What is known about Mac flashback trojan malware?

LOL... Don't want to see this guy shirtless, anyway... Seriously, this Flashback thing is not to be taken lightly, and the first line of defense is the user's sense of precaution. Don't click on dubious weblinks, don't download (or if you do, don't open) dubious files, etc...
Now, this said, there's an ongoing criticism as to how quickly (or rather, slowly) Apple has been patching the vulnerabilities that could lead to an infection by such a malware. Some websites insist on the fact that if Apple let the third-party vendors (Oracle comes to mind where Java is concerned) patch their own software under Apple's supervision, such risks of infection would be next to nil, but that's another debate.

Similar Messages

  • HT4651 What do I need to know about the Flashback Trojan?

    Reading about the Flashback Trojan malware. How can I check to see if I'm infected? Could it be what's causing Youtube to run badly?

    A good place to start is looking over the other numerous threads on the subject. Please look to your right under More Like This and you will find many other threads.

  • HELP! I had a Flashback Trojan/Malware on my Mac, I deleted it in trash, and now my Mac won't start.

    At first my Mac Finder showed n81, n82, etc. when you right-click it, instead of the commands "open new finder window", "hide" etc. I also noticed that sometimes, when I would go to sites such as facebook, it would redirect to a different site and I'd have to type in the address again to get to the site. Nothing else was wrong with it. Safari was not shutting down. It wasn't slow.
    I did some research and found that I probably have the Flashback Trojan/Malware virus (whatever that is?). And so I followed what some people did (which got their Mac fixed). I downloaded ClamXav and TinkerTool to find the malware (hidden files) and I deleted it in Trash. My computer seemed fine, but when I restarted it, it won't turn on anymore. The screen remains blue, the mouse could still be moved, but it stays that way.
    Did I lose all my files? Am I being hacked as we speak? Is this virus very dangerous?! I am very paranoid and know nothing about this kind of stuff so please help!
    BTW, the malware was from the game Farm Frenzy.. I have no idea how I got this... I never play online games.

    @Thomas, Thanks for jumping in. I had to take my wife to a Doctor appointment and things went down hill from there.
    I note that you are using Mac OS X 10.5.x.  It's important to understand that the Java vulnerabilities that allowed this malware to get established on your machine cannot be fixed in 10.5.x.  You would need to upgrade to at least 10.6 (Snow Leopard) to be able to get a version of Java with those vulnerabilities fixed.  (Correct me if I'm wrong there, Al!)
    That's 100% correct. Natalia has the distinction of being the first OS X 10.5 user confirmed to be infected by Flashback as far as I can tell. That operating system is becoming increasingly dangerous as the days go by. The OS has not been updated since Aug 2009 and the last Security and Java updates were in June 2011. There is no XProtect system and more and more third parties have dropped support in updating their Applications.
    Natalia_ wrote:
    I actually ran disk utility, and it said that the Macintosh HD is fine... I also tried safe mode/safe boot and did the FSCK command.. even that said that my laptop was fine? but somehow it still stays blue when I start up!
    And I think it probably is fine, except that something is hanging during the initial loading process. Could be most anything.
    As for my files, I appreciate your advice but I am scared I might do something wrong and mess my laptop up even more!
    There is almost no chance of that and at this point it should be obvious to you that if the files on your laptop are that important, you should already have a backup.
    I will take it to Apple and hopefully they can help me... because it seems that my files aren't wiped out... yet... It still displayed that I had my files in there..
    One word of caution, then. I have been told that Apple has instructed their support folks not to attempt to clean up a malware infection. If I were you I wouldn't bring it up unless you have to.
    By the way, while the disk was running, it was making very loud noises.. humming/grinding/etc... what could this mean?
    Only one thing in my experience, your hard drive is toast. All the more reason to try and get all the data you can off it immediately.
    The only way to test it is to do a surface scan which Disk Utility cannot do. You would need a third party utility to do that. If it tells you there are bad sectors, that is 100% proof that it's going bad, as modern hard drives repair themselves of bad sectors until they run out of reserves to substitute.

  • What is known about UCMA support in 'Skype for Business', the next generation of Lync Server?

    Microsoft has announced that the next version of Lync will be "Skype for Business". In the first half of 2015, the next version of Lync will become Skype for Business with a new client experience, new server release, and updates to the service in Office 365.
    http://blogs.skype.com/2014/11/11/introducing-skype-for-business/
    What is known about support for UCMA and other Lync SDKs in the new version that is expected to be released in less than six months?
    UCFin

    There is now publicly available information that all the Lync SDKs will be supported in Skype for Business. Specifically, there will be support for:
    Unified Communications Managed API (UCMA)
    Lync Server SDK
    Lync Client Managed API (including UI Suppression)
    Unified Communication Web API (UCWA)
    You can read more on my blog post here: http://blog.thoughtstuff.co.uk/2015/03/lync-development-apis-whats-supported-in-skype-for-business/
    -tom
    Tom Morgan Developing Lync

  • This is what I hate about Mac...

    This is what bugs me about running mac!  I have sent various crash reports to this forum (A support forum hosted by APPLE).
    No one has ever pointed me in the right direction.  I don't know who else to ask?  Is there anyone?
    Lots of people seem to think their Mac is great.
    Mine keeps crashing!
    If I want to run Logic 9 I have to spend $2500 because I would need a New Mac pro.
    If my Mac didn't give me so much grief I would spend the money on a new one.
    I am convinced that I should get a PC! It must be more stable!
    grrrr

    I only see one post about crashing, and it got responses but you never followed up.
    Like pancenter said, try reinstalling the latest version of 10.5 from the combo updater.  I would do whatever hardware tests you have available,  it's possible you have bad memory or a hard drive starting to fail.
    If that doesn't help, I'd try running Logic with no hardware hooked up and no third party plugins.  If you still get crashes that points to a problem with Logic, if not start adding those back in a little at a time since one of those may be causing the crashes.
    In your other post you mentioned switching to Cubase. They don't support G5 any more with their latest versions, only Intel. I don't know who, if any, of the audio devs is still supporting PPC; if you want the latest software you may need to get a new machine at some point. The good news is that even an iMac or laptop will probably run circles around the machine you have now.

  • HT5228 How to find out if your Mac has the Flashback Trojan EASY WAY!!!!

    http://www.cnn.com/2012/04/06/tech/web/mac-flashback-trojan-check/index.html
    Just did it, works great, and they also have a post on how to remove it as well.

    Here is an even easier way, it will remove most infections too:
    I have created a user tip and malware checker/removal tool: https://discussions.apple.com/docs/DOC-3271

  • HT5228 Malicious Flashback Trojan

    I am not sure if my computer is infected. Yesterday I was on Facebook downloading one of my own iMovies to my Facebook page. I was prompted to install Adobe Flash Player. I downloaded install_flash_player_osx.dmg, which I did. During the process I was also prompted to give my administrator's password, which is normal. However, I now read in the news that this is exactly what happens with the malicious Flashback Trojan. Do I have to download security update 2012-001, which is over 200MB? It is a bit of a challenge as I am in a very remote area and only have access to the Internet via a mobile network. Thank you for any advice.

    Never give out your administrator password unless you manually initiated the action. If you get a pop-up asking to update flash, dismiss it, and manually verify your version at: http://www.adobe.com/software/flash/about/
    and, if necessary, update it at: http://get.adobe.com/flashplayer/
    Unfortunately, the standard behaviour of Flash Player and many other types of auto-update programs makes them impossible to distinguish from malware. This will be fixed in Mountain Lion with Gatekeeper. You will be able to restrict your machine to getting software only from the Mac App Store.
    To check if you have malware, try the following...
    In Terminal.app, run:
    cat ~/.MacOSX/environment.plist
    and
    codesign -v /Applications/Safari.app
    If you get anything about "DYLD_INSERT_LIBRARIES" on the first and/or "code or signature modified" on the second, then you are infected. Any other responses (including none) mean you're fine.
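
The two Terminal checks from the reply above, wrapped in a script so the verdict does not depend on reading the output by eye. This is an added example, not part of the original thread; the function names and return codes are this example's own, and it additionally prints the injected library path when the plist is in XML form.

```shell
#!/bin/sh
# Added example: the two checks from the post, as functions.
# Function names and return codes are this example's own conventions.

# check_env_plist FILE -> 0: no DYLD_INSERT_LIBRARIES entry (or no file)
#                         1: entry present
check_env_plist() {
    # A missing file corresponds to the "no output" case in the post.
    [ -f "$1" ] || return 0
    # -a searches binary plists as text; the key name is stored as ASCII.
    if grep -a -q 'DYLD_INSERT_LIBRARIES' "$1"; then
        return 1
    fi
    return 0
}

# injected_library FILE -> prints the library path set for the key.
# Works on XML plists only; prints nothing for binary plists or clean files.
injected_library() {
    [ -f "$1" ] || return 0
    awk '
        /<key>DYLD_INSERT_LIBRARIES<\/key>/ { want = 1 }
        want && match($0, /<string>[^<]*<\/string>/) {
            # strip the 8-char <string> and 9-char </string> tags
            print substr($0, RSTART + 8, RLENGTH - 17)
            exit
        }' "$1"
}

# check_signature APP -> 0: signature verifies, 1: codesign reports a problem,
#                        2: cannot check (no codesign tool or no such app)
check_signature() {
    command -v codesign >/dev/null 2>&1 || return 2
    [ -d "$1" ] || return 2
    if codesign -v "$1" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# flashback_report [PLIST] [APP] -> one line per check; defaults are the
# paths named in the post.
flashback_report() {
    fb_plist=${1:-${HOME:-/nonexistent}/.MacOSX/environment.plist}
    fb_app=${2:-/Applications/Safari.app}
    if check_env_plist "$fb_plist"; then
        echo "environment.plist: no DYLD_INSERT_LIBRARIES entry"
    else
        echo "environment.plist: DYLD_INSERT_LIBRARIES set: $(injected_library "$fb_plist")"
    fi
    fb_rc=0
    check_signature "$fb_app" || fb_rc=$?
    case $fb_rc in
        0) echo "$fb_app: signature valid" ;;
        1) echo "$fb_app: signature check FAILED" ;;
        *) echo "$fb_app: not checked (codesign or app missing)" ;;
    esac
}

flashback_report "$@"
```

If the plist line reports a library path, record that path before removing anything, since the file it names is part of the infection.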

  • Any discussion on flashback Trojan?

    Any suggestions on what communities to ask about the flashback Trojan ?

    Adobe is aware of malware posing as its Flash Player and warns users to ignore any updates that didn't originate on its own servers. "Do not download Flash Player from a site other than adobe.com," said David Lenoe, Adobe's product security program manager, in an entry on Adobe Product Security Incident Response Team's PSIRT blog. "This goes for any piece of software (Reader, Windows Media Player, QuickTime, etc). If you get a notice to update, it's not a bad idea to go directly to the site of the software vendor and download the update directly from the source. If the download is from an unfamiliar URL or an IP address, you should be suspicious."
    The ‘Flashback Trojan’:
    A version of an existing Trojan Horse posing as a legitimate Flash Player installer (named “Flashback.A” by a security firm) is designed to disable updates to the default Mac OS X anti-malware protection system, potentially leaving the system open to the manual installation of other malware without any system warnings. The latest Macs do not have Flash Player included. In order to prevent a potential infection with “Flashback” Trojans, Mac users should always obtain their copy of Adobe Flash Player directly from Adobe’s official website and disable the "Open 'safe' files after downloading" option in Apple's Safari browser to avoid automatically running files downloaded from the Internet. Also, do not turn on Java in Safari Preferences/Security. Few websites use Java. JavaScript is something entirely different and should be left active.
    http://www.appleinsider.com/articles/11/10/19/fake_adobe_flash_malware_seeks_to_disable_mac_os_x_anti_malware_protection.html
    Flashback Trojan - Detection, and how to remove (with caution):
    http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml
    You can also use this to check whether you have been infected (for Intel Macs only) and remove it if required:
    http://www.macupdate.com/app/mac/42571/anti-flashback-trojan
    Last, but by no means least, use Open DNS, which is the simplest way of preventing infection in the first place. Open DNS also protects against phishing attacks, and speeds up your internet connection:
    http://blog.opendns.com/2012/04/09/worried-about-mac-malware-just-set-up-opendns/
    How to get it:
    https://store.opendns.com/get/home-free

  • What does the community recommend as an appropriate response in light of reports that "an estimated 600,000 or more Macs are currently compromised and part of a massive botnet thanks to the Flashback Trojan."  Is Apple taking steps to mitigate the threat?

    What does the community recommend as an appropriate response in light of reports that "an estimated 600,000 or more Macs are currently compromised and part of a massive botnet thanks to the Flashback Trojan."  Is Apple taking steps to mitigate the threat?
    See article in PC World at:  http://www.pcworld.com/businesscenter/article/253403/mac_malware_outbreak_is_bigger_than_conficker.html
    I have a MacBookPro and my wife has an iMac. I assume both are equally vulnerable.
    MLSCOS

    There are checks one can perform to see
    1: If any of their machines have been seen on the Flashback botnet
    http://public.dev.drweb.com/april/
    2: Terminal commands to see if their machine is infected (use copy and paste, then press enter)
    https://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml
    3: Preventative methods to avoid becoming infected.
    Update Java via Software Update.
    Disable Java in all your web browsers' preferences (notice Java is not JavaScript)
    Check your status of all browser plug-ins
    https://www.mozilla.org/en-US/plugincheck/
    Firefox + NoScript add-on + Temp Allow All Button on Firefox's toolbar to turn on scripts only on sites you trust.
    Learn how to make bootable clones, this way a complete erase can occur and a reverse clone done.
    https://discussions.apple.com/community/notebooks/macbook_pro?view=documents
    4: Resources if one is infected
    Data Recovery, wiping entire machine, reinstalling OS X, returning clean files, etc.
    https://discussions.apple.com/community/notebooks/macbook_pro?view=documents

  • What should I know about the Trustor Rapport malware protection update?

    I received a message to allow update of something trustor rapport malware protection. I did not know if I had it or if I should allow it to update. Anyone know about this?

    Trojan War
    If you discover a trojan program is running on your computer then look to the following information for assistance:
    1. A recent discussion on the Apple Support Communities: MacDefender Trojan.
    2. An excellent site devoted to Mac Malware: Macintosh Virus Guide
    3. Another site for removing MacDefender, et al.: MAC Defender Rogue Anti-Virus analysis and Removal
    4. A new removal utility - MacDefenderKiller
    5. And to protect against a recent variant, MacGuard.
    Before you delete anything, we need your help. Some AV folks in our community need to analyze these files in order to protect others. Before you delete anything please consider doing the following:   Upload either the original .zip file or the MacGuard application to http://www.VirusTotal.com.  If either is not detected by ClamXAV, then also upload it to http://cgi.clamav.net/sendvirus.cgi.   If you are uncomfortable doing this for any reason and can determine the URL of the site where you got it please send the link to [email protected].
    Removing strange software can be a task.  The following outlines various ways of uninstalling software:
    Uninstalling Software: The Basics
    Most OS X applications are completely self-contained "packages" that can be uninstalled by simply dragging the application to the Trash.  Applications may create preference files that are stored in the /Home/Library/Preferences/ folder.  Although they do nothing once you delete the associated application, they do take up some disk space.  If you want you can look for them in the above location and delete them, too.
    Some applications may install an uninstaller program that can be used to remove the application.  In some cases the uninstaller may be part of the application's installer, and is invoked by clicking on a Customize button that will appear during the install process.
    Some applications may install components in the /Home/Library/Applications Support/ folder.  You can also check there to see if the application has created a folder.  You can also delete the folder that's in the Applications Support folder.  Again, they don't do anything but take up disk space once the application is trashed.
    Some applications may install a Startup item or a Log In item.  Startup items are usually installed in the /Library/StartupItems/ folder and less often in the /Home/Library/StartupItems/ folder.  Log In Items are set in the Accounts preferences.  Open System Preferences, click on the Accounts icon, then click on the LogIn Items tab.  Locate the item in the list for the application you want to remove and click on the Delete [-] button to delete it from the list.
    Some software uses startup daemons or agents that are a new feature of the OS.  Look for them in /Library/LaunchAgents/ and /Library/LaunchDaemons/ or in /Home/Library/LaunchAgents/.
    If an application installs any other files the best way to track them down is to do a Finder search using the application name or the developer name as the search term.  Unfortunately Spotlight will not look in certain folders by default.  You can modify Spotlight's behavior or use a third-party search utility, Easy Find, instead.  Download Easy Find at VersionTracker or MacUpdate.
    Some applications install a receipt in the /Library/Receipts/ folder.  Usually with the same name as the program or the developer.  The item generally has a ".pkg" extension.  Be sure you also delete this item as some programs use it to determine if it's already installed.
    There are many utilities that can uninstall applications.  Note that you must have this software installed before you install software you may need to uninstall.  Uninstallers won't work if you install them after the fact.  Here is a selection:
    AppZapper
    Automaton
    Hazel
    CleanApp
    Yank
    SuperPop
    Uninstaller
    Spring Cleaning
    Look for them and others at VersionTracker or MacUpdate.
    For more information visit The XLab FAQs and read the FAQs on removing software and dealing with spyware and malware.
    After removing all the components of the software you may have to restart the computer to fully disable the software.  This will be the case when removing software that has installed a daemon.  After the daemon has been removed you need to restart the computer to stop the daemon.  Alternatively, you can kill the daemon process using the Terminal application or Activity Monitor.
    That most likely is just a rename of the trojan known as MacDefender. Do not download it or allow it access to your computer.

  • "What to do now if I had the Flashback Trojan?"

    I just did a software update (was overdue) that included the java security fix, and was immediately informed that the "OSX.FlashBack.iv" malware was found and removed.
    Does anyone happen to know how serious a threat the malware presents, how to assess any potential damage it may have done, and what I might do to minimize any after-the-fact damage?

    MadMacs0 wrote:
    I'm pretty sure I would go to all the sites I could remember signing into that had significant financial data of mine on them and change my passwords. If I used the same password on multiple sites (I don't) I would change all those, as well. I already check all my transactions on a daily basis due to a mysterious Credit Card compromise a few months back, but if I wasn't, I would do that. A site called mint.com (run by Intuit) makes it easy to see everything at once, but in order to do that I have to provide significant information to them.
    I did go to all of my credit card/bank account sites and changed my user names and passwords. And this time, I'll print the info out, but won't do what I've done before (which was to store that info in a spreadsheet that I had saved to my drive).
    As far as mint.com or any other third party is concerned (including the online backup-service companies), I simply don't trust them and/or don't have high enough confidence in the security measures they have in place to hand over my personal info.
    I would certainly endorse the use of Little Snitch as being worth the time, money and effort to install, setup and maintain. It's not for everyone, but I've used it for years to keep track of what information leaves my computer. During the period when it first alerted users to the existence of the Flashback "N" variant I gained new respect for its capability.
    Thinking about Little Snitch again...I think I read somewhere that FlashBack checks out the system it has targeted and doesn't install itself if it detects the presence of Little Snitch. (If true, I don't know how FlashBack got into my system.) 

  • HT4651 Is Mac OS 10.7.3 vulnerable to DNSchanger Trojan malware?

    Is Mac OS 10.7.3 vulnerable to DNSchanger Trojan Malware?

    All computers are susceptible to trojans if the user installs it, 10.7.3 is no different, so if you've installed something with your admin password and you're having issues, it could be a trojan. But likely did not get on your machine without your assistance.
    The site you linked to shows an all green light, so it's not malicious.
    I've found the IPs used by the malicious DNS changer network, however it is old news.
    DNS stands for Domain Name Server, what this does is when you search for say google.com, or apple.com, it translates the Domain name of apple.com into an IP address (number) that then allows your computer to connect to that site.
    Because servers (computers) are moved around to different hosting services with different IP addresses, sort of like a business that changes location if the lease for the location is expired, the name of the domain (like a name of a business) doesn't change so people can still find the site.
    The Domain Name Server handles all the IP changes, providing your computer with the latest IP address to connect to.
    Now in your System Preferences > Network > DNS will be the IP addresses of the Domain Name Server you're using, usually it's your ISP's but people often change it to something faster or that offers more security or "filtering" of malicious sites or even content!
    So what you need to do is check two things, your Mac's and your router's DNS settings to make sure the IP addresses (two of them usually) are set to IP addresses that you KNOW belong to your ISP or an alternate DNS provider you have selected.
    The only way to find out is to contact your ISP and give them your account/location present DNS IP numbers and they will tell you the IP address of the closest DNS to your location which is likely what they use.
    If your DNS settings on either the Mac or the router are NOT kosher, then you've got a problem.
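
One way to script the Mac-side DNS check described above: list the resolvers OS X is actually using with `scutil --dns` and print any that are not on your known-good list. This is an added example, not part of the original thread; the function name is this example's own, the addresses in the usage comment are placeholders, and the router's DNS setting still has to be checked on the router itself.

```shell
#!/bin/sh
# Added example: flag DNS servers in use that are not on a known-good list.
# unexpected_dns is this example's own name, not a system tool.

# unexpected_dns ALLOWED_IP...
#   stdin : text in the format printed by `scutil --dns` on OS X
#   stdout: each nameserver address not in the allowed list, once, sorted
unexpected_dns() {
    allowed=" $* "
    # Resolver entries look like "  nameserver[0] : 192.0.2.53"
    awk '$1 ~ /^nameserver\[[0-9]+\]$/ && $2 == ":" { print $3 }' |
    sort -u |
    while IFS= read -r ns; do
        case "$allowed" in
            *" $ns "*) ;;                 # expected server
            *) printf '%s\n' "$ns" ;;     # not on the list: investigate
        esac
    done
}

# On the Mac itself, with the addresses your ISP or chosen DNS provider
# gave you (the two below are documentation placeholders):
#   scutil --dns | unexpected_dns 192.0.2.53 192.0.2.54
if [ "$#" -gt 0 ] && command -v scutil >/dev/null 2>&1; then
    scutil --dns | unexpected_dns "$@"
fi
```

No output means every resolver in use is one you listed; any address printed is one to confirm with your ISP or DNS provider.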

  • What to do about a virus that uses your mac to send email?

    what to do about a virus that uses your mac to send email?

    It's highly unlikely that your Mac has a virus, since no virus, worm or trojan has been reported, much less confirmed, as having the behavior you mention. As LB suggested, most likely it's your email account itself that has been compromised, or some other computer (a Windows system, almost certainly) that has your addresses on it has been infected.
    Check the "sent" folder for your email account and see if the bogus messages are shown there. If they are, that at least would verify that the emails were sent via your email account. Report back and let us know whether your email account is POP, IMAP or Exchange, and who your email host is.
    If the messages are not shown anywhere in your "sent mail" folder, then someone has almost certainly gotten hold of your contact list and spoofed your email address.
    Regards.

  • Should I be concerned about flashback trojan?

    How could I find out if my macbook pro is infected with this flashback trojan?

    Two Helpful Links Regarding Flashback Trojan
    A link to a great User Tip about the trojan: Flashback Trojan User Tip
    A related link in the tip to a checker: Malware Checker Download Link
    A Google search can reveal a variety of alternatives on how to remove the trojan should your computer get infected. This can get you started.

  • HT1338 what is the latest Mac OS X software update about?

    I received a Mac OS X software update alert today 9/23/12 . Does anyone know what is it about?

    If you are referring to the Lion update information can be found here.
