Detecting and removing the Flashback malware in OS X

The Flashback Trojan's latest iterations have evolved to infect Macs in different ways, but there are methods to detect and remove them.

Topher Kessler, MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

Recently a new variant of the Imuler/Revir Trojan malware for OS X was found being distributed disguised as erotic images; if installed on a Mac system, it attempts to steal personal information and upload it to remote servers. The malware's initial variants were bundled with offensive political material, but its recent iteration has been distributed among a collection of cover girl images in an obvious attempt to trick people into opening the application.

While these attempts are relatively easy to avoid, security company F-Secure has been monitoring a more serious threat from the Flashback malware for OS X. This malware, which has been distributed as a fake installer application for the popular Adobe Flash Player plug-in, works by modifying the code in Web browsers so that the malware is launched when they are run, and then tries to send information on visited Web pages to remote servers.

Initially this malware was only an OS X installer file disguised as Flash Player, but in February of this year another variant was found that attempts to take advantage of Java security holes to install itself without requiring user interaction or being detected.

OS X does not come with Java installed by default, and the latest versions of Java should be patched properly, so anyone with a new or properly updated system should be safe from these threats; however, there are likely many people still running older, still-vulnerable versions of Java on their systems.

If you do not use Java on your system, then you can avoid these threats by disabling it in your Web browser, and also by doing so in the Java Preferences utility in your Applications/Utilities/ folder (uncheck any Java runtime listings in the utility to disable them). By doing this, any threats that attempt to take advantage of Java will not work.

If you do this and find Java is required for some of the applications you use, then be sure you have the latest version (currently available via Software Update if you have Java installed).

[Screenshot: Terminal commands showing no infection. Caption: By running these commands in the Terminal, if you see "does not exist" as part of the output then your system is not infected. Screenshot by Topher Kessler/CNET]

As with previous variants of the malware, the latest variant of the Flashback malware, called OSX/Flashback.I, works by modifying code within Web browsers so that it is launched when the browsers are opened, resulting in modified Web pages being displayed.

Today F-Secure issued a detailed analysis of the Flashback threat, including how to detect and remove it. The analysis covers the various methods the malware has used to alter Web browser code and, for each, discusses how to detect and remove the threat if your system is infected.

To summarize, the malware has overall adopted two modes of infection. The first requires administrative privileges: it alters the embedded information property list within the Firefox and Safari Web browsers to contain a variable called "DYLD_INSERT_LIBRARIES" that launches the malware when these applications are run. F-Secure claims these variants of the malware are ultimately harder to detect (provided the user unknowingly supplied administrative privileges when running the fake Flash Player installer), since the infection only affects these programs.

The second infection route does not target individual applications, but instead alters a user-wide environment property list with the same "DYLD_INSERT_LIBRARIES" variable, which launches the malware whenever any application is opened. Because this modification is made to the user's account and not to files within the Applications folder, the attack does not require admin privileges to complete; however, it ultimately results in a more obvious infection that destabilizes the system and leads to crashes.

The malware only works as intended when run within Web browsers, so more recent variants include filtering that only lets it run when Safari is loaded, resulting in a more stable system that is less likely to be suspected of harboring malware.

F-Secure's analysis offers a detailed method for detecting and ultimately removing the malware from your system, though you can easily detect the malware in its known variants by running the following three commands sequentially in the OS X Terminal utility (found in the /Applications/Utilities/ folder):

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

If your system is not infected, the output of each of these commands will state in part that the domain/default pair "does not exist"; if it is infected, Terminal will instead output a path that points to the malware, and you can follow the instructions provided in F-Secure's analysis to remove it from your system.
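The following script is an added example, not part of the CNET article or F-Secure's analysis: it runs the same three checks described above and classifies each result from the text and exit status that defaults(1) returns. The sample outputs in the classification function's comments are constructed; the real tool prints the "does not exist" message when a key is absent.

```shell
#!/bin/sh
# Added example (not from the article): automate the three Flashback
# detection checks and classify each result.

# Classify one `defaults read` result.
#   $1 = exit status of the command, $2 = its combined stdout/stderr.
# When the key is absent, defaults(1) exits non-zero and prints
# "... does not exist"; when present, it exits 0 and prints the value,
# which for an infected system would be a library path (a constructed
# example would be "/path/to/inserted.dylib").
classify_defaults() {
    status="$1"
    output="$2"
    case "$output" in
        *"does not exist"*)
            echo "clean" ;;
        *)
            if [ "$status" -eq 0 ] && [ -n "$output" ]; then
                # A value is present: report it for manual review.
                echo "SUSPECT: $output"
            else
                # No value and no "does not exist" message (e.g. unreadable file).
                echo "unknown"
            fi ;;
    esac
}

# Run one real `defaults read` check and print a labelled verdict.
check_domain() {
    domain="$1"
    key="$2"
    st=0
    out=$(defaults read "$domain" "$key" 2>&1) || st=$?
    printf '%s %s: %s\n' "$domain" "$key" "$(classify_defaults "$st" "$out")"
}

# The three checks from the article; only meaningful on OS X.
flashback_check() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not found; this check only runs on OS X" >&2
        return 2
    fi
    check_domain "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES
    check_domain /Applications/Safari.app/Contents/Info LSEnvironment
    check_domain /Applications/Firefox.app/Contents/Info LSEnvironment
}
```

A "SUSPECT" line means a DYLD_INSERT_LIBRARIES value is present, not proof of Flashback; that variable is a legitimate dyld feature some development tools set, so compare the reported path against F-Secure's description before removing anything.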

While F-Secure covers how to restore affected programs like Safari and Firefox to their original state, one easy option is to simply re-download Safari and Firefox and install them on your system, or copy them from another system containing the programs, making sure you delete the old version of each browser. Keep in mind that this only helps with the malware variants that required admin privileges to install, which are detected by the second and third of the Terminal commands listed above. If the first command is the only one that shows a problem, you will need to follow F-Secure's instructions for removing the malware.
