Checking Your Mac for the Flashback Trojan


Mac’s aren’t supposed to get viruses, right? That’s strictly a Windows (or other operating system) thing, right? Well news over the past week of the Java-borne Flashback virus has gotten some Mac users (read: me) thinking otherwise. Reportedly, more than 600,000 Macs may be infected with the virus.


Did you get your Apple system update yet? Did you get it before the infection occurred? If you answered either of those questions in the negative, you might want to check to see if you have the virus in your system and get your system update as soon as possible. The Apple update is detailed here.


You might be wondering how to check to see if you have the virus, and how would you eradicate it if you did. Yesterday, a link to F-Secure circled the Web with instructions on how to determine if you have the virus and how to get rid of it if you do. In a “nutshell”, F-Secure recommends the following steps:


Manual Removal Instructions

1. Run the following command in Terminal:

defaults read /Applications/ LSEnvironment

2. Take note of the value, DYLD_INSERT_LIBRARIES
3. Proceed to step 8 if you got the following error message:

“The domain/default pair of (/Applications/, LSEnvironment) does not exist”

4. Otherwise, run the following command in Terminal:

grep -a -o ‘__ldpath__[ -~]*’ %path_obtained_in_step2%

5. Take note of the value after “__ldpath__”
6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):

sudo defaults delete /Applications/ LSEnvironment

sudo chmod 644 /Applications/

7. Delete the files obtained in steps 2 and 5
8. Run the following command in Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:

“The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist”

10. Otherwise, run the following command in Terminal:

grep -a -o ‘__ldpath__[ -~]*’ %path_obtained_in_step9%

11. Take note of the value after “__ldpath__”
12. Run the following commands in Terminal:

defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

launchctl unsetenv DYLD_INSERT_LIBRARIES

13. Finally, delete the files obtained in steps 9 and 11.


I know what you’re thinking – no way, Jose, am I going to play around with command line voodoo. Even F-Secure cautions this “operation” is not for the faint of heart. I recommend you hit the link above to F-Secure if you are one of those daredevil do-it-yourselfers to read all of the qualifications and extra information and proceed with extreme caution if you choose this option.


If you are more like me, looking for the quick and easy, then check out this link to a couple of zipped files that can do the heavy lifting for you. These AppleScripts hosted by CloudApp basically do the work of the multi-step F-Secure process for detecting the virus when you download and unzip them. There are two because there are two areas of your hard drive that are targeted by the virus. Click the link above and download the zip, open and then open each of the files (trojan-check and trojan-check-2) independently. What you are looking for is the following image:




The key words being “does not exist.” If anything other than “does not exist” shows up, then head to F-Secure at the link above and either bite the bullet yourself and go through the manual removal process, get your IT savvy friend to help or head to the Apple Store for the professional touch.


I hope your day is filled with the words “do not exist.”


On-Line Transactions: Good. On-Line Insecure Transactions: Bad

ThiefIt is always nice when the hackers warn you that they are going to strike: next week, security researchers are planning on hacking into your “secure” transactions by intercepting data during an on-line transaction on a site allegedly protected by an SSL certificate.

The dirty deed will be taking place at the Black Hat Security conference in Los Vegas, reports Thomas Claburn at InformationWeek. According to the article, experts Mike Zusman, principal consultant at Intrepidus Group, and Alex Sotirov, an independent security researcher, have found and can exploit a weakness in the browser to conduct what is known as a “man in the middle” attack on sites protected by Extended Validation (EV) Secure Sockets Layer (SSL) certificates. This type of attack entails “sniffing” out the desired data as the data leaves the user’s browser or via what is called a “browser cache poisoning attack on EV SSL websites.

The browsers supporting EV SSL? Well, they include the most recent versions of Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, and Opera. I guess that means pretty much all of them.

What does it all mean? It means that while the Advocate advocates adopting the “free”-ly on-line model and the wonders that all of this great technology and access offers, we all, attorneys in particular, need to be mindful of the hazard these security breaches pose. Carefully consider the risks of sharing or storing sensitive data on-line at all times – you never know where the thieves are hiding, even Las Vegas!