Sunday, November 4, 2012

Ridding your Mac of the Flashback Trojan

How to check your Mac for, and remove, the Flashback Trojan

How you get it:
It is a Java drive-by download: a malicious web page exploits the Java browser plug-in, and the installer it drops usually pretends to be a new version of Flash Player.

What it does:
-Sends screenshots of your personal information to a remote server
-Avoids detection by hiding from your AV
-Only then downloads the actual malware payload

How many are infected?
An estimated 600,000+ Macs have been infected

Checking whether you have it is simple.
Open Terminal and enter these one at a time:

Code:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

defaults read /Applications/Safari.app/Contents/Info LSEnvironment  # for Safari

defaults read /Applications/Firefox.app/Contents/Info LSEnvironment  # for Firefox

defaults read "/Applications/Google Chrome.app/Contents/Info" LSEnvironment  # for Chrome (the bundle on disk is named "Google Chrome.app")

If a command replies with something like
"The domain/default pair of (/Applications/Google Chrome.app/Contents/Info, LSEnvironment) does not exist"
then that location is clean: the key is simply not set.
If instead it prints a value (a path to a .dylib, or a dictionary containing DYLD_INSERT_LIBRARIES = "<path>"), the Trojan has set that key so the browser loads its library on every launch, and you have it.

Removing it is simple too.
For each check that printed a file path (rather than "does not exist"), make a note of the full path; it may appear paired with "DYLD_INSERT_LIBRARIES". That path is the loader library the Trojan injects, and the library stores the path of the payload it loads right after the marker __ldpath__. Pull that second path out by running the following with the noted path in place of FILEPATH (copy and paste this command):
Code:
grep -a -o '__ldpath__[ -~]*' FILEPATH

Now locate the files named in the output of the commands above (the injected library itself and the payload path printed after __ldpath__) and delete them. If you cannot find them in the Finder, type "sudo rm " (with a trailing space) in the Terminal, select the full file path from the command's output, copy it with Command-C and paste it with Command-V, and press Enter to remove that file. Repeat for each path.

A few more commands remove the hooks that load the library, and then you are clean:

Code:
# Remove the LSEnvironment hook the Trojan added to the browser bundle
sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment

# defaults rewrote Info.plist as root; restore its normal permissions
sudo chmod 644 /Applications/Safari.app/Contents/Info.plist

sudo defaults delete /Applications/Firefox.app/Contents/Info LSEnvironment

sudo chmod 644 /Applications/Firefox.app/Contents/Info.plist

# Remove the per-user environment hook, then clear it from the running launchd
defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

launchctl unsetenv DYLD_INSERT_LIBRARIES

There you go: the environment hooks are back to default and the Trojan is gone. If the Chrome check also printed a value, run the same defaults delete and chmod commands against "/Applications/Google Chrome.app/Contents/Info" and its Info.plist. Since the infection arrives through Java, also update or disable the Java browser plug-in so you are not reinfected.
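As an added example (not part of the original post), here are the checks above wrapped into one script: it reads every domain/key pair listed earlier, pulls the library path out of whatever defaults prints, and runs the __ldpath__ grep against that file. The helper names, the "check" argument and the sample file used below are my own assumptions; the domain/key pairs and the grep are the ones from the post. It only reports, it does not delete anything, so the removal steps stay deliberate and manual.

```shell
#!/bin/sh
# flashback_check.sh: the post's manual checks as one script.
# Added example, not from the original post. Helper names and the "check"
# argument are assumptions of this example; the domain/key pairs are the
# ones listed in the post. Chrome's bundle on disk is "Google Chrome.app".
PAIRS="
$HOME/.MacOSX/environment|DYLD_INSERT_LIBRARIES
/Applications/Safari.app/Contents/Info|LSEnvironment
/Applications/Firefox.app/Contents/Info|LSEnvironment
/Applications/Google Chrome.app/Contents/Info|LSEnvironment
"

# Print the value and return 0 when defaults finds the key (suspicious);
# return 1 when it reports "does not exist" (clean) or defaults is absent.
check_pair() {
    pair_domain=$1
    pair_key=$2
    if pair_value=$(defaults read "$pair_domain" "$pair_key" 2>/dev/null); then
        printf '%s\n' "$pair_value"
        return 0
    fi
    return 1
}

# The printed value is either a bare path (environment domain) or a dictionary
# such as  { DYLD_INSERT_LIBRARIES = "/path/to/lib.dylib"; }  (LSEnvironment).
# Extract the first path-looking token from either form.
path_from_value() {
    printf '%s\n' "$1" | grep -o '/[^";}]*' | head -n 1
}

# The injected library stores the payload path right after "__ldpath__".
# This is the post's grep with the marker stripped; LC_ALL=C makes the
# [ -~] range mean printable ASCII regardless of the user's locale.
extract_ldpath() {
    LC_ALL=C grep -a -o '__ldpath__[ -~]*' "$1" | sed 's/^__ldpath__//' | head -n 1
}

# Run every check and report what would need to be removed.
run_checks() {
    printf '%s\n' "$PAIRS" | while IFS='|' read -r domain key; do
        [ -n "$domain" ] || continue
        if value=$(check_pair "$domain" "$key"); then
            lib=$(path_from_value "$value")
            printf 'SUSPECT  %s %s -> %s\n' "$domain" "$key" "$lib"
            if [ -f "$lib" ]; then
                payload=$(extract_ldpath "$lib")
                if [ -n "$payload" ]; then
                    printf '  payload path inside library: %s\n' "$payload"
                fi
            fi
        else
            printf 'clean    %s %s\n' "$domain" "$key"
        fi
    done
}

# Only run when invoked as:  sh flashback_check.sh check
case "${1:-}" in
    check) run_checks ;;
esac
```

Run it as `sh flashback_check.sh check`; any line starting with SUSPECT names the library to delete with `sudo rm`, and the indented line under it is the payload path the post's grep would have given you.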
