Quick Applescript to check your Mac for the Flashback infection

There is a lot of media coverage of the possibility that multiple Macs may be infected by a trojan called “Flashback”. This involves a vulnerability in Java that malicious websites can exploit.

If you have Java on your Mac you need to make sure you have updated to the latest Java update from Apple to patch this issue. The easiest way is to just run Software Update on your Mac and get the latest updates from Apple. You can download them manually as well from Apple:

If you are concerned that you might already be infected, F-Secure has some excellent instructions on how to find out here. The Applescript below will run the commands referenced in the F-Secure article to do a quick and dirty check. If everything comes back clean, it will tell you. If it comes back as possibly infected, it will direct you (or your user) to the website for more detailed information.

I’m posting it as a script file for download here:
Flashback Checker Script

Or you can copy the code from here and paste it into AppleScript Editor to run:

[codesyntax lang="applescript"]
--see if this entry exists. If not an error will occur and be trapped
try
    do shell script "defaults read /Applications/Safari.app/Contents/Info LSEnvironment"
    --set this variable if this entry exists
    set LSE to "true"
on error errmsg
    --set this variable if the error contains the message "does not exist"
    if errmsg contains "does not exist" then
        set LSE to "false"
    else
        --any other error is inconclusive, so flag it for closer inspection
        set LSE to "true"
    end if
end try

--search Firefox for infections
try
    do shell script "defaults read /Applications/Firefox.app/Contents/Info LSEnvironment"
    --set this variable if this entry exists
    set FLSE to "true"
on error errmsg
    --set this variable if the error contains the message "does not exist"
    if errmsg contains "does not exist" then
        set FLSE to "false"
    else
        --any other error is inconclusive, so flag it for closer inspection
        set FLSE to "true"
    end if
end try

--see if this entry exists. If not an error will occur and be trapped
try
    do shell script "defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES"
    set DLib to "true"
on error errmsg
    --set this variable if the error contains the message "does not exist"
    if errmsg contains "does not exist" then
        set DLib to "false"
    else
        --any other error is inconclusive, so flag it for closer inspection
        set DLib to "true"
    end if
end try

--if all variables are false then the machine isn't infected
if LSE is "false" and DLib is "false" and FLSE is "false" then
    display dialog "You are not infected with Flashback"

    --if any variable is true the machine may be infected and needs closer inspection
else if LSE is "true" or DLib is "true" or FLSE is "true" then
    display dialog "You may have the Flashback infection" & return & "Go to the following URL for more information:" & return & return & "http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml"
end if
[/codesyntax]
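
Added example (not part of the original post or the F-Secure instructions): the same three `defaults read` checks as a shell script that goes a little further than the AppleScript, taking browser bundle paths as arguments for installs outside /Applications and reporting a check that fails for any reason other than "does not exist" as inconclusive rather than clean. The function names and exit codes are this example's own.

```shell
#!/bin/sh
# Added example, not the post's script. Runs the same `defaults read` checks,
# but takes app bundle paths as arguments and reports three states per key.

# classify DOMAIN KEY: print "present", "absent" or "unknown".
classify() {
    if fb_out=$(defaults read "$1" "$2" 2>&1); then
        echo present                           # key exists: needs closer inspection
    else
        case $fb_out in
            *"does not exist"*) echo absent ;; # the message the post matches on
            *) echo unknown ;;                 # any other failure is not "clean"
        esac
    fi
}

# flashback_check [APP_BUNDLE ...]: print one line per check.
# Returns 0 = every key absent, 1 = some key present, 2 = inconclusive.
flashback_check() {
    # Default to the two locations the post checks.
    [ "$#" -gt 0 ] || set -- /Applications/Safari.app /Applications/Firefox.app
    fb_found=0
    fb_unknown=0
    for fb_app in "$@"; do
        fb_state=$(classify "$fb_app/Contents/Info" LSEnvironment)
        echo "$fb_state LSEnvironment $fb_app"
        case $fb_state in present) fb_found=1 ;; unknown) fb_unknown=1 ;; esac
    done
    fb_state=$(classify "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES)
    echo "$fb_state DYLD_INSERT_LIBRARIES $HOME/.MacOSX/environment"
    case $fb_state in present) fb_found=1 ;; unknown) fb_unknown=1 ;; esac
    if [ "$fb_found" -eq 1 ]; then return 1; fi
    if [ "$fb_unknown" -eq 1 ]; then return 2; fi
    return 0
}

# Run only where the macOS `defaults` tool is available.
if command -v defaults >/dev/null 2>&1; then
    flashback_check "$@"
fi
```

Run it with no arguments for the default locations, or pass the full path of each browser bundle when one has been moved into a subfolder.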

17 Responses to “Quick Applescript to check your Mac for the Flashback infection”

  1. on 06 Apr 2012 at 6:59 pm Gary

    Thanks! Very kind of you to post this. And double thanks from my grandparents and parents who are concerned but not knowledgeable enough to run the terminal commands!

    Gary K.
    Portland, OR

  2. on 06 Apr 2012 at 7:21 pm Flashback Java trojan horse | HKMacs

    […] Quick Applescript to check your Mac for the Flashback infection […]

  3. on 07 Apr 2012 at 2:51 pm Henry

    Thanks very much.

  4. on 07 Apr 2012 at 3:07 pm SteveP

    Thank you!

    Flashback free.

  5. on 07 Apr 2012 at 8:34 pm SteveM

    thanks – i had to modify the script a little. i had moved my browser into a folder within applications. it would be good to note that the script needs to be changed or insert a line of code to see if the browser exists in the folder.

  6. on 07 Apr 2012 at 10:23 pm Bradley Dichter

    For Gary K. and others, I’d suggest compiling and saving this as an application and sending that out to less savvy Mac users. They can just double-click to run the script to determine if they are in fact infected. Too bad the script doesn’t remove as well.

  7. on 08 Apr 2012 at 6:32 pm B. Jefferson Le Blanc

    I tried to save this script as an application so that I could distribute it to friends. But for some reason, AppleScript Editor 2.4.2 (in Lion) will not save the script as an application. I’m not an Apple Script expert so I would appreciate any help suggestions you might have as to why this is happening. Thanks.

  8. on 08 Apr 2012 at 6:39 pm webmaster

    The script was created on Lion so it should work. Depends on what error you’re getting. If it works as a script it should be able to be saved as an application.

  9. on 08 Apr 2012 at 6:39 pm B. Jefferson Le Blanc

    Never mind. I figured out the problem was trying to save to the Utilities folder. In Lion that requires admin authorization, which cannot be done in a save dialog. So I saved the app to my desktop and then moved it to Utilities. Whew!

  10. on 09 Apr 2012 at 4:53 am Elizabeth

    Thank you so much for posting the code to input into my Applescript! I feel better now knowing I’ve avoided this particular “attack”. 🙂

  11. on 09 Apr 2012 at 12:11 pm techgoose

    Thanks, this is just what I needed to be able to give to customers to check their Macs!

    – David

  12. […] UPDATE: 2011.04.09 There is a script you can download and run to check and see if you are infected. You can download it here. […]

  13. on 10 Apr 2012 at 12:00 am Gus

    Thanks! Having family members run Terminal commands was not going to be fun.

  15. on 10 Apr 2012 at 4:24 pm Bill Gates

    I’m flashback free!

    Well, except for those spells where I’m transported back to the planet Uranus with Steve Jobs and we’re doing shrooms, and he’s all like, I’m going to surpass your market cap before I die and I’m like, right, that’ll be the day.

  17. on 12 Apr 2012 at 9:33 am webmaster

    Anyone who thinks they are invulnerable is fooling themselves. Having said that, I’d take my Mac for security any day over other platforms. And the fact that this vulnerability comes from Java, not the core OS, must make Apple feel good about leaving Java out of 10.7 unless the user requests it.