Malware: Trojan Flashback

Posted: September 6, 2012 in Encyclopedia viruses

The Flashback Trojan horse is an example of malicious software that lets cyber criminals steal passwords and other sensitive information from the infected computer. The system can be compromised simply by visiting a malicious Web site. This Trojan was the first large-scale real threat faced by Mac owners. Although it exploits a vulnerability in Java, not in OS X, 98% of its victims were Mac systems.

If you visit an infected site that hosts Flashback, the page will attempt to serve you a specially prepared Java applet. If you have a vulnerable version of Java and it is enabled in your browser, the malicious code will infect your system and install a specific set of components. Since Apple released the first update for this vulnerability only on April 3 and issued a second update on April 6, a large number of Macs are still at risk of infection.

How does the new Trojan work? After the initial infection, Flashback displays a Software Update window to try to intercept your administrator password, but it does so only in order to penetrate the Mac more deeply.

Once the Trojan has successfully infected the computer, Flashback injects itself into the Safari browser and begins to collect information about your actions, including user names and passwords. It then sends this data to command-and-control servers on the Internet.

The important point is that, unlike the majority of Mac malware we have seen before, Flashback can infect a system even if you merely visited a specially crafted page while using the vulnerable software. You do not need to enter an administrator password or manually install anything.

Check for malware

Establishing whether Flashback is present on the system is quite simple. To do so, run two simple commands in Terminal (found in /Applications/Utilities):

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

If running these commands gives you the following messages, there is nothing to worry about yet:

The domain/default pair of (/Users/Deavy/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist

The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist

Getting rid of Flashback

1. To start, run the following command in Terminal:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

2. Remember or write down the value of DYLD_INSERT_LIBRARIES.

3. If you get «The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist», go to step 8.

4. Otherwise, run the next command. As its argument, you must use the path obtained in step 2:

grep -a -o '__ldpath__[ -~]*' path_obtained_in_step_2

5. Remember or write down the value of __ldpath__.

6. Run the following commands in Terminal (but first make sure that in step 2 you received only one value):

sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment

sudo chmod 644 /Applications/Safari.app/Contents/Info.plist

7. Now delete the files found in steps 2 and 5.

8. Return to Terminal and run this command:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

9. Make a note of the result. If you received a message like this:

«The domain/default pair of (/Users/Deavy/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist», then the system is clean.

10. Otherwise, run the command, using the path from step 9 as the parameter:

grep -a -o '__ldpath__[ -~]*' path_obtained_in_step_9

11. Write down the value of __ldpath__.

12. Run a couple of Terminal commands:

defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

launchctl unsetenv DYLD_INSERT_LIBRARIES

13. Delete the files found in steps 9 and 11.

14. And now the hard part. Return to Terminal and run the command:

ls -lA ~/Library/LaunchAgents/

It returns a list of software that runs at login. If you have been using OS X for a long time, the resulting list will most likely contain more than one entry. In this case F-Secure recommends contacting their support, but we will try to use our heads. Pick out the most suspicious plist files, with names like «com.java.update.plist», and run the following on each of them:

defaults read ~/Library/LaunchAgents/name_of_suspicious_file ProgramArguments
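The detection half of the procedure above, as an added shell example that is not from the original post or from F-Secure: it wraps the two `defaults read` probes, classifies their output, and pulls the `__ldpath__` marker out of a library with the same grep the post uses. It only inspects; it deletes nothing, and the library path and marker value in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the original post): read-only Flashback presence check.

# Decide whether one `defaults read` result means "clean".
# $1 is the combined stdout+stderr text of the command. Returns 0 when the
# domain/default pair does not exist (nothing injected), 1 when a value came
# back, i.e. DYLD_INSERT_LIBRARIES is set for Safari or for the login session.
is_clean_result() {
    case "$1" in
        *"does not exist"*) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Extract the __ldpath__ marker from a suspected injected library.
# $1 is the path obtained from DYLD_INSERT_LIBRARIES. The binary is searched as
# text (-a) and only the matching run of printable ASCII is printed (-o), which
# is the post's grep; the marker prefix is then stripped so only the path remains.
# Example (constructed): a file containing "__ldpath__/Users/Shared/.example.so"
# yields "/Users/Shared/.example.so".
extract_ldpath() {
    LC_ALL=C grep -a -o '__ldpath__[ -~]*' "$1" | sed 's/^__ldpath__//'
}

# Print one line per probe: $1 is a label, $2 the `defaults read` output.
report() {
    if is_clean_result "$2"; then
        echo "clean:      $1"
    else
        echo "SUSPICIOUS: $1 -> $2"
    fi
}

# Run the two probes from the post plus the LaunchAgents listing.
# Only meaningful on OS X, so it is skipped where defaults(1) does not exist.
check_flashback() {
    command -v defaults >/dev/null 2>&1 || { echo "defaults(1) not found; not OS X"; return 0; }
    report "login session (~/.MacOSX/environment)" \
        "$(defaults read "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES 2>&1)"
    report "Safari (Info.plist LSEnvironment)" \
        "$(defaults read /Applications/Safari.app/Contents/Info LSEnvironment 2>&1)"
    # Login items; a name like com.java.update.plist deserves a closer look.
    ls -lA "$HOME/Library/LaunchAgents/" 2>/dev/null
}
```

If a probe reports SUSPICIOUS, pass the returned path to `extract_ldpath` and then continue with the removal steps above.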
