Apple releases Flashback removal tool

Posted:
in macOS edited January 2014


Coming on the heels of its Thursday Java update, Apple has released a separate program to remove the so-called Flashback trojan that has affected over 600,000 Macs worldwide.



Apple on Friday released version 1.0 of its "Flashback malware removal tool" which will scan a user's computer and erase known iterations of the trojan that some are calling the worst the Mac platform has ever seen.



The standalone program is meant for Mac users who don't already have Java installed on their machines. It includes the same code as yesterday's software update, which plugged a security hole that allowed the malware to install itself automatically without admin authorization.



From the release notes:

Quote:

About Flashback malware removal tool



This Flashback malware removal tool will remove the most common variants of the Flashback malware.



If the Flashback malware is found, a dialog will be presented notifying the user that malware was removed.



In some cases, the Flashback malware removal tool may need to restart your computer in order to completely remove the Flashback malware.



This update is recommended for all OS X Lion users without Java installed.











At one point, a reported 600,000 Macs worldwide were part of the Flashback botnet, which harvested personal information and web browsing logs from affected machines. Apple was slow to release a patch for the exploit, but managed to roll out two updates within the past week.



The notorious trojan was first discovered last year by a security firm; it tricked users into installing it under the guise of an Adobe Flash installer. The most recent version bypasses any user action and automatically installs itself after an affected website is visited.



Apple's Flashback removal tool comes in at 356KB and can be downloaded . In order to use the software, a user's Mac must be running OS X Lion without Java installed.




Comments

  • Reply 1 of 52
    adamwadamw Posts: 114guest
    I commend Apple for releasing this standalone Flashback trojan removal tool, for people who do not have Java installed (on Lion). This should help take some of the confusion and frustration away. Thank you Apple.
  • Reply 2 of 52
    SpamSandwichSpamSandwich Posts: 33,407member
    Might be a good idea for Apple to buy Little Snitch and fold it into OSX.
  • Reply 3 of 52
    adamwadamw Posts: 114guest
    Quote:
    Originally Posted by SpamSandwich View Post


    Might be a good idea for Apple to buy Little Snitch and fold it into OSX.



    I was thinking the same thing the other day. Little Snitch would be a cheap investment for Apple to make to ensure users were more comfortable about what programs were attempting to send data out over the Internet. Little Snitch saved me after I installed it, after I was infected with this Flashback trojan, as it found several variants of Flashback still lurking around on my Mac.
  • Reply 4 of 52
    jonyojonyo Posts: 117member
    What about older OS X versions? Are pre-10.6 & 10.7 systems that have Java installed equally vulnerable to this trojan? I'd like to check my sister's old PowerBook G4 that's running OS X 10.5, but this tool says it's specifically for 10.7 only, and I know the Java updates that solved this issue were only for 10.6 & 10.7.
  • Reply 5 of 52
    Quote:
    Originally Posted by jonyo View Post


    What about older OS X versions? Are pre-10.6 & 10.7 systems that have Java installed equally vulnerable to this trojan? I'd like to check my sister's old PowerBook G4 that's running OS X 10.5, but this tool says it's specifically for 10.7 only, and I know the Java updates that solved this issue were only for 10.6 & 10.7.



    Apple policy has always been to support only current and previous OS. There are plenty of other ways to find out if you're infected and how to prevent re-infection. Just look...
  • Reply 6 of 52
    solipsismxsolipsismx Posts: 19,566member
    Clearly I'm wrong but I had thought the "Automatically download safe downloads list" would also get rid of any malware files it detects.





    Quote:
    Originally Posted by SpamSandwich View Post


    Might be a good idea for Apple to buy Little Snitch and fold it into OSX.



    This has been said many times but I don't know what Little Snitch has that is proprietary or Apple couldn't easily reproduce on their own. It's a high level outgoing firewall and access-list.



    The problem with Little Snitch is that it's not for novice users so that it's not something I see Apple incorporating which is probably why they've tried to keep their own OS X firewall appear as simple as possible to the user.
  • Reply 7 of 52
    maecvsmaecvs Posts: 129member
    OK, I downloaded the update, how do you launch it???
  • Reply 8 of 52
    macbook promacbook pro Posts: 1,605member
    Quote:
    Originally Posted by SolipsismX View Post


    Clearly I'm wrong but I had thought the "Automatically download safe downloads list" would also get rid of any malware files it detects.









    This has been said many times but I don't know what Little Snitch has that is proprietary or Apple couldn't easily reproduce on their own. It's a high level outgoing firewall and access-list.



    The problem with Little Snitch is that it's not for novice users so that it's not something I see Apple incorporating which is probably why they've tried to keep their own OS X firewall appear as simple as possible to the user.



    Exactly. The existing firewall is already fairly robust. NoobProof is much better for the average user than Little Snitch.



    http://support.apple.com/kb/HT1810?v...S&locale=en_US



    Configuring the Application Firewall in Mac OS X v10.6 and later

    Follow these steps:



    Choose System Preferences from the Apple menu.

    Click Security.

    Click the Firewall tab.

    Unlock the pane by clicking the lock in the lower-left corner and enter the administrator username and password.

    Click Start to enable the firewall.

    Click Advanced to customize the firewall configuration.

    Application Firewall's three advanced settings



    1. Block all incoming connections:



    Mac OS X v10.6 will block all connections except a limited list of services essential to the operation of your computer.



    The system services that are still allowed to receive incoming connections are:



    configd, which implements DHCP and other network configuration services

    mDNSResponder, which implements Bonjour

    racoon, which implements IPSec

    This mode will prevent all sharing services, such as File Sharing and Screen Sharing found in the Sharing System Preferences pane, from receiving incoming connections. To use these services, disable this option.



    2. Automatically allow signed software to receive incoming connections



    Applications that are already signed by a valid certificate authority will automatically be added to the list of allowed applications rather than prompting the user to authorize them. For example, since iTunes is already signed by Apple, it will automatically be allowed to receive incoming connections through the firewall.



    3. Enable stealth mode



    With stealth mode enabled, the computer will not respond to requests that probe the computer to see if it is there. The computer will still answer requests coming in for authorized applications, but other unexpected requests, such as ICMP (ping), will not get a response.



    Digitally-signed applications



    All applications not in the list that have been digitally signed by a Certificate Authority trusted by the system (for the purpose of code signing) are allowed to receive incoming connections. Every Apple application in Mac OS X v10.6 has been signed by Apple and is allowed to receive incoming connections. If you wish to deny a digitally signed application, you should first add it to the list and then explicitly deny it.



    If you run an unsigned application not in the Application Firewall list, you will be presented with a dialog with options to Allow or Deny connections for the application. If you choose Allow, Mac OS X v10.6 will sign the application and automatically add it to the Application Firewall list. If you choose Deny, Mac OS X v10.6 will sign the application, automatically add it to the Application Firewall list and deny the connection.



    Some applications check their own integrity when they are run without using code signing. If the Application Firewall recognizes such an application it will not sign it, but then it will re-present the dialog every time the application is run. This may be avoided by upgrading to a version of the application which is signed by its developer.
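
A command-line report of the three advanced settings described in the pasted Apple article, as an added example that is not part of the original post or of Apple's article. It assumes the Application Firewall keeps its state in `/Library/Preferences/com.apple.alf` under the keys `globalstate`, `stealthenabled` and `allowsignedenabled`; the function names are illustrative.

```shell
#!/bin/sh
# Added example: report the Application Firewall settings described above.
# Assumed (not stated on this page): the settings are stored in
# /Library/Preferences/com.apple.alf as globalstate, stealthenabled and
# allowsignedenabled. Function names are illustrative.
ALF_PLIST=/Library/Preferences/com.apple.alf

# alf_report GLOBALSTATE STEALTH ALLOWSIGNED
# Prints one line per setting; returns 0 when the firewall is on, 1 otherwise.
alf_report() {
    rc=0
    case "$1" in
        0) echo "firewall: OFF"; rc=1 ;;
        1) echo "firewall: ON (per-application allow/deny list)" ;;
        2) echo "firewall: ON, block all incoming (sharing services unreachable)" ;;
        *) echo "firewall: unknown state '$1'"; rc=1 ;;
    esac
    case "$2" in
        1) echo "stealth mode: ON (unexpected probes such as ping go unanswered)" ;;
        0) echo "stealth mode: OFF" ;;
        *) echo "stealth mode: unknown value '$2'" ;;
    esac
    case "$3" in
        1) echo "signed software: allowed automatically, without a prompt" ;;
        0) echo "signed software: not auto-allowed" ;;
        *) echo "signed software: unknown value '$3'" ;;
    esac
    return $rc
}

# Read one key from the live preference file; "unknown" if it cannot be read.
alf_read() {
    defaults read "$ALF_PLIST" "$1" 2>/dev/null || echo unknown
}

# Audit this Mac: sh alf_check.sh --audit
alf_audit() {
    alf_report "$(alf_read globalstate)" "$(alf_read stealthenabled)" \
               "$(alf_read allowsignedenabled)"
}

if [ "${1:-}" = "--audit" ]; then
    alf_audit
fi
```
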
  • Reply 9 of 52
    solipsismxsolipsismx Posts: 19,566member
    Quote:
    Originally Posted by Maecvs View Post


    OK, I downloaded the update, how do you launch it???



    It showed up in my updates so I downloaded it, even though I don't have Java installed, but then nothing popped up and I can't locate it on my system.
  • Reply 10 of 52
    maecvsmaecvs Posts: 129member
    Quote:
    Originally Posted by SolipsismX View Post


    It showed up in my updates so I downloaded it, even though I don't have Java installed, but then nothing popped up and I can't locate it on my system.



    I can't find it either. Anyone know what we are supposed to do after downloading the update?
  • Reply 11 of 52
    egraregrar Posts: 29member
    http://support.apple.com/kb/DL1517



    Read this for more info.
  • Reply 12 of 52
    jonyojonyo Posts: 117member
    Quote:
    Originally Posted by unother View Post


    Apple policy has always been to support only current and previous OS. There are plenty of other ways to find out if you're infected and how to prevent re-infection. Just look...



    I'm not saying that Apple should support it, I'm saying I don't know how to find and/or remove the problem on my sister's older machine since Apple's tool won't run on the older system. I was under the impression that both the Kaspersky tool and the Symantec tool also won't run on stuff below 10.6.
  • Reply 13 of 52
    Quote:
    Originally Posted by SpamSandwich View Post


    Might be a good idea for Apple to buy Little Snitch and fold it into OSX.



    Quote:
    Originally Posted by adamw View Post


    I was thinking the same thing the other day. Little Snitch would be [...] still lurking around on my Mac.





    Quote:
    Originally Posted by SolipsismX View Post




    [...]



    This has been said many times but I don't know what Little Snitch has that is proprietary or Apple couldn't easily reproduce on their own. It's a high level outgoing firewall and access-list.



    The problem with Little Snitch is that it's not for novice users so that it's not something I see Apple incorporating which is probably why they've tried to keep their own OS X firewall appear as simple as possible to the user.



    True. You don't want OS X to be like Windows Vista. Apple can introduce it but leave it off or minimal by default. The only people who find Little Snitch indispensable are the pirates and the paranoids.
  • Reply 14 of 52
    I can't seem to find it either.
  • Reply 15 of 52
    dempsondempson Posts: 62member
    Quote:
    Originally Posted by SolipsismX View Post


    It showed up in my updates so I downloaded it, even though I don't have Java installed, but then nothing popped up and I can't locate it on my system.



    The Flashback removal tool runs immediately at the point you get it via Software Update, or when you run the manual download version via Installer. The removal tool doesn't remain on your system after it has done its check (and removal, if necessary). If it doesn't find an infection there is no feedback. If it does, you are alerted.



    The same tool was included in the latest Java updates for Lion (2012-003) and Snow Leopard (update 8), and it works the same way for those updates.
  • Reply 16 of 52
    Quote:
    Originally Posted by dempson View Post


    The Flashback removal tool runs immediately at the point you get it via Software Update, or when you run the manual download version via Installer. The removal tool doesn't remain on your system after it has done its check (and removal, if necessary). If it doesn't find an infection there is no feedback. If it does, you are alerted.



    The same tool was included in the latest Java updates for Lion (2012-003) and Snow Leopard (update 8), and it works the same way for those updates.



    Thanks for clearing that up.
  • Reply 17 of 52
    solipsismxsolipsismx Posts: 19,566member
    Quote:
    Originally Posted by dempson View Post


    The Flashback removal tool runs immediately at the point you get it via Software Update, or when you run the manual download version via Installer. The removal tool doesn't remain on your system after it has done its check (and removal, if necessary). If it doesn't find an infection there is no feedback. If it does, you are alerted.



    The same tool was included in the latest Java updates for Lion (2012-003) and Snow Leopard (update 8), and it works the same way for those updates.



    Thank you.
  • Reply 18 of 52
    wizard69wizard69 Posts: 13,377member
    Quote:
    Originally Posted by jonyo View Post


    What about older OS X versions? Are pre-10.6 & 10.7 systems that have Java installed equally vulnerable to this trojan? I'd like to check my sister's old PowerBook G4 that's running OS X 10.5, but this tool says it's specifically for 10.7 only, and I know the Java updates that solved this issue were only for 10.6 & 10.7.



    I know you don't want to hear that but we are talking a G4 here. If that doesn't do it for you consider removing Java.
  • Reply 19 of 52
    wizard69wizard69 Posts: 13,377member
    Quote:
    Originally Posted by jonyo View Post


    I'm not saying that Apple should support it, I'm saying I don't know how to find and/or remove the problem on my sister's older machine since Apple's tool won't run on the older system. I was under the impression that both the Kaspersky tool and the Symantec tool also won't run on stuff below 10.6.



    You will have to review the various web sites that cover removal. Google is your friend.
  • Reply 20 of 52
    maecvsmaecvs Posts: 129member
    Quote:
    Originally Posted by dempson View Post


    The Flashback removal tool runs immediately at the point you get it via Software Update, or when you run the manual download version via Installer. The removal tool doesn't remain on your system after it has done its check (and removal, if necessary). If it doesn't find an infection there is no feedback. If it does, you are alerted.



    The same tool was included in the latest Java updates for Lion (2012-003) and Snow Leopard (update 8), and it works the same way for those updates.



    OK. Thanks for the info. I guess that means I don't have the Trojan.