A shell script to check if your Mac is infected with Flashback Trojan

UPDATE (17/April/2012): Apple finally released the official fix for Flashback: http://support.apple.com/kb/HT5242
You should run Software Update to install the update. 



+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The following content is outdated. Use the update above.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The new Mac trojan, Flashback, has infected 600,000 users. To check whether your Mac has been infected, you can download the following script and run it in Terminal.

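#!/bin/bash

# An LSEnvironment key in a browser's Info.plist is treated as a sign of
# infection; "defaults read" reports "does not exist" when the key is absent.
SafariInfected=0
echo -n "Checking Safari... "
if [[ -z `defaults read /Applications/Safari.app/Contents/Info LSEnvironment 2>&1 | grep "does not exist"` ]]; then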
    SafariInfected=1
    echo "INFECTED."
else
    echo "NOT INFECTED."
fi

FirefoxInfected=0
echo -n "Checking Firefox... "
if [[ -z `defaults read /Applications/Firefox.app/Contents/Info LSEnvironment 2>&1 | grep "does not exist"` ]]; then
    FirefoxInfected=1
    echo "INFECTED."
else
    echo "NOT INFECTED."
fi

# Same test for a DYLD_INSERT_LIBRARIES entry in the per-user environment file.
DyldInsertLibrariesInfected=0
echo -n "Checking DYLD_INSERT_LIBRARIES... "
if [[ -z `defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES 2>&1 | grep "does not exist"` ]]; then
    DyldInsertLibrariesInfected=1
    echo "INFECTED."
else
    echo "NOT INFECTED."
fi

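# Java 1.6.0_31 is the patched release: strip quotes, dots and underscores
# from the version string (1.6.0_31 becomes 16031) and compare as an integer.
JavaPatched=0
echo -n "Checking Java... "
if [[ -n `which java` ]]; then
    JavaVersion=`java -version 2>&1 | grep "java version" | awk '{print $3}'`
    echo -n "(version=$JavaVersion) "
    JavaVersionNumber=`echo $JavaVersion | sed -e "s/[\"\._]//g"`
    if [[ $JavaVersionNumber -lt 16031 ]]; then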
        echo "NOT PATCHED."
    else
        JavaPatched=1
        echo "PATCHED."
    fi
else
    JavaPatched=1
    echo "PATCHED."
fi

if [[ $SafariInfected -eq 1 || $FirefoxInfected -eq 1 || $DyldInsertLibrariesInfected -eq 1 ]]; then
    echo "Warning: your system is INFECTED with Flashback Trojan." 1>&2
fi

if [[ $JavaPatched -eq 0 ]]; then
    echo "Warning: your Java is not patched with Java 1.6.0_31. You need to run Software Update to install the Java update, which protects from the Flashback Trojan." 1>&2
fi
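
The Java check in the script strips the punctuation from the version string and compares the digits as one integer, so a string such as 1.7.0 becomes 170 and sorts below 16031. The following is an added example, not part of the original chk_flashback script, that compares versions field by field and reports UNKNOWN for anything outside the 1.6 line (an assumption made here, since the page names only 1.6.0_31); the function names and the sample `java -version` lines are constructed for illustration.

```bash
#!/bin/bash
# Added example, not part of the original chk_flashback script.
# Function names are hypothetical; the sample lines at the bottom are constructed.

# Pull the quoted version out of `java -version 2>&1` output read from stdin.
java_version_from_output() {
    sed -n 's/^.* version "\([^"]*\)".*$/\1/p' | head -n 1
}

# Compare two versions field by field (fields are split on '.' and '_').
# Exit status: 0 = $1 >= $2, 1 = $1 < $2, 2 = either one is unparseable.
java_at_least() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        ok = "^[0-9]+([._][0-9]+)*$"
        if (have !~ ok || want !~ ok) exit 2
        nh = split(have, h, /[._]/); nw = split(want, w, /[._]/)
        n = (nh > nw) ? nh : nw
        for (i = 1; i <= n; i++) {
            a = h[i] + 0; b = w[i] + 0      # missing fields count as 0
            if (a > b) exit 0
            if (a < b) exit 1
        }
        exit 0
    }'
}

# Classify `java -version` text ($1) against the 1.6.0_31 threshold the page names.
# Release lines other than 1.6 are UNKNOWN: the page gives no threshold for them.
java_patch_status() {
    ver=$(printf '%s\n' "$1" | java_version_from_output)
    case "$ver" in
        1.6|1.6.*) ;;
        *) echo "UNKNOWN"; return 0 ;;
    esac
    rc=0
    java_at_least "$ver" "1.6.0_31" || rc=$?
    case "$rc" in
        0) echo "PATCHED" ;;
        1) echo "NOT PATCHED" ;;
        *) echo "UNKNOWN" ;;
    esac
}

# Constructed sample outputs (not captured from a real machine).
for line in 'java version "1.6.0_29"' 'java version "1.6.0_31"' \
            'java version "1.7.0"' 'no java here'; do
    printf '%-28s -> %s\n' "$line" "$(java_patch_status "$line")"
done
```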

How to run it?

  1. Download the script.
  2. Extract chk_flashback from the downloaded tar.gz file.
  3. Open Terminal and run it.
    chmod +x chk_flashback; ./chk_flashback

To manually remove the trojan:

F-Secure instructions to manually remove flashback trojan

