Update – 13 April 2012: Apple have released another update to Java (via software update) which automatically disables Java in Safari, and removes Flashback if it has infected your system. Please use Apple’s update rather than relying on this script!

Update – 10 April 2012: I have edited the script to run the additional commands recommended by TidBITS. The Download button will now return version 0.2 of the script.

It’s finally happened: there has been a serious malware outbreak on the Mac. Over half a million Macs have been infected with the latest variants of the Flashback malware. Earlier versions of this malware relied on tricking users into running an installer, or into approving a request for permission to execute, but that has all changed. The malware has moved from being a simple trojan that depended on tricking people into running it to a fully automated attack requiring no user interaction. The reason for this transformation is that it started exploiting flaws in Java: at first, old vulnerabilities that were patched ages ago, so only people who don’t keep their computers up to date were affected, but this week, flaws that Apple had, at the time, not yet patched. This means that for a few days even the most diligent Mac users could have been hit.

This infection has no noticeable symptoms, and it did not require you to do anything “stupid” to get infected. Any Mac user, no matter how careful, could have been infected, so you need to check to be sure you are not one of the half million plus victims!

The very first thing you need to do is make sure your Java is patched so that you can’t get infected going forward. If you are running a version of OS X older than 10.6 Snow Leopard you MUST update to 10.6 or 10.7 Lion. YOU CANNOT BE SAFE ON UNSUPPORTED VERSIONS OF OS X (the same goes for unsupported versions of any OS: Windows, Linux, Unix …). If you are running OS X 10.6 or 10.7, run Software Update now to be sure you are fully patched.

The security firm F-Secure have kindly posted instructions for removing this malware, and these instructions contain commands for checking whether or not you are infected. However, some users have found them quite challenging to follow, as they are dense and require the user to execute rather cumbersome Terminal commands.

To make things a little easier, I’ve written a little script that will run the commands for you and report on the result.

Download

This tester is simply a Perl script saved with a .command file extension, so when you double-click it OS X will run the script in a Terminal window. I’m releasing the script under the FreeBSD License, so you can pretty much do whatever you want with it as long as you leave my copyright notice in place.

For those interested, below is the full source code:

#!/usr/bin/perl

use strict;
use warnings;

# Copyright 2011 Bart Busschots T/A Bartificer Web Solutions. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are
# permitted provided that the following conditions are met:
#
#   1. Redistributions of source code must retain the above copyright notice, this list of
#      conditions and the following disclaimer.
#
#   2. Redistributions in binary form must reproduce the above copyright notice, this list
#      of conditions and the following disclaimer in the documentation and/or other materials
#      provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY BART BUSSCHOTS T/A BARTIFICER WEB SOLUTIONS ''AS IS'' AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
# BART BUSSCHOTS T/A BARTIFICER WEB SOLUTIONS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

# This script runs the terminal commands recommended by F-Secure at 
# http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml
# and the additional commands recommended by TidBITS at
# http://tidbits.com/article/12918 and reports the results.

# The checks to run. Each command reads a single key from a property list.
# On a clean system the key is absent and `defaults` prints a message ending
# in "does not exist"; stderr is merged into stdout so that message is captured.
my @commands = (
    # F-Secure: Flashback adds a DYLD_INSERT_LIBRARIES entry to Safari's
    # LSEnvironment so its library is loaded into the browser at every launch
    '/usr/bin/defaults read /Applications/Safari.app/Contents/Info LSEnvironment 2>&1',
    # F-Secure: the user's login environment file, which applies to every
    # application the user launches
    '/usr/bin/defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES 2>&1',
    # TidBITS: check the other common browsers in the same way
    '/usr/bin/defaults read /Applications/Google\ Chrome.app/Contents/Info LSEnvironment 2>&1',
    '/usr/bin/defaults read /Applications/Firefox.app/Contents/Info LSEnvironment 2>&1',
    '/usr/bin/defaults read /Applications/iCab\ 4/iCab.app/Contents/Info LSEnvironment 2>&1',
);

# Run each command and classify its output. Any answer other than "does not
# exist" means the key is present, which is the indicator of infection.
my $num_failed = 0;
foreach my $command (@commands){
    print "Executing: $command\n";
    my $output = `$command`;
    print "Output: $output\n";
    if($output =~ m/does not exist$/){
        print "\nPASS\n\n";
    }else{
        print "\nFAIL\n\n";
        $num_failed++;
    }
}

# Summarise the result for the user.
my $result = q{};
if($num_failed){
    $result = 'One or more of the terminal commands recommended by F-Secure or TidBITS has returned a value indicating that you ARE infected with Trojan-Downloader:OSX/Flashback. For more see the instructions at http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml';
}else{
    $result = 'All the terminal commands recommended by F-Secure and TidBITS have returned the expected answers for a system that is NOT infected with Trojan-Downloader:OSX/Flashback';
}

print "$result\n";

# Also show the verdict in a dialog box, in case the Terminal window is closed
# before it is read. $result contains no quotes, so it is safe to interpolate
# into the AppleScript string literal.
system(qq{/usr/bin/osascript -e 'tell app "System Events" to display dialog "$result"'});

# Exit non-zero when an indicator was found, so other scripts can use the result.
exit($num_failed ? 1 : 0);
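The Perl script above asks `defaults` the questions and pattern-matches the answer. As an added example that is not part of the original script, the Python below performs the same checks directly on the property-list data: it parses the LSEnvironment dictionary of a browser's Info.plist and the DYLD_INSERT_LIBRARIES key of ~/.MacOSX/environment.plist, the two places F-Secure's commands look. It runs on constructed sample plists (the library paths in them are placeholders chosen for this example, not real Flashback indicators) so it works anywhere, and on a Mac it also scans the same browser bundles and login environment file the script queries:

```python
#!/usr/bin/env python3
"""Check property lists for the indicators the F-Secure and TidBITS
`defaults read` commands look for, without shelling out to `defaults`.

`defaults read <domain> <key>` answers "does not exist" when the key is
absent; these functions express the same test directly on plist data.
"""
import os
import plistlib
from typing import Dict, List

# Browser bundles the Perl script queries (Info.plist lives inside each bundle).
INFO_PLIST_PATHS = [
    "/Applications/Safari.app/Contents/Info.plist",
    "/Applications/Google Chrome.app/Contents/Info.plist",
    "/Applications/Firefox.app/Contents/Info.plist",
    "/Applications/iCab 4/iCab.app/Contents/Info.plist",
]
# `defaults read ~/.MacOSX/environment` reads this file.
ENVIRONMENT_PLIST_PATH = os.path.expanduser("~/.MacOSX/environment.plist")

# Constructed samples, not captured from an infected machine. The library
# paths are placeholders for this example, not real Flashback paths.
CLEAN_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
</dict></plist>"""

SUSPICIOUS_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
  <key>LSEnvironment</key><dict>
    <key>DYLD_INSERT_LIBRARIES</key><string>/Users/Shared/.example.dylib</string>
  </dict>
</dict></plist>"""

SUSPICIOUS_ENVIRONMENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>DYLD_INSERT_LIBRARIES</key><string>/Users/example/.example.dylib</string>
</dict></plist>"""


def check_info_plist(data: bytes) -> List[str]:
    """Findings for an application's Info.plist.

    A present LSEnvironment dictionary is what `defaults read ... LSEnvironment`
    reports. A DYLD_INSERT_LIBRARIES entry inside it makes the dynamic linker
    load that library into the browser at every start, the persistence F-Secure
    describes, so it is called out separately.
    """
    plist = plistlib.loads(data)
    env = plist.get("LSEnvironment")
    if not isinstance(env, dict):
        return []
    findings = ["LSEnvironment is set: " + ", ".join(sorted(env))]
    lib = env.get("DYLD_INSERT_LIBRARIES")
    if lib:
        findings.append("DYLD_INSERT_LIBRARIES=" + str(lib))
    return findings


def check_environment_plist(data: bytes) -> List[str]:
    """Findings for ~/.MacOSX/environment.plist. Its variables apply to every
    application launched in the user's session, so one entry covers all browsers."""
    plist = plistlib.loads(data)
    lib = plist.get("DYLD_INSERT_LIBRARIES")
    return ["DYLD_INSERT_LIBRARIES=" + str(lib)] if lib else []


def scan_files(info_paths=INFO_PLIST_PATHS, env_path=ENVIRONMENT_PLIST_PATH) -> Dict[str, List[str]]:
    """Run both checks on whichever of the files exist on this machine.

    A missing file is the plist-level equivalent of `defaults` answering
    "does not exist", so it yields no findings. plistlib reads both XML and
    binary plists; shipped Info.plist files are often binary.
    """
    report: Dict[str, List[str]] = {}
    for path in info_paths:
        if os.path.exists(path):
            with open(path, "rb") as fh:
                report[path] = check_info_plist(fh.read())
    if os.path.exists(env_path):
        with open(env_path, "rb") as fh:
            report[env_path] = check_environment_plist(fh.read())
    return report


def verdict(report: Dict[str, List[str]]) -> str:
    """Same decision rule as the Perl script: any finding at all is a FAIL."""
    return "FAIL" if any(report.values()) else "PASS"


if __name__ == "__main__":
    print("sample clean Info.plist:", check_info_plist(CLEAN_INFO_PLIST))
    print("sample modified Info.plist:", check_info_plist(SUSPICIOUS_INFO_PLIST))
    print("sample environment.plist:", check_environment_plist(SUSPICIOUS_ENVIRONMENT_PLIST))
    live = scan_files()
    for path, findings in live.items():
        print(f"{path}: {findings or 'nothing found'}")
    print("Live system verdict:", verdict(live))
```

Save it as, say, flashback_check.py and run it with python3; it prints the results for the three constructed samples and then the verdict for the files present on the machine. Note that a FAIL, from this or from the Perl script, means only that the key is present. LSEnvironment is a documented Launch Services key that an application may legitimately ship, so read the printed value: a DYLD_INSERT_LIBRARIES entry pointing at a library you did not install is the indicator F-Secure describes, while any other content deserves a closer look rather than an automatic assumption of infection.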