How To Check If Your Mac Is Infected With the Flashback Trojan

It was two nights ago, around 2am, while reading a tech thread about the reappearance of the OS X Trojan malware known as Flashback, that I began feeling this dreadful concern about my MacBook Pro. I had recently updated my Flash player via a pop-up notification, a big no-no, as the Flashback Trojan was named for its fake Adobe Flash Player installer, complete with Flash Player logos. I literally jumped out of bed and went through various steps to check whether my machine was infected, as I had noticed some instability issues...

Flash forward to this morning and the big news in the Mac community is yesterday's report about the possible malware infection of up to 550,000 machines worldwide:

The exploit saves an executable file onto the hard drive of the infected Mac machine. The file is used to download a malicious payload from a remote server and to launch it. Doctor Web found two versions of the Trojan horse: attackers started using a modified version of BackDoor.Flashback.39 around April 1. Similarly to the older versions, the launched malware first searches the hard drive for the following components:

/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app

If the files are not found, the Trojan uses a special routine to generate a list of control servers, sends an installation success notification to the intruders' statistics server and sends consecutive queries to the control server addresses.

Fortunately, after running a few Terminal commands I was able to (triple) check and verify that my machine had installed a legitimate Flash Player update rather than any malicious code. You can do this yourself if you're comfortable using Terminal (the application is located in Applications > Utilities > Terminal).

How to Check Using Terminal (Harder Way)
1. Run the following command in Terminal:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
2. If the command returns a line that includes DYLD_INSERT_LIBRARIES, take note of the library location it points to.
3. You're safe if the command instead returns the error message: "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"
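As an added example that is not part of the original post, the small POSIX shell script below automates the check above: it interprets the output of `defaults read` exactly as steps 2 and 3 describe, pulls out the library path when a DYLD_INSERT_LIBRARIES line is present, and can be pointed at any application bundle, not only Safari. The two sample outputs embedded in it are constructed for demonstration, and the `.placeholder.so` path is a placeholder, not a real Flashback indicator.

```shell
#!/bin/sh
# Added example (not from the original post): automates the Terminal check above.
# classify_lsenv interprets `defaults read .../Info LSEnvironment` output as the post
# describes: "does not exist" means clean, a DYLD_INSERT_LIBRARIES line means suspicious.
classify_lsenv() {
    case "$1" in
        *"does not exist"*)      echo clean ;;
        *DYLD_INSERT_LIBRARIES*) echo suspicious ;;
        *)                       echo unknown ;;
    esac
}

# extract_dyld_path prints the library path the DYLD_INSERT_LIBRARIES key points at
# (step 2 of the post: "take note of location"); handles quoted and unquoted values.
extract_dyld_path() {
    printf '%s\n' "$1" |
        sed -n 's/.*DYLD_INSERT_LIBRARIES[[:space:]]*=[[:space:]]*"\{0,1\}\([^";]*\)"\{0,1\};.*/\1/p'
}

# check_app runs the real check against an application bundle (macOS only, since it
# needs the `defaults` tool). Returns 0 when the verdict is clean, non-zero otherwise.
check_app() {
    app="$1"
    if ! command -v defaults >/dev/null 2>&1; then
        echo "$app: skipped, 'defaults' is not available on this system"
        return 2
    fi
    out=$(defaults read "$app/Contents/Info" LSEnvironment 2>&1)
    verdict=$(classify_lsenv "$out")
    echo "$app: $verdict"
    if [ "$verdict" = suspicious ]; then
        echo "  inserted library: $(extract_dyld_path "$out")"
    fi
    [ "$verdict" = clean ]
}

# Constructed sample outputs, used only to demonstrate the classifier offline.
# The .so path below is a placeholder, not a real Flashback indicator.
SAMPLE_CLEAN='The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist'
SAMPLE_INFECTED='{
    DYLD_INSERT_LIBRARIES = "/Applications/Safari.app/Contents/Resources/.placeholder.so";
}'

# Demonstrate on the constructed samples, then on the live Safari bundle when on macOS.
echo "clean sample    -> $(classify_lsenv "$SAMPLE_CLEAN")"
echo "infected sample -> $(classify_lsenv "$SAMPLE_INFECTED") ($(extract_dyld_path "$SAMPLE_INFECTED"))"
check_app /Applications/Safari.app || true
```

On a Mac, run it with `sh flashback-check.sh` (any file name works) and add further `check_app` lines for other bundles you want to inspect.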

Of course, I wanted to make sure the multitude of friends who use Macs like myself were informed. But upon sharing the news, this computer-speak mumbo jumbo about command lines and checking for inserted bits of code was met with confusion and indifference...the reputation of Mac users being mostly hands-off with their machines is more true than not.

How to Check Using the Super Simple Script
So we were pleased to see that a MUCH easier Flashback diagnostic script tool became available this morning, via Mashable. All you have to do is download the zipped file, open Files.zip, and double-click each of the uncompressed files to run the security check on your computer.


Once again, if you see "does not exist" in the report, you're clear. Even so, you'll want to make sure to update your OS X system with the latest Java for Mac OS X Update to plug this annoying security hole. And ALWAYS update any Adobe component directly from the Adobe site, not when served a pop-up notification while browsing online.

If you see anything other than the "does not exist" response noted above, you might want to get ready for some headache-inducing reading and learn how to manually remove the malware. I did, headaches and all...lesson learned, tough stuff.