Apple releases Flashback removal tool

2

Comments

  • cnocbuicnocbui Posts: 3,305member
    Quote:
    Originally Posted by jonyo View Post


    What about older OS X versions? Are pre-10.6 & 10.7 systems that have java installed equally vulnerable to this trojan? I'd like to check my sister's old powerbok g4 that's running OS X 10.5, but this tool says it's specifically for 10.7 only, and I know the java updates that solved this issue were only for 10.6 & 10.7.



    Apple would rather you were part of a botnet than provide you with a fix for vulnerable software they supplied you with.



    Oh, and their Java updates weren't for 10.6 either.
  • haarhaar Posts: 503member
    Quote:
    Originally Posted by cnocbui View Post


    Apple would rather you were part of a botnet than provide you with a fix for vulnerable software they supplied you with.



    Oh, and their Java updates weren't for 10.6 either.



    how is the search for the 4 leaf clover going for you?
  • MarvinMarvin Posts: 13,725member, moderator
    Quote:
    Originally Posted by dempson View Post


    The Flashback removal tool runs immediately at the point you get it via Software Update, or when you run the manual download version via Installer. The removal tool doesn't remain on your system after it has done its check (and removal, if necessary). If it doesn't find an infection there is no feedback. If it does, you are alerted.



    The same tool was included in the latest Java updates for Lion (2012-003) and Snow Leopard (update 8), and it works the same way for those updates.



    It installs a system-level component called MRT (Malware Removal Tool?) Agent along with a LaunchAgent. My guess would be this may not be a permanent installation but rather if a version of Flashback is found, it will install the CoreService and launch agent, prompt a reboot and then execute the malware removal before any other process can start. It can then remove the MRT installation. If no version of Flashback is found, the installation won't need to install anything at all so it will say install has been successful but it won't in fact install anything, which is a bit misleading. It should say no infection found or something.



    Assuming it is a temporary installation, it appears to be a cure and not a prevention so it won't block or alert of future installations of Flashback that use other exploits e.g vulnerabilities in Flash, PDFs or infected downloads.
  • bloodshotrollin'redbloodshotrollin'red Posts: 279member
    This tool has a brilliantly explanatory interface Apple. Your GUI team must have worked overtime to make it so user-friendly.



    And why have the notice: "This update is recommended for all OS X Lion users without Java installed." Do you know something we don't?



    I've been reading that this vulnerability is caused exclusively by Java being installed. As I've never installed Java, why on earth would you be recommending I run this tool?
  • charlitunacharlituna Posts: 7,069member
    Quote:
    Originally Posted by jonyo View Post


    I'm not saying that Apple should support it, I'm saying I don't know how to find and/or remove the problem on my sister's older machine since Apple's tool won't run on the older system. I was under the impression that both the Kaspersky tool and the Symantec tool also won't run on stuff below 10.6.



    Are you certain your sister's is even a concern? I would look into that explanation as well. After all, the issue didn't pop up even via Flash until about a year ago when Snow Leopard was the current OS. Perhaps these exploits didn't exist until the version of Flash and Java that was only supported by 10.6 and higher so your sister has nothing to worry about.



    If nothing else there are instructions for using Terminal to check for the files in question.



    Quote:
    Originally Posted by Bloodshotrollin'red View Post


    And why have the notice: "This update is recommended for all OS X Lion users without Java installed." Do you know something we don't?



    1. there were variants that installed via Flash as well. This might be looking for them also



    2. it could be a placebo for the noob users that are so sure their computers must be infected somehow even though they think Java is another word for coffee



    3. a little of each of the other two
  • Quote:
    Originally Posted by SolipsismX View Post


    It showed up in my updates so i downloaded it, even though I don't have Java installed, but then nothing popped up and I can't locate it on my system.



    Don't worry. It just works.



    Trust Apple. Don't worry.
  • sockrolidsockrolid Posts: 2,560member
    Quote:
    Originally Posted by AppleInsider View Post


    In order to use the software, a user's Mac must be running OS X Lion without Java installed.



    Aha. That explains why Software Update never saw any of Apple's recent Java patches.

    Because I didn't have Java Runtime installed! LOL. D/L-ed and ran the removal tool, and it found nothing.
  • mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by SpamSandwich View Post


    Might be a good idea for Apple to buy Little Snitch and fold it into OSX.



    Quote:
    Originally Posted by adamw View Post


    I was thinking the same thing the other day. Little Snitch would be a cheap investment for Apple to make to ensure users were more comfortable about what programs were attempting to send data out over the Internet. Little Snitch saved me after I installed it, after I was infected with this Flashback trojan, as it found several variants of Flashback still lurking around on my Mac.





    I have little snitch installed and although effective, it is damn annoying with all the popups for legitimate software, mostly Apple's so unless they could make it less intrusive it would not be something Apple would want average consumers to see all the time. Reminds me of Vista.



    EDIT: thanks Splash-reverse I see we had the same thought.
  • tbelltbell Posts: 3,146member
    Yes, except I doubt if people would trust the functionality if it came directly from Apple. Currently, Little Snitch tells people about every out going call from their Macs including those from Apple. Apple likely would start to include exceptions whereby Little Snitch wouldn't provide such notifications.



    Quote:
    Originally Posted by SpamSandwich View Post


    Might be a good idea for Apple to buy Little Snitch and fold it into OSX.



  • tbelltbell Posts: 3,146member
    I honestly don't see how it is annoying other than the first time you run software. One of the options Little Snitch asks you is do you want to forever allow or deny communications from said app. If you select yes to either, you will never get a notification regarding that app again. I have Little Snitch installed. I haven't received a notification in months because I haven't installed any new software. If you get constant notification you are either installing a lot of applications or you select allow or deny for that session of the app only. When you open the app again, you will have to make the same decision again.



    There are certain apps like Apple's that I always allow, and certain apps from companies like Adobe or Google that I always deny.



    Quote:
    Originally Posted by mstone View Post


    I have little snitch installed and although effective, it is damn annoying with all the popups for legitimate software, mostly Apple's so unless they could make it less intrusive it would not be something Apple would want average consumers to see all the time. Reminds me of Vista.



    EDIT: thanks Splash-reverse I see we had the same thought.



  • mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by TBell View Post


    I honestly don't see how it is annoying other than the first time you run software. One of the options Little Snitch asks you is do you want to forever allow or deny communications from said app. If you select yes to either, you will never get a notification regarding that app again. I have Little Snitch installed. I haven't received a notification in months because I haven't installed any new software. If you get constant notification you are either installing a lot of applications or you select allow or deny for that session of the app only. When you open the app again, you will have to make the same decision again.



    There are certain apps like Apple's that I always allow, and certain apps from companies like Adobe or Google that I always deny.



    So would you allow a terminal app connection attempt to



    www.apple.com.edgekey.net

    ?



    Sounds like it could be a sneaky hack attempt.
  • prof. peabodyprof. peabody Posts: 2,860member
    Quote:
    Originally Posted by adamw View Post


    I was thinking the same thing the other day. Little Snitch would be a cheap investment for Apple to make to ensure users were more comfortable about what programs were attempting to send data out over the Internet. Little Snitch saved me after I installed it, after I was infected with this Flashback trojan, as it found several variants of Flashback still lurking around on my Mac.



    Little Snitch is a fantastic tool but it's far far too confusing for the average user.



    It's a cornucopia of settings, questions and messages once installed.

    It is the antithesis of everything OS X stands for in terms of UI.
  • Will Apple need to release a new fix like this every time a new virus/trojan/worm is discovered? That doesn't seem scaleable.



    It seems like there must be a better way to do it, and if these things show up frequently, it would be complicated for users.
  • mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by I am a Zither Zather Zuzz View Post


    Will Apple need to release a new fix like this every time a new virus/trojan/worm is discovered? That doesn't seem scaleable.



    It seems like there must be a better way to do it, and if these things show up frequently, it would be complicated for users.



    Apple would rather that users did not access the web directly other than through Apple.com. Everything else should be accessed through App Store apps and all email should go through iClould. That way Apple would be able to prevent any malware from ever infecting a Mac or iOS device.



    Perhaps users feel more secure in that sort of sheltered life, but in the real world you are going to run into some ne'er-do-wells once in a while. When you get too complacent, you forget how to fend for yourself, or adapt to unfamiliar circumstances. I little virus scare once an a while is not such a bad thing. The entire world is far too dependent on the Internet and computers anyway.
  • hypercommunisthypercommunist Posts: 122member
    Quote:
    Originally Posted by wizard69 View Post


    You will have to review the various web sites that cover removal. Google is your friend.



    I followed the Terminal instructions that were posted (here or ars.technica, can't remember). They ran no prob, system clean. Oh, but when I got the (3rd) Java update from Apple, it said: malware detected, removed.



    Great. It's like we have PCs in the 90s.
  • 2stepbay2stepbay Posts: 82member
    I use SweetProductions "Cookie" app to manage Safari cookies. After running the malware removal installer, then restarting Safari, I discovered my Cookie file had been reset, and in turn erasing my favorite Cookie list. Anyone else have a similar experience?



    Fortunately, I have a recent TM backup. Restoring my Cookie folder fixed the problem. BTW no warning prompt appeared while the malware removal installer was running.



    10.7.3

    iMac i7
  • adamwadamw Posts: 114guest
    A new Mac trojan has just been identified. It was released into the wild about March 16th, and uses the same Java exploit to gain access and infect Macs. More info:



    http://www.zdnet.com/blog/security/n...eraction/11545



    Look for the following 2 files being present to detect infection:



    /Library/Preferences/com.apple.PubSabAgent.pfile

    /Library/LaunchAgents/com.apple.PubSabAGent.plist



    This trojan reportedly does the following to a Mac:



    "After infecting a given Mac, this Trojan is like most: it connects to a remote website using HTTP in typical command and control (C&C) fashion to fetch instructions from remote hackers telling it what to do. The backdoor contains functionality to take screenshots of the user’s current session, upload and download files, as well as execute commands remotely on the infected machine. Encrypted logs are sent back to the control server, so the hackers can monitor activity."
  • povilaspovilas Posts: 473member
    Quote:
    Originally Posted by SolipsismX View Post


    Clearly I'm wrong but I had thought the "Automatically download safe downloads list" would also get rid of any malware files it detects.









    This has been said many times but I don't what Little Snitch has that is proprietary or Apple couldn't easily reproduce on their own. It's a high level outgoing firewall and access-list.



    The problem with Little Snitch is that it's not for novice users so that it's not something I see Apple incorporating which is probably why they've tried to keep their own OS X firewall appear as simple as possible to the user.



    Computer itself, Mac or PC, is not for novice. Some things must be learnt, but most of the time people do random things without thinking and then whine.
  • technotechno Posts: 585member
    Quote:
    Originally Posted by SpamSandwich View Post


    Might be a good idea for Apple to buy Little Snitch and fold it into OSX.



    It would have to be modified in some way because as it is, the "learning phase" would drive most people crazy. It can be annoying to get those popups every few minutes for the fist couple of weeks. Plus, most people would not use it properly as it is designed now. Most would just click allow without reading.
  • hill60hill60 Posts: 6,960member
    Quote:
    Originally Posted by hypercommunist View Post


    I followed the Terminal instructions that were posted (here or ars.technica, can't remember). They ran no prob, system clean. Oh, but when I got the (3rd) Java update from Apple, it said: malware detected, removed.



    Great. It's like we have PCs in the 90s.



    So what led you to one of the infected sites?



    Did you open any unusual email attachments, follow any strange links from social sites?



    I've had Adobe Flash updates pop up, which I've closed and ignored then gone to Adobe's site to cross check the version available there and download if necessary.



    The latest bunch of scam emails I've been getting aside from the usual "verify bank details" ones have been purpurtedly from Apple offering the bargain of $9 for a $100 iTunes card:-



    a) They don't know my name



    b) since when did Apple start using Hotmail?



    I delete them without opening the attachment, a bit of common sense goes a long way with things like this.
Sign In or Register to comment.