Flashback Botnet Detection
A recent threat to Macs has infected over 600,000 computers worldwide. Check if you have it, and if so, let us know.
About the Flashback Botnet
The “Flashback Botnet” Trojan horse takes advantage of security holes in Java. You can be infected passively, and the symptoms would be difficult to detect. If your Mac is infected, your passwords and other confidential information may be harvested and used.
What You Should Do Right Now
We are asking all campus Mac users to:
- Run a simple utility to detect if their Macs are infected.
- If infected, please contact the Hampshire College help desk (faculty, staff) at x5418, or the Student Diagnostic Center (students) at x6602.
- If not infected, run Software Updates immediately. Apple has provided a Java update to block infection via Java.
How to Check for Infection (On Campus or Via VPN Only)
We have created a utility to check for infection. Please note that this utility can only be accessed from campus or via a VPN connection.
- Click on this link: http://software.hampshire.edu/FlashbackCheck.dmg, and save the file.
- Double-click on “FlashbackCheck.dmg”, which will create a virtual disk on your desktop titled “FlashbackCheck.”
- Open up the disk on your desktop and run “CheckForFlashbackBotnet.” If you get a warning that you're about to run potentially dangerous software downloaded from the Internet, ignore it and click "Open".
- If you get a message that tells you that there was no threat detected and to run System Updates, click "OK" and go to your Apple Menu and run Software Updates immediately. Install any updates that are available; don’t worry if no updates are found. When you're done, you can drag the virtual disk icon to the trash to get rid of it.
- If you get a message saying that your computer might be infected, click "OK," and please contact the help desk or Student Diagnostic Center immediately.
How to check for the Flashback Botnet Infection if You’re Off-Campus
If you can’t access the software.hampshire.edu page because you’re off campus, there is a way to check for the infection manually:
- From the Finder, select Go→Utilities.
- Find the application “Terminal” and double-click to run it.
- Copy this command and paste it into the Terminal window, next to the “$”:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
- You should see an error message that reads, “The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist.” If you see anything different, please contact the Hampshire College IT help desk at 413.559.5418.
- Now copy this command and paste it into the Terminal window, next to the “$”:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
- You should see an error message that reads, “The domain/default pair of (/Users/YOURUSER/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist.” If you see anything different, please contact the Hampshire College IT help desk at 413.559.5418.
- Quit Terminal.
- To ensure that you’re guarded against future attempts to infect you with this threat, please run Apple Menu→Software Updates and install all available updates.
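The two manual checks above can also be run as one script. This is an added example, not the FlashbackCheck utility or any code from Hampshire College IT; the function names and the DEFAULTS_CMD override are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: automates the two manual `defaults read` checks above.
# DEFAULTS_CMD is a hypothetical override (not from the page) so the logic
# can be exercised on a machine without macOS `defaults`.

# classify_output TEXT -> "clean" when TEXT is the expected
# "does not exist" error, "suspect" for anything different.
classify_output() {
    case "$1" in
        *"does not exist"*) echo "clean" ;;
        *) echo "suspect" ;;
    esac
}

# run_check DOMAIN KEY -> clean | suspect | unavailable
run_check() {
    cmd=${DEFAULTS_CMD:-defaults}
    command -v "$cmd" >/dev/null 2>&1 || { echo "unavailable"; return 0; }
    # `defaults read` exits non-zero when the key is absent; that is the good case.
    out=$("$cmd" read "$1" "$2" 2>&1) || true
    classify_output "$out"
}

# check_flashback -> overall verdict across both locations from the page.
check_flashback() {
    r1=$(run_check /Applications/Safari.app/Contents/Info LSEnvironment)
    r2=$(run_check "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES)
    if [ "$r1" = "suspect" ] || [ "$r2" = "suspect" ]; then
        echo "suspect"      # something other than the expected error: contact the help desk
    elif [ "$r1" = "clean" ] && [ "$r2" = "clean" ]; then
        echo "clean"        # both keys absent: go on to Software Updates
    else
        echo "unavailable"  # not a Mac, or `defaults` missing: nothing was checked
    fi
}

# Run the check only where `defaults` exists (i.e. on a Mac).
if command -v defaults >/dev/null 2>&1; then
    check_flashback
fi
```

A result of "suspect" corresponds to the "if you see anything different" case above; "clean" means both commands returned the expected "does not exist" message.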