Does the Flashback trojan affect Chrome? Lion?

Does the Flashback trojan affect Chrome as well?
Does the Flashback trojan affect browsers under Lion?

I executed this in terminal
defaults read /Applications/Chrome.app/Contents/Info LSEnvironment

and got a file does not exist error. But I'm not sure that's a valid
test. (I just used the same test as for Safari and substituted Chrome).

--
"I was gratified to be able to answer promptly, and I did.
I said I didn't know."
-Samuel Clemens.

On 2012-04-07 11:30 , Jolly Roger wrote:
> In article<2vCdnZ7ns8AN2R3SnZ2dnUVZ_umdnZ2d@giganews. com>,
> Alan Browne<> wrote:
>
>> Does the Flashback trojan affect Chrome as well?
>> Does the Flashback trojan affect browsers under Lion?
>>
>> I executed this in terminal
>> defaults read /Applications/Chrome.app/Contents/Info LSEnvironment
>>
>> and got a file does not exist error. But I'm not sure that's a valid
>> test. (I just used the same test as for Safari and substituted Chrome).
>
> My suggestion: Install the latest Apple software update for Java and go
> on with life.

DL'ing just before I opened your reply. For some reason it did not
appear yesterday when I did a s/w update check.

I assume, once installed, that Java can be turned back on in the browsers?


--
"I was gratified to be able to answer promptly, and I did.
I said I didn't know."
-Samuel Clemens.

In article <>,
Alan Browne <> wrote:

> Does the Flashback trojan affect Chrome as well?
> Does the Flashback trojan affect browsers under Lion?
>
> I executed this in terminal
> defaults read /Applications/Chrome.app/Contents/Info LSEnvironment
>
> and got a file does not exist error. But I'm not sure that's a valid
> test. (I just used the same test as for Safari and substituted Chrome).

Here's a script I found on the web that checks for the Flashback trojan:

--see if this entry exists.* If not an error will occur and be trapped
try
do shell script "defaults read /Applications/Safari.app/Contents/Info*
LSEnvironment"
--set this variable if this entry exists
set LSE to "true"
on error errmsg
--set this variable if the error contains the message "does not exist"
if errmsg contains "does not exist" then
set LSE to "false"
end if
end try
--search Firefox for infections
try
do shell script "defaults read /Applications/Firefox.app/Contents/Info*
LSEnvironment"
--set this variable if this entry exists
set FLSE to "true"
on error errmsg
--set this variable if the error contains the message "does not exist"
if errmsg contains "does not exist" then
set FLSE to "false"
end if
end try
--see if this entry exists.* If not an error will occur and be trapped
try
do shell script "defaults read ~/.MacOSX/environment
DYLD_INSERT_LIBRARIES"
set DLib to "true"
on error errmsg
--set this variable if the error contains the message "does not exist"
if errmsg contains "does not exist" then
set DLib to "false"
end if
end try
--if all variables are false then the machine isn't infected
if LSE is "false" and DLib is "false" and FLSE is "false" then
display alert "You are not infected with Flashback"
--if any variable is true the machine may be infected and needs closer
inspection
else if LSE is "true" or DLib is "true" or FLSE is "true" then
display alert "You may have the Flashback infection" & return & "Go to
following URL for more information:" & return & return &
"http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml"
end if

--
Tea Party Patriots is to Patriotism as
People's Democratic Republic is to Democracy.

In article <jollyroger->,
Jolly Roger <> wrote:

> In article <>,
> Alan Browne <> wrote:
>
> > Does the Flashback trojan affect Chrome as well?
> > Does the Flashback trojan affect browsers under Lion?
> >
> > I executed this in terminal
> > defaults read /Applications/Chrome.app/Contents/Info LSEnvironment
> >
> > and got a file does not exist error. But I'm not sure that's a valid
> > test. (I just used the same test as for Safari and substituted Chrome).
>
> My suggestion: Install the latest Apple software update for Java and go
> on with life.

Quick question for JR or whoever. IF you had the FB trojan does it still
work after the update or does that take care of it? If you have it do
you need to do something to get rid of it or does the update kill it
off?

--
People thought cybersex was a safe alternative,
until patients started presenting with sexually
acquired carpal tunnel syndrome.-Howard Berkowitz

On 2012-04-07 11:59 , Michelle Steiner wrote:
> In article<2vCdnZ7ns8AN2R3SnZ2dnUVZ_umdnZ2d@giganews. com>,
> Alan Browne<> wrote:
>
>> Does the Flashback trojan affect Chrome as well?
>> Does the Flashback trojan affect browsers under Lion?
>>
>> I executed this in terminal
>> defaults read /Applications/Chrome.app/Contents/Info LSEnvironment
>>
>> and got a file does not exist error. But I'm not sure that's a valid
>> test. (I just used the same test as for Safari and substituted Chrome).
>
> Here's a script I found on the web that checks for the Flashback trojan:

That script checks for Safari and Firefox transport of the trojan, not
Chrome. I emulated the same command found variously around the web
(above) but I'm not absolutely sure it's a correct test.

IAC, the Apple update went in an hour or so ago in two Macs. Just my
son's Mac left to check.

--
"I was gratified to be able to answer promptly, and I did.
I said I didn't know."
-Samuel Clemens.

On 2012-04-07 12:04 , Jolly Roger wrote:
> In article<ruOdnRcyQ6Pe_B3SnZ2dnUVZ_rWdnZ2d@giganews. com>,
> Alan Browne<> wrote:
>
>> On 2012-04-07 11:30 , Jolly Roger wrote:
>>> In article<2vCdnZ7ns8AN2R3SnZ2dnUVZ_umdnZ2d@giganews. com>,
>>> Alan Browne<> wrote:
>>>
>>>> Does the Flashback trojan affect Chrome as well?
>>>> Does the Flashback trojan affect browsers under Lion?
>>>>
>>>> I executed this in terminal
>>>> defaults read /Applications/Chrome.app/Contents/Info LSEnvironment
>>>>
>>>> and got a file does not exist error. But I'm not sure that's a valid
>>>> test. (I just used the same test as for Safari and substituted Chrome).
>>>
>>> My suggestion: Install the latest Apple software update for Java and go
>>> on with life.
>>
>> DL'ing just before I opened your reply. For some reason it did not
>> appear yesterday when I did a s/w update check.
>>
>> I assume, once installed, that Java can be turned back on in the browsers?
>
> According to Apple:
>
> <http://support.apple.com/kb/HT5228>
>
> This updates Java to 1.6.0_31:
>
> "Multiple vulnerabilities exist in Java 1.6.0_29, the most serious of
> which may allow an untrusted Java applet to execute arbitrary code
> outside the Java sandbox. Visiting a web page containing a maliciously
> crafted untrusted Java applet may lead to arbitrary code execution with
> the privileges of the current user. These issues are addressed by
> updating to Java version 1.6.0_31."

Not the most unambiguous statement.

At least using a non-admin account has some level of protection for the
system. But the privacy of the user account infected with this is at
risk. Can't convince my son to go to a two tier though.

--
"I was gratified to be able to answer promptly, and I did.
I said I didn't know."
-Samuel Clemens.

In article <>,
Alan Browne <> wrote:

> > Here's a script I found on the web that checks for the Flashback
> > trojan:
>
> That script checks for Safari and Firefox transport of the trojan, not
> Chrome. I emulated the same command found variously around the web
> (above) but I'm not absolutely sure it's a correct test.

Chrome uses the same WebKit that Safari uses, so it may be that the Safari
test also works for Chrome.

--
Tea Party Patriots is to Patriotism as
People's Democratic Republic is to Democracy.

Michelle Steiner <> wrote:

> In article <>,
> Alan Browne <> wrote:
>
> > > Here's a script I found on the web that checks for the Flashback
> > > trojan:
> >
> > That script checks for Safari and Firefox transport of the trojan, not
> > Chrome. I emulated the same command found variously around the web
> > (above) but I'm not absolutely sure it's a correct test.
>
> Chrome uses the same WebKit that Safari uses, so it may be that the Safari
> test also works for Chrome.

Chrome has its own built-in build of WebKit. It doesn't use the system
one installed as part of Safari.

In any case, the script is directly checking the Safari and Firefox
applications, so it won't check whether Chrome (or any other web
browser) has been modified.

In the case of Firefox, it also makes the mistake of assuming where
Firefox was installed, which is not a good idea as Firefox is installed
using drag-and-drop, so the user could have put it in a non-standard
place. (Safari is installed via a package and shouldn't be moved.)

--
David Empson

On 04/07/2012 01:59 PM, Alan Browne wrote:
> On 2012-04-07 12:04 , Jolly Roger wrote:
>> In article<ruOdnRcyQ6Pe_B3SnZ2dnUVZ_rWdnZ2d@giganews. com>,
>> Alan Browne<> wrote:
>>
>>> On 2012-04-07 11:30 , Jolly Roger wrote:
>>>> In article<2vCdnZ7ns8AN2R3SnZ2dnUVZ_umdnZ2d@giganews. com>,
>>>> Alan Browne<> wrote:
>>>>
>>>>> Does the Flashback trojan affect Chrome as well?
>>>>> Does the Flashback trojan affect browsers under Lion?
>>>>>
>>>>> I executed this in terminal
>>>>> defaults read /Applications/Chrome.app/Contents/Info LSEnvironment
>>>>>
>>>>> and got a file does not exist error. But I'm not sure that's a valid
>>>>> test. (I just used the same test as for Safari and substituted
>>>>> Chrome).
>>>>
>>>> My suggestion: Install the latest Apple software update for Java and go
>>>> on with life.
>>>
>>> DL'ing just before I opened your reply. For some reason it did not
>>> appear yesterday when I did a s/w update check.
>>>
>>> I assume, once installed, that Java can be turned back on in the
>>> browsers?
>>
>> According to Apple:
>>
>> <http://support.apple.com/kb/HT5228>
>>
>> This updates Java to 1.6.0_31:
>>
>> "Multiple vulnerabilities exist in Java 1.6.0_29, the most serious of
>> which may allow an untrusted Java applet to execute arbitrary code
>> outside the Java sandbox. Visiting a web page containing a maliciously
>> crafted untrusted Java applet may lead to arbitrary code execution with
>> the privileges of the current user. These issues are addressed by
>> updating to Java version 1.6.0_31."
>
> Not the most unambiguous statement.
>
> At least using a non-admin account has some level of protection for the
> system. But the privacy of the user account infected with this is at
> risk. Can't convince my son to go to a two tier though.
>
I find this part interesting on the check and removal instructions:

http://www.f-secure.com/v-descs/troj...shback_i.shtml

--
*Hemidactylus*

In article <1ki89k9.3f2ir0vzr138N%>,
(David Empson) wrote:

> In the case of Firefox, it also makes the mistake of assuming where
> Firefox was installed, which is not a good idea as Firefox is installed
> using drag-and-drop, so the user could have put it in a non-standard
> place. (Safari is installed via a package and shouldn't be moved.)

If you know enough to install it in an unusual place, you shouldn't have
too much trouble modifying the command to access that place.

--
Barry Margolin,
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***