There are two words, beautifully intentioned when used together, whose incantation unfortunately transforms the recipient into a raging anxiety attack: Don’t Panic.
Despite the propensity for causing discord, I use them now, right off the cuff, when addressing those of you who are using Macintosh computers. Don’t Panic.
We Mac users have been very complacent about our computers because, until recently, there really has not been reason to worry about viruses, trojans, exploits, etc. I have been using Macs for almost 30 years now, since the original was released in 1984, and it was only last year that I installed anti-virus software.
Times change.
By now many of you have read about the Flashback virus, which has infected over 600,000 computers, and are sufficiently, and rightly, scared. This is a particularly nefarious bit of code that, depending on its variant, can infect your computer without you doing anything or even knowing something has happened.
The upshot is, though bad, it is fairly easy to diagnose and repair your machine.
There is a lot of information out there, and quite a bit of it gets heavy with jargon and looks technical, but I will present what I have researched (as of this writing) in prose as simple as possible (with links to the more technical information for those interested). I will lay it out in four sections: What is Flashback? How do you check for it? What do you do if you have it? What can you do in the future to protect yourself? I do this so that all the information is in one place, but by all means, skip ahead to the section which is most important for you.
Most importantly, Don’t Panic.
What is Flashback?
Flashback is malware that first showed up towards the end of 2011, sometime in September. Originally it was a trojan (malicious code which is hidden within another piece of software or a file) that pretended to be an Adobe Flash installer, hence the name. This version required the user to launch the installer and provide an administrative username and password.
The latest version is much more insidious in that the user can be infected without clicking on anything, not even a link. This is achieved by exploiting a weakness in the Java software framework.
Oracle, Java’s developer, patched this flaw back in February, 2012. The reason Apple computers were still at risk was Apple develops its own version of Java, and does so at a slower pace. Apple has been repeatedly admonished for its slow response time. Likely because of this heat, Apple quickly released an update to its Java on Tuesday, April 3.
So, everything is under control (for the moment), right? The short answer is yes. The long answer is, before you run off to run Software Update, there are a few steps you need to take first.
How Do You Check For It?
The first step is you need to check and see if your system is one of the 600,000 infected. More than half of those infected are in the United States and Canada, so if you are one of our readers in those countries, you really need to follow these steps. These steps were provided by the incredibly helpful and knowledgeable Jacqui Cheng at Ars Technica:
Launch Terminal from /Applications/Utilities on your Mac. Then individually type or paste these three lines into the Terminal:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read /Applications/Firefox.app/Contents/Info LSEnvironment
If the Terminal returns back to you lines that look like this:
The domain/default pair of (/Users/[yourusername]/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist
The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist
The domain/default pair of (/Applications/Firefox.app/Contents/Info, LSEnvironment) does not exist
Then you’re home free and you’re not (yet) infected by Flashback.
If you are not infected with Flashback, run Software Update from Apple Menu/Software Update… There will be one of two updates for Java available, depending on which version of the OS you are running.
Java for Mac OS X 10.6 Update 7 (for Snow Leopard, 10.6)
Java for OS X Lion 2012-001 (for Lion, 10.7)
You may notice that this update is only for OS X 10.6 and 10.7. If you are running an earlier version of the operating system, then you are out of luck. Apple no longer supports those versions of OS X. You do have options to protect yourself, which you can read in the section “What Can You Do in the Future to Protect Yourself?”
What Do You Do if You Have It?
Now, here’s the difficult part. What to do if your results from the previous section returned something like:
"DYLD_INSERT_LIBRARIES" = "/Applications/Safari.app/Contents/Resources/ .BananaSplittervxall.png"
This is far more technical, but the steps are very specific and easy to copy and paste. If you still find it too daunting, there is always the “computer guy” that you can bribe with pizza and beer. To her, or him, this will be quick and easy.
The steps were provided by F-Secure's Trojan-Downloader:OSX/Flashback.K page (the step numbers below are the ones the steps refer to):
1. Run the following command in Terminal: defaults read /Applications/Safari.app/Contents/Info LSEnvironment
2. Take note of the value, DYLD_INSERT_LIBRARIES
3. Proceed to step 8 if you got the following error message: "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"
4. Otherwise, run the following command in Terminal: grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%
5. Take note of the value after "__ldpath__"
6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):
   sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
   sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
7. Delete the files obtained in steps 2 and 5
8. Run the following command in Terminal: defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following: "The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"
10. Otherwise, run the following command in Terminal: grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%
11. Take note of the value after "__ldpath__"
12. Run the following commands in Terminal:
    defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
    launchctl unsetenv DYLD_INSERT_LIBRARIES
13. Finally, delete the files obtained in steps 9 and 11.
14. Run the following command in Terminal: ls -lA ~/Library/LaunchAgents/
15. Take note of the filename. Proceed only when you have one file. Otherwise contact our customer care.
16. Run the following command in Terminal: defaults read ~/Library/LaunchAgents/%filename_obtained_in_step15% ProgramArguments
17. Take note of the path. If the filename does not start with a ".", then you might not be infected with this variant.
18. Delete the files obtained in steps 15 and 17.
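If you would rather run the three checks from the "How Do You Check For It?" section and the LaunchAgents inspection from the removal steps in one go, here is a small POSIX shell script that does that. It is an added example, not code from the article, Ars Technica or F-Secure; the verdict names (clean, suspicious, unknown) are my own, and the `defaults` command only exists on macOS, so on any other system each probe simply reports unknown.

```shell
# Added example (not the article's or F-Secure's code): wraps the three
# "defaults read" probes above and the LaunchAgents check from the removal
# steps. "defaults" exists only on macOS; elsewhere each probe reports unknown.

# classify_probe OUTPUT: turn one "defaults read" result into a verdict.
#   clean -> key does not exist (the healthy answer shown in the article)
#   suspicious -> a value is set, i.e. something configured library injection
#   unknown -> empty output or "defaults" was not available on this system
classify_probe() {
    case "$1" in
        "") echo unknown ;;
        *"does not exist"*) echo clean ;;
        *"not available"*) echo unknown ;;
        *) echo suspicious ;;
    esac
}
# extract_path OUTPUT: pull the injected library path out of a suspicious
# result, handling the dict form (KEY = "path";) and the bare-value form.
extract_path() {
    p=$(printf '%s\n' "$1" | sed -n 's/.*= *"\([^"]*\)".*/\1/p')
    if [ -n "$p" ]; then printf '%s\n' "$p"
    else printf '%s\n' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'; fi
}
# run_probe DOMAIN KEY: "defaults read" with stderr merged, because the
# "does not exist" message is printed on stderr.
run_probe() {
    if command -v defaults >/dev/null 2>&1; then defaults read "$1" "$2" 2>&1
    else echo "defaults not available on this system"; fi
}
check_one() {
    out=$(run_probe "$1" "$2"); verdict=$(classify_probe "$out")
    printf '%s %s: %s\n' "$1" "$2" "$verdict"
    if [ "$verdict" = suspicious ]; then
        printf '  injected library: %s\n' "$(extract_path "$out")"; fi
}
# hidden_launch_agents DIR: list LaunchAgent files whose name starts with ".",
# the indicator the removal steps (step 17) use for this variant.
hidden_launch_agents() {
    for f in "$1"/.*; do
        case "$f" in */.|*/..) continue ;; esac
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
}
check_flashback() {
    check_one "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES
    check_one /Applications/Safari.app/Contents/Info LSEnvironment
    check_one /Applications/Firefox.app/Contents/Info LSEnvironment
    hidden_launch_agents "$HOME/Library/LaunchAgents"
}
check_flashback
```

Any line reported as suspicious, or any dot-prefixed file listed from LaunchAgents, is the value you carry into the numbered removal steps above.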
What Can You Do in the Future to Protect Yourself?
Now that your system is clean and you are able to breathe without hyperventilating, the question becomes, what now?
First, get yourself some anti-virus software.
Paid
- Norton Antivirus $49 p/year (http://us.norton.com/)
- Virus Barrier X6 $49 p/year (http://www.intego.com/virusbarrier)
- Virus Barrier Plus $4.99 (App Store)
- iAntiVirus $29 for up to 3 computers (http://www.iantivirus.com/)
- Kaspersky Virus Scanner $9.99 (App Store)
Free
- Dr. Web Lite (App Store)
- ClamXav (App Store)
- Virus Barrier Express (App Store)
- Sophos Anti-Virus Home Edition (http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx)
- Avast! (http://www.avast.com/en-us/free-antivirus-mac)
Second, invest in Little Snitch, $29.95 (http://www.obdev.at/products/littlesnitch/index.html). No one likes a tattletale, except when it’s a program that is watching for outgoing network traffic that you did not initiate, like viruses sending your sensitive information to malicious servers. One of the Flashback variants actually checks for the Little Snitch application, and if it finds it, stops the installation process and deletes itself.
Third, and this one is difficult, turn off Java. Yes, I know that Apple has patched this problem (at least for OS X 10.6 and 10.7), but there are more problems waiting to be exploited, and Java is one of the places the bad guys like to hit. To turn off Java in Safari, go to Safari/Preferences/Security and uncheck “Enable Java”. This will break some of the functionality of the web. If there are sites you visit, and things you regularly do that are an absolute necessity, enable Java when you need it, but turn it off when you do not. While not the most convenient, it is the best for security. In the end, you have to ask yourself which is more important, convenience or security.
Flash is another black hole of despair for the security conscious, but that’s a whole article to itself.
Fourth, be hyper-aware of what is going on when you are on the interwebs. I know that the most recent version of this virus exploited a hole in some software which allowed it to compromise a system without the user being aware, but vigilance is ALWAYS the best advice. Speaking of advice, the best I have ever heard is this: only install something that you went out looking for. That is, if you are just lazily surfing, and a pop-up tells you to update your virus software, or install Flash Player, or whatever, ignore it. Close the window and go about your business. If you find that there is something you were going to do that does not work for some reason, e.g. a YouTube video will not play, go to the website directly to download the necessary application.
And never, ever, blindly click links in email, even from friends or family. Most of the time viruses come from your friends’/family’s infected computers. If you do like to send links back and forth, be sure to add some kind of specific verbiage in the email that only you all know of, e.g. “This is actually from me, not some hacker.” While not perfect, it is another layer of security, and in the wild, wild web we need all the security we can get.
6 Comments
Awesome, thanks, just done the test and I’m clean.
Thanks so much that was really helpful, I’m clean and norton anti-virus is being installed momentarily :-)
I’m one of those computer guys. And while the steps are “easy”, they aren’t so easy. They are time consuming and a pain even if they are easy to understand. The best thing you guys could do is not make it so “computer guys” have to keep up with two platforms to help friends. I’d recommend a Windows 7 PC as Windows is more hardened against malware and so are the scanners. Often the repair takes less work or time on a PC in spite of the years Apple pushers have spent to reprogram your mind to help Apple profit. If you do that, you will not only help, but save yourself a bundle of money and have a faster computer. Next run your updates and your scanners regularly. Hey, it’s time to face up. You’re now doing what you went to Mac to escape. There is no escape other than to keep updated, make backups and have recent scanners. I’m a 30 year computer pro and can fix anything, Mac or PC, so I do know what I’m talking about. Again, if you want to help, follow this advice in the future. Thanks. (And for those who will claim I’m a fanboy, why would I be? I get nothing for it; also it’s Apple fans that usually need to be fanboys to insist on them. With PCs you don’t need to be a fanboy because it’s cheaper and just makes sense. So no fanboy here. I will however fix Windows PCs first and put Macs 2nd on my list.)
@mooncraft999 I am not an Apple fanboy and support Windows, Mac and Linux for my job. I would like to point out that you should not fill consumers with your opinion that Windows 7 is a hardened operating system. I fix a lot of Windows 7 PCs that get infected all the time; any OS is just as susceptible as the next to infections. Some OS & software companies are just quicker than others to patch security flaws and holes. Sadly consumers don’t keep up on patching their computer in a timely fashion and get infected. Who is to blame? Software companies that make poorly written software. I could go on and on but consumers just need to make the decision on “What OS meets my needs and which one do I understand the best and can more easily use?” Most of the new teachers and faculty that I give a new MacBook who came from a Windows environment say it’s so easy to use and more intuitive than Windows. Again that is not my opinion as I don’t care if you use Windows, Mac or Linux as they all have their flaws, just please don’t push your opinion as you sound like a Windows fanboy!
This wouldn’t be Apple’s fault if they used the original Java repository, instead of being all “I do everything by myself” and making their own Java (using “someone else’s” Java).
Still, Windows is NOT a hardened system AT ALL. I’m a Linux fanboy, I admit, but I try my best to be the most neutral possible in my texts.
Imagine a car. You have it for 3 years, maintained it nicely and ONCE it gave you a headache. You spent $1200 at the shop, it had to stay there for a day and it came out well. You stay with it for another 2 years and then sell it. You sold it running pretty well.
And then you get this new car. Every 6 month, you have to go fix something, although you maintain it like the User Manual recommends.
But it’s a small problem and there’re fixes everywhere. 5 minutes and $50 bucks and it’s on the road again. Sometimes it’s a little bigger problem, and you spend $200 on it and few hours to fix it, but it ends up right. Maybe there will be some sequel, you might lose something, but even handicapped, it’ll be ready to fight again.
That’s Mac and Windows. Mac fixing may be more exhausting for the not tech-savvy persons (and scary with all those terminals, words, letters, numbers and things), but it is more robust, indeed. Hell, I don’t remember the last time I’ve heard of a virus for Mac. Also, it is very uncommon for it to get a virus, so virus removal software is expected to be very rustic.
Windows may be “easier to fix” (because they’re used to it) and have pretty programs that fix it (because it’s a common thing). But robust? nah.
______
p.s.: I DON’T REMEMBER ANY LINUX VIRUSES BWAHAHAHAHAHAHAHAHAHAHAH
I’m a linux fanboy, I had to do it, otherwise I wouldn’t sleep at night, sorry.
Thank you so much for this, ran the test, easy peasy, and I’m clean too. Thank you thank you thank you!!