{"id":178,"date":"2012-04-09T17:45:55","date_gmt":"2012-04-10T01:45:55","guid":{"rendered":"http:\/\/www.outofajam.net\/blog\/?p=178"},"modified":"2012-04-09T19:41:37","modified_gmt":"2012-04-10T03:41:37","slug":"new-mac-trojan-variant-on-not-panicking-and-checking-it-out","status":"publish","type":"post","link":"https:\/\/www.outofajam.net\/blog\/2012\/04\/09\/new-mac-trojan-variant-on-not-panicking-and-checking-it-out\/","title":{"rendered":"New Mac Trojan variant: on not panicking and checking it out"},"content":{"rendered":"<p>There&#8217;s been a lot of excitement today about a Trojan targeting Macintosh computers. There is some excellent in-depth coverage over at <a title=\"Macworld\" href=\"http:\/\/www.macworld.com\/article\/1166254\/what_you_need_to_know_about_the_flashback_trojan.html\" target=\"_blank\">Macworld<\/a>, but I wanted to hit on some highlights for people who have been asking me about this.<\/p>\n<p>First, don&#8217;t panic. Even if the high-end estimates are true, about 600,000 Macs are infected, which amounts to about 1% of all the Mac users out there. By those percentages, I would still carry on being a great deal more worried about a great many other things, such as your backup plan.<\/p>\n<p>That being said, unlike 99% of all the other scares out there, this one is real in the sense that by visiting the wrong website (apparently, a lot of them are ones ending in a .nu domain &#8211; which, I must admit, I&#8217;ve never even seen; still, a lot of times those incredibly aggravating pop-up windows that shady websites pop up for you lead to funkypants domains) you can become infected and not even know it. The malware does give a few clues that something is up &#8211; upon installing itself within your user folder, it will pretend to run Software Update and ask for your administrator password, so it can gain wider access to the rest of the system. 
Even if you are savvy enough to deny it (and remember, always ask yourself: why is something suddenly asking for my password? Is this what I expected, and a normal part of my computer routine?), it will still install itself and run in a more limited, but still threatening, capacity.<!--more--><\/p>\n<p>First, go to your Apple Menu and click on Software Update. Let it run, and install any updates there. When it&#8217;s done, do it again. I say this because Apple just patched the vulnerability in Java that allowed this to happen, and if you have the update, you&#8217;ll be safe from here on out. Then, check and see if you are infected. To do that, you can use a script put together by <a href=\"http:\/\/www.bynkii.com\/\" target=\"_blank\">the kind John Welch<\/a>, which you can download here:<\/p>\n<p><a href=\"http:\/\/dl.dropbox.com\/u\/23632593\/Find%20Flashback.zip\">http:\/\/dl.dropbox.com\/u\/23632593\/Find%20Flashback.zip<\/a><\/p>\n<p>Update: another, perhaps easier-to-use, tool is available here:\u00a0<a title=\"Flashback checker on github\" href=\"https:\/\/github.com\/jils\/FlashbackChecker\/wiki\">https:\/\/github.com\/jils\/FlashbackChecker\/wiki<\/a><\/p>\n<p>Alternatively, the folks over at F-Secure have posted the <a href=\"http:\/\/www.f-secure.com\/v-descs\/trojan-downloader_osx_flashback_k.shtml\" target=\"_blank\">instructions<\/a>\u00a0for checking and removing the virus manually, but a quick step-by-step summation for checking is as follows:<\/p>\n<p>1) Click on the Finder in the dock. That&#8217;s the square-looking smiley face guy.<\/p>\n<p>2) Go to the menu bar, and click on the &#8216;Go&#8217; menu.<\/p>\n<p>3) From the &#8216;Go&#8217; menu, choose &#8216;Utilities&#8217;.<\/p>\n<p>4) Within the Utilities folder, double-click on &#8216;Terminal&#8217;.<\/p>\n<p>A command line interface will pop up. Some folks panic at this point, but don&#8217;t worry, it&#8217;s super easy. 
Simply paste in this command:<\/p>\n<p>defaults read \/Applications\/Safari.app\/Contents\/Info LSEnvironment<\/p>\n<p>Then, after that one, paste in this one:<\/p>\n<p>defaults read ~\/.MacOSX\/environment DYLD_INSERT_LIBRARIES<\/p>\n<p>The response to each of those commands should end in &#8216;does not exist&#8217;. If it doesn&#8217;t, you&#8217;ll want to clean it up. Again, the manual commands are on the <a href=\"http:\/\/www.f-secure.com\/v-descs\/trojan-downloader_osx_flashback_k.shtml\" target=\"_blank\">F-Secure website<\/a>. Or, you can download one of the free antivirus programs out there that should be updated by now to deal with this. I generally recommend either <a href=\"http:\/\/www.clamxav.com\/\" target=\"_blank\">ClamXav<\/a>\u00a0or <a href=\"http:\/\/www.sophos.com\/en-us\/products\/free-tools\/sophos-antivirus-for-mac-home-edition.aspx\" target=\"_blank\">Sophos Antivirus<\/a>\u00a0for not acting like viruses themselves. You can leave them installed if you feel safer, but in all honesty, at this point, my general advice still stands: you&#8217;re saving yourself a great deal more hassle if you don&#8217;t have antivirus software installed than if you do.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There&#8217;s been a lot of excitement today about a Trojan targeting Macintosh computers. There is some excellent in-depth coverage over at Macworld, but I wanted to hit on some highlights for people who have been asking me about this. First, don&#8217;t panic. 
Even if the high-end estimates are true, about 600,000 Macs are &#8230; <a title=\"New Mac Trojan variant: on not panicking and checking it out\" class=\"read-more\" href=\"https:\/\/www.outofajam.net\/blog\/2012\/04\/09\/new-mac-trojan-variant-on-not-panicking-and-checking-it-out\/\" aria-label=\"Read more about New Mac Trojan variant: on not panicking and checking it out\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[4],"tags":[11,27,8,35,36],"class_list":["post-178","post","type-post","status-publish","format-standard","hentry","category-security","tag-how-to","tag-maintenance","tag-three-steps-to-being-safe","tag-trojan","tag-virus"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1QPzl-2S","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.outofajam.net\/blog\/wp-json\/wp\/v2\/posts\/178","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.outofajam.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.outofajam.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.outofajam.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.outofajam.net\/blog\/wp-json\/wp\/v2\/comments?post=178"}],"version-history":[{"count":6,"href":"h
ttps:\/\/www.outofajam.net\/blog\/wp-json\/wp\/v2\/posts\/178\/revisions"}],"predecessor-version":[{"id":180,"href":"https:\/\/www.outofajam.net\/blog\/wp-json\/wp\/v2\/posts\/178\/revisions\/180"}],"wp:attachment":[{"href":"https:\/\/www.outofajam.net\/blog\/wp-json\/wp\/v2\/media?parent=178"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.outofajam.net\/blog\/wp-json\/wp\/v2\/categories?post=178"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.outofajam.net\/blog\/wp-json\/wp\/v2\/tags?post=178"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}