April 12, 2012

A number of readers responded to the story I published last week on the Flashback Trojan, a contagion that was found to have infected more than 600,000 Mac OS X systems. Most people wanted to know how they could detect whether their systems were infected with Flashback — and if so — how to remove the malware. This post covers both of those questions.

Screen shot of Flashback detection tool from Dr.Web

Since the discovery last week of the Flashback Mac botnet, several security firms have released tools to help detect and clean up Flashback infections. Dr.Web, the Russian antivirus vendor that first sounded the alarm about the outbreak, has published a free online service that lets users tell whether their systems have been seen phoning home to Flashback’s control servers (those servers have since been hijacked by researchers). The service requires users to enter their Mac’s hardware unique user ID (HW-UUID), because this is how the miscreants who were running the botnet kept track of their infections.

F-Secure Corp., the Finnish security firm that worked with Dr.Web to more accurately gauge the true number of Flashback-infected Macs, has a Flashback Removal Tool available for download from its Web site.

Where is Apple’s response in all of this, you ask? Apple says it is developing software that will detect and remove Flashback. Inexplicably, it has not yet released this tool, nor has it added detection for it to the XProtect antivirus tool built into OS X. The company’s advisory on this threat is predictably sparse, and focuses instead on urging users to apply a recent update for Java. Flashback attacks a well-known Java flaw, but it’s worth noting that Apple released the Java patch only after Flashback had begun infecting hundreds of thousands of Macs.

Update, 8:22 p.m. ET: Apple just released a new version of Java that includes a Flashback remover. Java for OS X Lion 2012-003 delivers Java SE 6 version 1.6.0_31 and supersedes all previous versions of Java for OS X Lion. It includes no new security fixes, but it adopts a novel approach to the debate over whether to temporarily disable or remove Java: “It configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application.” If the Java web plug-in detects that no applets have been run for at least 35 days, it will again disable Java applets.

Original post:

In its advisory, Apple said it “is working with ISPs worldwide to disable the command and control network” that criminals were using to direct the activities of the Flashback botnet. But Apple’s actions speak much louder than words. Forbes’ Andy Greenberg published a fascinating piece on Wednesday showing that when it comes to working with the security community, Apple is still a bit like a spoiled toddler who hasn’t yet learned to play nice with other children in the sandbox.

On the issue of security in general, Apple appears to still have its head firmly planted in the sand: F-Secure notes that Apple still has not shipped an update that fixes this Java flaw on OS X 10.5 (or earlier), even though 16 percent of all all Macs still run this OS.

While Apple stopped bundling Java by default in OS X 10.7 (Lion), it offers instructions for downloading and installing the Oracle-developed software framework when users access webpages that use it. If you have Java but no longer need it, get rid of it. If you need Java on your Mac only for a specific application (such as OpenOffice), you can unplug it from the browser by disabling its plugin. In Safari, this can be done by clicking Preferences, and then the Security tab (uncheck “Enable Java”). In Google Chrome, open Preferences, and then type “Java” in the search box. Scroll down to the Plug-ins section, and click the link that says “Disable individual plug-ins.” If you have Java installed, you should see a “disable” link underneath its listing. In Mozilla Firefox for Mac, click Tools, Add-ons, and disable the Java plugin(s).

Broken record alert: If you don’t need Java, remove it from your system, whether you are a Mac or Windows user. If you need further convincing of my reasons for this recommendation, I’d encourage you to browse through some of my past Java-related posts.

18 thoughts on “How to Find and Remove Mac Flashback Infections

    1. Kim

      Yay, that will really help the customer. Apple is so far behind the curve that they don’t even realize this has been standard practice for years. Sigh.

      Its also a bit distressing to see how complicated it is to disable Java in Chrome. I mean really?

  1. Gary

    Can you assume you’re not infected if you never have Java enabled except for the brief period it’s used with one application (and then turned off)?

    1. qka

      Better to be safe than sorry. The test in Terminal is only copying & pasting 2 lines, more if you are infected.

  2. JCitizen

    “Apple is still a bit like a spoiled toddler who hasn’t yet learned to play nice with other children in the sandbox.”

    If the marketing folks a Microsoft were vengeful; they’d come out with an advertisement that brings this up, along the same lines as the ‘cool’ guy Apple adds. ]:)

    1. Carlos

      “marketing folks a[t] Microsoft”

      The what? Microsoft has marketing? Since when?

  3. Baden

    I just got an email from the Apple security mail list stating that they have released two new updates: one to auto-disable Java (see: http://support.apple.com/kb/HT5242) and the other a tool to remove the flashback malware.

  4. Tony Smit

    In the print version of the May 2012 edition of PC World, it has an article titled :
    Manage Downloads Better With JDownloader

    where one line says :
    JDownloader is one such utility, and since it is Java-based, it works across Windows, Mac, and Linux.

    So I looked it up on

    * Version: 0.9.581

    which provides a download link

    JDownloader also has a Wikipedia entry at http://en.wikipedia.org/wiki/JDownloader

    which says the program is buggy and lists quite a few bugs and undesirable features

    The rule is that programs that are buggy also have a lot of unknown exploits waiting for malware criminals to find them.

    Just another reason for avoiding Java-based programs, particularly for people who have little interest in futzing with undesirable features.

  5. Mark

    No problem here, I saved some money and no trojan, I DON’T have a mac$$$

  6. Nicholas Weaver

    The situation has changed in the past hour or two:

    Apple has released another Java update. The big changes…

    1: It detects and removes the major Flashback variants

    2: It deactivates the plug-in. To reactivate it requires explicit user interaction: clicking on the disabled applet, saying “yes”, and restarting the browser, and after 35 days of not being used, it automatically re-deactivates it.

  7. TJ

    A lot has been reported recently about methods to detect and remove Flashback, but I’ve seen nothing written about how botnets routinely download additional malware onto compromised systems. (In some cases, actually erasing all traces of the original malware.)

    So, is there any evidence to date that these Mac bots have downloaded additional malware?

  8. MrUnFixit-Maybe

    We wouldn’t want Apple to be seen to be challenging the software lead Oracle/Sun, Google, and Adobe have with their widely deployed products, would we?

    Might distract us from the failure to implement a robust implementation of Unix which is after all what OS-X is, isn’t it?

    Tsk, tsk.

  9. Donna

    Oh God.. 🙁 its not safe anymore using mac… now its better not connecting to the internet *sigh*

  10. Biton

    have a look at woodsfinance.com as we (including our bank) found out that this is a money laundering scam…

    email send to people;
    Dear, Mr xxx xxxxxx, an exciting opportunity to work in our team has arisen. Vacancy-Accounting Manager (no experience required). Location-United Kingdom.

    The Candidate: Aged older than age 18; speed and accuracy; good interpersonal skills; communication skills, both written and oral; strong interest in smartphone and new technology is a plus.

    We provide absolutely free: training; tutorials and study material for computer certification in UK; study in UK with a trainer.

    Salary Full-Time: £22700+bonus;
    Salary Part-Time: £16200+bonus.

    Email back and We will send you an email with information on how to continue.

    HR Manager
    Betty J. Tapscott
    Woods Finance Associates

Comments are closed.