“Russian security firm Dr Web warns that at least 600,000 Macs are infected and part of a growing botnet,” Ed Oswald reports for ExtremeTech. “76% of these Macs are located in the US and Canada, with another 13% in the UK.”
“Possibly more embarrassing for Apple is the fact that 274 infected computers are located in Cupertino, California, which may indicate Macs belonging to Apple employees or even on the company’s campus might be infected,” Oswald reports. “Mac users are advised to ensure their Macs are up-to-date to prevent infection, and some four million compromised web pages are believed to exist, including portions of DLink’s website, Dr Web claims.”
Oswald reports, “The Flashback Trojan is the culprit here, but is nothing new. The Trojan first appeared disguised as a Flash installer last September, and disabled Mac OS X’s built in malware protections. This version makes its way into Macs through a Java vulnerability, and is loaded onto unpatched Macs without interaction from the user.”
MacDailyNews Note: Apple on Tuesday released Java for OS X 2012-001. It is available via Software Update and also via standalone installers for Mac OS X 10.6 Snow Leopard (more info here) and OS X 10.7 Lion (more info here).
Read more in the full article here.
To check your Mac (a clean Mac will deliver the message “does not exist”) follow F-Secure’s instructions here.
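The F-Secure check linked above amounts to two `defaults read` commands: one looks for an `LSEnvironment` entry in Safari's Info.plist, the other for a `DYLD_INSERT_LIBRARIES` key in `~/.MacOSX/environment.plist`; Flashback used both to get its dylib loaded into the browser. The script below is an added example, not code from the article, F-Secure or Dr. Web. It reads those same plist files directly with Python's `plistlib` instead of shelling out to `defaults`, treats a missing file or key as the "does not exist" (clean) result, and generalizes the first check to any application bundle's Info.plist (the Firefox check some readers also run). The default paths are the standard Snow Leopard/Lion locations and are assumed; the sample plists in `demo_with_constructed_plists` are constructed for the demo and are not real infection artifacts.

```python
"""Check the Flashback persistence points the Terminal commands above inspect,
by reading the plist files directly rather than via `defaults read`."""
import os
import plistlib

# Default locations the two `defaults read` commands resolve to (assumed
# standard paths; `defaults` adds the ".plist" suffix itself).
SAFARI_INFO_PLIST = "/Applications/Safari.app/Contents/Info.plist"
USER_ENV_PLIST = os.path.expanduser("~/.MacOSX/environment.plist")


def load_plist(path):
    """Return the plist as a Python object, or None if the file is absent
    (the equivalent of `defaults` reporting 'does not exist')."""
    if not os.path.exists(path):
        return None
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def lookup(path, key_path):
    """Follow key_path (e.g. ("LSEnvironment", "DYLD_INSERT_LIBRARIES"))
    inside the plist at `path`; return the value, or None if any key is missing."""
    node = load_plist(path)
    for key in key_path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def check_flashback(app_info_plists=(SAFARI_INFO_PLIST,), env_plist=USER_ENV_PLIST):
    """Return a list of (plist_path, injected_value) findings.
    An empty list is the same outcome as getting 'does not exist' from both
    Terminal commands: neither persistence point is set."""
    findings = []
    for info_plist in app_info_plists:
        value = lookup(info_plist, ("LSEnvironment", "DYLD_INSERT_LIBRARIES"))
        if value is not None:
            findings.append((info_plist, value))
    value = lookup(env_plist, ("DYLD_INSERT_LIBRARIES",))
    if value is not None:
        findings.append((env_plist, value))
    return findings


def demo_with_constructed_plists():
    """Write constructed sample plists to a temp dir and run the check on them.
    Returns (findings_for_clean_bundle, findings_for_injected_bundle)."""
    import tempfile
    tmp = tempfile.mkdtemp()
    clean = os.path.join(tmp, "Clean-Info.plist")
    injected = os.path.join(tmp, "Injected-Info.plist")
    env = os.path.join(tmp, "environment.plist")
    missing = os.path.join(tmp, "does-not-exist.plist")  # never created
    with open(clean, "wb") as fh:  # constructed: no LSEnvironment at all
        plistlib.dump({"CFBundleIdentifier": "com.apple.Safari"}, fh)
    with open(injected, "wb") as fh:  # constructed: dylib injected via LSEnvironment
        plistlib.dump({"CFBundleIdentifier": "com.apple.Safari",
                       "LSEnvironment": {"DYLD_INSERT_LIBRARIES": "/tmp/constructed.dylib"}}, fh)
    with open(env, "wb") as fh:  # constructed: user-wide injection
        plistlib.dump({"DYLD_INSERT_LIBRARIES": "/tmp/constructed_user.dylib"}, fh)
    return check_flashback([clean], missing), check_flashback([injected], env)


if __name__ == "__main__":
    hits = check_flashback()
    if not hits:
        print("clean: no DYLD_INSERT_LIBRARIES persistence found")
    for where, value in hits:
        print("SUSPECT %s -> %s" % (where, value))
```

A finding means a library is being force-loaded into the browser, which is what the removal instructions linked from the article deal with; an empty result only says these two indicators are absent, so it is as narrow as the Terminal check it mirrors.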
Related articles:
OS X trojan variant preys on Mac users with unpatched Java – February 27, 2012
Warning: Flashback Trojan horse spreading; Mac users should be wary of Flash installers – September 28, 2011
Apple updates OS X Lion, Snow Leopard malware definitions to address new trojan – September 26, 2011
Hence Apple’s reason for removing all plug-ins from the default Lion install.
By the way:
For those who want to check if mac is infected (from F-Secure instructions):
Run the following command in terminal:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
If you get “The domain/default pair … does not exist” for both – you are clean
Note to terminal noobs: paste one command at a time. 🙂
The above is correct (in case you were suspicious).
^ Thanks for the support 🙂
Wait a minute.
A Russian site called Dr. Web is considered legit???
The same question might have been asked about a company that named itself after a fruit.
Well… They do have accurate instructions on how to remove the infection. Whether they created the virus to begin with or not, we will never know, but those instructions work.
PS: for terminal super noobs…. Cmd+Spacebar. then type “terminal” then press return.
😉
Thanks. First time in Terminal. Never had the need…
Clean. Whew.
There are lots of reasons to check out Terminal. Get a decent Unix handbook and have at it.
This old MacBook 5.1 of mine now automatically boots into 64-bit mode and is ready for Mountain Lion, thanks to resetting a few items in the OS using Terminal. Pine with Procmail on your remote mail server is an excellent way to filter mail too.
Twenty three years on Mac and I’ve never gone to terminal. I believe I could qualify as a super super noob!
Thank you dinjin201
Seriously? I’ve been on Macs for only 16 years, but I learned to love the Terminal while running OS X 10.0. It was really pretty necessary to use it while running that beta-quality version of the Mac OS.
🙂 haha well, now you’ve learned something new 😀
you’re very welcome.
‘Whether they created the virus to begin with or not, we will never know, but those instructions work.’
dinjin201: It’s NOT a virus. – repeat – It’s NOT a virus.
*whoops* slip of the tongue, there. Sorry. Trojan. I meant trojan 😛
Well, so maybe did the NYT, but it’s too late after the fact.
🙁 you have a good point there 🙁
Thanks dinjin201.
What other way can people scan for this trojan?
If so what to use? I believe Dr. Web is the culprit here posting baloney information. I have tried in the past the software and since installing it has found many things no other app found, yet never completed its task – freezing the machine and forcing me to restore from time machine. Not once has the software ever made a complete scan job.
I don’t know of any other ways to scan for this trojan, sorry 🙁
I should also mention, most antivirus software for Mac just scans for Windows viruses. It’s a total waste of your CPU cycles, time, and money.
It’s really EASY to do, even for a noob. Just follow the instructions and copy and paste the commands. No need to be concerned that you don’t know what you are doing. Just follow the steps.
I had followed the instructions – I was asking for another way just to verify if this procedure was valid – Dates of these steps pre-date the threat and are not targeting Java directly but focus on Safari. Sure, Safari uses Java; however, one just wishes to confirm that there is no threat – thx. Sorry if that makes me a noob, by your definition.
Re-visited this article today Apr 10th, because of this news,
Thanks, dinjin201!
Ran the commands, and I’m clear (just like I was 99.98% certain was the case).
Thanks dinjin201 for the post. I never needed to use terminal, and your instructions were right on. And as I suspected, nothing was found.
You’re very welcome. Yes, the original instructions are in the article, but they don’t tell you how to use terminal, and I figured why not throw a few tips in there 🙂
you can also just right-click and choose “show package contents”
I haven’t tried this. Remember if there is no infection, those locations may not even exist. and I’m not sure if they would be hidden or not… so terminal is the safest way to go with this one…
Thanks… The link from the article WAS BAD… classic.
It happens. I don’t know what it is but that seems to happen a lot… 😛
So I figured why not post and help everyone out 🙂
ahem! Right above the “Related Articles” section above is MDN’s recommendations:
To check your Mac (a clean Mac will deliver the message “does not exist”) follow F-Secure’s instructions here.
Jeff, if you click on links when a new article is posted, sometimes they don’t work. I’m sorry if you think my comment was redundant, but I was just helping people out here, without them having to go to an external link, and provided a few tips on how to use terminal because not everyone knows.
If helping others bothers you that much, and if other people thanking me for making things simple for them makes you feel unhappy somehow, you have my sympathy, because jealousy must be a hard thing to live with.
Thanks again dinjin201!
didjin201 – I appreciated you posting the info.
Thanks!
oops – dinjin201
Sorry ’bout that.
You’re welcome. It’s okay, I feel like he was just trolling… and I was irked enough by his trolling that I had to go off on him a bit 😛
If you follow the link and go look at the instructions, they just don’t explain *anything* about terminal. They literally say “run the following commands” and give a whole list…. (including the removal commands)
What if you get a file for the first one but not the second?
You may be infected. Instructions on how to remove the infection are found on the Dr. Web site that MDN linked to at the bottom of the article.
Are you really “infected” by a Trojan? There must be a better word … how ’bout “afflicted”???
plagued? 😉
How about a word that reflects the level of difficulty of finding and eliminating the threat – pestered.
Hahahaha Touché 🙂
If anyone wants a simpler (non-command line) way to check for the Trojan, you can use this free tool: http://rsdeveloper.com/downloads/test4flashback.zip
anyone checked the validity of these claims/numbers. They are after all coming from an Antivirus software company.
correction “security firm” who are generally in cahoots with the AV companies.
Correction: Anti-malware firm in RUSSIA.
Therefore, I treat this figure with suitable skepticism. But we know the Drive-By, no password required Java infection of Macs is entirely real and dangerous.
My recommendation is to turn Java OFF. I provide how-to instructions in my Mac-Security article HERE:
CRITICAL Java Updates: Mac OS X 10.6 Update 7 and 10.7 Update 2012-002 (formerly 001)
I am trojan free…phew
How did you come to this conclusion?
I would like a simple way to check – thx.
be careful not to make babies lol
and always do the balloon test first
Hahahahahahaha
Was that comment a Fluke?
(no, wait, that was free Trojans…)
😉
First you find the vulnerability.
Then you create and release the Trojan.
Then you create the almost benign Bot-net.
Then you sell the anti-virus software.
5. Profit!
Hahah yeah…
of course, you can also release totally accurate info regarding how many are infected, what IP the infections are coming from, etc… 🙂 LOLOLOLOL
and of course: “here’s how you get rid of it”
Sounds like a conspiracy to me.
Dr. Web is the only free Mac app on the AppStore that sees all .exe files as a threat. The other apps that I have bothered to play with (manual apps) see my machine as clean.
I’m also thinking the culprit may in fact be the Dr. himself.
I don’t buy the numbers. Off to do some digging.
appreciated
My MBP is clean
same…Went through the checking process anyway as I was curious to see what else I might find…nothing! 🙂 So disappointed 😉
I believe I am clean also. Never miss an update from Apple. Do not have or run Flash browser plugin. Whats is the simplest way to scan for this?
I figure my Mac is clean – however just like a simple way to check if this trojan is nested in my machine?
F-Secure terminal procedure is beyond my skills.
And updating Java does not remove the trojan.
Dr. Web free app – it takes forever and thinks every .exe is a threat quarantines all. Bitdefender and VirusBarrier both see nothing.
On F-Secure’s webpage the first step is to copy-paste the terminal command into the Terminal app. Just open the Terminal app and copy-paste the text they have in red under step 1, then hit return.
Thank you, yes – read and did all that.
F-Secure is targeting Safari. Not Java or Flash plugin.
Thinking this is so Oscar Mayer – baloney – a trojan article.
STEP 1 RETURNS: does not exist.
instructed to go to step 4.
STEP 4 RETURNS: No such file or directory
—
Plus ran all anti-virus apps I have – just to see the results.
Now installing Sophos in addition to Dr. Web, BitDefender, Claim and Virus Barrier.
The Dr.Web is the only app that sees any .exe as a threat.
Feeling this a scam scare.
And you fell for it by installing every Mac AV software out there. Then, you’ll feel unsafe if you get rid of all the AV software because you’re scared of what could happen in the future. And that’s the beginning of the end.
Ha ha – no – I uninstalled every anti-virus app and bought a book to learn Terminal.
Question, should I even be worried if I don’t have Java installed on my iMac?
Nope. You’re completely safe. Having Java disabled saves you as well. This is why Apple no longer includes any plugins, including Java and Flash, in its default Lion install.
Any way you look at it, this should not have happened. The OS is not supposed to install anything that has not been approved by the user; even Apple’s own updates cannot be installed without Admin approval. Someone at Apple needs to do some ’splainin. Installed is different than running. I can see an app in a web page running without approval, but as soon as it tries to install something, then it should be stopped.
The Flashback trojan DOES require a novice user to INSTALL a fake Flash player installer, and in some cases, even accept a falsely signed certificate that the OS actually warns is not valid.
The OS is in no way responsible for a user’s own lack of knowledge/awareness/stupidity.
Ok, reading up on the latest version, and in some places it claims no interaction, but others say that a certificate prompt comes up. I’m not going to test it myself. 🙂
But, either way, this is a Java vulnerability and not the OS.
Whenever someone builds a fool-proof system, someone else builds a better fool…
It gets better. Apple continues to hide more and more of the file system with every release unless you use the terminal or 3rd party software like Rixstep x-File.
One of the really nasty things about this is it faked Apple’s Software Update and if you had automatic updates on would not tell you what you were signing off on. I’m really tired of the endless dumbing down of the Mac OS.
Interesting point – however – I would believe the Apple Software update check – directly connects to truly Apple.
Also, please note that once you run Software update check, you can enter the preferences to (disable) check weekly and (disable) download automatically.
Quite a few corporations and universities remap the Apple Software Update address to local servers in their Mac OS authorized builds so they can check the updates for compatibility with home grown software and systems. The people with those Macs are always behind the curve on updates until the IT people push updates out locally.
Relax, Jeff. The sun will rise tomorrow.
Culling the gene pool, that’s all. Those who get lax with their own security measures, and more importantly, become lulled into a false sense of security because they use Macintosh, get pulled down by the short hairs.
Vigilance is paramount. I learned that just by watching the Windows Wars and the massive virus storms that scorched a billion machines every year throughout the Nineties.
The blame for much of it is lost on the billions of users who are too stupid to own a computer. Ninety-percent of them chose the wrong platform in the first place, and then failed to develop a healthy respect for a computer capable of destroying your life, and those around you. Imagine the cost of just the collateral damage alone?!
The disease will find you by following your trail of breadcrumbs! You are being studied, get it? You are a creature of habit and unfortunately, the one you turn to for permission to act on your impulses, is asleep at the wheel.
So long, it was nice to know you.
Tremble. Drool. Gibber. Cringe.
Where is the download??
… are not entirely correct. No mention is made of “run this from an Admin account” – quite a few Windows users are running ALL their admin AND user jobs from admin accounts already without being aware of the danger in that. Also, why continue to Step 2 if “The domain/default pair … does not exist”?
also F-Secure instructions are old and targets Safari
as stated in the article, “This version makes its way into Macs through a Java vulnerability.” so one would figure even if the Java update has been done that F-Secure terminal instructions would target Java and the Flash plugin.
Clean also, I don’t buy these numbers too – MDN how about putting a quick survey up to see how many Macs are clean/infected?
Clean as a whistle here! As I expected, since I have been cured of M$ for about 4 years now. Cured I tell ya!!
So this one site has these numbers, how? Because… who planted the trojan? And the “Cupertino” numbers – meaning to imply residents of Cupertino CA proper(?) or that someone got trojans past Apple’s firewall, us knowing that ‘Cupertino’ is often a left handed referral to Apple’s HQ. How come the usual chorus of anti-virus folks aren’t singing about it… I am always somewhat suspicious of anti-virus companies to begin with, who determines their ‘legitimacy’? Not to mention..(as a child of the Cold War) . a Russian security firm? If I knew little about command line use I would be somewhat dubious to run the command line prompts to ‘check for infection’. For all you know you are opening a way in for some future trojan when you run the test…
As Apple grows so do the threats, that much is a given. Compared to everyone else in the industry Apple stands head and shoulders above, no, maybe orbits above all others relative to security.
Apple’s customers expect a reasonable level of protection and security from Apple’s designs and they should. To me, Apple’s challenge is to do just that, at a reasonable level.
Defining the reasonable level will always stir the debate…
What the web articles I have read today have failed to say is this:
If you had proper AV software with up to date definitions this problem does not exist.
From the Intego Security Blog:
“Intego VirusBarrier X6 with current malware definitions protects against this new version of the Flashback malware; Intego did not need to update its malware definitions to detect this new variant.” March 7, 2011
“Intego VirusBarrier X6 protects against Flashback and all other Mac malware. The Intego Malware Research Center is ensuring that regular updates to the program’s threat filters include new malware definitions for the latest variants of the Flashback malware.” April 5, 2011
http://www.intego.com/mac-security-blog/
No, I do not work for Intego although I am a customer.
I’m just not buying this. 600K clueless Mac users who’ve given their password during a bogus ‘install’?
The install dialog box didn’t (and doesn’t) say “Enter administrator password to install bogus Java update.”
Buy it.
There are actually three commands you need to enter in Terminal.
Enter this command in terminal:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
Result if not infected:
The domain/default pair of (/Users/gordon/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist
Enter this command in terminal:
defaults read /Applications/Safari.app/Contents/Info DYLD_INSERT_LIBRARIES
Result if not infected:
The domain/default pair of (/Applications/Safari.app/Contents/Info, DYLD_INSERT_LIBRARIES) does not exist
Enter this command in terminal:
defaults read /Applications/Firefox.app/Contents/Info DYLD_INSERT_LIBRARIES
Result if not infected:
The domain/default pair of (/Applications/Firefox.app/Contents/Info, DYLD_INSERT_LIBRARIES) does not exist
Well, Gordon (your name is in the 5th line down), please explain why people should take your advice over the professional antivirus firm since only one of the three commands you say users should type is among the two the pros say should be typed.
I would also point out that very few users will see a response in Terminal that includes the word “gordon”.
Greg, you’re right in saying that very few will see the word Gordon… I should have explained that part. Regarding the three lines I simply read the instructions here:
http://reviews.cnet.com/8301-13727_7-57403430-263/detecting-and-removing-the-flashback-malware-in-os-x/
followed them and transcribed my results here to help those who seemed a bit confused above.
Thanks. I tried all three and am still clean.
BTW everyone, I am using avast! (avast! website HERE) It’s $25 and very nice. It runs continually in the background watching for suspicious behavior.
I also use ClamXav (ClamXav website, HERE) to scan volumes for infections.
I recommend both.
My Macs are all clean!!!!
Wolf!!!
Me too.
There are a couple of different simple and logical actions that will keep users completely safe from this Trojan. And basically only lazy and foolish people will get infected.
It’s like I told a friend recently – Apple makes great products, but using them cannot make a stupid person smart.
Maybe that will come in OS XIII. 😉
Didn’t find any Trojans but did find a few Durex.
Collect 365 of them, recycle them, and call the product a Goodyear!
Nothing to see here, move on!
The seven Macs in my house are all unaffected, but then none of them has Java active.
I’m calling bullshyt on those numbers!
My MBP IS CLEAN, too.
Clean here. Three Macs. More FUD.
I’m still a VIRGIN!