Mac Flashback trojan manual clean-up detailed

Apr 5, 2012
16
Mac Flashback trojan manual clean-up detailed

Detailed instructions on how to figure out if your Mac is one of the 600,000+ to have been infected by the Flashback trojan have been released, allowing cautious users to check their systems. The guide, published by security firm F-Secure, details not only how to identify a compromised machine, but how to remove manually remove the trojan from OS X. More details after the cut.

The instructions may look a little intimidating to some, but basically require loading up Terminal (which you'll find in the Applications folder) and then copying and pasting in the commands from the following list. If you see the relevant "does not exist" errors then you know your system isn't infected.

Manual Removal Instructions

1. Run the following command in Terminal:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

2. Take note of the value, DYLD_INSERT_LIBRARIES
3. Proceed to step 8 if you got the following error message:

"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"

4. Otherwise, run the following command in Terminal:

grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%

5. Take note of the value after "__ldpath__"
6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):

sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment

sudo chmod 644 /Applications/Safari.app/Contents/Info.plist

7. Delete the files obtained in steps 2 and 5
8. Run the following command in Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:

"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"

10. Otherwise, run the following command in Terminal:

grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%

11. Take note of the value after "__ldpath__"
12. Run the following commands in Terminal:

defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

launchctl unsetenv DYLD_INSERT_LIBRARIES

13. Finally, delete the files obtained in steps 9 and 11.

F-Secure also recommends running checks for a second variant of the trojan, Flashback.K, which can also be inadvertently installed onto compromised systems.

Although Apple has patched the loophole taken advantage of by the trojan, with a recent Java update, the number of infected systems continues to grow. In general, it's best not to enter your administrator password to any pop-up dialog box that you're not expecting to see.


Must Read Bits & Bytes