Quick Applescript to check your Mac for the Flashback infection
There has been a lot of media coverage of the possibility that multiple Macs may be infected by a trojan called “Flashback”. The trojan relies on a vulnerability in Java that malicious websites can exploit.
If you have Java on your Mac, make sure you have installed the latest Java update from Apple, which patches this issue. The easiest way is to just run Software Update on your Mac and get the latest updates from Apple. You can download them manually as well from Apple:
If you are concerned that you might already be infected, F-Secure has some excellent instructions on how to find out here. The AppleScript below runs the commands referenced in the F-Secure article to do a quick and dirty check. If everything comes back clean, it will tell you. If the machine comes back as possibly infected, it will direct you (or your user) to the website for more detailed information.
I’m posting it as a script file for download here:
Flashback Checker Script
Or you can copy the code from here and paste it into AppleScript Editor to run:
[codesyntax lang="applescript"]
-- see if this entry exists. If not an error will occur and be trapped
try
	do shell script "defaults read /Applications/Safari.app/Contents/Info LSEnvironment"
	-- set this variable if this entry exists
	set LSE to "true"
on error errmsg
	-- set this variable if the error contains the message "does not exist"
	if errmsg contains "does not exist" then
		set LSE to "false"
	end if
end try
-- search Firefox for infections
try
	do shell script "defaults read /Applications/Firefox.app/Contents/Info LSEnvironment"
	-- set this variable if this entry exists
	set FLSE to "true"
on error errmsg
	-- set this variable if the error contains the message "does not exist"
	if errmsg contains "does not exist" then
		set FLSE to "false"
	end if
end try
-- see if this entry exists. If not an error will occur and be trapped
try
	do shell script "defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES"
	set DLib to "true"
on error errmsg
	-- set this variable if the error contains the message "does not exist"
	if errmsg contains "does not exist" then
		set DLib to "false"
	end if
end try
-- if all variables are false then the machine isn't infected
if LSE is "false" and DLib is "false" and FLSE is "false" then
	display dialog "You are not infected with Flashback"
	-- if any variable is true the machine may be infected and needs closer inspection
else if LSE is "true" or DLib is "true" or FLSE is "true" then
	display dialog "You may have the Flashback infection" & return & "Go to following URL for more information:" & return & return & "http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml"
end if
[/codesyntax]
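A shell version of the same three defaults read checks, as an added example that is not part of the original post. It separates a failed read from a missing key, so an unreadable plist gives "inconclusive" instead of a clean result, and it accepts other app bundle paths for browsers that were moved. The function names probe_key and flashback_verdict are hypothetical.

```shell
#!/bin/sh
# Added example, not the original post's script. Function names are hypothetical.

# probe_key PLIST KEY -> prints "present", "absent" or "unknown".
# "absent" is the "does not exist" error the post's script matches on;
# any other failure is "unknown", so it is never counted as clean.
probe_key() {
    if out=$(defaults read "$1" "$2" 2>&1); then
        echo present
    else
        case $out in
            *"does not exist"*) echo absent ;;
            *) echo unknown ;;
        esac
    fi
}

# flashback_verdict [APP_BUNDLE ...] -> prints "suspect", "inconclusive" or "clean".
# With no arguments it checks the two bundle paths used in the post; pass
# other paths if a browser lives somewhere else.
flashback_verdict() {
    [ $# -gt 0 ] || set -- /Applications/Safari.app /Applications/Firefox.app
    states=$(
        for app in "$@"; do
            probe_key "$app/Contents/Info" LSEnvironment
        done
        probe_key "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES
    )
    # One key present is enough to warrant a closer look; otherwise any
    # check that could not be completed makes the result inconclusive.
    case $states in
        *present*) echo suspect ;;
        *unknown*) echo inconclusive ;;
        *) echo clean ;;
    esac
}

# Run only where the macOS defaults tool is available.
if command -v defaults >/dev/null 2>&1; then
    flashback_verdict "$@"
fi
```

A "suspect" result means the same as the post's "may be infected" dialog: follow the F-Secure instructions for a closer inspection.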
webmaster :: Apr.05.2012 :: Applescript, Management, Scripts :: 17 Comments »
17 Responses to “Quick Applescript to check your Mac for the Flashback infection”
Thanks! Very kind of you to post this. And double thanks from my grandparents and parents who are concerned but not knowledgeable enough to run the terminal commands!
Gary K.
Portland, OR
Thanks very much.
Thank you!
Flashback free.
Thanks – I had to modify the script a little. I had moved my browser into a folder within Applications. It would be good to note that the script needs to be changed or insert a line of code to see if the browser exists in the folder.
For Gary K. and others, I’d suggest compiling and saving this as an application and sending that out to less savvy Mac users. They can just double-click to run the script to determine if they are in fact infected. Too bad the script doesn’t remove as well.
I tried to save this script as an application so that I could distribute it to friends. But for some reason, AppleScript Editor 2.4.2 (in Lion) will not save the script as an application. I’m not an Apple Script expert so I would appreciate any help suggestions you might have as to why this is happening. Thanks.
The script was created on Lion so it should work. Depends on what error you’re getting. If it works as a script it should be able to be saved as an application.
Never mind. I figured out the problem was trying to save to the Utilities folder. In Lion that requires admin authorization, which cannot be done in a save dialog. So I saved the app to my desktop and then moved it to Utilities. Whew!
Thank you so much for posting the code to input into my Applescript! I feel better now knowing I’ve avoided this particular “attack”. 🙂
Thanks, this is just what I needed to be able to give to customers to check their Macs!
– David
[…] UPDATE: 2011.04.09 There is a script you can download and run to check and see if you are infected. You can download it here. […]
Thanks! Having family members run Terminal commands was not going to be fun.
I’m flashback free!
Well, except for those spells where I’m transported back to the planet Uranus with Steve Jobs and we’re doing shrooms, and he’s all like, I’m going to surpass your market cap before I die and I’m like, right, that’ll be the day.
Anyone who thinks they are invulnerable is fooling themselves. Having said that, I’d take my Mac for security any day over other platforms. And the fact that this vulnerability comes from Java, not the core OS, must make Apple feel good about leaving Java out of 10.7 unless the user requests it.