The Mac Flashback trojan is the latest variant of a piece of malware that originally posed as a Flash Player installer. Instead of downloading and adding in the latest version of Flash, the installer instead infected a user's computer with a trojan capable of stealing an unsuspecting user's personal information. These new variants, Trojan-Downloader:OSX/Flashback.I and Trojan-Downloader:OSX/Flashback.K, targeted a Java vulnerability within Mac OS X that was, at the time of discovery, unpatched by Apple.
Apple has since distributed two Java updates that should render the vulnerability useless. It is highly recommended that users with Java installed on their Mac install these updates immediately, but users should still check to make sure their machines aren't currently infected.
How to check your system for Mac Flashback infection
These Terminal commands will give you an easy way to find out whether or not you have a possible Flashback infection. First, launch Terminal from /Applications/Utilities on your Mac. Then individually type or paste these three lines into the Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

If the Terminal returns back to you lines that look like this:

The domain/default pair of (/Users/jacqui/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist
The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist
The domain/default pair of (/Applications/Firefox.app/Contents/Info, LSEnvironment) does not exist

Then you're home free and you're not (yet) infected by Flashback. You can feel safe again and comfortably install the latest patches for Java, disable Java completely or live life on the edge and do nothing.
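As an added example that is not part of the original post, the script below wraps the three checks above in a function and classifies what `defaults read` returns: the "does not exist" message means the key is absent, and anything else means a value is stored and should be investigated. Background for why these locations matter: DYLD_INSERT_LIBRARIES is the macOS dynamic loader variable that forces a library into every process it applies to, so a value set in environment.plist or in a browser's LSEnvironment dictionary is the indicator the post is looking for. The function names (`classify_defaults_output`, `check_key`, `flashback_scan`) are my own, and the sample outputs used in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): script form of the three
# detection checks. Function names are my own.

# Classify the text that `defaults read <domain> <key>` returned.
# An absent key produces the "does not exist" message quoted in the post;
# any other text is a stored value and is treated as suspect.
# Prints "clean" or "suspect"; exit status 0 = clean, 1 = suspect.
classify_defaults_output() {
    case "$1" in
        *"does not exist"*) printf 'clean\n';   return 0 ;;
        *)                  printf 'suspect\n'; return 1 ;;
    esac
}

# Run one check. $1 = domain (plist path without the .plist suffix),
# $2 = key. `defaults` reports a missing key on stderr, so merge 2>&1.
check_key() {
    out=$(defaults read "$1" "$2" 2>&1)
    printf '%s %s: ' "$1" "$2"
    classify_defaults_output "$out"
}

# The three locations the post checks: the per-user environment.plist and
# the LSEnvironment dictionaries of Safari and Firefox.
# Returns 0 only if all three come back clean; 2 if `defaults` is unavailable.
flashback_scan() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not found: these checks only run on macOS" >&2
        return 2
    fi
    rc=0
    check_key "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES || rc=1
    check_key /Applications/Safari.app/Contents/Info LSEnvironment || rc=1
    check_key /Applications/Firefox.app/Contents/Info LSEnvironment || rc=1
    return "$rc"
}

# Only run the live scan where `defaults` exists (i.e. on a Mac).
if command -v defaults >/dev/null 2>&1; then
    flashback_scan || echo "At least one check returned a value: see the removal steps." >&2
fi
```

Save it as a file, run it with `sh` on the Mac, and read the three lines it prints; a non-zero exit status means at least one of the keys holds a value.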
How to get rid of Mac Flashback
If the above shows anything but the intended results then life gets a bit more complicated. You'll need to remove the infection and apply the patches as needed. These removal instructions are from security research firm F-Secure's removal page.

In addition to these steps, F-Secure recommends checking for another variant of Flashback, Flashback.K. The instructions can be found on another page on F-Secure's website.

1. Run the following command in Terminal:
   defaults read /Applications/Safari.app/Contents/Info LSEnvironment
2. Take note of the value, DYLD_INSERT_LIBRARIES
3. Proceed to step 8 if you got the following error message: "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"
4. Otherwise, run the following command in Terminal:
   grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%
5. Take note of the value after "__ldpath__"
6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):
   sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
   sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
7. Delete the files obtained in steps 2 and 5
8. Run the following command in Terminal:
   defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following: "The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"
10. Otherwise, run the following command in Terminal:
    grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%
11. Take note of the value after "__ldpath__"
12. Run the following commands in Terminal:
    defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
    launchctl unsetenv DYLD_INSERT_LIBRARIES
13. Finally, delete the files obtained in steps 9 and 11.
14. Run the following command in Terminal:
    ls -lA ~/Library/LaunchAgents/
15. Take note of the filename. Proceed only when you have one file. Otherwise contact our customer care.
16. Run the following command in Terminal:
    defaults read ~/Library/LaunchAgents/%filename_obtained_in_step15% ProgramArguments
17. Take note of the path. If the filename does not start with a ".", then you might not be infected with this variant.
18. Delete the files obtained in steps 15 and 17.
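The removal steps lean on two commands whose behaviour is easy to misread: the `grep -a -o '__ldpath__[ -~]*'` extraction in steps 4 and 10, and the LaunchAgents listing in steps 14 to 17. As an added example that is neither the post's nor F-Secure's code, the script below puts each into a small function and exercises it on constructed input, so the commands can be understood without an infected machine. The `%path_obtained_in_step2%` placeholder in the instructions stands for the library path noted in step 2; here a constructed temporary file stands in for it, and every path and file name in the script is a placeholder.

```shell
#!/bin/sh
# Added example (not from the post or from F-Secure): helpers for the
# removal steps, exercised on constructed input. Names and paths are
# placeholders.

# Steps 4 and 10: print the path stored after the "__ldpath__" marker in
# file $1. grep -a treats a binary as text, -o prints only the match, and
# '[ -~]*' matches a run of printable ASCII (space through tilde), so the
# match ends at the first NUL or other non-printable byte. LC_ALL=C keeps
# the bracket expression a plain byte range.
extract_ldpath() {
    LC_ALL=C grep -a -o '__ldpath__[ -~]*' "$1" | head -n 1 | sed 's/^__ldpath__//'
}

# Steps 14 and 17: list entries of a LaunchAgents directory whose names
# start with ".", the naming the instructions single out. Prints one name
# per line and nothing when there are none.
hidden_launch_agents() {
    for f in "$1"/.[!.]*; do
        [ -e "$f" ] || continue
        basename "$f"
    done
}

# Constructed stand-in for the library from step 2: a few binary bytes
# around an embedded "__ldpath__<placeholder path>" string.
make_sample_library() {
    f=$(mktemp)
    printf '\000\001\002__ldpath__/Users/example/.placeholder.dylib\000\377\376' > "$f"
    printf '%s\n' "$f"
}

# Constructed LaunchAgents directory with one hidden and one ordinary plist.
make_sample_agents_dir() {
    d=$(mktemp -d)
    : > "$d/.constructed.plist"
    : > "$d/com.example.ordinary.plist"
    printf '%s\n' "$d"
}

lib=$(make_sample_library)
extract_ldpath "$lib"              # -> /Users/example/.placeholder.dylib
rm -f "$lib"

agents=$(make_sample_agents_dir)
hidden_launch_agents "$agents"     # -> .constructed.plist
rm -rf "$agents"
```

On a real machine you would call `extract_ldpath` on the library path recorded in step 2 or 9 and `hidden_launch_agents "$HOME/Library/LaunchAgents"`; the instructions' caution still applies, so stop and seek help if more than one candidate file turns up.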
How do I update Java on my Mac?
Now that you are presumably infection free, the next step is to update Java on your Mac. Apple has pushed the Java updates to the Software Update channel, so you would simply run the standard Mac OS X software update and you should see the patches. You can also manually download the update for Lion and Snow Leopard, respectively, from Apple's support site.

Conclusion - what you need to do now
If you've followed the above advice and performed these steps to update your system then you're inoculated against the current known version of the Flashback malware, but that doesn't mean the variant won't change again sometime in the future to exploit a different vulnerability on your Mac. This means you need to STAY VIGILANT!

Almost all malware needs user interaction to infect your machine, but that doesn't mean there isn't a nasty piece of software out there that doesn't. You need to keep your software up to date. Don't just apply operating system patches; apply those third party application updates as well. You should also be open to the idea that your Mac is not as secure as you once thought it was. You might want to grab some security software. You might also want to pay closer attention to your system and how you use it. Don't blindly install files from strange sources, don't click to open those odd emails, and definitely don't blindly click to install anything you aren't sure of or blindly enter your admin password for anything, ever!
Geek-News.Net