Flashback Trojan – is your Mac Infected?

If you’ve had an eye on Mac related news lately, you may have heard of the Flashback Trojan.

Flashback masquerades as an Adobe Flash updater. It is said to have infected 600000 Macs throughout the world. That is about 1% according to some estimates.

Do you have Flashback on your Mac? If so,now can it be removed? Read on.


You can tell if you have Flashback by running a couple of commands. You can also check Kaspersky’s Flashback detection page, which checks your Mac’s ID against their database of infected machines.

To check for yourself, open up Terminal (in your Utilities folder) and type these lines and press return. You can copy/paste them one at a time instead – much easier.

defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read /Applications/Firefox.app/Contents/Info LSEnvironment
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

This is one of the few times you want to see an error message. You should see something like ” the defaults pair does not exist.” if you see that error for each of these commands, you are clean.

If not, you have some cleanup to do. You can use Kaspersky’s removal tool, or proceed to remove them manually.


See this F-Secure page for step-by-step instructions. I don’t see any reason to repeat them verbatim here.

Next steps:

Once you’re clean, youll want to stay that way.

If you haven’t already, run Software Update (in the Apple Menu) and install all available updates. Repeat until it tells you your Mac is up to date. You’ll possibly want to disable Java in your browser, too. It’s not used terribly often these days, and this is the way it got in in the first place. If you run into a legitimate web page that needs Java, you can always turn it back on temporarily.

You may also want to install antivirus if you don’t already have it. There is no guarantee it will catch the next new variant to come out right away, but it might help. Sophos and ClamXAV both have good reputations and are free.

Leave a Reply

Your email address will not be published. Required fields are marked *