New Trojan Reportedly Infecting Millions of Macs

An OSX trojan has infected millions of computers, according to an article published on ArsTechnica.

According to Dr. Web (the Russian antivirus company claiming to have discovered the infections), 57 percent of the infected Macs are located in the US and 20 percent are in Canada. This latest variant of the Flashback trojan searches an infected Mac for a number of antivirus applications before generating a list of botnet control servers and beginning the process of checking in with them. The trojan utilizes a vulnerability in Java for OSX that was patched by Oracle in February 2012 but wasn’t sent to users through Apple update until earlier this week. This is another reason why it’s important that users be familiar with their system’s update cycles and regularly check for and install updates. The Flashback trojan installs itself after you visit a compromised or malicious webpage. This means that any computer, no matter how safe your browsing habits, is potentially at risk.

How to check for the virus on your Mac.

The instructions for checking for the virus require that you have at least some knowledge of how to use the terminal on the Mac or a similar system.

1. Begin by opening Terminal.

2. Run the following command in Terminal:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

If you receive the result “The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist”, proceed to the next step.

If you received any other result, your system has been infected. If your system is infected, there are instructions on how to manually remove the trojan on the F-Secure website.

3. If you received a negative result in step 2, run the following command in Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

You should again receive the result (with your own user name in place of joe):

“The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist”

Once again, any other result means your system has been infected. If your system is infected, there are instructions on how to manually remove the trojan on the F-Secure website. The removal instructions are fairly complex and do require more than just a cursory knowledge of Terminal.
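
The two checks above can be run as one script. This is an added example, not part of the original article or of any vendor's tooling; it separates "the pair is present" from "the check could not be completed", a case the manual steps do not distinguish. The DEFAULTS_BIN variable and the file name check_flashback.sh are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the article. DEFAULTS_BIN is an assumption of this
# sketch (lets the lookup tool be swapped); on a Mac it is the stock `defaults`.
DEFAULTS_BIN="${DEFAULTS_BIN:-defaults}"

# check_pair DOMAIN KEY
# returns 0 = pair absent (the clean result), 1 = pair present, 2 = could not check
check_pair() {
    if ! command -v "$DEFAULTS_BIN" >/dev/null 2>&1; then
        echo "cannot check $2: '$DEFAULTS_BIN' not found" >&2
        return 2
    fi
    out=$("$DEFAULTS_BIN" read "$1" "$2" 2>&1) && read_rc=0 || read_rc=$?
    if [ "$read_rc" -eq 0 ]; then
        # A value came back: the article treats any such result as infected.
        echo "PRESENT: $2 in $1 = $out"
        return 1
    fi
    case "$out" in
        *"does not exist"*) return 0 ;;   # the expected "no such pair" message
    esac
    echo "cannot check $2 in $1: $out" >&2  # some other failure: no verdict
    return 2
}

# flashback_check: runs both checks; returns 1 if either pair is present,
# else 2 if any check could not be completed, else 0.
flashback_check() {
    found=0; unknown=0
    for pair in \
        "/Applications/Safari.app/Contents/Info LSEnvironment" \
        "$HOME/.MacOSX/environment DYLD_INSERT_LIBRARIES"
    do
        # Split on the last space so a home directory containing spaces works.
        check_pair "${pair% *}" "${pair##* }" && rc=0 || rc=$?
        case "$rc" in
            1) found=1 ;;
            2) unknown=1 ;;
        esac
    done
    if [ "$found" -eq 1 ]; then return 1; fi
    if [ "$unknown" -eq 1 ]; then return 2; fi
    return 0
}

# Run the checks only when invoked as: sh check_flashback.sh --run
if [ "${1:-}" = "--run" ]; then
    flashback_check && echo "Neither pair is set." || exit $?
fi
```

An exit status of 1 corresponds to the "any other result" case in steps 2 and 3; a status of 2 means the check itself failed and should be repeated by hand.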