There is lots of media exposure on the possibility that multiple Macs may be infected by a trojan called “Flashback“. This involves a vulnerability in Java that malicious websites can exploit.

If you have Java on your Mac you need to make sure you have updated to the latest Java update from Apple to patch this issue. The easiest way is to just run Software Update on your Mac and get the latest updates from Apple. You can download them manually as well from Apple:

If you are concerned that you might already be infected F-Secure has some excellent instructions on how to find out here. The Applescript below will run the commands referenced in the F-Secure article to do a quick and dirty check. If everything comes back clean it will tell you. If it comes back as possibly infected it will direct you (or your user) to the website for more detailed information.

I’m posting it as a script file for download here:
Flashback Checker Script

Or you can copy the code from here and paste it into AppleScript Editor to run:

[codesyntax lang=”applescript”]
–see if this entry exists. If not an error will occur and be trapped
try
do shell script “defaults read /Applications/Safari.app/Contents/Info LSEnvironment”
–set this variable if this entry exists
set LSE to “true”
on error errmsg
–set this variable if the error contains the message “does not exist”
if errmsg contains “does not exist” then
set LSE to “false”
end if
end try

–search Firefox for infections
try
do shell script “defaults read /Applications/Firefox.app/Contents/Info LSEnvironment”
–set this variable if this entry exists
set FLSE to “true”
on error errmsg
–set this variable if the error contains the message “does not exist”
if errmsg contains “does not exist” then
set FLSE to “false”
end if
end try

–see if this entry exists. If not an error will occur and be trapped
try
do shell script “defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES”
set DLib to “true”
on error errmsg
–set this variable if the error contains the message “does not exist”
if errmsg contains “does not exist” then
set DLib to “false”
end if
end try

–if all variables are false then the machine isn’t infected
if LSE is “false” and DLib is “false” and FLSE is “false” then
display dialog “You are not infected with Flashback”

–if any variable is true the machine may be infected and needs closer inspection
else if LSE is “true” or DLib is “true” or FLSE is “true” then
display dialog “You may have the Flashback infection” & return & “Go to following URL for more information:” & return & return & “http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml”
end if
[/codesyntax]

:: Apr.05.2012 :: Applescript, Management, Scripts :: 17 Comments »