Mac ‘Flashback’ Virus: What It Does And How To Remove It
We Mac users have been very complacent about our computers because, until recently, there really has not been reason to worry about viruses. Times change.
There are two words, beautifully intentioned when used together, whose incantation unfortunately transforms the recipient into a raging anxiety attack: Don’t Panic.
Despite the propensity for causing discord, I use them now, right off the cuff, when addressing those of you who are using Macintosh computers. Don’t Panic.
We Mac users have been very complacent about our computers because, until recently, there really has not been reason to worry about viruses, trojans, exploits, etc. I have been using Macs for almost 30 years now, since the original was released in 1984, and it was only last year that I installed anti-virus software.
By now many of you have read about the Flashback virus, which has infected over 600,000 computers, and are sufficiently, and rightly, scared. This is a particularly nefarious bit of code that, depending on its variant, can infect your computer without you doing anything or even knowing something has happened.
The upshot is, though bad, it is fairly easy to diagnose and repair your machine.
There is a lot of information out there, quite a bit of it gets heavy with jargon and looks technical, but I will present what I have researched (as of this writing) in as simple prose as possible (with links to the more technical information for those interested). I will lay it out in four sections: What is Flashback? How do you check for it? What do you do if you have it? What can you do in the future to protect yourself? I do so that all the information is in one place, but by all means, skip ahead to the section which is most important for you.
Most importantly, Don’t Panic.
What is Flashback?
Flashback is malware that first showed up towards the end of 2011, sometime in September. Originally it was a trojan (malicious code which is hidden within another piece of software or a file) that pretended to be an Adobe Flash installer, hence the name. This version required the user to launch the installer and provide an administrative username and password.
The latest version is much more insidious in that the user does not have to click on anything, not even a link, and can be infected. This is achieved by exploiting a weakness in the Java software framework.
Oracle, Java’s developer, patched this flaw back in February, 2012. The reason Apple computers were still at risk was Apple develops its own version of Java, and does so at a slower pace. Apple has been repeatedly admonished for its slow response time. Likely because of this heat, Apple quickly released an update to its Java on Tuesday, April 3.
So, everything is under control (for the moment), right? The short answer is yes. The long answer is, before you run off to run Software Update, there are a few steps you need to take first.
How Do You Check For It?
The first step is you need to check and see if your system is one of the 600,000 infected. More than half of those infected are in the United States and Canada, so if you are one of our readers in those countries, you really need to follow these steps. These steps were provided by the incredibly helpful and knowledgeable Jacqui Cheng at Ars Technica:
Launch Terminal from /Applications/Utilities on your Mac. Then individually type or paste these three lines into the Terminal:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read /Applications/Firefox.app/Contents/Info LSEnvironment
If the Terminal returns back to you lines that look like this:
The domain/default pair of (/Users/[yourusername]/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist
The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist
The domain/default pair of (/Applications/Firefox.app/Contents/Info, LSEnvironment) does not exist
Then you’re home free and you’re not (yet) infected by Flashback.
If you are not infected with Flashback, run Software Update from Apple Menu/Software Update… There will be one of two updates for Java available, depending on which version of the OS you are running.
Java for Mac OS X 10.6 Update 7 (for Snow Leopard, 10.6)
Java for OS X Lion 2012-001 (for Lion, 10.7)
You may notice that this update is only for OS X 10.6 and 10.7. If you are running an earlier version of the operating system, then you are out of luck. Apple no longer supports those versions of OS X. You do have options to protect yourself, which you can read in the section “What Can You Do in the Future to Protect Yourself?”
What Do You Do if You Have It?
Now, here’s the difficult part. What to do if your results from the previous section returned something like:
"DYLD_INSERT_LIBRARIES" = "/Applications/Safari.app/Contents/Resources/.BananaSplittervxall.png"
This is far more technical, but the steps are very specific and easy to copy and paste. If you still find it too daunting, there is always the “computer guy” that you can bribe with pizza and beer. To her, or him, this will be quick and easy.
The steps were provided by F-Secure’s Trojan-Downloader:OSX/Flashback.k page (the step numbers below are the ones the steps refer to):
1. Run the following command in Terminal: defaults read /Applications/Safari.app/Contents/Info LSEnvironment
2. Take note of the value, DYLD_INSERT_LIBRARIES
3. Proceed to step 8 if you got the following error message: “The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist”
4. Otherwise, run the following command in Terminal: grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%
5. Take note of the value after “__ldpath__”
6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):
sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
7. Delete the files obtained in steps 2 and 5
8. Run the following command in Terminal: defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following: “The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist”
10. Otherwise, run the following command in Terminal: grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%
11. Take note of the value after “__ldpath__”
12. Run the following commands in Terminal:
defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
launchctl unsetenv DYLD_INSERT_LIBRARIES
13. Finally, delete the files obtained in steps 9 and 11.
14. Run the following command in Terminal: ls -lA ~/Library/LaunchAgents/
15. Take note of the filename. Proceed only when you have one file. Otherwise contact our customer care.
16. Run the following command in Terminal: defaults read ~/Library/LaunchAgents/%filename_obtained_in_step15% ProgramArguments
17. Take note of the path. If the filename does not start with a “.”, then you might not be infected with this variant.
18. Delete the files obtained in steps 15 and 17.
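If you would rather not type the three checks from “How Do You Check For It?” one at a time, or want to see how the grep in steps 4 and 10 pulls the second file name out of the injected library, here is a small shell script I am adding as an example. It is not from this article, from Ars Technica, or from F-Secure. It is read-only: it runs the same three defaults read checks, labels each result clean or suspect, and can extract the value after “__ldpath__” from a file you point it at. It deletes nothing; the removal is still the numbered steps above. The sample defaults output and the temporary file in selftest are constructed for illustration, and the script only expects the defaults command when you run it with the check argument on an actual Mac.

```shell
#!/bin/sh
# Added example, not the article's or F-Secure's code. Read-only Flashback
# diagnostics: wraps the three `defaults read` checks and the `__ldpath__`
# grep from the removal steps. Run `sh flashback_check.sh check` on the Mac,
# or `sh flashback_check.sh selftest` anywhere to exercise the helpers.
LC_ALL=C      # make the "[ -~]" byte range behave the same in every locale
export LC_ALL

# Classify one `defaults read` result. The "does not exist" message means the
# key is absent (clean); an empty result means no value was set; anything
# else is a real value, which for these keys is worth a close look.
classify_defaults_output() {
    case "$1" in
        *"does not exist"*) echo clean ;;
        "")                 echo clean ;;
        *)                  echo suspect ;;
    esac
}

# One domain/key pair: print the verdict, and the value if there is one.
check_one() {
    out=$(defaults read "$1" "$2" 2>&1) || true   # the error text is the signal
    verdict=$(classify_defaults_output "$out")
    echo "$verdict: defaults read $1 $2"
    if [ "$verdict" != clean ]; then
        echo "    value: $out"
        return 1
    fi
}

# The article's three checks. Exit 0 when all are clean, 1 when any is not,
# 2 when this is not a Mac (no defaults command).
run_flashback_checks() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not found: run this on the Mac being checked" >&2
        return 2
    fi
    rc=0
    check_one "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES || rc=1
    check_one /Applications/Safari.app/Contents/Info LSEnvironment || rc=1
    check_one /Applications/Firefox.app/Contents/Info LSEnvironment || rc=1
    return $rc
}

# Steps 4 and 10: the injected library carries a printable "__ldpath__<path>"
# marker naming the second file to delete. -a treats the binary as text, -o
# prints only the match, and "[ -~]*" stops at the first non-printable byte.
extract_ldpath() {
    marker=$(grep -a -o '__ldpath__[ -~]*' "$1" 2>/dev/null | head -n 1)
    [ -n "$marker" ] || return 1
    echo "${marker#__ldpath__}"
}

# Exercise the helpers on constructed data (a fake binary in a temp file and
# two fake defaults results), so the logic can be checked off a Mac.
selftest() {
    tmp=$(mktemp) || return 1
    printf 'binary\000junk__ldpath__/tmp/example-payload.so\000tail\n' > "$tmp"
    got=$(extract_ldpath "$tmp")
    rm -f "$tmp"
    [ "$got" = "/tmp/example-payload.so" ] || return 1
    [ "$(classify_defaults_output 'The domain/default pair of (x, y) does not exist')" = clean ] || return 1
    [ "$(classify_defaults_output '"DYLD_INSERT_LIBRARIES" = "/Applications/Safari.app/Contents/Resources/.example.png"')" = suspect ] || return 1
    echo selftest ok
}

if [ "${1:-}" = selftest ]; then
    selftest
elif [ "${1:-}" = check ]; then
    run_flashback_checks
fi
```

A suspect verdict from the script is exactly the situation step 2 or step 9 describes: the value it prints is the path you feed to extract_ldpath (or to the grep in the steps), and only then do you move on to the deletions. Running the check again after the removal steps is a cheap way to confirm all three came back clean.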
What Can You Do in the Future to Protect Yourself?
Now that your system is clean and you are able to breathe without hyperventilating, the question becomes, what now?
First, get yourself an anti-virus software.
- Norton Antivirus $49 p/year (http://us.norton.com/)
- Virus Barrier X6 $49 p/year (http://www.intego.com/virusbarrier)
- Virus Barrier Plus $4.99 (App Store)
- iAntiVirus $29 for up to 3 computers (http://www.iantivirus.com/)
- Kaspersky Virus Scanner $9.99 (App Store)
- Dr. Web Lite (App Store)
- ClamXav (App Store)
- Virus Barrier Express (App Store)
- Sophos Anti-Virus Home Edition (http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx)
- Avast! (http://www.avast.com/en-us/free-antivirus-mac)
Second, invest in Little Snitch, $29.95 (http://www.obdev.at/products/littlesnitch/index.html). No one likes a tattletale, except when it’s a program that is watching for outgoing network traffic that you did not initiate, like viruses sending your sensitive information to malicious servers. One of the Flashback variants actually checks for the Little Snitch application, and if it finds it, stops the installation process and deletes itself.
Third, and this one is difficult, turn off Java. Yes, I know that Apple has patched this problem (at least for OS X 10.6 and 10.7), but there are more problems waiting to be exploited, and Java is one of the places the bad guys like to hit. To turn off Java in Safari, go to Safari/Preferences/Security and uncheck “Enable Java”. This will break some of the functionality of the web. If there are sites you visit, and things you regularly do that are an absolute necessity, enable Java when you need it, but turn it off when you do not. While not the most convenient, it is the best for security. In the end, you have to ask yourself which is more important, convenience or security.
Flash is another black hole of despair for the security conscious, but that’s a whole article to itself.
Fourth, be hyper-aware of what is going on when you are on the interwebs. I know that the most recent version of this virus exploited a hole in some software which allowed it to compromise a system without the user being aware, but vigilance is ALWAYS the best advice. Speaking of advice, the best I have ever heard is this: only install something that you went out looking for. That is, if you are just lazily surfing, and a pop-up tells you to update your virus software, or install Flash Player, or whatever, ignore it. Close the window and go about your business. If you find that there is something you were going to do that does not work for some reason, e.g. a YouTube video will not play, go to the vendor’s website directly to download the necessary application.
And never, ever, blindly click links in email, even from friends or family. Most of the time viruses come from your friends’/family’s infected computers. If you do like to send links back and forth, be sure to add some kind of specific verbiage in the email that only you all know of, e.g. “This is actually from me, not some hacker.” While not perfect, it is another layer of security, and in the wild, wild web we need all the security we can get.