Flashback Trojan targeting Macs as well as PCs.. - MyTractorForum.com - The Friendliest Tractor Forum and Best Place for Tractor Information
Old 04-05-2012, 01:21 PM   post #1 of 13
littletractorguy
The Mod from... Nowhere!
 
Join Date: Dec 2009
Location: Saskatchewan
Posts: 7,901
MTF Member # 36339
Default Flashback Trojan targeting Macs as well as PCs..

Well, it had to happen sooner or later... The FlashBack Trojan Horse, which exploits a security hole in Java version 1.6.0_29 has begun to seriously target Macs. The Mac version of this Trojan has been out in the wilds of the Internet since around September of 2011, but was initially not very sophisticated, hard to "accidentally" download, and easy to detect and remove.... That has changed....

What IS a Trojan Horse?

Briefly, a Trojan Horse (aka Trojan) is a piece of malicious software that disguises itself as something beneficial or desirable so you will download it, then it goes and does bad things. The Flashback Trojan is a password sniffing Trojan, if I understand the reports correctly. So, bad.

What do I DO about it? How do I know if I have it?

Well, there's a couple of things you can do to check and prevent this Trojan.

First of all, let's check.... Here's a link to a Gizmodo site that talks about checking for and removing the virus. Personally, I'm pretty leery about telling folks to do the removal steps BEFORE they check to see if they've got it, so let's focus on checking first.

In that article, they tell you to go to the Terminal and issue a certain command. Let's break that down a bit, 'cause many folks are unfamiliar with or nervous about the Terminal...

1. Make sure you're in the Finder (look at the top left menu, make sure it says "Finder").
2. Go to the "Go" menu in the menubar across the top of your screen.
3. From the "Go" menu, choose Utilities. This opens the Utilities folder.
4. In the Utilities folder, find the application called Terminal. Its icon looks like this:
5. Double-click on it to start it.

Okay, now that you have the Terminal window opened, copy and paste the following command into it (Highlight the following line from its beginning to its end, then choose Edit-> Copy... Click inside the Terminal window and choose Edit -> Paste) and hit Return.

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

(There is nothing hazardous in this command, as it is a READ command)

When you hit return, hopefully your Terminal window will respond with:

"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"

If you get the above message, you're NOT infected with this Trojan....


So what to do NEXT?

This Trojan exploits a vulnerability in Java, a programming language used on both Macs and PCs. This vulnerability, as I mentioned, exists in version 1.6.0_29 of Java on both Macs and PCs... The best way to prevent being infected is by making sure you update your Java to the most current version (I believe they're up to 1.6.0_31 now). On the Mac, you can do that by going to the Apple menu and choosing Software Update. You should see an update in your list titled "Java for MacOS X.6 Update 7" (or "Java for MacOS X.7 Update 7" if you've upgraded to OS X.7). Run this update!

What if I think my machine is infected?

Good question.... they do give you some removal instructions in that Gizmodo article, that seem to come from a reputable source. None of my machines have been infected (thank goodness) so I haven't tried them yet....

Let's talk about that when we get there!
Old 04-05-2012, 02:55 PM   post #2 of 13
pianotuner
Senior MTF Member
 
Join Date: Feb 2011
Location: Mo.
Posts: 529
MTF Member # 55782
Default Re: Flashback Trojan targeting Macs as well as PCs..

I'm guessing the hackers got bored for something to do.
Old 04-10-2012, 05:53 PM   post #4 of 13
MacLawn
外人Geezer MTF Member
 
Join Date: Jun 2007
Location: Georgia RED clay & Mississippi Prairie
Posts: 1,852
MTF Member # 6284
Default Re: Flashback Trojan targeting Macs as well as PCs..

little, I posted a link to a small program that will detect the trojan:

https://github.com/jils/FlashbackChecker/wiki
__________________
That old man - he don't think like an old man...
Now I wouldn't want to be within 400 - 500 yards of one of them nuclear bombs when it goes off, I tell ye! WW1 Vet Old Man
"He's pinned under an outcropping of rock. Lucky for him, the rock kept the dirt from burying him alive".
Dirt, it's nothing but dirt, I tell ye...


"I thought I was wrong one time, but I was mistaken." Command Sergeant Major Jim

Old 04-10-2012, 06:41 PM   post #5 of 13
littletractorguy
The Mod from... Nowhere!
 
Join Date: Dec 2009
Location: Saskatchewan
Posts: 7,901
MTF Member # 36339
Default Re: Flashback Trojan targeting Macs as well as PCs..

Hey Mac....

Thankx for that! So, I downloaded it and ran it, and it ALSO said I'm not infected, so that's good, I figure...

I'm kinda torn, because one of the "common-sense" things to be wary of on the PC side is downloading applications from the web that SAY they do good things, but then infect you with trojans... Kinda a Catch-22 sorta situation... So, outta due diligence, I ran the FlashbackChecker app, THEN went back and did the check manually in Terminal, and it still says I'm clean... So, good... Took a bit of time and dug through the package contents, I can't see anything bad or malicious in them, but I'm not enough of a programmer to be 100% definitive....

That's the worst part about viruii, they destroy your trust in mankind.... AND they make you paranoid!
Old 04-10-2012, 07:03 PM   post #6 of 13
WNYTractorTinkerer
5000 Strong & Climbing
 
Join Date: May 2009
Location: New York
Posts: 9,202
MTF Member # 26264
Icon2 Re: Flashback Trojan targeting Macs as well as PCs..

Quote:
Originally Posted by littletractorguy View Post
That's the worst part about viruii, they destroy your trust in mankind.... AND they make you paranoid!
I wouldn't say they destroy trust in all mankind though LTG..

Just the A-holes that sit and dream up all of the malicious code up and make life **** for all kinds of other folks.. It just makes you wary of where you go and what you do on the web.. Java's been a favorite target for them since like- forever.. It makes them jump to life so nicely!!

It's too bad someone has finally got around to effectively infect the 'Safe' Mac's.. (Still takes user intervention) Mac's are still the safest machines going though.. As they are now getting more and more popular I'm sure it will keep happening.. guys!


So the lesson we all need to heed is to ALWAYS check any software's source out before downloading and installing it.. (Kinda just like living with Windows!)

I gotta go feed my new mouse now...
Old 04-12-2012, 07:29 PM   post #7 of 13
MacLawn
外人Geezer MTF Member
 
Join Date: Jun 2007
Location: Georgia RED clay & Mississippi Prairie
Posts: 1,852
MTF Member # 6284
Default Re: Flashback Trojan targeting Macs as well as PCs..

Apple just came out with an upgrade that will remove and prevent this trojan - just go to Software Update... under the Apple menu and update Java. Done.
Old 04-12-2012, 10:56 PM   post #8 of 13
littletractorguy
The Mod from... Nowhere!
 
Join Date: Dec 2009
Location: Saskatchewan
Posts: 7,901
MTF Member # 36339
Default Re: Flashback Trojan targeting Macs as well as PCs..

Quote:
Originally Posted by MacLawn View Post
Apple just came out with an upgrade that will remove and prevent this trojan - just go to Software Update... under the Apple menu and update Java. Done.
Got it!

Thankx again, MacLawn!

The interesting bit for Mac users to note in this update is THIS phrase in the description of the update:

"This update also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application."

Implications this has for ME at least is that I do a fair bit of work with a Java-based web conferencing package. This update means that when I click on the web link I use to get INTO this web conferencing package, it will no longer automatically fire up that applet. Instead, it will just download a Java Web Start file (a .jnlp file). I'll have to turn that back on if I want those java applets to start, I guess... So that's a BIT unsafe.... The other thing you can do, if you want to be able to RUN Java applets, BUT you don't want them to run automatically is you can either tell Safari NOT to run files it downloads (go into your Preferences, choose General, and UNCHECK the box that says Open "safe" files after downloading), or tell Firefox to ask before opening them (see below).


Edit: Looks like, the first time you hit a web app after this update, the computer prompts you to re-enable web start, like this:


Last edited by littletractorguy; 04-13-2012 at 12:09 AM.
Old 04-13-2012, 04:51 PM   post #9 of 13
coldwater
Proud Member of the 1K Club
 
Join Date: Mar 2011
Location: Ct.
Posts: 1,319
MTF Member # 56256
Default Re: Flashback Trojan targeting Macs as well as PCs..

Awesome post LTG. I checked mine per your outstanding instructions, and it came back clean! Thank you!!
Old 04-18-2012, 11:23 PM   post #10 of 13
littletractorguy
The Mod from... Nowhere!
 
Join Date: Dec 2009
Location: Saskatchewan
Posts: 7,901
MTF Member # 36339
Default Re: Flashback Trojan targeting Macs as well as PCs..

Update update....

I just spent 30 minutes on the phone working with a friend of mine (actually my oral surgeon who pulled my wisdom teeth), I have now seen this Flashback Trojan Horse in the wild. He saw a news article about it, and called me immediately. We ran the Terminal commands from the Gizmodo article and his machine came back clean, BUT he said, his Sophos AntiVirus had reported a problem to him several days ago... When we checked his anti-virus log, there WAS A threat in there. We found, in his backups from JANUARY, a copy of a file called FlashPlayer-Installer-11.pkg (I believe)... so, masquerading as a flash installer. The Trojan version he had was the osx/flshplyr-A variant, so an older one, not as nasty as the current -D variant. He hasn't noticed any odd things in any of his online transactions since January that might be a result of sniffed passwords, but as a precaution, I did suggest he change any online passwords he may be using (PayPal, etc).

So, there.... I can no longer say I've never seen a Trojan Horse on a Mac.

Gonna go run my anti-virus software now....

Some other helpful hints for Mac users, based on my friend's experience.... If you GET a web browser window that just comes up outta the blue and says things like "You should update your [Fill In Software name here, in this case for him it was Flash Player]"... DON'T accept its suggestion that it can download the software for you. Instead, go to the vendor's website YOURSELF and check there for updates. In the case of Adobe, you can go to www.adobe.com, right there they have buttons like "Get Flash Player". You can pretty much guarantee that if you GO to the vendor's website, you're not downloading a virus. On the OTHER hand, while I was looking up the info on this flash player.pkg file, I did a Google search of it, and one of the FIRST sites in my listing was "Download your FREE Flash Player FAST HERE!" and when you look at the URL that goes with it, it's NOT Adobe's URL.... DING, DING go the warning bells! NOT a legitimate site!

So, fellow Mac users, let's be careful out there! Common sense and caution will get you through!
Old 04-18-2012, 11:50 PM   post #11 of 13
littletractorguy
The Mod from... Nowhere!
 
Join Date: Dec 2009
Location: Saskatchewan
Posts: 7,901
MTF Member # 36339
Default Re: Flashback Trojan targeting Macs as well as PCs..

Oh and by the way, while I have your attention here, I have to mention this.... my instructions in my first post on this thread were not as complete as I thought. In working through the instructions from the Gizmodo site to help my friend, I noticed there's TWO terminal commands that you issue to check for the presence of the FlashBack virus, each checks for a different variant.... The first is:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

and the SECOND is:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

if BOTH of these come back with a response like:

"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"

or

"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"

you're clean.... So my apologies for that, I'm still kinda new at this whole virus detection thing.
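
The two checks from post #11 above, combined into one script as an added example; it is not part of any forum member's post. The two `defaults read` commands are the ones quoted in the thread, while the function names, the `FB_DEFAULTS` override and the verdict words are assumptions made for this example.

```shell
#!/bin/sh
# Added example: runs both checks quoted in the thread and interprets the replies.
# Hypothetical names: FB_DEFAULTS, check_key, flashback_verdict, verdict words.

# Command used to read preferences; overridable so the logic can be exercised
# on a machine without defaults(1).
FB_DEFAULTS="${FB_DEFAULTS:-defaults}"

# check_key DOMAIN KEY
# Prints "clean" when the key is absent, "suspicious: <value>" when it exists,
# and "unknown: <message>" when the read failed for some other reason.
check_key() {
    if out=$("$FB_DEFAULTS" read "$1" "$2" 2>&1); then
        printf 'suspicious: %s\n' "$out"
    elif printf '%s' "$out" | grep -q 'does not exist'; then
        printf 'clean\n'
    else
        # Tool missing, unreadable file, etc.: never report this as clean.
        printf 'unknown: %s\n' "$out"
    fi
}

# Prints one word on stdout (clean / suspicious / unknown); details go to stderr.
flashback_verdict() {
    r1=$(check_key /Applications/Safari.app/Contents/Info LSEnvironment)
    r2=$(check_key "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES)
    printf 'Safari LSEnvironment:  %s\n' "$r1" >&2
    printf 'DYLD_INSERT_LIBRARIES: %s\n' "$r2" >&2
    case "$r1|$r2" in
        'clean|clean')                   echo clean ;;
        suspicious:*|*'|suspicious:'*)   echo suspicious ;;
        *)                               echo unknown ;;
    esac
}

# Run the check only where the preferences tool is actually installed.
if command -v "$FB_DEFAULTS" >/dev/null 2>&1; then
    flashback_verdict
fi
```

A `clean` verdict covers only these two settings: post #10 in this thread describes a machine that passed the Terminal checks while its antivirus log still held a detection for an older installer.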
Old 04-19-2012, 09:19 AM   post #12 of 13
orange j d
My Orange Jane Deere
 
Join Date: Jan 2010
Location: Georgia
Posts: 3,341
MTF Member # 37225
Default Re: Flashback Trojan targeting Macs as well as PCs..

A ton for the info guys,
__________________


Sent from my FREE MTF APP PROVIDED BY MY FRIENDS AT MTF*****

Remember: Marriage is the number one cause of divorce.
Old 04-19-2012, 02:11 PM   post #13 of 13
MacLawn
外人Geezer MTF Member
 
Join Date: Jun 2007
Location: Georgia RED clay & Mississippi Prairie
Posts: 1,852
MTF Member # 6284
Default Re: Flashback Trojan targeting Macs as well as PCs..

Good help, there, little. You are so right about not clicking on those pop-ups that come up asking to update, etc. I NEVER click on anything like that.