HT5244 Flashback Trojan

I tried to install Java for OS via the latest update and it said it couldn't install because it may have been corrupted. How do I know I have Java and any help? I am ultimately trying to protect my computer against Flashback. Is there any way of knowing you have the malware on your computer?

Ignore the error message and choose to Open the installer. If you are running Lion and never downloaded and installed Java, then you do not need to install the update. If you open Software Update and no updates are available you do not need the update.
Helpful Links Regarding Flashback Trojan
A link to a great User Tip about the trojan: Flashback Trojan User Tip
A related link in the tip to a checker: Malware Checker Download Link
Another excellent reference on malware: Mac Malware Guide
A Google search can reveal a variety of alternatives on how to remove the trojan should your computer get infected. This can get you started.
Checking for and removing the "Flashback" trojan
Kaspersky Flashback Trojan Site: Flashback Trojan Detection and Removal
F-Secure Tool: Flashback Removal Tool
Also see Apple's article About Flashback malware.

Similar Messages

  • HT5228 How to find out if your Mac has the Flashback Trojan EASY WAY!!!!

    http://www.cnn.com/2012/04/06/tech/web/mac-flashback-trojan-check/index.html
    Just did it works great and they also have a post on how to remove it as well.

    Here is an even easier way, it will remove most infections too:
    I have created a user tip and malware checker/removal tool: https://discussions.apple.com/docs/DOC-3271

  • HELP! I had a Flashback Trojan/Malware on my Mac, I deleted it in trash, and now my Mac won't start.

    At first my Mac Finder showed n81, n82, etc when you right-click it, instead of the commands " open new finder window", "hide" etc. I also noticed that sometimes, when I would go to sites such as facebook, it would redirect to a different site and I'd have to type in the address again to get to the site. Nothing else was wrong with it. Safari was not shutting down. It wasn't slow.
    I did some research and found that I probably have the Flashback Trojan/Malware virus (whatever that is?) And so I followed what some people did (which got their mac fixed) .. I downloaded clamvax and tinkertool to find the malware (hidden files) and I deleted it in trash.. my computer seemed fine but when I restarted it, it wont turn on anymore.. the screen remains blue, the mouse could still be moved, but it stays that way..
    did I lose all my files? am I being hacked as we speak? Is this virus very dangerous?! I am very paranoid and know nothing about this kind of stuff so please help!
    BTW, the malware was from the game Farm Frenzy.. I have no idea how I got this... I never play online games.

    @Thomas, Thanks for jumping in. I had to take my wife to a Doctor appointment and things went down hill from there.
    I note that you are using Mac OS X 10.5.x.  It's important to understand that the Java vulnerabilities that allowed this malware to get established on your machine cannot be fixed in 10.5.x.  You would need to upgrade to at least 10.6 (Snow Leopard) to be able to get a version of Java with those vulnerabilities fixed.  (Correct me if I'm wrong there, Al!)
    That's 100% correct. Natalia has the distinction of being the first OS X 10.5 user confirmed to be infected by Flashback as far as I can tell. That operating system is becoming increasingly dangerous as the days go by. The OS has not been updated since Aug 2009 and the last Security and Java updates were in June 2011. There is no XProtect system and more and more third parties have dropped support in updating their Applications.
    Natalia_ wrote:
    I actually ran disk utility, and it said that the Macintosh HD is fine... I also tried safe mode/safe boot and did the FSCK command.. even that said that my laptop was fine? but somehow it still stays blue when I start up!
    And I think it probably is fine, except that something is hanging during the initial loading process. Could be most anything.
    As for my files, I appreciate your advice but I am scared I might do something wrong and mess my laptop up even more!
    There is almost no chance of that and at this point it should be obvious to you that if the files on your laptop are that important, you should already have a backup.
    I will take it to Apple and hopefully they can help me... because it seems that my files aren't wiped out... yet... It still displayed that I had my files in there..
    One word of caution, then. I have been told that Apple has instructed their support folks not to attempt to clean up a malware infection. If I were you I wouldn't bring it up unless you have to.
    By the way, while the disk was running, it was making very loud noises.. humming/grinding/etc... what could this mean?
    Only one thing in my experience, your hard drive is toast. All the more reason to try and get all the data you can off it immediately.
    The only way to test it is to do a surface scan which Disk Utility cannot do. You would need a third party utility to do that. If it tells you there are bad sectors, that is 100% proof that it's going bad, as modern hard drives repair themselves of bad sectors until they run out of reserves to substitute.

  • I have an iMac running OS 10.4.11. How can I check to see if I have the Flashback Trojan (and remove it, if I have it)? My Safari is also crashing frequently. Any suggestions?

    I have an iMac running OS 10.4.11. How can I check to see if I have the Flashback Trojan (and remove it, if I have it)? My Safari is also crashing frequently. Any suggestions?

    Hi Barry, is this an Intel iMac, or a PPC iMac?
    Disable Java in your Browser settings, not JavaScript.
    http://support.apple.com/kb/HT5241?viewlocale=en_US
    http://support.google.com/chrome/bin/answer.py?hl=en-GB&answer=142064
    http://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets
    Flashback - Detect and remove the uprising Mac OS X Trojan...
    http://www.mac-and-i.net/2012/04/flashback-detect-and-remove-uprising.html
    In order to avoid detection, the installer will first look for the presence of some antivirus tools and other utilities that might be present on a power user's system, which according to F-Secure include the following:
    /Library/Little Snitch
    /Developer/Applications/Xcode.app/Contents/MacOS/Xcode
    /Applications/VirusBarrier X6.app
    /Applications/iAntiVirus/iAntiVirus.app
    /Applications/avast!.app
    /Applications/ClamXav.app
    /Applications/HTTPScoop.app
    /Applications/Packet Peeper.app
    If these tools are found, then the malware deletes itself in an attempt to prevent detection by those who have the means and capability to do so. Many malware programs use this behavior, as was seen in others such as the Tsunami malware bot.
    http://reviews.cnet.com/8301-13727_7-57410096-263/how-to-remove-the-flashback-malware-from-os-x/
    http://x704.net/bbs/viewtopic.php?f=8&t=5844&p=70660#p70660
    The most current flashback removal instructions are F-Secure's Trojan-Downloader:OSX/Flashback.K.
    https://www.securelist.com/en/blog/208193454/Flashfake_Removal_Tool_and_online_checking_site
    More bad news...
    https://www.securelist.com/en/blog/208193467/SabPub_Mac_OS_X_Backdoor_Java_Exploits_Targeted_Attacks_and_Possible_APT_link
    Removal for 10.5...
    http://support.apple.com/kb/DL1534

  • How can i fix flashback trojan in my ipad thx

    Hi all, Safari and other apps like Chrome and Mercury etc. have been crashing unexpectedly. How can I fix that? I updated the iPad and it said no more updates. Please advise. I read all the messages and it seems that there is something called Flashback trojan. How do I remove it?
    thx all

    It is not possible for an iPad to contract the Flashback trojan since the iPad cannot run Java. Try the usual steps: restart, reset, restore.
    http://support.apple.com/kb/HT1430
    http://support.apple.com/kb/HT1414
    If you try restoring from a backup and that doesn't fix the problem, try restoring to factory settings and synching your apps. You'll lose the app data and settings, but if the problem is due to a corrupt cache or settings file, that should cure it.
    Regards.

  • What does the community recommend as an appropriate response in light of reports that "an estimated 600,000 or more Macs are currently compromised and part of a massive botnet thanks to the Flashback Trojan."  Is Apple taking steps to mitigate the threat?

    What does the community recommend as an appropriate response in light of reports that "an estimated 600,000 or more Macs are currently compromised and part of a massive botnet thanks to the Flashback Trojan."  Is Apple taking steps to mitigate the threat?
    See article in PC World at:  http://www.pcworld.com/businesscenter/article/253403/mac_malware_outbreak_is_bigger_than_conficker.html
    I have a MacBookPro and my wife has an iMac. I assume both are equally vulnerable.
    MLSCOS

    There are checks one can perform to see
    1: If any of their machines have been seen on the Flashback botnet
    http://public.dev.drweb.com/april/
    2: Terminal commands to see if their machine is infected (use copy and paste, then press enter)
    https://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml
    3: Preventative methods to avoid becoming infected.
    Update Java via Software Update.
    Disable Java in all your web browsers preferences (notice Java is not Javascript)
    Check your status of all browser plug-ins
    https://www.mozilla.org/en-US/plugincheck/
    Firefox + NoScript add-on + Temp Allow All Button on Firefox's toolbar to turn on scripts only on sites you trust.
    Learn how to make bootable clones, this way a complete erase can occur and a reverse clone done.
    https://discussions.apple.com/community/notebooks/macbook_pro?view=documents
    4: Resources if one is infected
    Data Recovery, wiping entire machine, reinstalling OS X, returning clean files, etc.
    https://discussions.apple.com/community/notebooks/macbook_pro?view=documents

  • What can I safely recover from Time Machine if I have the Flashback Trojan?

    I have recently found out that my iMac has been infected with the Flashback trojan.  I followed the commands from F-Secure to remove it from my computer however I'm not happy with this solution.  I am going to erase my hard drive and re-install the operating system.  I would then like to restore some of my folders using Time Machine.  However, before I do any of that I would like to know if it's safe to restore from my Home folder the following folders; Movies, Music, and Pictures.  Also, is it safe to recover databases from Address Book and iCal, and accounts from Mail and bookmarks from Safari?
    I apologize if this question is in the wrong category and I would like to thank anyone in advance that may be able to help, as it's much appreciated!

    Plug an external drive into the computer and use that to expand data onto.
    http://pondini.org/TM/16.html

  • HT4651 What do I need to know about the Flashback Trojan?

    Reading about the Flashback Trojan malware. How can I check to see if I'm infected? Could it be what's causing Youtube to run badly?

    A good place to start is looking over the other numerous threads on the subject. Please look to your right under More Like This and you will find many other threads.

  • FLASHBACK TROJAN?

    any info about flash back trojan?

    Adobe is aware of malware posing as its Flash Player and warns users to ignore any updates that didn't originate on its own servers. "Do not download Flash Player from a site other than adobe.com," said David Lenoe, Adobe's product security program manager, in an entry on Adobe Product Security Incident Response Team's PSIRT blog. "This goes for any piece of software (Reader, Windows Media Player, QuickTime, etc). If you get a notice to update, it's not a bad idea to go directly to the site of the software vendor and download the update directly from the source. If the download is from an unfamiliar URL or an IP address, you should be suspicious."
    The ‘Flashback Trojan’:
    A version of an existing Trojan Horse posing as a legitimate Flash Player installer (named “Flashback.A” by a security firm) is designed to disable updates to the default Mac OS X anti-malware protection system, potentially leaving the system open to the manual installation of other malware without any system warnings. The latest Macs do not have Flash Player included. In order to prevent a potential infection with “Flashback” Trojans, Mac users should always obtain their copy of Adobe Flash Player directly from Adobe’s official website and disable the "Open 'safe' files after downloading" option in Apple's Safari browser to avoid automatically running files downloaded from the Internet. Also, do not turn on Java in Safari Preferences/Security. Few websites use Java. Javascript is something entirely different and should be left active.
    http://www.appleinsider.com/articles/11/10/19/fake_adobe_flash_malware_seeks_to_disable_mac_os_x_anti_malware_protection.html
    Flashback Trojan - Detection, and how to remove (with caution):
    http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

  • Flashback trojan fix already in?

    Is there already a fix in apple updates for flashback trojan?

    How deal with FLASHBACK trojan?
    Remove OSX/Flashback.I Trojan

  • Flashback Trojan - I still think I have it.

    I realised I had the flashback trojan today as when I right-clicked the desktop, some numbers came up instead of the actual options (like N169.3 or something) and so I set off to try and remove it myself. And I am really bad at this stuff.
    I managed to delete the environment.plist file (or at least I believe I did), and after restarting my computer the numbers went away and when I right-clicked it was normal. However, I was still feeling uneasy about it, so I went to terminal and typed in ls /Users/Shared.*.so and /Users/Shared.MailWashervXX.so came up.
    I'm supposing that's a bad thing and I don't really know what to do now. Help?

    Probably is.  I don't recognize the name.  But you deleted the environment.plist so it cannot be tracked back for sure.
    One thing about anything in /Users/Shared though.  If something is there, a trojan or valid app put it there.  And it won't be too serious if you delete it.  A valid app (properly written) will put it back if it needs it.  Otherwise, who cares.  Just trash it.
    As for whether you extracted all of the trojan code or not, well, here's a quote of the current recommendations on how to handle this (which I am quoting from other posts on this subject):
    Courtesy of Linc Davis:
    You installed a variant of what’s commonly called the “Flashback” malware, although the name is obsolete.
    If you’re absolutely sure you know when that happened, and you back up with Time Machine or something similar, you can save yourself a lot of time by restoring your whole system from the most recent snapshot taken before it was infected. Then take Steps 7, 8, and 10 below.
    How can you tell when the infection took place? All you can be sure of is that you were infected some time before the problems started. You may have visited a blog that prompted you to install some kind of software, or a “certificate.” If you remember doing that recently, mention it in a reply, but don’t post a link.
    If you don’t know when you were infected, there's no easy, reliable way to remove the malware, because it's constantly changing. I suggest you take the following steps immediately:
    1. Back up all data to at least two different devices, if you haven't already done so.
    2. Boot from your recovery partition (if running Mac OS X 10.7 or later) or your installation disc (if running an earlier version of the Mac OS), launch Disk Utility, and erase the startup drive. This action will destroy all data on the drive, so you must be sure of your backups.
    3. Install the Mac OS.
    4. Reboot and go through the initial setup process to create an account with the same name as your old one. Don’t import anything from your backups at this stage.
    5. If running Mac OS X 10.6.x or earlier, run Software Update. You may have to run it more than once to fully update your system.
    6. Restore the contents of the top-level subfolders of your home folder except “Library” from the most recent backup. The Library folder may contain components of the malware. It’s best not to restore anything from there. If you must do so, restore only files, not folders, and only if they’re visible in the Finder, and then only if you’re absolutely sure you know what they are and they haven’t been altered. Don’t restore anything in the home subfolder Library/LaunchAgents, if it exists, or any hidden files or folders, no matter where they are.
    7. Launch Safari and select Safari ▹ Preferences… ▹ Security from the menu bar. Uncheck the box labeled Enable Java. Because of recurring security issues, the Java web plugin must be considered unsafe to use. (Note: I’m not referring to JavaScript, which is unrelated to Java, despite the similar names.) Very few websites have legitimate Java content nowadays. If you encounter one that does, and you think you can trust it, enable Java temporarily. Do this only if you know how to check for a malware infection immediately afterwards. If you’re not sure whether you know how to check, you don’t know how. Don’t rely on any kind of “anti-virus” software for protection.
    8. Change every Internet password you have, starting with banking passwords. Check all financial accounts for unauthorized transactions. Take this step only after you’ve secured your system in the preceding steps, not before.
    9. Reinstall your third-party software from fresh downloads or original media, not from backups which may be contaminated.
    10. If you use any third-party web browsers, disable Java in their preferences, as you did with Safari in step 7.
    More information about Flashback can be found by searching this site, or the Web.
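
Step 6 of the procedure quoted above, and the Time Machine question earlier on this page, both come down to one filter: restore the top-level home subfolders except Library, and nothing hidden. The shell functions below are an added example, not part of the original posts and not an Apple or Time Machine tool; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: selective restore following step 6 of the quoted procedure.
# Function names and sample file names are constructed for illustration.

# restore_home BACKUP_HOME NEW_HOME [-n]
#   Copies regular files from each top-level folder of BACKUP_HOME into
#   NEW_HOME, skipping "Library", anything whose name starts with ".",
#   symlinks, and loose top-level files. With -n it only lists the files.
restore_home() {
    backup=${1%/}
    dest=${2%/}
    mode=${3:-copy}
    if [ ! -d "$backup" ] || [ ! -d "$dest" ]; then
        echo "usage: restore_home BACKUP_HOME NEW_HOME [-n]" >&2
        return 2
    fi
    for top in "$backup"/*; do          # this glob never matches hidden names
        [ -e "$top" ] || [ -L "$top" ] || continue   # empty backup folder
        name=${top##*/}
        if [ -L "$top" ] || [ ! -d "$top" ]; then
            echo "skipped (not a folder): $name" >&2
            continue
        fi
        if [ "$name" = "Library" ]; then
            echo "skipped (may hold malware components): $name" >&2
            continue
        fi
        # -prune keeps find out of hidden folders and drops hidden files;
        # -type f ignores symlinks, which could point outside the backup.
        find "$top" -name '.*' -prune -o -type f -exec sh -c '
            backup=$1 dest=$2 mode=$3
            shift 3
            for f do
                rel=${f#"$backup"/}
                if [ "$mode" = "-n" ]; then
                    printf "%s\n" "$rel"
                else
                    mkdir -p "$dest/${rel%/*}" && cp -p "$f" "$dest/$rel"
                fi
            done' sh "$backup" "$dest" "$mode" {} +
    done
}

# Builds a small constructed backup tree for trying the function out.
make_sample_backup() {
    root=$1
    mkdir -p "$root/Documents/tax 2011" "$root/Documents/.cache" \
             "$root/Pictures" "$root/Library/LaunchAgents"
    echo report  > "$root/Documents/tax 2011/report.txt"
    echo unknown > "$root/Documents/.cache/leftover.bin"
    echo unknown > "$root/Documents/.hidden.plist"
    echo photo   > "$root/Pictures/photo.jpg"
    echo agent   > "$root/Library/LaunchAgents/com.example.agent.plist"
    echo env     > "$root/.hidden-settings"
    echo loose   > "$root/notes.txt"
}
```

Run it with `-n` first to review the list of files before anything is copied; items it skips are reported on standard error so they can be inspected by hand.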

  • How deal with FLASHBACK trojan?

    Hey folks!
    I updated Adobe Flash player a few days ago (the update popped up - I did not search for it) and I think I may have installed the "Flashback" trojan 'cuz I did the update in a hurry. Is there any way to find out if the trojan has found its way into the computer or is a format and reinstallation of the OS necessary? Thanks!!!

    woofmatix wrote:
     So I guess if that file ain't there, the Trojan has not entered the system right?
    Don't assume anything, run a scan using ClamXav and if your Apple Software Update works you can pretty much be rest assured you don't have it.
    Also I would like to know if this comes as an update or just an installer.
    It's a trojan installer on hostile web sites.
    If you look at your Adobe Flash System Preference pane it's got its own system to check with Adobe and verify the download. The confusion happens because there is a pop-up when one visits a web page and their Flash is outdated.
    I always download my Flash here
    http://get.adobe.com/flashplayer/
    If you're still concerned you can perform a
    Restoring OS X 10.5 10.6. 10.7 - simple overwrite OS method
    https://discussions.apple.com/message/16276201#16276201
    That will flush anything out of OS X, but you still need to clean up Applications and Users folders.

  • HT5243 Is there a removal tool to remove Flashback Trojan on Snow Leopard?

    Is there a removal tool to remove Flashback Trojan on Snow Leopard?

    Allan Meltzer wrote:
    Is there a removal tool to remove Flashback Trojan on Snow Leopard?
    Your profile says you are running OS X 10.5.1, so that probably needs to be updated (from the "Your Stuff" menu at the top of the page), but if you are running OS X 10.6.8 and have installed everything that Software Update asks you to, then the removal tool already ran. If you saw no notice that anything was removed, then you're OK.

  • Should I be concerned about flashback trojan?

    How could I find out if my macbook pro is infected with this flashback trojan?

    Two Helpful Links Regarding Flashback Trojan
    A link to a great User Tip about the trojan: Flashback Trojan User Tip
    A related link in the tip to a checker: Malware Checker Download Link
    A Google search can reveal a variety of alternatives on how to remove the trojan should your computer get infected. This can get you started.

  • Update's impact on Flashback Trojan

    I have updated my Mac with Apple's response to the Flashback Trojan. Will the update solve the issue even if I already may have the Trojan? Or does it only prevent getting it?  I'm fairly new to a Mac so I am not well versed.

    Linc Davis wrote:
    Not all variants include that file, according to what I've read.
    That is the only market that makes it somewhat close to being a virus. I read many things, only a few are true.
    If the trojan runs as root, as it must in order to alter the Safari application bundle, why would it not replace the codesign binary with a bogus one?
    I have seen no indication that the trojan runs as root. Java certainly doesn't.
    You don't need to be root to hack around in /Applications.
    user227-135:~ jdaniel$ ditto /Applications/Safari.app /Applications/Safari2.app
    user227-135:~ jdaniel$ echo "HOHOHO" >> /Applications/Safari2.app/Contents/Info.plist
    user227-135:~ jdaniel$ codesign -v /Applications/Safari2.app
    /Applications/Safari2.app: invalid signature (code or signature have been modified)
    In architecture: x86_64
