Is Your Mac Infected By The Flashback Trojan Affecting 600,000 Macs?


Think Apple's software is free from vulnerabilities? You couldn't be more wrong.
Your Mac could be one of the 600,000 infected by malware. Here's how to check.

A Mac infected by a virus used to be something of a rarity, and it was the best argument you could bring to a Mac versus PC debate. But with Mac adoption surging in recent years, it was inevitable that Apple’s operating system would become a target for hackers.

Variations of one Flashback trojan, which first surfaced back in 2007, are now affecting more than 600,000 Macs around the world. Here’s how to find out whether your machine’s affected and kill the malware.

The Russian antivirus company Dr. Web announced yesterday that the Flashback trojan is now installed on over 550,000 Macs. Hours later, Dr. Web malware analyst Sorokin Ivan announced on Twitter that the figure had risen to 600,000 Macs, 274 of which were infected in Apple’s hometown of Cupertino, California.

The most recent variant of the Flashback trojan targets Macs that have an older version of Java Runtime installed. Thankfully, Apple issued an update earlier this week patching the vulnerability, but for some machines it was just too late.

Ars Technica explains how the hack works:

Like older versions of the malware, the latest Flashback variant searches an infected Mac for a number of antivirus applications before generating a list of botnet control servers and beginning the process of checking in with them. Now that the fix for the Java vulnerability is out, however, there’s no excuse not to update—the malware installs itself after you visit a compromised or malicious webpage, so if you’re on the Internet, you’re potentially at risk.

You can find out whether your machine is affected by opening up the Terminal application and typing:

defaults read /Applications/ LSEnvironment

If you get the message “The domain/default pair of (/Applications/, LSEnvironment) does not exist”, you must then enter:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

If you get the message “The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist”, then your Mac is safe. Basically, the “does not exist” message means you’re clean.

If you see anything other than those messages, you can check out F-Secure’s guide to removing the Flashback trojan.
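
The two checks above can be wrapped in a small shell script. This is an added example, not code from the original article or from F-Secure's guide. The first domain is truncated on the page, so the script takes it as an argument; the function names are this example's own, and it assumes `defaults` exits non-zero when a key is absent.

```shell
#!/bin/sh
# Added example: automates the two `defaults read` checks described above.

# check_pair DOMAIN KEY
# Returns 0 only when defaults reports the key as absent, 1 otherwise.
check_pair() {
    cp_domain=$1
    cp_key=$2
    # Capture stdout and stderr together so the message is seen on either stream.
    cp_out=$(defaults read "$cp_domain" "$cp_key" 2>&1) && cp_status=0 || cp_status=$?
    # Assumption: a missing key makes defaults exit non-zero. Requiring that as
    # well as the message means a stored value that merely contains the text
    # "does not exist" is not mistaken for a clean result.
    if [ "$cp_status" -ne 0 ]; then
        case $cp_out in
            *"The domain/default pair of ("*") does not exist"*)
                echo "clean:   $cp_domain $cp_key"
                return 0 ;;
        esac
    fi
    echo "SUSPECT: $cp_domain $cp_key returned: $cp_out"
    return 1
}

# flashback_check APP_DOMAIN
# APP_DOMAIN is the first domain from the article; the caller supplies it
# because the path is cut off on the page and is not guessed here.
flashback_check() {
    fc_domain=$1
    check_pair "$fc_domain" LSEnvironment || return 1
    check_pair "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES || return 1
    echo "Both keys absent: these two checks found no Flashback indicator."
}

# Runs only when a domain argument is given on the command line.
[ $# -eq 0 ] || flashback_check "$1"
```

A SUSPECT line corresponds to the article's "anything other than those messages" case, which is the point at which to follow F-Secure's removal guide.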

[via Ars Technica]

  • Aidan Taylor

    Haha so much for no viruses.

  • mr_bee

    Haha so much for no viruses.

    Not a Virus. Trojan.
    Trojans require massive amounts of human stupidity to propagate.

    I think perhaps you know a lot about this. ;)

  • Flyphoenix

    The age old argument “Macs can’t get viruses! Only PC can!” What is your Mac made of diamonds?! Of course it can get viruses.

  • Colin Fox

    Here is what I get:

    “DYLD_INSERT_LIBRARIES” = “/Applications/”;

  • TheKnightWhoSaysNi

    From the description, it is not clear if this malware really needs human intervention.
    Apparently it can infect the system even if the admin password is not entered, but must the user download the application first?

  • Barton Lynch

    I’m clean!

  • DucatiChap

    I’m clean too!
    Happy days!

  • Jkcollins01

    Really? And where exactly would these Russians get this information from? … It’s just another company looking for press or trying to sell their solutions



  • Gregory Sargent

    Here is what I get:

    “DYLD_INSERT_LIBRARIES” = “/Applications/”;

    It means you’re infected… I believe. Read F-Secure’s guide for removal.

  • Pol Kan

    Easy way to know if “flashback Trojan” infected your mac (osx lion)

  • Maki

    Erm… While I’m glad to find out that my machine is clean, I’m a bit worried about the security update put out by Apple. Specifically, I’m worried that one wasn’t issued for my OS. (Go, go OSX Tiger!! My eight-year-old laptop needs love, too!!) Is there something I can do to keep my mac healthy, other than disabling Java in my web browsers?