A Quick Tester for Trojan-Downloader:OSX/Flashback
Filed Under Computers & Tech, Security, My Projects on April 7, 2012 at 2:59 pm
Update – 13 April 2012: Apple have released another update to Java (via software update) which automatically disables Java in Safari, and removes Flashback if it has infected your system. Please use Apple’s update rather than relying on this script!
Update – 10 April 2012: I have edited the script to run the additional commands recommended by TidBITS. The Download button will now return version 0.2 of the script.
It’s finally happened: there has been a serious malware outbreak on the Mac. Over half a million Macs have been infected with the latest variants of the Flashback malware. Earlier versions of this malware relied on tricking users into running an installer, or approving a request for permission to execute, but that has all changed now. The malware has moved from being a simple trojan that relied on tricking people into running it to a fully automated attack requiring no user interaction. The reason for this transformation is that the malware started to exploit flaws in Java: first, old vulnerabilities that were patched ages ago, which only affected people who don’t keep their computers up to date, but this week, flaws that Apple had, at the time, not yet patched. This means that for a few days, even the most diligent Mac users could have been hit.
This infection has no noticeable symptoms, and did not require you to do anything “stupid” to get infected. Any Mac user, no matter how careful, could have been infected. So, you need to check to be sure you are not one of the half-million-plus victims! The very first thing you need to do is be sure that your Java is patched so that you can’t get infected going forward. If you are running a version of OS X older than 10.6 Snow Leopard you MUST update to 10.6 or 10.7 Lion – YOU CANNOT BE SAFE ON UNSUPPORTED VERSIONS OF OS X (the same goes for unsupported versions of any OS: Windows, Linux, Unix …). If you are running OS X 10.6 or 10.7, run Software Update now to be sure you are fully patched.
The security firm F-Secure have kindly posted instructions for removing this malware, and these instructions contain commands for checking whether or not you are infected. However, some users have found the instructions quite challenging to follow, as they are quite dense and require the user to execute quite cumbersome Terminal commands.
To make things a little easier, I’ve written a little script that will run the commands for you and report on the result.
This tester is simply a Perl script saved with a .command file extension, so when you double-click it OS X will run the script in a Terminal window. I’m releasing the script under the FreeBSD License, so you can pretty much do whatever you want with it as long as you leave my copyright notice in place.
For those interested, below is the full source code:
#!/usr/bin/perl
use strict;
use warnings;

# Copyright 2011 Bart Busschots T/A Bartificer Web Solutions. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are
# permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice, this list of
#    conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright notice, this list
#    of conditions and the following disclaimer in the documentation and/or other materials
#    provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY BART BUSSCHOTS T/A BARTIFICER WEB SOLUTIONS ''AS IS'' AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
# BART BUSSCHOTS T/A BARTIFICER WEB SOLUTIONS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

# This script runs the terminal commands recommended by F-Secure at
# http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml
# and the additional commands recommended by TidBITS at
# http://tidbits.com/article/12918 and reports the results.

# Each command reads a setting that Flashback is known to plant; on a clean system
# "defaults" reports that the key does not exist. stderr is merged into stdout (2>&1)
# so that message can be captured below.
my @commands = (
    '/usr/bin/defaults read /Applications/Safari.app/Contents/Info LSEnvironment 2>&1',
    '/usr/bin/defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES 2>&1',
    '/usr/bin/defaults read /Applications/Google\ Chrome.app/Contents/Info LSEnvironment 2>&1',
    '/usr/bin/defaults read /Applications/Firefox.app/Contents/Info LSEnvironment 2>&1',
    '/usr/bin/defaults read /Applications/iCab\ 4/iCab.app/Contents/Info LSEnvironment 2>&1',
);

my $num_failed = 0;
foreach my $command (@commands){
    print "Executing: $command\n";
    my $output = `$command`;
    print "Output: $output\n";
    # Only the exact "does not exist" message counts as a pass; any other output
    # (a real value, an error, nothing at all) is treated as a possible infection.
    if($output =~ m/does[ ]not[ ]exist$/sx){
        print "\nPASS\n\n";
    }else{
        print "\nFAIL\n\n";
        $num_failed++;
    }
}

my $result = q{};
if($num_failed){
    $result = 'One or more of the terminal commands recommended by F-Secure or TidBITS has returned a value indicating that you ARE infected with Trojan-Downloader:OSX/Flashback. For more see the instructions at http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml';
}else{
    $result = 'All the terminal commands recommended by F-Secure and TidBITS have returned the expected answers for a system that is NOT infected with Trojan-Downloader:OSX/Flashback';
}
print "$result\n";
# Also show the verdict in a dialog box so it is visible without reading the Terminal.
system(qq{/usr/bin/osascript -e 'tell app "System Events" to display dialog "$result"'});
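The following is a small shell companion to the tester, added here and not part of Bart's script, showing the three outcomes one of its `defaults read` checks can produce and why anything other than the exact “does not exist” message is treated as a FAIL. The sample outputs are constructed: the dictionary layout mirrors how `defaults read` prints an LSEnvironment dictionary, and the library path is a placeholder, not a real Flashback indicator.

```shell
#!/bin/sh
# Added example, not part of the original tester: classify the captured output of one
# "defaults read ... LSEnvironment 2>&1" check into three outcomes.
#   CLEAN    - the key does not exist (the tester prints PASS)
#   INFECTED - an LSEnvironment dictionary injecting a library via DYLD_INSERT_LIBRARIES
#   UNKNOWN  - anything else (permission error, empty output, unexpected format)
# The tester deliberately lumps INFECTED and UNKNOWN together as FAIL: it only passes a
# check it can positively prove clean.
classify_lsenv() {
    output="$1"
    case "$output" in
        *"does not exist") echo CLEAN; return 0 ;;
    esac
    # Pull the injected library path out of a line such as
    #     DYLD_INSERT_LIBRARIES = "/some/path.dylib";
    lib=$(printf '%s\n' "$output" | sed -n 's/.*DYLD_INSERT_LIBRARIES *= *"*\([^";]*\)"*;.*/\1/p')
    if [ -n "$lib" ]; then
        echo "INFECTED $lib"
    else
        echo UNKNOWN
    fi
}

# Constructed sample outputs (not captured from a real machine). The dictionary form
# mirrors how "defaults read" prints a dictionary; the path is a placeholder, not an IoC.
SAMPLE_CLEAN='The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist'
SAMPLE_INFECTED='{
    DYLD_INSERT_LIBRARIES = "/path/to/injected.dylib";
}'
SAMPLE_ERR='defaults: Permission denied'

for s in "$SAMPLE_CLEAN" "$SAMPLE_INFECTED" "$SAMPLE_ERR"; do
    classify_lsenv "$s"
done

# On a Mac, feed the classifier the real Safari check the tester runs.
if [ -x /usr/bin/defaults ]; then
    classify_lsenv "$(/usr/bin/defaults read /Applications/Safari.app/Contents/Info LSEnvironment 2>&1)"
fi
```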
Thanks Bart. This worked a treat for me and confirmed that I am one of the lucky ones that are Virus free. Happy days. What a great present for Easter this is. You’re the best. 😉
Very good, I’m clean. Thanks man!
Thanks for this, I’m clean.
Thank you, Bartholomew !
I have run the script and I am, apparently, clean.
I have yet to hear some podcast coverage of all this lark. Ken Ray seems to be on hiatus.
Has it already been on IMP? I was half listening to a recent episode and not sure if I missed it.
So, should I get Clam X AV?
Bart,
Thanks for taking the time to do this. Most appreciated.
All clean here i’m glad to say.
Thnx, this helped. Keep up the good work
Thanks folks!
Chris – myself and Allison Sheridan have recorded an in-depth discussion for this week’s “Chit Chat Across The Pond” segment on the NosillaCast Mac Podcast, and we’ll be covering it on the IMP Live we’ll be recording tonight at 22:30GMT.
As for AV, I think at this stage Mac users should consider running some, either the free and open source ClamXav, the free for home use version of Sophos, or one of the commercial products. This is a game-changing moment IMO.
Bart.
You rock Bart! Thanks a bunch! And I’m clean from the get-go…
Thank you. I ran this initially via terminal a couple days ago, am clean. However, I’ve developed a number of problems in Firefox and Thunderbird recently, and wonder if you know of some other hidden cause. Lost all my inbox contents yesterday; can’t access restore history in FF. I’m working it through via FX forum respondents, but concerned it’s systemic. Thanks
Hi Bart,
Great Job! Thanks very much for doing this. It really helped the non-tech members of my family.
My intel-iMac is clean … don’t yell at me, but can this be run on PowerPC Macs?
Thanks a bunch!!
Hi Bart. I can’t get it to run. It downloads as a .zip file and I keep getting an Archive Utility error.
Thanks everyone!
ahmo – I doubt your other miscellaneous problems are due to Flashback, it’s probably just coincidence. I’d try the usual Mac troubleshooting steps like using Disk Utility to check your disk and to repair disk permissions.
Karrell – no idea whether or not this will work on a PPC – the script itself is written in Perl and not compiled, so that won’t cause trouble, but the terminal commands that the script executes may have changed between OS X versions. Only one way to find out, try running it 🙂 – oh – don’t panic if it tells you you might be infected, the script errs on the side of caution: if it can’t prove you’re not infected it assumes you might be.
Lionel – try downloading it again – it sounds like your download got corrupted.
Hi Bart:
Thanks so much for the script! Worked like a charm on my Intel MacBook. Cannot thank you enough!
This is a wonderful thing you are doing for the Mac Community with this script. (I still shake when I open up the terminal.) This script is easy and accessible for all. Bravo!
Regretfully, this FLASHBACK marks the end of the PowerPC Mac being connected to the internet. I have 3 PPCs and they are finally being put to rest. Maybe I will make a lamp out of my Power Mac G5!
Thanks Bart. 😉
[…] to determine whether their machines are infected to this post from Bart Busschots who developed A Quick Tester for Trojan-Downloader:OSX/Flashback. This incorporates the terminal instructions provided by F-Secure into a single script for […]
Bart,
Does your script just check Safari or does it check the alternate browsers as well? TidBITS provided some additional information with tests for other browsers. http://tidbits.com/article/12918
[…] an easy way to see if you are compromised, use the script available on this page. If you are infected, or are concerned about security then get in touch. We can discuss your […]
Thanks Bart for making it so simple to check our Macs.
Hi Bart,
I have listened repeatedly to Chit Chat across the Pond in attempt to figure out the following (This is not a criticism of the great job you have done there!). I use Chrome & every time I access a site with Java (e.g. Transverse Wave Java applet) Chrome asks for permission to run the plugin. Does this mean that Chrome is “safe” as my full time browser?
I have done all the various checks & everything is clean (for the moment), so thanks for your help here.
Kaite – the script didn’t run the extra commands at TidBITS, but now it does 🙂
Michael – I just did some testing with Chrome myself, and you are right that it won’t run Java without getting your permission first. This would indeed protect you, and shows yet again how Chrome leads the way in browser security.
Bart.
Can you elaborate on what’s different about the script now, and what you actually added? I don’t know what TidBITS article you’re referring to so I don’t understand what’s different from what we talked about last weekend.
Hi Allison,
The TidBITS article lists another three terminal commands to dig around for this malware in a few other places it could be hiding. So, the change in the script is that it now runs the two commands recommended by F-Secure, as well as the three additional commands recommended by TidBITS.
Bart.
Thanks Bart – I didn’t realize the word TidBITS at the top was a link until I went back and re-read.
The script leaves the Terminal open when complete – I think this will confuse the less sophisticated users I’m helping. Any chance it could close it out when done?
Thanks so much for this!
Hi Allison,
Unfortunately not – that’s a side effect of how OS X is set up by default – you’ll see that the last thing it says is “[Process Complete]”. This means the terminal has actually exited, but OS X keeps the window open by default.
I hummed and hawed about whether to use a .command file or an Automator action. I settled on a .command file because it will be the most compatible across versions of OS X. I’ve had problems running Automator actions from one version of OS X on another, so I figured I’d probably cause more confusion if the script didn’t run at all for some people than if it just left a Terminal window open for the users to close.
It’s a trade-off, so not ideal, but it does work.
Bart.
Hi again, Bart.
A couple of my friends told me that the script will not run on their machines due to problems with access privileges. They both have administrator privileges for their machines. Any thoughts?
Thanks.
Lou
Hi Bart,
Me again. Thanks for the feedback on Chrome. I would also like to add my thanks for your little script. I just tried walking my niece through using Test4Flashback & it failed because she is on a G5 (I know, I know, but my budget is limited). But when I used your FlashbackTest it worked like a charm. So once again many thanks.
Mr. Busschots, as an old but not always smart Mac user, I am grateful to you for the knowledge and generosity that went into your creating and distributing this script. Thanks very much. Dan Rutenberg
Thanks Bart,
Thanks for taking the time to do this for the less able out here. All clean here and glad to be sure. Thanks again. Dan
Hey Bart,
Thanks for this, much appreciated, You’re a star.
Pleased to report all my machines were clean.
Adam
I’m one of the lucky ones who isn’t infected. Thanks a million for making this so easy Bart!
Great thanks for the script! I’m not infected!
Thank you for doing this. I am happy to say I am not infected but I always keep my Mac up to date.
Hi Bart. Thanks for the script. All clear and ok thank goodness. I was worried as my flash wasn’t the latest version even though I have the automatic update radio button marked! Anyway all other stuff the latest and I’m clear. Great work again.
Hi Bart, thanks for the script, I used it and I’m clean in all my Macs. I linked to your site and script on my blog, to tell people about it. I have a question for you: I run as a standard user on all my computers, Windows or Mac, does running as a standard user instead of an administrator make any difference on the situation with the Flashback Trojan?
Thank you.
Hi Erick – the simple answer is that I don’t know.
However, what I can say is that it certainly doesn’t need admin rights to infect you. The only difference that I can see is that it MIGHT be easier for the infection to reach out of your account and into all the other accounts on your Mac if you use an admin account, but, as I understand it, you’ll be on the botnet either way.
Bart.
Hi Bart,
I just wanted to say thank you for posting this! It passed my machine. Now to see if the Wife’s machine passes. Thank you for everything you do for the community.
-Josh
Thanks for posting this script, I really appreciate it.
One of the problems with malware detection/antivirus utilities is that they often rely on distribution of signature files to defend against infections. So the malware can infect your machine if it beats your antivirus utility to the punch. One rough and ready way to defend yourself is to set your system up to notify you if files are added to certain folders such as the LaunchAgents/LaunchDaemons folders.
Shipped with our Mac systems are some neat scripting tools we can use to help with tracking unwanted files being added to our systems. I have enabled Folder Actions and attached a script (which is supplied by Apple with the OS X installation) to a few of my folders that will notify me if anything is added to them. The folders that seem most critical to me are:
~/Library/LaunchAgents
/Library/LaunchAgents
/Library/LaunchDaemons
/System/Library/LaunchAgents
/System/Library/LaunchDaemons
The name of the script I have added is “add - new item alert.scpt” and it simply notifies me if it sees that a file is added to an assigned folder. After notification I can decide what I want to do. If I was installing some software, then it is probably fine. If I was just browsing the web, maybe something fishy is going on.
You can use your favorite search engine to find instructions for utilizing OS X’s Folder Actions in general and for installing this particular script.
I’m clean, thanks!
Since this little drama is now over, and since this post is proving to be a spam magnet, I’m closing the comments now.