How to remove the Backdoor Flashback Trojan from your Mac OS X system

After many Macs were infected by the updated Trojan, which now makes use of multiple vulnerabilities that were found in Java, we decided to write a little tutorial on how to remove the Backdoor.Trojan from your Mac. First, make sure that you update your system to the latest version of Java. Apple has released an update that patches the vulnerabilities that were found in Java; it can be downloaded via the software updater or via the Apple support page.

Now let’s get started with the removal of the malware.

Step 1: Start Terminal (Applications > Utilities) and enter the following command; just copy/paste it into your Terminal window:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

Step 2: This step is very important: take a piece of paper and write down the value of DYLD_INSERT_LIBRARIES. If you receive an error saying that the domain/default pair doesn’t exist, continue to step 7.

Step 3: If you did not get the error message, proceed by entering the following command in the same Terminal window that you opened in step 1:

grep -a -o '__ldpath__[ -~]*' %value_that_is_noted_in_step_2%

Step 4: Again, write down the value of “__ldpath__” and continue to the next step.

Step 5: Execute the following commands in Terminal; make sure that you copy/paste them so that you can’t make any typos:

sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
sudo chmod 644 /Applications/Safari.app/Contents/Info.plist

Step 6: You should now remove the files that you obtained in steps 2 and 5.

Step 7: Enter the following command in the Terminal window:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

If your Mac is clean of this variant of the Backdoor.Trojan you will see the following message:

“The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist”

Step 8: If not, enter the following command in the Terminal window:

grep -a -o '__ldpath__[ -~]*' %path_in_step_7%

Step 9: Again, note the value after “__ldpath__”.

Step 10: Enter the following commands:

defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
launchctl unsetenv DYLD_INSERT_LIBRARIES

Step 11: You are almost done: just remove the files from steps 7 and 9 and your Mac is clean again.
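
The read-only checks from steps 1, 3, 7 and 8 can be combined into one script that only reports the values to write down. This is an added example, not part of the original tutorial; the function names, the assumed dictionary layout of the `defaults read` output and the constructed sample path are assumptions.

```sh
#!/bin/sh
# Added example: read-only check of the two locations from steps 1 and 7.
# It only reports what it finds; nothing is deleted or changed.

# Print the DYLD_INSERT_LIBRARIES value found in `defaults read` output ($1),
# or nothing when the key is absent.
injected_library() {
    case $1 in
        *"does not exist"*) ;;    # the "clean" message quoted in the tutorial
        "{"*)                     # dictionary form (step 1, LSEnvironment); layout assumed
            printf '%s\n' "$1" | sed -n \
              's/.*DYLD_INSERT_LIBRARIES"\{0,1\} *= *"\{0,1\}\([^";]*\)"\{0,1\};.*/\1/p' ;;
        ?*) printf '%s\n' "$1" ;; # single-key form (step 7): the bare value
    esac
}

# Steps 3 and 8: print the printable text stored after "__ldpath__" in file $1.
ldpath_values() {
    LC_ALL=C grep -a -o '__ldpath__[ -~]*' "$1" | sed 's/^__ldpath__//'
}

# report LABEL OUTPUT: returns 0 when clean, 1 when an entry was found.
report() {
    lib=$(injected_library "$2")
    if [ -z "$lib" ]; then
        echo "$1: no DYLD_INSERT_LIBRARIES entry"
        return 0
    fi
    echo "$1: DYLD_INSERT_LIBRARIES = $lib   (write this down)"
    if [ -f "$lib" ]; then
        ldpath_values "$lib" | while IFS= read -r p; do
            echo "$1: __ldpath__ = $p   (write this down)"
        done
    fi
    return 1
}

if command -v defaults >/dev/null 2>&1; then
    report "Safari" "$(defaults read /Applications/Safari.app/Contents/Info LSEnvironment 2>&1)" || true
    report "User environment" "$(defaults read "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES 2>&1)" || true
else
    # No `defaults` tool (not macOS): run on constructed output; the path is a made-up placeholder.
    report "Constructed sample" '{ "DYLD_INSERT_LIBRARIES" = "/constructed/placeholder.xsl"; }' || true
fi
```

If the script prints no entry for both locations, neither of the two places checked in this tutorial carries a DYLD_INSERT_LIBRARIES entry.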

Questions? Just ask them in the comment section below.

3 Responses to How to remove the Backdoor Flashback Trojan from your Mac OS X system


  1. Bruce Behnke
    Apr 06, 2012

    Dr. Web light removed everything except a file Backdoor.Flashback.8.exec (I am guessing at the suffix but that is what the icon looks like) located in /Applications/safari.app/Controls/Resources. Neither Delete nor Move to Quarantine buttons work for this file. Macscan shows nothing. Suggestions?

    Bruce
