At least for detection (from the article): "During installation it is extracted into /Library/Application Support/JavaW, after which the dropper generates a p-list file so that the backdoor is launched automatically."
It's hard to believe, the claim is that is uses Reddit's search functionality to find connection addresses. I've never been able to find anything using Reddit's search.
9 comments
[ 4.3 ms ] story [ 33.5 ms ] threadThis might be legit, but I'll wait and see if this appears anywhere else before I trust it as being valid.
https://en.wikipedia.org/wiki/Dr._Web
Also, more info here seems to support the fact that they are the real deal:
https://en.wikipedia.org/wiki/Trojan_BackDoor.Flashback
(as usual with wikipedia, you should check the original sources to verify).
http://www.tuaw.com/2014/10/03/thousands-of-macs-infected-wi...
In terminal run:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
You should get this error:
The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist
Then run:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
You should get this error:
The domain/default pair of (/Users/YOURUSER/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist
If you do you are clean of this variant!
If this doesn't happen go to http://www.f-secure.com/v-descs/trojan-downloader_osx_flashb... to fix it