OSX Flashback Trojan (OSX/Flashback.I) Botnet infects 500,000 Apple Computers

Posted by on Apr 7, 2012 in Apple, Facebook Featured Posts


Apple users have been lucky so far, with viruses, trojans and botnets focusing on the Microsoft platform. But it looks like they’ve recently been hit with a rather large infection called the Flashback trojan, which has infected half a million Apple desktops and laptops according to Russian anti-virus vendor Dr Web.

Detection names: Exploit:Java/Flashback.I, Trojan-Downloader:OSX/Flashback.I, Trojan:OSX/Flashback.I, Backdoor:OSX/Flashback.I

Once infected, the machine connects to a remote site to download its payload; on successful infection, the malware modifies targeted web pages displayed in the web browser.

According to the BBC, Dr Web also notes that 274 of the infected computers it detected appeared to be located in Cupertino, California, home to Apple’s headquarters.

OSX/Flashback.I Apple Patch

Apple Macintosh owners are advised to download and install a security update released by Apple from support.apple.com/kb/HT5228 to prevent infection of their systems.

Manual removal of OSX/Flashback.I from an Apple Computer

If you are looking to manually remove this infection from your machine, f-secure.com recommend the following steps:

1. Run the following command in Terminal:
   defaults read /Applications/Safari.app/Contents/Info LSEnvironment
2. Take note of the value, DYLD_INSERT_LIBRARIES
3. Proceed to step 8 if you got the following error message:
   "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"
4. Otherwise, run the following command in Terminal:
   grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%
5. Take note of the value after "__ldpath__"
6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):
   sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
   sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
7. Delete the files obtained in steps 2 and 5
8. Run the following command in Terminal:
   defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:
   "The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"
10. Otherwise, run the following command in Terminal:
    grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%
11. Take note of the value after "__ldpath__"
12. Run the following commands in Terminal:
    defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
    launchctl unsetenv DYLD_INSERT_LIBRARIES
13. Finally, delete the files obtained in steps 9 and 11.
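The thirteen steps above boil down to two checks: does Safari's LSEnvironment dictionary carry a DYLD_INSERT_LIBRARIES entry, and does the user's ~/.MacOSX/environment carry one; in either case the injected library names a second file after an "__ldpath__" marker. The POSIX shell script below is an added example, not code from the original post or from F-Secure. It only reports what it finds and deletes nothing, so the removal steps stay a deliberate manual action. The parsing functions take the text that `defaults read` prints, saved to a file, and the sample data, file names and the dictionary/bare output formats noted in the comments are assumptions made for the example; on a Mac, `live_check` runs the real commands from steps 1 and 8.

```shell
#!/bin/sh
# Added example, not from the original post or from F-Secure: a read-only
# checker for the two persistence indicators the manual steps above inspect,
# Safari's LSEnvironment (steps 1-5) and ~/.MacOSX/environment (steps 8-11).
# It reports what it finds and deletes nothing; removal stays a manual step.
# The parsing functions take the text that `defaults read` prints, saved to a
# file, so the logic can be exercised on constructed sample data on any host.

# inserted_library DUMPFILE
# Print the DYLD_INSERT_LIBRARIES value from saved `defaults read` output:
# either the dictionary form step 1 prints (key = "value";) or the bare value
# step 8 prints (assumed formats). Prints an empty line when the key is absent
# or the saved text is the "does not exist" error.
inserted_library() {
    v=$(sed -n 's/^[[:space:]]*DYLD_INSERT_LIBRARIES = "\{0,1\}\([^";]*\)"\{0,1\};.*$/\1/p' "$1" | head -n 1)
    if [ -z "$v" ]; then
        # bare form: a single absolute path on the first line
        v=$(head -n 1 "$1" | grep '^/' || true)
    fi
    printf '%s\n' "$v"
}

# ldpath_marker LIBFILE
# Print the path that follows the "__ldpath__" marker inside the injected
# library (steps 4-5 and 10-11), using the same grep the F-Secure steps use.
# LC_ALL=C keeps the "[ -~]" byte range meaningful under any locale.
ldpath_marker() {
    LC_ALL=C grep -a -o '__ldpath__[ -~]*' "$1" 2>/dev/null | head -n 1 | sed 's/^__ldpath__//'
}

# report LABEL DUMPFILE
# Combine both checks. Returns 0 when an indicator is present, 1 when clean.
report() {
    lib=$(inserted_library "$2")
    if [ -z "$lib" ]; then
        echo "$1: clean (no DYLD_INSERT_LIBRARIES entry)"
        return 1
    fi
    echo "$1: DYLD_INSERT_LIBRARIES -> $lib   (file to remove in step 7 or 13)"
    if [ -f "$lib" ]; then
        second=$(ldpath_marker "$lib")
        if [ -n "$second" ]; then
            echo "$1: __ldpath__ -> $second   (second file to remove)"
        fi
    else
        echo "$1: library file is not present on this host"
    fi
    return 0
}

# live_check
# On a Mac, run the two `defaults read` commands from steps 1 and 8 and feed
# their output to report. Does nothing on hosts without defaults(1).
live_check() {
    command -v defaults >/dev/null 2>&1 || { echo "defaults(1) not found; skipping live check"; return 0; }
    defaults read /Applications/Safari.app/Contents/Info LSEnvironment > "$tmp/live_safari.txt" 2>/dev/null || :
    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES > "$tmp/live_user.txt" 2>/dev/null || :
    report "Safari LSEnvironment" "$tmp/live_safari.txt" || :
    report "~/.MacOSX/environment" "$tmp/live_user.txt" || :
}

# --- constructed sample data standing in for real command output ---
tmp=$(mktemp -d)
# Step 1 output on an infected Safari (paths are constructed, not real IoCs)
printf '{\n    DYLD_INSERT_LIBRARIES = "%s/fake.so";\n}\n' "$tmp" > "$tmp/safari.txt"
# Stand-in for the injected library: binary-looking bytes around the marker
printf 'XX\001\002__ldpath__%s/second.so\n\003trailing\n' "$tmp" > "$tmp/fake.so"
# Step 8 output on a clean user environment (the error text, saved)
printf 'The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist\n' > "$tmp/user_clean.txt"
# Step 8 output on an infected user environment: the bare value
printf '%s/fake.so\n' "$tmp" > "$tmp/user_infected.txt"

report "sample Safari" "$tmp/safari.txt" || :
report "sample clean user env" "$tmp/user_clean.txt" || :
report "sample infected user env" "$tmp/user_infected.txt" || :
live_check
```

Run it as a normal user first; it needs no sudo because it never writes to Safari.app. If `report` names two files, those are the ones steps 7 and 13 tell you to delete after running the `defaults delete` and `launchctl unsetenv` commands from steps 6 and 12.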

GiraffeDog.net Anti-Virus Recommendations

GiraffeDog.net recommend that Apple OS X users install some form of anti-virus software. This is especially true if you are running virtualised environments such as VMware or Parallels. There are several anti-virus options available for the Mac, and if you are looking to install something now we recommend:

http://www.intego.com/virusbarrier – £45.00

http://www.clamxav.com/ – free

If you are concerned with your laptop’s security or think you have a virus and would like some help with this then please call us.

References

http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

http://news.drweb.com/show/?i=2341&lng=en&c=14

http://www.bbc.co.uk/news/science-environment-17623422
