Does the Flashback trojan affect Chrome? Lion?

Discussion in 'Apple' started by Alan Browne, Apr 7, 2012.

  1. Alan Browne

    Alan Browne Guest

    Does the Flashback trojan affect Chrome as well?
    Does the Flashback trojan affect browsers under Lion?

    I executed this in terminal
    defaults read /Applications/Chrome.app/Contents/Info LSEnvironment

    and got a file does not exist error. But I'm not sure that's a valid
    test. (I just used the same test as for Safari and substituted Chrome).

    --
    "I was gratified to be able to answer promptly, and I did.
    I said I didn't know."
    -Samuel Clemens.
     

  2. Alan Browne

    Alan Browne Guest

    On 2012-04-07 11:30 , Jolly Roger wrote:
    > In article<>,
    > Alan Browne<> wrote:
    >
    >> Does the Flashback trojan affect Chrome as well?
    >> Does the Flashback trojan affect browsers under Lion?
    >>
    >> I executed this in terminal
    >> defaults read /Applications/Chrome.app/Contents/Info LSEnvironment
    >>
    >> and got a file does not exist error. But I'm not sure that's a valid
    >> test. (I just used the same test as for Safari and substituted Chrome).

    >
    > My suggestion: Install the latest Apple software update for Java and go
    > on with life.


    DL'ing just before I opened your reply. For some reason it did not
    appear yesterday when I did a s/w update check.

    I assume, once installed, that Java can be turned back on in the browsers?


    --
    "I was gratified to be able to answer promptly, and I did.
    I said I didn't know."
    -Samuel Clemens.
     

  3. In article <>,
    Alan Browne <> wrote:

    > Does the Flashback trojan affect Chrome as well?
    > Does the Flashback trojan affect browsers under Lion?
    >
    > I executed this in terminal
    > defaults read /Applications/Chrome.app/Contents/Info LSEnvironment
    >
    > and got a file does not exist error. But I'm not sure that's a valid
    > test. (I just used the same test as for Safari and substituted Chrome).


    Here's a script I found on the web that checks for the Flashback trojan:

    -- see if this entry exists.  If not an error will occur and be trapped
    try
        do shell script "defaults read /Applications/Safari.app/Contents/Info LSEnvironment"
        -- set this variable if this entry exists
        set LSE to "true"
    on error errmsg
        -- set this variable if the error contains the message "does not exist"
        if errmsg contains "does not exist" then
            set LSE to "false"
        else
            -- any other error: flag it so the machine gets a closer look
            set LSE to "true"
        end if
    end try
    -- search Firefox for infections
    try
        do shell script "defaults read /Applications/Firefox.app/Contents/Info LSEnvironment"
        -- set this variable if this entry exists
        set FLSE to "true"
    on error errmsg
        -- set this variable if the error contains the message "does not exist"
        if errmsg contains "does not exist" then
            set FLSE to "false"
        else
            set FLSE to "true"
        end if
    end try
    -- see if this entry exists.  If not an error will occur and be trapped
    try
        do shell script "defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES"
        set DLib to "true"
    on error errmsg
        -- set this variable if the error contains the message "does not exist"
        if errmsg contains "does not exist" then
            set DLib to "false"
        else
            set DLib to "true"
        end if
    end try
    -- if all variables are false then the machine isn't infected
    if LSE is "false" and DLib is "false" and FLSE is "false" then
        display alert "You are not infected with Flashback"
    -- if any variable is true the machine may be infected and needs closer inspection
    else if LSE is "true" or DLib is "true" or FLSE is "true" then
        display alert "You may have the Flashback infection" & return & "Go to following URL for more information:" & return & return & "http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml"
    end if

    --
    Tea Party Patriots is to Patriotism as
    People's Democratic Republic is to Democracy.
     
  4. Kurt Ullman

    Kurt Ullman Guest

    In article <>,
    Jolly Roger <> wrote:

    > In article <>,
    > Alan Browne <> wrote:
    >
    > > Does the Flashback trojan affect Chrome as well?
    > > Does the Flashback trojan affect browsers under Lion?
    > >
    > > I executed this in terminal
    > > defaults read /Applications/Chrome.app/Contents/Info LSEnvironment
    > >
    > > and got a file does not exist error. But I'm not sure that's a valid
    > > test. (I just used the same test as for Safari and substituted Chrome).

    >
    > My suggestion: Install the latest Apple software update for Java and go
    > on with life.


    Quick question for JR or whoever. IF you had the FB trojan does it still
    work after the update or does that take care of it? If you have it do
    you need to do something to get rid of it or does the update kill it
    off?

    --
    People thought cybersex was a safe alternative,
    until patients started presenting with sexually
    acquired carpal tunnel syndrome.-Howard Berkowitz
     
  5. Alan Browne

    Alan Browne Guest

    On 2012-04-07 11:59 , Michelle Steiner wrote:
    > In article<>,
    > Alan Browne<> wrote:
    >
    >> Does the Flashback trojan affect Chrome as well?
    >> Does the Flashback trojan affect browsers under Lion?
    >>
    >> I executed this in terminal
    >> defaults read /Applications/Chrome.app/Contents/Info LSEnvironment
    >>
    >> and got a file does not exist error. But I'm not sure that's a valid
    >> test. (I just used the same test as for Safari and substituted Chrome).

    >
    > Here's a script I found on the web that checks for the Flashback trojan:


    That script checks for Safari and Firefox transport of the trojan, not
    Chrome. I emulated the same command found variously around the web
    (above) but I'm not absolutely sure it's a correct test.

    IAC, the Apple update went in an hour or so ago in two Macs. Just my
    son's Mac left to check.

    --
    "I was gratified to be able to answer promptly, and I did.
    I said I didn't know."
    -Samuel Clemens.
     
  6. Alan Browne

    Alan Browne Guest

    On 2012-04-07 12:04 , Jolly Roger wrote:
    > In article<>,
    > Alan Browne<> wrote:
    >
    >> On 2012-04-07 11:30 , Jolly Roger wrote:
    >>> In article<>,
    >>> Alan Browne<> wrote:
    >>>
    >>>> Does the Flashback trojan affect Chrome as well?
    >>>> Does the Flashback trojan affect browsers under Lion?
    >>>>
    >>>> I executed this in terminal
    >>>> defaults read /Applications/Chrome.app/Contents/Info LSEnvironment
    >>>>
    >>>> and got a file does not exist error. But I'm not sure that's a valid
    >>>> test. (I just used the same test as for Safari and substituted Chrome).
    >>>
    >>> My suggestion: Install the latest Apple software update for Java and go
    >>> on with life.

    >>
    >> DL'ing just before I opened your reply. For some reason it did not
    >> appear yesterday when I did a s/w update check.
    >>
    >> I assume, once installed, that Java can be turned back on in the browsers?

    >
    > According to Apple:
    >
    > <http://support.apple.com/kb/HT5228>
    >
    > This updates Java to 1.6.0_31:
    >
    > "Multiple vulnerabilities exist in Java 1.6.0_29, the most serious of
    > which may allow an untrusted Java applet to execute arbitrary code
    > outside the Java sandbox. Visiting a web page containing a maliciously
    > crafted untrusted Java applet may lead to arbitrary code execution with
    > the privileges of the current user. These issues are addressed by
    > updating to Java version 1.6.0_31."


    Not the most unambiguous statement.

    At least using a non-admin account has some level of protection for the
    system. But the privacy of the user account infected with this is at
    risk. Can't convince my son to go to a two tier though.

    --
    "I was gratified to be able to answer promptly, and I did.
    I said I didn't know."
    -Samuel Clemens.
     
  7. In article <>,
    Alan Browne <> wrote:

    > > Here's a script I found on the web that checks for the Flashback
    > > trojan:

    >
    > That script checks for Safari and Firefox transport of the trojan, not
    > Chrome. I emulated the same command found variously around the web
    > (above) but I'm not absolutely sure it's a correct test.


    Chrome uses the same WebKit that Safari uses, so it may be that the Safari
    test also works for Chrome.

    --
    Tea Party Patriots is to Patriotism as
    People's Democratic Republic is to Democracy.
     
  8. David Empson

    David Empson Guest

    Michelle Steiner <> wrote:

    > In article <>,
    > Alan Browne <> wrote:
    >
    > > > Here's a script I found on the web that checks for the Flashback
    > > > trojan:

    > >
    > > That script checks for Safari and Firefox transport of the trojan, not
    > > Chrome. I emulated the same command found variously around the web
    > > (above) but I'm not absolutely sure it's a correct test.

    >
    > Chrome uses the same WebKit that Safari uses, so it may be that the Safari
    > test also works for Chrome.


    Chrome has its own built-in build of WebKit. It doesn't use the system
    one installed as part of Safari.

    In any case, the script is directly checking the Safari and Firefox
    applications, so it won't check whether Chrome (or any other web
    browser) has been modified.

    In the case of Firefox, it also makes the mistake of assuming where
    Firefox was installed, which is not a good idea as Firefox is installed
    using drag-and-drop, so the user could have put it in a non-standard
    place. (Safari is installed via a package and shouldn't be moved.)

    --
    David Empson
     
  9. On 04/07/2012 01:59 PM, Alan Browne wrote:
    > On 2012-04-07 12:04 , Jolly Roger wrote:
    >> In article<>,
    >> Alan Browne<> wrote:
    >>
    >>> On 2012-04-07 11:30 , Jolly Roger wrote:
    >>>> In article<>,
    >>>> Alan Browne<> wrote:
    >>>>
    >>>>> Does the Flashback trojan affect Chrome as well?
    >>>>> Does the Flashback trojan affect browsers under Lion?
    >>>>>
    >>>>> I executed this in terminal
    >>>>> defaults read /Applications/Chrome.app/Contents/Info LSEnvironment
    >>>>>
    >>>>> and got a file does not exist error. But I'm not sure that's a valid
    >>>>> test. (I just used the same test as for Safari and substituted
    >>>>> Chrome).
    >>>>
    >>>> My suggestion: Install the latest Apple software update for Java and go
    >>>> on with life.
    >>>
    >>> DL'ing just before I opened your reply. For some reason it did not
    >>> appear yesterday when I did a s/w update check.
    >>>
    >>> I assume, once installed, that Java can be turned back on in the
    >>> browsers?

    >>
    >> According to Apple:
    >>
    >> <http://support.apple.com/kb/HT5228>
    >>
    >> This updates Java to 1.6.0_31:
    >>
    >> "Multiple vulnerabilities exist in Java 1.6.0_29, the most serious of
    >> which may allow an untrusted Java applet to execute arbitrary code
    >> outside the Java sandbox. Visiting a web page containing a maliciously
    >> crafted untrusted Java applet may lead to arbitrary code execution with
    >> the privileges of the current user. These issues are addressed by
    >> updating to Java version 1.6.0_31."

    >
    > Not the most unambiguous statement.
    >
    > At least using a non-admin account has some level of protection for the
    > system. But the privacy of the user account infected with this is at
    > risk. Can't convince my son to go to a two tier though.
    >

    I find this part interesting on the check and removal instructions:

    http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

    --
    *Hemidactylus*
     
  10. In article <1ki89k9.3f2ir0vzr138N%>,
    (David Empson) wrote:

    > In the case of Firefox, it also makes the mistake of assuming where
    > Firefox was installed, which is not a good idea as Firefox is installed
    > using drag-and-drop, so the user could have put it in a non-standard
    > place. (Safari is installed via a package and shouldn't be moved.)


    If you know enough to install it in an unusual place, you shouldn't have
    too much trouble modifying the command to access that place.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
     
  11. Wes Groleau

    Wes Groleau Guest

    On 04-07-2012 18:43, *Hemidactylus* quoted:
    > On execution, the malware checks if the following path exists in the
    > system:
    >
    > /Library/Little Snitch
    > /Developer/Applications/Xcode.app/Contents/MacOS/Xcode
    > /Applications/VirusBarrier X6.app
    > /Applications/iAntiVirus/iAntiVirus.app
    > /Applications/avast!.app
    > /Applications/ClamXav.app
    > /Applications/HTTPScoop.app
    > /Applications/Packet Peeper.app
    >
    > If any of these are found, the malware will skip the rest of its routine
    > and proceed to delete itself.


    (snicker)
    So the simple way to get rid of it is

    mkdir -p "/Library/Little Snitch"


    --
    Wes Groleau

    Pat's Polemics
    http://Ideas.Lang-Learn.us/barrett
     
  12. Wes Groleau

    Wes Groleau Guest

    On 04-07-2012 19:53, Barry Margolin wrote:
    > (David Empson) wrote:
    >
    >> In the case of Firefox, it also makes the mistake of assuming where
    >> Firefox was installed, which is not a good idea as Firefox is installed
    >> using drag-and-drop, so the user could have put it in a non-standard
    >> place. (Safari is installed via a package and shouldn't be moved.)

    >
    > If you know enough to install it in an unusual place, you shouldn't have
    > too much trouble modifying the command to access that place.


    Quote: "installed using drag-and-drop"

    You don't have to know ANYTHING other than what a mouse looks like.

    --
    Wes Groleau

    Pat's Polemics
    http://Ideas.Lang-Learn.us/barrett
     
  13. On 04/07/2012 11:01 PM, Wes Groleau wrote:
    > On 04-07-2012 18:43, *Hemidactylus* quoted:
    >> On execution, the malware checks if the following path exists in the
    >> system:
    >>
    >> /Library/Little Snitch
    >> /Developer/Applications/Xcode.app/Contents/MacOS/Xcode
    >> /Applications/VirusBarrier X6.app
    >> /Applications/iAntiVirus/iAntiVirus.app
    >> /Applications/avast!.app
    >> /Applications/ClamXav.app
    >> /Applications/HTTPScoop.app
    >> /Applications/Packet Peeper.app
    >>
    >> If any of these are found, the malware will skip the rest of its routine
    >> and proceed to delete itself.

    >
    > (snicker)
    > So the simple way to get rid of it is
    >
    > mkdir -p "/Library/Little Snitch"


    Or prevent it. If you already have the infection what good would
    creating a directory do?


    --
    *Hemidactylus*
     
  14. In article <jlqv82$3kr$>,
    Wes Groleau <> wrote:

    > On 04-07-2012 19:53, Barry Margolin wrote:
    > > (David Empson) wrote:
    > >
    > >> In the case of Firefox, it also makes the mistake of assuming where
    > >> Firefox was installed, which is not a good idea as Firefox is installed
    > >> using drag-and-drop, so the user could have put it in a non-standard
    > >> place. (Safari is installed via a package and shouldn't be moved.)

    > >
    > > If you know enough to install it in an unusual place, you shouldn't have
    > > too much trouble modifying the command to access that place.

    >
    > Quote: "installed using drag-and-drop"
    >
    > You don't have to know ANYTHING other than what a mouse looks like.


    True. But why would someone who doesn't know anything do anything other
    than the "normal" thing? Doesn't FF's disk image have the common:

    => Applications

    icon, which essentially tells the user to drag the app into the
    Applications folder to install it? In general, someone who doesn't
    follow these directions presumably has a reason, and that suggests they
    know what they're doing.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
     
  15. David Empson

    David Empson Guest

    Barry Margolin <> wrote:

    > In article <jlqv82$3kr$>,
    > Wes Groleau <> wrote:
    >
    > > On 04-07-2012 19:53, Barry Margolin wrote:
    > > > (David Empson) wrote:
    > > >
    > > >> In the case of Firefox, it also makes the mistake of assuming where
    > > >> Firefox was installed, which is not a good idea as Firefox is installed
    > > >> using drag-and-drop, so the user could have put it in a non-standard
    > > >> place. (Safari is installed via a package and shouldn't be moved.)
    > > >
    > > > If you know enough to install it in an unusual place, you shouldn't have
    > > > too much trouble modifying the command to access that place.

    > >
    > > Quote: "installed using drag-and-drop"
    > >
    > > You don't have to know ANYTHING other than what a mouse looks like.

    >
    > True. But why would someone who doesn't know anything do anything other
    > than the "normal" thing? Doesn't FF's disk image have the common:
    >
    > => Applications
    >
    > icon, which essentially tells the user to drag the app into the
    > Applications folder to install it?


    Older ones don't, and a fair number of Mac users of my experience don't
    understand what that icon means, despite me telling them repeatedly.

    > In general, someone who doesn't follow these directions presumably has a
    > reason, and that suggests they know what they're doing.


    Or they don't know what they are doing.

    I've lost count of the number of times I've seen a copy of Firefox.app
    in an unusual place on someone else's computer.

    Most of the time, it was still on the disk image, which would be safer
    because it is read-only.

    I've also seen it on the desktop, or in stranger places.

    --
    David Empson
     
  16. In article <>,
    Jolly Roger <> wrote:

    > In article <>,
    > Kurt Ullman <> wrote:


    > > Quick question for JR or whoever. IF you had the FB trojan does it still
    > > work after the update or does that take care of it? If you have it do
    > > you need to do something to get rid of it or does the update kill it
    > > off?

    >
    > Good question. My guess would be you'd still need to remove it; but it
    > could very well be Apple has included removal code in the Java for OS X
    > Lion 2012-001 updater. The safest bet is to check after installing the
    > update if you think the malware might already exist on your system.


    I pasted in the "defaults read" incantations in terminal from
    <http://news.cnet.com/8301-27076_3-57410050-248/mac-flashback-malware-what-it-is-and-how-to-get-rid-of-it-faq/>
    "after" updating JAVA. I wish I
    would have done the incantations before updating. That way, I'd have
    known if I had a problem before updating instead of knowing I didn't
    have the problem after updating. Does that make sense? The update could
    have very well have removed the damning files.
    I don't think I had a problem. JAVA has always been unchecked in Safari
    preferences on my computer. I certainly don't have a problem "after"
    updating JAVA 'cause I checked.
    I think that this is a tempest in a teapot, but I also don't know if I
    had a problem "before" I did the update. I really would have liked to
    know that. Oh well, too late.

    leo
     
  17. David Empson

    David Empson Guest

    Leonard Blaisdell <> wrote:

    > In article <>,
    > Jolly Roger <> wrote:
    >
    > > In article <>,
    > > Kurt Ullman <> wrote:

    >
    > > > Quick question for JR or whoever. IF you had the FB trojan does it still
    > > > work after the update or does that take care of it? If you have it do
    > > > you need to do something to get rid of it or does the update kill it
    > > > off?

    > >
    > > Good question. My guess would be you'd still need to remove it; but it
    > > could very well be Apple has included removal code in the Java for OS X
    > > Lion 2012-001 updater. The safest bet is to check after installing the
    > > update if you think the malware might already exist on your system.

    >
    > I pasted in the "defaults read" incantations in terminal from
    > <http://news.cnet.com/8301-27076_3-57410050-248/mac-flashback-malware-what-it-is-and-how-to-get-rid-of-it-faq/>
    > "after" updating JAVA. I wish I
    > would have done the incantations before updating. That way, I'd have
    > known if I had a problem before updating instead of knowing I didn't
    > have the problem after updating. Does that make sense? The update could
    > have very well have removed the damning files.


    It doesn't. The update only installs a new version of Java, and does
    pre-install and post-install steps relating to that. (I've had a look
    through the packages with Pacifist.)

    I can't be certain that Apple's "XProtect" mechanism isn't detecting and
    removing this variant of Flashback (depends what Apple called it in
    their definitions; at first glance it appears not to be), but the Java
    update certainly isn't.

    --
    David Empson
     
  18. Paul Sture

    Paul Sture Guest

    On Sat, 07 Apr 2012 23:01:06 -0400, Wes Groleau wrote:

    > On 04-07-2012 18:43, *Hemidactylus* quoted:
    >> On execution, the malware checks if the following path exists in the
    >> system:
    >>
    >> /Library/Little Snitch
    >> /Developer/Applications/Xcode.app/Contents/MacOS/Xcode
    >> /Applications/VirusBarrier X6.app
    >> /Applications/iAntiVirus/iAntiVirus.app /Applications/avast!.app
    >> /Applications/ClamXav.app
    >> /Applications/HTTPScoop.app
    >> /Applications/Packet Peeper.app
    >>
    >> If any of these are found, the malware will skip the rest of its
    >> routine and proceed to delete itself.

    >
    > (snicker)
    > So the simple way to get rid of it is
    >
    > mkdir -p "/Library/Little Snitch"


    At the moment yes. For future versions of this nasty, all bets are off.

    --
    Paul Sture
     
  19. Alan Browne

    Alan Browne Guest

    On 2012-04-07 14:18 , Michelle Steiner wrote:
    > In article<>,
    > Alan Browne<> wrote:
    >
    >>> Here's a script I found on the web that checks for the Flashback
    >>> trojan:

    >>
    >> That script checks for Safari and Firefox transport of the trojan, not
    >> Chrome. I emulated the same command found variously around the web
    >> (above) but I'm not absolutely sure it's a correct test.

    >
    > Chrome uses the same WebKit that Safari uses, so it may be that the Safari
    > test also works for Chrome.


    It tests in folder locations specific to the browser:

    do shell script "defaults read /Applications/Safari.app/Contents/Info LSEnvironment"

    The folder Application/Safari.app ... would have nothing belonging to
    Chrome whether or not they have code commonality.

    --
    "I was gratified to be able to answer promptly, and I did.
    I said I didn't know."
    -Samuel Clemens.
     
  20. Rob Friefeld

    Rob Friefeld Guest

    In article <>,
    Alan Browne <> wrote:

    > Does the Flashback trojan affect Chrome as well?
    > Does the Flashback trojan affect browsers under Lion?
    >
    > I executed this in terminal
    > defaults read /Applications/Chrome.app/Contents/Info LSEnvironment
    >
    > and got a file does not exist error. But I'm not sure that's a valid
    > test. (I just used the same test as for Safari and substituted Chrome).


    Yes, it affects Chrome. The problem is Java, not the browser. The latest
    update from Apple is supposed to fix the vulnerability. As for testing
    for affliction, so far so good.

    Look at TidBITS: http://tidbits.com/article/12918

    > That said, detection comes down to issuing the following defaults read
    > commands in Terminal (F-Secure suggests only the first and last; the others
    > extend the technique from Safari to Google Chrome, Firefox, and iCab). In
    > each case, if you see "does not exist" at the end of the response from each
    > command, you are not infected. (The defaults read command is entirely safe -
    > it's just attempting to determine whether some data exists in the Info.plist
    > file within each application package.)


    > defaults read /Applications/Safari.app/Contents/Info LSEnvironment
    > defaults read /Applications/Google\ Chrome.app/Contents/Info LSEnvironment
    > defaults read /Applications/Firefox.app/Contents/Info LSEnvironment
    > defaults read /Applications/iCab\ 4/iCab.app/Contents/Info LSEnvironment
    > defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES


    Rob Friefeld
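As an added example that is not part of the thread (and not the AppleScript in post 3 or the TidBITS commands in post 20), here is a Python script that does what those `defaults read` commands do, by reading each application's Info.plist directly with plistlib, and extends the check to every .app bundle under a set of folders, so Chrome, iCab and a Firefox dragged to the Desktop (David Empson's objection in post 8) are all covered. The fixture layout, the user name and the sample dylib path are constructed for the demo; the marker keys LSEnvironment and DYLD_INSERT_LIBRARIES are the ones the thread names. It reports markers only; as Paul Sture notes, a clean result against these markers says nothing about later variants.

```python
import os
import plistlib
import tempfile

# Key the thread's "defaults read <app>/Contents/Info LSEnvironment" commands look for.
APP_MARKER_KEY = "LSEnvironment"
# Key the "defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES" command looks for.
USER_ENV_KEY = "DYLD_INSERT_LIBRARIES"


def read_plist(path):
    """Load a property list; plistlib handles both the XML and binary formats."""
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def find_app_bundles(roots):
    """Yield every *.app directory under the roots, without descending into bundles."""
    for root in roots:
        for dirpath, dirnames, _ in os.walk(root):
            for name in sorted(dirnames):
                if name.endswith(".app"):
                    yield os.path.join(dirpath, name)
            # Prune bundle internals so helper apps inside a bundle are not reported.
            dirnames[:] = [d for d in dirnames if not d.endswith(".app")]


def check_app(bundle):
    """Return the LSEnvironment dict from the bundle's Info.plist, or None if absent."""
    info = os.path.join(bundle, "Contents", "Info.plist")
    if not os.path.isfile(info):
        return None
    try:
        env = read_plist(info).get(APP_MARKER_KEY)
    except Exception:  # malformed plist: no evidence either way
        return None
    return dict(env) if isinstance(env, dict) and env else None


def check_user_environment(env_plist):
    """Return the DYLD_INSERT_LIBRARIES value from ~/.MacOSX/environment.plist, or None."""
    if not os.path.isfile(env_plist):
        return None
    return read_plist(env_plist).get(USER_ENV_KEY)


def scan(roots, env_plist):
    """Return (location, key, value) findings; an empty list means no marker was found."""
    findings = []
    for bundle in find_app_bundles(roots):
        env = check_app(bundle)
        if env is not None:
            findings.append((bundle, APP_MARKER_KEY, env))
    inserted = check_user_environment(env_plist)
    if inserted is not None:
        findings.append((env_plist, USER_ENV_KEY, inserted))
    return findings


def build_fixture(base):
    """Constructed disk layout: clean Safari and Chrome in Applications, a Firefox on the
    Desktop carrying a constructed LSEnvironment marker, and a user environment.plist."""
    sample_dylib = "/Users/Shared/.constructed-sample.dylib"  # constructed value, not an IoC
    apps = {
        "Applications/Safari.app": {"CFBundleIdentifier": "com.apple.Safari"},
        "Applications/Google Chrome.app": {"CFBundleIdentifier": "com.google.Chrome"},
        "Users/alice/Desktop/Firefox.app": {
            "CFBundleIdentifier": "org.mozilla.firefox",
            APP_MARKER_KEY: {USER_ENV_KEY: sample_dylib},
        },
    }
    for rel, info in apps.items():
        contents = os.path.join(base, rel, "Contents")
        os.makedirs(contents)
        with open(os.path.join(contents, "Info.plist"), "wb") as fh:
            plistlib.dump(info, fh)
    env_dir = os.path.join(base, "Users", "alice", ".MacOSX")
    os.makedirs(env_dir)
    env_plist = os.path.join(env_dir, "environment.plist")
    with open(env_plist, "wb") as fh:
        plistlib.dump({USER_ENV_KEY: sample_dylib}, fh)
    apps_root = os.path.join(base, "Applications")
    home_root = os.path.join(base, "Users", "alice")
    return apps_root, home_root, env_plist


def demo():
    """Scan the whole constructed fixture; expect two findings (Firefox and the user plist)."""
    with tempfile.TemporaryDirectory() as base:
        apps_root, home_root, env_plist = build_fixture(base)
        return scan([apps_root, home_root], env_plist)


def demo_clean():
    """Scan only the clean Applications folder with no user plist; expect nothing."""
    with tempfile.TemporaryDirectory() as base:
        apps_root, _, _ = build_fixture(base)
        return scan([apps_root], os.path.join(base, "missing.plist"))


if __name__ == "__main__":
    results = demo()
    for location, key, value in results:
        print(f"{key} set in {location}: {value}")
    if not results:
        print("no Flashback markers found")
```

On a real machine you would pass /Applications and the user's home folder as roots and os.path.expanduser("~/.MacOSX/environment.plist") as the user plist; the scan only reads files, so it can be run from a standard account.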
     
