More than 600,000 Macs infected with Flashback botnet

[Tyrianth]

http://news.cnet.com/8301-1009_3-574.../?tag=mncol;1n

When the trojan executes it checks your system for these directories:

• /Library/Little Snitch
• /Developer/Applications/Xcode.app/Contents/MacOS/Xcode
• /Applications/VirusBarrier X6.app
• /Applications/iAntiVirus/iAntiVirus.app
• /Applications/avast!.app
• /Applications/ClamXav.app
• /Applications/HTTPScoop.app
• /Applications/Packet Peeper.app

If any one of those are found it commits suicide. If you don't have any of those directories it's easy to see if you've been infected or not.

Simply run this command in terminal:

Code:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

You should get this error:

Code:

The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist

Then run this command:

Code:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

You should get this error:

Code:

The domain/default pair of (/Users/YOURUSER/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist

If you get both of those errors than you're Flashback free! If you don't get those errors then removal can be found here

[sophiemj]

thank u I will check it !

[Misen]

Our junior sys admin is having a great day today
(he's patching around 350 macs out in the field)

[Tyrianth]

Our junior sys admin is having a great day today
(he's patching around 350 macs out in the field)

that should be an exciting day for him.

[Myrrar]

They missed the firefox one. You need to do all 3 of these to check:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

[sophiemj]

phew safe