Sunday, April 8, 2012

Check and remove botnet Flashback for your Mac

More than 600000 Macs have been infected by the Flashback botnet. To check your Mac, follow the simple steps below:

Run Terminal (find it in Applications/Utilities or search in Spotlight), and enter these 3 commands:

- defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

- defaults read /Applications/Safari.app/Contents/Info LSEnvironment

- defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

If the results are as follows, congratulations! Your Mac hasn’t been infected.

- The domain/default pair of (/Users/jacqui/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist

- The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist

- The domain/default pair of (/Applications/Firefox.app/Contents/Info, LSEnvironment) does not exist
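
The three checks above can also be scripted. The following is an added example, not part of the original post or of F-Secure's guide; it only reads settings, treats any "does not exist" reply as clean, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example: runs the three read-only checks from this post and
# interprets the output. Nothing is modified or deleted.

# classify_result STATUS OUTPUT -> prints clean | suspicious | unknown
classify_result() {
    case "$2" in
        *"does not exist"*) echo clean; return 0 ;;   # key or domain absent
    esac
    if [ "$1" -eq 0 ] && [ -n "$2" ]; then
        echo suspicious   # key is set: an injected library may be configured
    else
        echo unknown      # defaults failed for another reason; check by hand
    fi
}

# check_key DOMAIN KEY -> prints "<verdict> <domain> <key>" plus any value found
check_key() {
    if out=$(defaults read "$1" "$2" 2>&1); then st=0; else st=$?; fi
    verdict=$(classify_result "$st" "$out")
    printf '%s\t%s %s\n' "$verdict" "$1" "$2"
    if [ "$verdict" != clean ]; then printf '%s\n' "$out" | sed 's/^/    /'; fi
}

# check_flashback -> returns 0 only if all three checks come back clean
check_flashback() {
    rc=0
    for pair in "$HOME/.MacOSX/environment|DYLD_INSERT_LIBRARIES" \
                "/Applications/Safari.app/Contents/Info|LSEnvironment" \
                "/Applications/Firefox.app/Contents/Info|LSEnvironment"; do
        line=$(check_key "${pair%|*}" "${pair#*|}")
        printf '%s\n' "$line"
        case "$line" in clean*) ;; *) rc=1 ;; esac
    done
    return "$rc"
}

# Run only where the macOS `defaults` tool exists.
if command -v defaults >/dev/null 2>&1; then
    if check_flashback; then
        echo "No Flashback environment hooks found."
    else
        echo "Review the entries above and follow the removal guide."
    fi
fi
```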

In case your Mac is infected, don’t worry, you can remove it by following the guide from www.f-secure.com

Manual Removal Instructions

1. Run the following command in Terminal:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment

2. Take note of the value, DYLD_INSERT_LIBRARIES

3. Proceed to step 8 if you got the following error message:
"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"

4. Otherwise, run the following command in Terminal:
grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%

5. Take note of the value after "__ldpath__"

6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):
sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
sudo chmod 644 /Applications/Safari.app/Contents/Info.plist

7. Delete the files obtained in steps 2 and 5

8. Run the following command in Terminal:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:
"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"

10. Otherwise, run the following command in Terminal:
grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%

11. Take note of the value after "__ldpath__"

12. Run the following commands in Terminal:
defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
launchctl unsetenv DYLD_INSERT_LIBRARIES

13. Finally, delete the files obtained in steps 9 and 11.

14. Run the following command in Terminal:
ls -lA ~/Library/LaunchAgents/

15. Take note of the filename. Proceed only when you have one file. Otherwise contact our customer care.

16. Run the following command in Terminal:
defaults read ~/Library/LaunchAgents/%filename_obtained_in_step15% ProgramArguments

17. Take note of the path. If the filename does not start with a ".", then you might not be infected with this variant.

18. Delete the files obtained in steps 15 and 17.

Don’t forget to run Software Update to update to the latest MacOS.
