Flashback Trojan Removal Help


MacEnthusiast
Apr 6th, 2012, 11:20 PM
Hello all.

It would seem I need a bit of help. I have the Flashback trojan on my computer (Flashback-8 and Flashback-12) :(. ClamXav has discovered them, but I'm wondering if I should use Terminal to remove them instead. I'm not very familiar with this type of stuff (regrettably). If anyone could make a suggestion I'd really appreciate it.

Thanks.

fjnmusic
Apr 6th, 2012, 11:23 PM
I read some advice in this article today:

http://allthingsd.com/20120406/whats-this-a-mac-virus-no-actually-its-a-weakness-in-java/?reflink=ATD_yahoo_ticker

MacEnthusiast
Apr 7th, 2012, 12:39 AM
Hello again.

I always knew I would have to get cozy with Terminal, I just never knew it would be this type of situation. I followed the advice of the website you posted which suggested:

How to check for—and get rid of—a Mac Flashback infection (http://arstechnica.com/apple/news/2012/04/how-to-check-forand-get-rid-ofa-mac-flashback-infection.ars)

I got to Step 3 and got up to Step 12 before I started to have issues such as:

There is no (DYLD_INSERT_LIBRARIES) default for the (/Users/***/.MacOSX/Environment) domain.
Defaults have not been changed.

So since ClamXav had already discovered Flashback-8 and Flashback-12 I set the preferences to Quarantine to a folder on my desktop, rescanned and then trashed the folder. Then I tried to run the next step:

14. Run the following command in Terminal:
ls -lA ~/Library/LaunchAgents/

And got five files. According to the information I am supposed to only proceed if I have one file. So now I'm a bit lost.

pm-r
Apr 7th, 2012, 01:33 AM
Try some other sites and read the results carefully; it sounds like whatever you did, you're getting a false positive.

I.e.: bottom line, if no such file, you're NOT infected.

Check out:
Threat Description: Trojan-Downloader:OSX/Flashback.I (http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml)
and
600,000 Mac Users Afflicted with Flashback Trojan -- Are You One of Them? | Mac|Life (http://www.maclife.com/article/news/600000_mac_users_afflicted_flashback_trojan_are_you_one_them?)

I don't know about the other stuff that your ClamXav is showing. But there have been various previous versions of the Flashback Trojan/malware with similar names but different versions.

Edit: And a PS: have a read at
http://www.ehmac.ca/mac-ipod-help-troubleshooting/90748-trojan-alert-9.html

MacEnthusiast
Apr 7th, 2012, 01:50 AM
Oh, I was definitely infected, as I stated when I opened this post. An updated ClamXav found the two variants that I mentioned. This is the first time I've had to deal with such an issue and as such it has been a pain. I'm not familiar with Terminal even in the slightest, and while my tinkering with Terminal showed some progress, I am initially ill-prepared to remove it. I've installed Sophos Antivirus hoping it will pick up anything I have missed, but honestly I'm not even sure if Sophos has been updated to recognize the Flashback trojan. Worst case scenario I will have to re-install Lion, but I am hoping it doesn't come to that.

It's also interesting to add that I felt something was up with my Mac for a couple of days. While browsing a few days ago I had a pop-up that said "null" wanted to make a change and to input my password. Logically I did not. However, when following the directions to remove Flashback with Terminal it seemed I was in the further stages of infection. Funny also, is that Software Update is telling me there is a new Java update when I know that I installed that update via Software Update already a few days ago.

I should also add that I am persistent about keeping in line with checking updates often and scanning for viruses and spyware every so often, which is why this has been a surprise. I feel I made a mistake in not disabling Java in Safari. I actually forgot to do that after re-installing Lion after having reverted to Snow Leopard for a while.

pm-r
Apr 7th, 2012, 02:11 AM
Do yourself a quick Mac OS X fix, assuming that you're using Mac OS X 10.6.x or 10.7.x:
Shut down your Mac and boot into 'Safe Boot Mode' by pushing/holding the Shift key only, immediately when you hear the boot chime, at least until you see the spinning gear.

When "booted" in the SBM window, select your admin user name, enter password and log in.

Then restart normally and if needed, run your *updated* ClamXav again if you want.

There's a good chance that ClamXav may be seeing a cache file of the Trojans that have actually and maybe deleted themselves from your Mac.

PS: If you are actually and truly infected, you're sure in the minority!!

MacEnthusiast
Apr 7th, 2012, 02:25 AM
I believe I've already deleted the two variants that I specified by having ClamXav isolate them to a folder on my desktop and then deleting the folder. I didn't just go by what ClamXav said -- I used Terminal to attempt to rectify the problem. I'm still running Sophos Anti-virus and have yet to see the results.

I maybe have succeeded in deleting Flashback, but I'm not familiar with how viruses work. Will it respawn when I restart? I've really no idea at this point since I was not able to complete the Terminal instructions. Don't get me wrong, this isn't a case of me having discovered about Flashback online and freaking out. There was a trojan alert last year and I couldn't have cared less. I checked with ClamXav partially in jest and partially because my Mac has seemed a bit odd lately.

MacEnthusiast
Apr 7th, 2012, 02:39 AM
UPDATE: Well here is a bit of news. I finished running Sophos and it has detected a threat even though I deleted Flashback-8 and Flashback-12. The file name is ".null" which doesn't surprise me in the slightest. ".null" asked me for my password a few days back and I declined. I saw this file while tinkering with Terminal but couldn't seem to delete it. I've just deleted it with Sophos. It must be connected to the other two files I deleted. Again, all this is bizarre to me because I'm careful with my Macintosh.

rgray
Apr 7th, 2012, 06:17 AM
deleted

MacEnthusiast
Apr 7th, 2012, 10:01 AM
Yeah, tell me about it. I installed the second Java update last night before going to bed in Safe Mode. I rebooted today and noticed my Mac running much slower but that is probably due to Sophos Anti-Virus running in the background (I can hear my HDD doing a lot of thinking). This really sucks. Anti-Virus apps that run in the background hinder performance and I was quite happy to not have to run one of those in the past. It's possible there won't be another threat for a long time, but it's going to take me a while to wind down from this one. :(

krs
Apr 9th, 2012, 06:19 PM
There are a few things that don't make any sense.

For one, if one runs certain applications on the Mac including ClamXav which MacE obviously has, then this trojan automatically removes itself.
Point being that it tries to set up a BotNet with Macs, it's not trying to infect anything.
So based on that alone, I would say MacEnthusiast Mac is not infected with the Trojan.

But to make sure, run these three terminal commands listed on this website - run each one separately and check the response.
I don't like using the Terminal either, always thinking of typing an error and messing up my Mac, so I carefully copied and pasted each line.

How to check for—and get rid of—a Mac Flashback infection (http://arstechnica.com/apple/news/2012/04/how-to-check-forand-get-rid-ofa-mac-flashback-infection.ars)

I would also immediately get rid of Sophos and any other anti-virus software.
That type of software will just give you problems - believe me, I have had my experience that way. That software just screws up your Mac.
The only anti-virus software I would even consider is ClamXav, but it looks as if even that gave you false positives.

Maybe after you run these three terminal commands, you can report back here.

PS - I would delete Sophos completely before I run the terminal commands.

And I assume you have disabled Java now.....

krs
Apr 9th, 2012, 10:06 PM
I just came across this mini app to check for the trojan - it doesn't remove it, it just checks for it:

http://rsdeveloper.com/downloads/test4flashback.zip

Voyager
Apr 10th, 2012, 12:28 PM
There seem to be a couple of small programs to check whether you have this malware. This one is also available.

https://github.com/jils/FlashbackChecker/wiki

MacEnthusiast
Apr 10th, 2012, 03:34 PM
[quoting krs, Apr 9th, 2012, 06:19 PM]

Hey krs! Thanks for the reply. After initially being told by ClamXav that Flashback-8 and Flashback-12 were found, I searched the internet for more info. I came across the information on Threat Description: Trojan-Downloader:OSX/Flashback.K (http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml) and proceeded with their Terminal commands. I got to step 3 and had to proceed to step 8 because I was told "the domain/default pair does not exist". Step 8 commands gave me 2 files when instead I should have got "the domain/default pair does not exist". Then I proceeded with steps 10-14. After step 14 I was reacquainted with "null", which had asked me days prior to type in my administrator password because it wanted to make a change (I didn't). There were 5 files in total if my memory serves me correctly: one for Facebook, one for Divx, one for Google, one for Valve and lastly null. I proceeded with the remaining steps but had a problem removing anything, so I made a new folder on my desktop, changed the Preferences in ClamXav to drop Flashback-8 and Flashback-12 in the folder, rescanned, and then trashed the folder. After that I started the first few Terminal commands again and this time step 8 came up clean. Another scan with ClamXav was clean as well. I installed Sophos Anti-virus and it discovered "null" as a threat and I configured it to clean that up. I didn't attempt to get rid of the other 4 files. Should I have?

I'm not sure if everything is fine now or even if anything was harmed in any way. I've kept Sophos running in the background as a measure for a few days (but will be happy to remove it!). Java is deactivated in my browser. I'd like to format and re-install to be safe but am reluctant to do that for the amount of redownloading I will have to do. If anyone has any thoughts on this I'd love to hear from you as I know next to nothing about malicious code in general, except not to use my admin password for anything unknown.

MacEnthusiast
Apr 10th, 2012, 03:37 PM
[quoting Voyager, Apr 10th, 2012, 12:28 PM]

Thanks for the advice Voyager. However, I had already come across Flashback Checker and installed the app as a precautionary measure to assure myself that I had rid those Flashback "files". It came back clean.

krs
Apr 10th, 2012, 04:08 PM
MacE -

I'm pretty much convinced that Flashback-8 and Flashback-12 that ClamXav reports are false positives unless someone has some credible information to the contrary.
All I can find on those subjects is basically the same thing you found - ClamXav reports them but that is all.

Take a look at this post from the Apple forum for instance.
The user states he checked his Mac using the terminal commands (which to me is a valid check since so many different places verified that), but then after that check reports the Mac to be clean, ClamXav comes up with these -8 and -12 variants.

Quoted post:

Hello,
I have 10.6.8. Like every other Mac user, I used suggested terminal commands to check if I have the files that would indicate flashbacks found their way to my computer. They came out negative. Then I updated ClamXav and here it is...
1.) First scan found an OSX.Flashback-8 under users/computer and supposedly moved it to the quarantine folder, but since it is (.rserv), I can't see it... I searched discussion boards and decided to check my activity monitor and it was running. This is after it was quarantined and after I downloaded the Apple patch... Now I have Little Snitch checking things up.
2.) Then I ran another scan. This time ClamXav found another one (file name: Safari.app, infection name: OSX.Flashback-12). So this one does not have a (.) file name and it is under quarantine, but I still cannot see it in the folder. Furthermore, there is an error "ERROR: Can't unlink '/Applications/Safari.app/Contents/Resources/.PandaAntivirusTitanium.png': Permission denied". I have no idea what this file is... The only program downloaded between the first and second scan is Little Snitch! So it is curious that the first scan did not pick this one up...

MacEnthusiast
Apr 10th, 2012, 04:34 PM
[quoting krs, Apr 10th, 2012, 04:08 PM]

I find that very interesting krs. I've also read somewhere that Flashback apparently deletes itself if the computer it attempts to install on has ClamXav. :confused:

krs
Apr 10th, 2012, 05:17 PM
I find that very interesting krs. I've also read somewhere that Flashback apparently deletes itself if the computer it attempts to install on has ClamXav.

Yes.....

or any one of these applications:

Little Snitch
Xcode.app/Contents/MacOS/Xcode
VirusBarrier X6
iAntiVirus
avast!
ClamXav
HTTPScoop
Packet Peeper
Microsoft Word
Microsoft Office 2008
Microsoft Office 2011
Skype

Makes sense if the purpose of the trojan is to create a botnet.

On the other hand - are there really 600 000 Macs that visited a malicious web site (which is required to get this trojan in the first place) and don't have at least one of the above applications installed?
I find that a bit hard to believe.

MacEnthusiast
Apr 10th, 2012, 05:51 PM
[quoting krs, Apr 10th, 2012, 05:17 PM]

Hard to say for sure. I have both ClamXav and Xcode on my computer so if the theory is correct I should have had nothing like that on my computer. I don't even know if this "null" was part of it, but I suspect it was by the way it just popped up and asked me for my password. I read a lot of news and a few times I have clicked a link that takes me to another link which takes me to a shady site. I close the window and clear my cookies. But nothing remotely like this last episode. Maybe if I would have given "null" my admin password (stupidly) then maybe it would have deleted itself seeing as I have Xcode and ClamXav. Logically, I couldn't do that however. Is it possible that it may reside on one's Mac without being installed at which point ClamXav may discover it? Hard to say.

krs
Apr 10th, 2012, 07:36 PM
Hard to say for sure. I have both ClamXav and Xcode on my computer so if the theory is correct.....................

Nothing to do with "Theory" or any guesses.

The trojan code was analysed and the trojan code is such that it deletes itself if it detects any of the applications I listed.

This comes from the F-Secure site which I think provides the most accurate information about it
Threat Description: Trojan-Downloader:OSX/Flashback.I (http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml)

If you google for this trojan, you get the feeling the world has gone crazy - the amount of misinformation out there is just mind-boggling.

Every report adds a little bit of misinformation - like a bush fire out of control.

This place now reports that 2% of the Macs are infected worldwide:
Flashback trojan infected 2% of all Macs, Kapersky confirms botnet size - SlashGear (http://www.slashgear.com/flashback-trojan-infected-2-of-all-macs-kapersky-confirms-botnet-size-09222126/)

but the number of infected macs is still 550 000 to 600 000.
Last time I checked, the installed base was 62 million; I have seen numbers for the current installed base of between 60 and 90 million - that is still 1% or less of an infection rate no matter how one does the math.

Has any ehMac user been infected?
And I mean one where the test using the terminal command shows an infection.

Some of the sites describing this trojan are looking for infected Macs to test the detection software.
At a 1% rate with a heavy concentration in the US and Canada, one would think some of the ehMac users have an infected Mac.

monokitty
Apr 11th, 2012, 12:42 AM
Apple Developing Software to Remove Flashback Malware - Mac Rumors (http://www.macrumors.com/2012/04/10/apple-developing-software-to-remove-flashback-malware/).

This should help shortly.

MacEnthusiast
Apr 11th, 2012, 09:38 PM
[quoting monokitty, Apr 11th, 2012, 12:42 AM]

Amen to that.

Voyager
Apr 11th, 2012, 10:47 PM
One thing I've noticed about the programs that check for the malware. They test for it in Safari and Firefox but don't mention anything about Chrome. Is there a way to check for it in Chrome?

krs
Apr 12th, 2012, 10:01 AM
This is the terminal command for chrome.

best is to copy and paste it.

defaults read /Applications/Google\ Chrome.app/Contents/Info LSEnvironment
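The checks the thread is walking through (the Ars Technica / F-Secure steps MacEnthusiast followed, and the Chrome variant above) all come down to two questions: does a browser's Info.plist carry an LSEnvironment dictionary, and does ~/.MacOSX/environment.plist carry a DYLD_INSERT_LIBRARIES key? Either would make a library load into every process the plist governs. The script below is an added example, not code from the thread or from the Ars Technica guide. It reads XML plists with grep/sed so it can be run anywhere for demonstration; on a real Mac `defaults read` remains the authoritative reader (it also handles binary plists, which this script does not), and its "domain/default pair ... does not exist" error, quoted earlier in the thread, is the clean result, just as the "Defaults have not been changed" message comes from a delete step that found nothing to delete. The two sample plists, and the injected library path in the "bad" one, are constructed for the example and are not real Flashback indicators.

```shell
#!/bin/sh
# Added example (not from the thread): look for the Flashback persistence markers
# that the thread's "defaults read ... LSEnvironment" and
# "defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES" commands test for.
# XML plists are read with grep/sed; binary plists are out of scope here.

# flashback_markers FILE
#   Prints "clean" and returns 0 when neither marker is present;
#   prints "suspect: <keys>" and returns 1 otherwise.
#   A missing file is reported as clean, matching the "does not exist" result
#   of `defaults read` on a real Mac.
flashback_markers() {
  _f="$1"; _hits=""
  [ -r "$_f" ] || { echo "clean (no such file)"; return 0; }
  grep -q '<key>LSEnvironment</key>' "$_f" && _hits="$_hits LSEnvironment"
  grep -q '<key>DYLD_INSERT_LIBRARIES</key>' "$_f" && _hits="$_hits DYLD_INSERT_LIBRARIES"
  if [ -z "$_hits" ]; then echo "clean"; return 0; fi
  echo "suspect:$_hits"; return 1
}

# injected_library FILE
#   Prints the <string> value that follows the DYLD_INSERT_LIBRARIES key, i.e.
#   the dylib that would be loaded into every process started from that plist.
injected_library() {
  sed -n '/<key>DYLD_INSERT_LIBRARIES<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$1"
}

# scan_mac_locations
#   On a real Mac, run the authoritative check with `defaults read` over the
#   locations discussed in the thread (Safari, Firefox, Chrome, environment.plist)
#   and list the user's LaunchAgents. Skips itself where defaults(1) is absent.
scan_mac_locations() {
  command -v defaults >/dev/null 2>&1 || { echo "defaults(1) not available; skipping live scan"; return 0; }
  for app in Safari Firefox "Google Chrome"; do
    if defaults read "/Applications/$app.app/Contents/Info" LSEnvironment >/dev/null 2>&1; then
      echo "SUSPECT: LSEnvironment set in $app"
    else
      echo "clean: $app (no LSEnvironment, or app not installed)"
    fi
  done
  if defaults read "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES >/dev/null 2>&1; then
    echo "SUSPECT: DYLD_INSERT_LIBRARIES in ~/.MacOSX/environment.plist"
  else
    echo "clean: ~/.MacOSX/environment.plist"
  fi
  ls -lA "$HOME/Library/LaunchAgents/" 2>/dev/null
}

# --- constructed sample data (not real Flashback artefacts) -------------------
TMP=$(mktemp -d)
CLEAN_PLIST="$TMP/Info.plist"
BAD_PLIST="$TMP/Info.bad.plist"

cat > "$CLEAN_PLIST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.browser</string>
</dict>
</plist>
EOF

# Same bundle with an LSEnvironment dictionary injecting a (made-up) hidden dylib.
cat > "$BAD_PLIST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.browser</string>
    <key>LSEnvironment</key>
    <dict>
        <key>DYLD_INSERT_LIBRARIES</key>
        <string>/Applications/Example.app/Contents/Resources/.injected.dylib</string>
    </dict>
</dict>
</plist>
EOF

# Demonstration run against the constructed plists, then the live scan (Mac only).
flashback_markers "$CLEAN_PLIST"
flashback_markers "$BAD_PLIST" || echo "injected: $(injected_library "$BAD_PLIST")"
scan_mac_locations
```

Running it prints "clean" for the first sample and "suspect: LSEnvironment DYLD_INSERT_LIBRARIES" plus the injected path for the second; on a Mac it then repeats the thread's `defaults read` checks, where a non-zero exit (the key or domain does not exist) is the clean outcome and any successful read of LSEnvironment or DYLD_INSERT_LIBRARIES is what warrants a closer look.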

Voyager
Apr 12th, 2012, 12:50 PM
Thanks for the information krs. I thought it might be just a case of substituting the name of the browser. Didn't think about adding "Google" :D

CanadaRAM
Apr 12th, 2012, 01:11 PM
Note that Apple has not released a Java update for OS X 10.5 and earlier. If you are running an earlier OS X, then disable Java in your browser because it is still vulnerable.

Safari: click Preferences, then the Security tab, and uncheck "Enable Java".
Also uncheck the "Open 'safe' files after downloading" box in Safari Preferences > General tab.

Google Chrome: open Preferences, type "Java" in the search text box. Scroll down until you reach Plug-ins, click "Disable individual plug-ins." If Java is installed, you'll see a "disable" link for it.

Firefox: From the Firefox menu, choose Tools, Add-ons, and disable the Java plugin(s).

How To Disable Java in your Mac Web Browser | Mac|Life (http://www.maclife.com/article/howtos/how_disable_java_your_mac_web_browser)

I have been compiling information on the Tibet and Flashback trojans at
“Flashback” Java trojan and “Tibet” Microsoft Office trojan target Mac OSX | CanadaRAM: Memory and Computer Q&A (http://www.computer-answers.ca/2012/computer-questions/macintosh-questions/microsoft-office-bourne-trojan-horse-for-mac/)

Lawrence
Apr 12th, 2012, 06:51 PM
That's a relief, I don't have it.