if there is no infection, those locations may not even exist. and I’m not sure if they would be hidden or not… so terminal is the safest way to go with this one…

      2. ahem! Right above the “Related Articles” section above is MDN’s recommendations:

        To check your Mac (a clean Mac will deliver the message “does not exist”) follow F-Secure’s instructions here.

        1. Jeff, if you click on links when a new article is posted, sometimes they don’t work. I’m sorry if you think my comment was redundant, but I was just helping people out here, without them having to go to an external link, and provided a few tips on how to use terminal because not everyone knows.

          If helping others bothers you that much, and if other people thanking me for making things simple for them makes you feel unhappy somehow, you have my sympathy, because jealousy must be a hard thing to live with.

            1. You’re welcome. It’s okay, I feel like he was just trolling… and I was irked enough by his trolling that I had to go off on him a bit 😛

              If you follow the link and go look at the instructions, they just don’t explain *anything* about terminal. They literally say “run the following commands” and give a a whole list…. (including the removal commands)

      1. Hahah yeah…

        of course, you can also release totally accurate info regarding how many are infected, what IP the infections are coming from, etc… 🙂 LOLOLOLOL

        and of course: “here’s how you get rid of it”

        Sounds like a conspiracy to me.

    1. Dr. Web is the only free Mac app on the AppStore that sees all .exe files as a threat. The other apps that I have bothered to play with (manual apps) see my machine as clean.

      I’m also thinking the culprit may in fact be the Dr. himself.

  1. I figure my Mac is clean – however just like a simple way to check if this trojan is nested in my machine?

    F-Secure terminal procedure is beyond my skills.
    And updating Java does not remove the trojan.

    Dr. Web free app – it takes forever and thinks every .exe is a threat quarantines all. Bitdefender and VirusBarrier both see nothing.

    1. On f-secure’s webpage the firs step is to copy paste the terminal command into the the terminal app. Just open the terminal app and copy past the text they have in red under step 1, then hit return.

      1. Thank you, yes – read and did all that.
        F-Secure is targeting Safari. Not Java or Flash plugin.

        Thinking this is so Oscar Myers – baloney – a trojan article.

        STEP 1 RETURNS: does not exist.

        instructed to go to step 4.

        STEP 4 RETURNS: No such file or directory

        Plus ran all anti-virus apps I have – just to see the results.
        Now installing Sophos in addition to Dr. Web, BitDefender, Claim and Virus Barrier.

        The Dr.Web is the only app that sees any .exe as a threat.

        Feeling this a scam scare.

        1. And you fell for it by installing every Mac AV software out there. Then, you’ll feel unsafe if you get rid of all the AV software because you’re scared of what could happen in the future. And that’s the beginning of the end.

    1. Nope. You’re completely safe. Having Java disabled saves you as well. This is why Apple no longer includes any plugins, including Java and Flash, in its default Lion install.

  2. Anyway you look at it, this should not have happened the OS is not supposed to install anything that has not been approved by the user even Apples own updates can not be installed without Admin approval. Some one at Apple needs to do some splainin. Installed is different than running. I can see an app in a WEB page running without approval but as soon as it tries to install something then it should be sttopped.

    1. The Flashback trojan DOES require a novice user to INSTALL a fake Flash player installer, and in some cases, even accept a falsely signed certificate that the OS actually warns is not valid.

      The OS is in no way responsible for a user’s own lack of knowledge/awareness/stupidity.

      1. Ok, reading up on the latest version, and in some places it claims no interaction, but others say that a certificate prompt comes up. I’m not going to test it myself. 🙂

        But, either way, this is a Java vulnerability and not the OS.

    2. It gets better. Apple continues to hide more and more of the file system with every release unless you use the terminal or 3rd party software like Rixstep x-File.

      One of the really nasty things about this is it faked Apple’s Software Update and if you had automatic updates on would not tell you what you were signing off on. I’m really tired of the endless dumbing down of the Mac OS.

      1. Interesting point – however – I would believe the Apple Software update check – directly connects to truly Apple.

        Also, please note that once you run Software update check, you can enter the preferences to (disable) check weekly and (disable) download automatically.

        1. Quite a few corporations and universities remap the Apple Software Update address to local servers in their Mac OS authorized builds so they can check the updates for compatibility with home grown software and systems. The people with those Macs are always behind the curve on updates until the IT people push updates out locally.

    3. Relax, Jeff. The sun will rise tomorrow.

      Culling the gene pool, that’s all. Those who get lax with their own security measures, and more importantly, become lulled into a false sense of security because they use Macintosh, get pulled down by the short hairs.

      Vigilence is paramount. I learned that just by watching the Windows Wars and the massive virus storms that scorched a billion machines every year throughout the Nineties.

      The blame for much of it is lost on the billions of users who are too stupid to own a computer. Ninety-percent of them chose the wrong platform in the first place, and then failed to develop a healthy respect for a computer capable of destroying your life, and those around you. Imagine the cost of just the collateral damage alone?!

      The disease will find you by following your trail of breadcrumbs! You are being studied, get it? You are a creature of habit and unfortunately, the one you turn to for permission to act on your impulses, is asleep at the wheel.

      So long, it was nice to kmow you.

  3. … are not entirely correct. No mention is made of “run this from an Admin account” – quite a few Windows users are running ALL their admin AND user jobs from admin accounts already without being aware of the danger in that. Also, why continue to Step 2 if “The domain/default pair … does not exist”?

    1. also F-Secure instructions are old and targets Safari

      as stated in the article, “This version makes its way into Macs through a Java vulnerability.” so one would figure even if the Java update has been done that F-Secure terminal instructions would target Java and the Flash plugin.

  4. So this one site has these numbers, how? Because… who planted the trojan? And the “Cupertino” numbers – meaning to imply residents of Cupertino CA proper(?) or that someone got trojans past Apple’s firewall, us knowing that ‘Cupertino’ is often a left handed referral to Apple’s HQ. How come the usual chorus of anti-virus folks aren’t singing about it… I am always somewhat suspicious of anti-virus companies to begin with, who determines their ‘legitimacy’? Not to mention..(as a child of the Cold War) . a Russian security firm? If I knew little about command line use I would be somewhat dubious to run the command line prompts to ‘check for infection’. For all you know you are opening a way in for some future trojan when you run the test…

  5. As Apple grows so do the threats, that much is a given. Compared to everyone else in the industry Apple stand head and shoulders above, no, maybe orbits above all others relative to security.

    Apple’s customers expect a reasonable level of protection and security from Apple’s designs and they should. To me, Apple’s challenge is to do just that, at a reasonable level.

    Defining the reasonable level will always stir the debate…

  6. What the web articles I have read today have failed to say is this:
    If you had proper AV software with up to date definitions this problem does not exist.
    From the Intego Security Blog:
    “Intego VirusBarrier X6 with current malware definitions protects against this new version of the Flashback malware; Intego did not need to update its malware definitions to detect this new variant.” March 7, 2011
    “Intego VirusBarrier X6 protects against Flashback and all other Mac malware. The Intego Malware Research Center is ensuring that regular updates to the program’s threat filters include new malware definitions for the latest variants of the Flashback malware.” April 5, 2011


    No, I do not work for Intego although I am a customer.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.