A Mac infected by a virus used to be something of a rarity, and it was the best argument you could bring to a Mac versus PC debate. But with Mac adoption surging in recent years, it was inevitable that Apple’s operating system would become a target for hackers.
Variations of one Flashback trojan, which first surfaced back in 2007, are now affecting more than 600,000 Macs around the world. Here’s how to find out whether your machine’s affected and kill the malware.
The Russian antivirus company Dr. Web announced yesterday that the Flashback trojan is now installed on over 550,000 Macs. Hours later, Dr. Web malware analyst Sorokin Ivan announced on Twitter that figure had risen to 600,000 Macs, 274 of which were infected in Apple’s hometown of Cupertino, California.
The most recent variant of the Flashback trojan targets Macs that have an older version of Java Runtime installed. Thankfully, Apple issues an update earlier this week patching the vulnerability, but for some machines it was just too late.
Ars Technica explains how the hack works:
Like older versions of the malware, the latest Flashback variant searches an infected Mac for a number of antivirus applications before generating a list of botnet control servers and beginning the process of checking in with them. Now that the fix for the Java vulnerability is out, however, there’s no excuse not to update—the malware installs itself after you visit a compromised or malicious webpage, so if you’re on the Internet, you’re potentially at risk.
You can find out whether your machine is affected by opening up the Terminal application and typing:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
If you get the message “The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist”, you must then enter:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
If you get the message “The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist”, then your Mac is safe. Basically, the “does not exist” message means you’re clean.
If you see anything other than those messages, you can check out F-Secure’s guide to removing the Flashback trojan.
[via Ars Technica]