Apple releases Flashback removal tool

post #1 of 53
Coming on the heels of its Thursday Java update, Apple has released a separate program to remove the so-called Flashback trojan that has affected over 600,000 Macs worldwide.

Apple on Friday released version 1.0 of its "Flashback malware removal tool" which will scan a user's computer and erase known iterations of the trojan that some are calling the worst the Mac platform has ever seen.

The standalone program is meant to be used by Mac users who don't have Java already installed on their machines and includes the same code as yesterday's software update that plugged a security hole which allowed the malware to automatically install itself without admin authorization.

From the release notes:
Quote:
About Flashback malware removal tool

This Flashback malware removal tool will remove the most common variants of the Flashback malware.

If the Flashback malware is found, a dialog will be presented notifying the user that malware was removed.

In some cases, the Flashback malware removal tool may need to restart your computer in order to completely remove the Flashback malware.

This update is recommended for all OS X Lion users without Java installed.
At one point, a reported 600,000 Macs worldwide were part of the Flashback botnet, which harvested personal information and web browsing logs from affected machines. Apple was slow to release a patch for the exploit, but managed to roll out two updates within the past week.

The notorious trojan was first discovered last year by a security firm, tricking users into installing it under the guise of an Adobe Flash installer. The most recent version bypasses any user action and automatically installs itself after an affected website is visited.

Apple's Flashback removal tool comes in at 356KB and can be downloaded. In order to use the software, a user's Mac must be running OS X Lion without Java installed.

post #2 of 53
I commend Apple for releasing this standalone Flashback trojan removal tool, for people who do not have Java installed (on Lion). This should help take some of the confusion and frustration away. Thank you Apple.
post #3 of 53
Might be a good idea for Apple to buy Little Snitch and fold it into OSX.

Proud AAPL stock owner.

GOA
post #4 of 53
Quote:
Originally Posted by SpamSandwich View Post

Might be a good idea for Apple to buy Little Snitch and fold it into OSX.

I was thinking the same thing the other day. Little Snitch would be a cheap investment for Apple to make to ensure users were more comfortable about what programs were attempting to send data out over the Internet. Little Snitch saved me after I installed it, after I was infected with this Flashback trojan, as it found several variants of Flashback still lurking around on my Mac.
post #5 of 53
What about older OS X versions? Are pre-10.6 & 10.7 systems that have Java installed equally vulnerable to this trojan? I'd like to check my sister's old PowerBook G4 that's running OS X 10.5, but this tool says it's specifically for 10.7 only, and I know the Java updates that solved this issue were only for 10.6 & 10.7.
post #6 of 53
Quote:
Originally Posted by jonyo View Post

What about older OS X versions? Are pre-10.6 & 10.7 systems that have Java installed equally vulnerable to this trojan? I'd like to check my sister's old PowerBook G4 that's running OS X 10.5, but this tool says it's specifically for 10.7 only, and I know the Java updates that solved this issue were only for 10.6 & 10.7.

Apple policy has always been to support only current and previous OS. There are plenty of other ways to find out if you're infected and how to prevent re-infection. Just look...
post #7 of 53
Clearly I'm wrong but I had thought the "Automatically download safe downloads list" would also get rid of any malware files it detects.


Quote:
Originally Posted by SpamSandwich View Post

Might be a good idea for Apple to buy Little Snitch and fold it into OSX.

This has been said many times, but I don't know what Little Snitch has that is proprietary or that Apple couldn't easily reproduce on their own. It's a high-level outgoing firewall and access list.

The problem with Little Snitch is that it's not for novice users, so it's not something I see Apple incorporating, which is probably why they've tried to make their own OS X firewall appear as simple as possible to the user.

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

 

Goodbyeee jragosta :: http://forums.appleinsider.com/t/160864/jragosta-joseph-michael-ragosta
post #8 of 53
OK, I downloaded the update, how do you launch it???
post #9 of 53
Quote:
Originally Posted by SolipsismX View Post

Clearly I'm wrong but I had thought the "Automatically download safe downloads list" would also get rid of any malware files it detects.

This has been said many times, but I don't know what Little Snitch has that is proprietary or that Apple couldn't easily reproduce on their own. It's a high-level outgoing firewall and access list.

The problem with Little Snitch is that it's not for novice users, so it's not something I see Apple incorporating, which is probably why they've tried to make their own OS X firewall appear as simple as possible to the user.

Exactly. The existing firewall is already fairly robust. NoobProof is much better for the average user than Little Snitch.

http://support.apple.com/kb/HT1810?v...S&locale=en_US

Configuring the Application Firewall in Mac OS X v10.6 and later
Follow these steps:

Choose System Preferences from the Apple menu.
Click Security.
Click the Firewall tab.
Unlock the pane by clicking the lock in the lower-left corner and enter the administrator username and password.
Click Start to enable the firewall.
Click Advanced to customize the firewall configuration.
Application Firewall's three advanced settings

1. Block all incoming connections:

Mac OS X v10.6 will block all connections except a limited list of services essential to the operation of your computer.

The system services that are still allowed to receive incoming connections are:

configd, which implements DHCP and other network configuration services
mDNSResponder, which implements Bonjour
racoon, which implements IPSec
This mode will prevent all sharing services, such as File Sharing and Screen Sharing found in the Sharing System Preferences pane, from receiving incoming connections. To use these services, disable this option.

2. Automatically allow signed software to receive incoming connections

Applications that are already signed by a valid certificate authority will automatically be added to the list of allowed applications rather than prompting the user to authorize them. For example, since iTunes is already signed by Apple, it will automatically be allowed to receive incoming connections through the firewall.

3. Enable stealth mode

With stealth mode enabled, the computer will not respond to requests that probe the computer to see if it is there. The computer will still answer requests coming in for authorized applications, but other unexpected requests, such as ICMP (ping), will not get a response.

Digitally-signed applications

All applications not in the list that have been digitally signed by a Certificate Authority trusted by the system (for the purpose of code signing) are allowed to receive incoming connections. Every Apple application in Mac OS X v10.6 has been signed by Apple and is allowed to receive incoming connections. If you wish to deny a digitally signed application, you should first add it to the list and then explicitly deny it.

If you run an unsigned application not in the Application Firewall list, you will be presented with a dialog with options to Allow or Deny connections for the application. If you choose Allow, Mac OS X v10.6 will sign the application and automatically add it to the Application Firewall list. If you choose Deny, Mac OS X v10.6 will sign the application, automatically add it to the Application Firewall list and deny the connection.

Some applications check their own integrity when they are run without using code signing. If the Application Firewall recognizes such an application it will not sign it, but then it will re-present the dialog every time the application is run. This may be avoided by upgrading to a version of the application which is signed by its developer.
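The KB steps above are GUI-only. As an added example (not from the KB article and not code anyone in this thread posted), here is the same configuration applied from Terminal with Apple's socketfilterfw front end to the Application Firewall: the three Advanced settings, plus the add-then-deny sequence the article describes for a signed application that would otherwise be allowed automatically. It must be run as root (sudo) on macOS. The DRY_RUN variable, the function names and the harden/deny/show subcommands are this script's own conventions, not Apple's.

```shell
#!/bin/sh
# Added example: Application Firewall settings from the command line.
# Not Apple's documentation and not code from the thread. Requires root on
# macOS; DRY_RUN=1 (this script's own knob) prints the commands instead of
# running them, which is also how it can be exercised on another OS.

SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Run a command, or just echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Turn the firewall on and apply the three "Advanced" options from the KB
# text. Block-all is the strict mode: it also stops File Sharing and
# Screen Sharing from accepting connections.
fw_harden() {
    run "$SFW" --setglobalstate on
    run "$SFW" --setblockall on      # 1. Block all incoming connections
    run "$SFW" --setallowsigned on   # 2. Automatically allow signed software
    run "$SFW" --setstealthmode on   # 3. Stealth mode: no reply to probes such as ping
}

# A signed app is allowed by default. As the KB says, to deny it you add it
# to the list first and then explicitly block it.
fw_deny_app() {
    app=$1
    run "$SFW" --add "$app"
    run "$SFW" --blockapp "$app"
}

# Show the global state and the per-application allow/deny list.
fw_show() {
    run "$SFW" --getglobalstate
    run "$SFW" --listapps
}

if [ "$(uname)" != Darwin ] && [ "${DRY_RUN:-0}" != 1 ]; then
    echo "The Application Firewall is macOS-only; set DRY_RUN=1 elsewhere" >&2
fi

# Usage: sudo sh fw.sh harden | deny /Applications/Foo.app | show
case "$1" in
    harden) fw_harden ;;
    deny)   fw_deny_app "$2" ;;
    show)   fw_show ;;
esac
```

Leave `--setblockall` off on a Mac that serves File Sharing or Screen Sharing, and check the result with `show`: a denied app is listed with its block state, which is the only way to confirm the add-then-deny sequence took effect.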
post #10 of 53
Quote:
Originally Posted by Maecvs View Post

OK, I downloaded the update, how do you launch it???

It showed up in my updates so I downloaded it, even though I don't have Java installed, but then nothing popped up and I can't locate it on my system.

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

 

Goodbyeee jragosta :: http://forums.appleinsider.com/t/160864/jragosta-joseph-michael-ragosta
post #11 of 53
Quote:
Originally Posted by SolipsismX View Post

It showed up in my updates so I downloaded it, even though I don't have Java installed, but then nothing popped up and I can't locate it on my system.

I can't find it either. Anyone know what we are supposed to do after downloading the update?
post #12 of 53
http://support.apple.com/kb/DL1517

Read this for more info.
Command & Conquer
post #13 of 53
Quote:
Originally Posted by unother View Post

Apple policy has always been to support only current and previous OS. There are plenty of other ways to find out if you're infected and how to prevent re-infection. Just look...

I'm not saying that Apple should support it, I'm saying I don't know how to find and/or remove the problem on my sister's older machine since Apple's tool won't run on the older system. I was under the impression that both the Kaspersky tool and the Symantec tool also won't run on stuff below 10.6.
post #14 of 53
Quote:
Originally Posted by SpamSandwich View Post

Might be a good idea for Apple to buy Little Snitch and fold it into OSX.

Quote:
Originally Posted by adamw View Post

I was thinking the same thing the other day. Little Snitch would be [...] still lurking around on my Mac.


Quote:
Originally Posted by SolipsismX View Post


[...]

This has been said many times, but I don't know what Little Snitch has that is proprietary or that Apple couldn't easily reproduce on their own. It's a high-level outgoing firewall and access list.

The problem with Little Snitch is that it's not for novice users, so it's not something I see Apple incorporating, which is probably why they've tried to make their own OS X firewall appear as simple as possible to the user.

True. You don't want OS X to be like Windows Vista. Apple can introduce it but leave it off or minimal by default. The only people who find Little Snitch indispensable are the pirates and the paranoids.
post #15 of 53
I can't seem to find it either.
post #16 of 53
Quote:
Originally Posted by SolipsismX View Post

It showed up in my updates so I downloaded it, even though I don't have Java installed, but then nothing popped up and I can't locate it on my system.

The Flashback removal tool runs immediately at the point you get it via Software Update, or when you run the manual download version via Installer. The removal tool doesn't remain on your system after it has done its check (and removal, if necessary). If it doesn't find an infection there is no feedback. If it does, you are alerted.

The same tool was included in the latest Java updates for Lion (2012-003) and Snow Leopard (update 8), and it works the same way for those updates.
post #17 of 53
Quote:
Originally Posted by dempson View Post

The Flashback removal tool runs immediately at the point you get it via Software Update, or when you run the manual download version via Installer. The removal tool doesn't remain on your system after it has done its check (and removal, if necessary). If it doesn't find an infection there is no feedback. If it does, you are alerted.

The same tool was included in the latest Java updates for Lion (2012-003) and Snow Leopard (update 8), and it works the same way for those updates.

Thanks for clearing that up.
post #18 of 53
Quote:
Originally Posted by dempson View Post

The Flashback removal tool runs immediately at the point you get it via Software Update, or when you run the manual download version via Installer. The removal tool doesn't remain on your system after it has done its check (and removal, if necessary). If it doesn't find an infection there is no feedback. If it does, you are alerted.

The same tool was included in the latest Java updates for Lion (2012-003) and Snow Leopard (update 8), and it works the same way for those updates.

Thank you.

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

 

Goodbyeee jragosta :: http://forums.appleinsider.com/t/160864/jragosta-joseph-michael-ragosta
post #19 of 53
Quote:
Originally Posted by jonyo View Post

What about older OS X versions? Are pre-10.6 & 10.7 systems that have Java installed equally vulnerable to this trojan? I'd like to check my sister's old PowerBook G4 that's running OS X 10.5, but this tool says it's specifically for 10.7 only, and I know the Java updates that solved this issue were only for 10.6 & 10.7.

I know you don't want to hear that but we are talking a G4 here. If that doesn't do it for you consider removing Java.
post #20 of 53
Quote:
Originally Posted by jonyo View Post

I'm not saying that Apple should support it, I'm saying I don't know how to find and/or remove the problem on my sister's older machine since Apple's tool won't run on the older system. I was under the impression that both the Kaspersky tool and the Symantec tool also won't run on stuff below 10.6.

You will have to review the various web sites that cover removal. Google is your friend.
post #21 of 53
Quote:
Originally Posted by dempson View Post

The Flashback removal tool runs immediately at the point you get it via Software Update, or when you run the manual download version via Installer. The removal tool doesn't remain on your system after it has done its check (and removal, if necessary). If it doesn't find an infection there is no feedback. If it does, you are alerted.

The same tool was included in the latest Java updates for Lion (2012-003) and Snow Leopard (update 8), and it works the same way for those updates.

OK. Thanks for the info. I guess that means I don't have the Trojan.
post #22 of 53
Quote:
Originally Posted by jonyo View Post

What about older OS X versions? Are pre-10.6 & 10.7 systems that have Java installed equally vulnerable to this trojan? I'd like to check my sister's old PowerBook G4 that's running OS X 10.5, but this tool says it's specifically for 10.7 only, and I know the Java updates that solved this issue were only for 10.6 & 10.7.

Apple would rather you were part of a botnet than provide you with a fix for vulnerable software they supplied you with.

Oh, and their Java updates weren't for 10.6 either.
post #23 of 53
Quote:
Originally Posted by cnocbui View Post

Apple would rather you were part of a botnet than provide you with a fix for vulnerable software they supplied you with.

Oh, and their Java updates weren't for 10.6 either.

How is the search for the four-leaf clover going for you?
post #24 of 53
Quote:
Originally Posted by dempson View Post

The Flashback removal tool runs immediately at the point you get it via Software Update, or when you run the manual download version via Installer. The removal tool doesn't remain on your system after it has done its check (and removal, if necessary). If it doesn't find an infection there is no feedback. If it does, you are alerted.

The same tool was included in the latest Java updates for Lion (2012-003) and Snow Leopard (update 8), and it works the same way for those updates.

It installs a system-level component called MRT (Malware Removal Tool?) Agent along with a LaunchAgent. My guess would be this may not be a permanent installation but rather if a version of Flashback is found, it will install the CoreService and launch agent, prompt a reboot and then execute the malware removal before any other process can start. It can then remove the MRT installation. If no version of Flashback is found, the installation won't need to install anything at all so it will say install has been successful but it won't in fact install anything, which is a bit misleading. It should say no infection found or something.

Assuming it is a temporary installation, it appears to be a cure and not a prevention, so it won't block or alert on future installations of Flashback that use other exploits, e.g. vulnerabilities in Flash, PDFs or infected downloads.
post #25 of 53
This tool has a brilliantly explanatory interface, Apple. Your GUI team must have worked overtime to make it so user-friendly.

And why have the notice: "This update is recommended for all OS X Lion users without Java installed." Do you know something we don't?

I've been reading that this vulnerability is caused exclusively by Java being installed. As I've never installed Java, why on earth would you be recommending I run this tool?
post #26 of 53
Quote:
Originally Posted by jonyo View Post

I'm not saying that Apple should support it, I'm saying I don't know how to find and/or remove the problem on my sister's older machine since Apple's tool won't run on the older system. I was under the impression that both the Kaspersky tool and the Symantec tool also won't run on stuff below 10.6.

Are you certain your sister's is even a concern? I would look into that explanation as well. After all, the issue didn't pop up even via Flash until about a year ago when Snow Leopard was the current OS. Perhaps these exploits didn't exist until the version of Flash and Java that was only supported by 10.6 and higher so your sister has nothing to worry about.

If nothing else there are instructions for using Terminal to check for the files in question.

Quote:
Originally Posted by Bloodshotrollin'red View Post

And why have the notice: "This update is recommended for all OS X Lion users without Java installed." Do you know something we don't?

1. there were variants that installed via Flash as well. This might be looking for them also

2. it could be a placebo for the noob users that are so sure their computers must be infected somehow even though they think Java is another word for coffee

3. a little of each of the other two
post #27 of 53
Quote:
Originally Posted by SolipsismX View Post

It showed up in my updates so I downloaded it, even though I don't have Java installed, but then nothing popped up and I can't locate it on my system.

Don't worry. It just works.

Trust Apple. Don't worry.
post #28 of 53
Quote:
Originally Posted by AppleInsider View Post

In order to use the software, a user's Mac must be running OS X Lion without Java installed.

Aha. That explains why Software Update never saw any of Apple's recent Java patches.
Because I didn't have Java Runtime installed! LOL. D/L-ed and ran the removal tool, and it found nothing.

Sent from my iPhone Simulator
post #29 of 53
Quote:
Originally Posted by SpamSandwich View Post

Might be a good idea for Apple to buy Little Snitch and fold it into OSX.

Quote:
Originally Posted by adamw View Post

I was thinking the same thing the other day. Little Snitch would be a cheap investment for Apple to make to ensure users were more comfortable about what programs were attempting to send data out over the Internet. Little Snitch saved me after I installed it, after I was infected with this Flashback trojan, as it found several variants of Flashback still lurking around on my Mac.


I have Little Snitch installed and although effective, it is damn annoying with all the popups for legitimate software, mostly Apple's, so unless they could make it less intrusive it would not be something Apple would want average consumers to see all the time. Reminds me of Vista.

EDIT: thanks Splash-reverse I see we had the same thought.

Life is too short to drink bad coffee.
post #30 of 53
Yes, except I doubt if people would trust the functionality if it came directly from Apple. Currently, Little Snitch tells people about every out going call from their Macs including those from Apple. Apple likely would start to include exceptions whereby Little Snitch wouldn't provide such notifications.

Quote:
Originally Posted by SpamSandwich View Post

Might be a good idea for Apple to buy Little Snitch and fold it into OSX.
post #31 of 53
I honestly don't see how it is annoying other than the first time you run software. One of the options Little Snitch asks you is do you want to forever allow or deny communications from said app. If you select yes to either, you will never get a notification regarding that app again. I have Little Snitch installed. I haven't received a notification in months because I haven't installed any new software. If you get constant notification you are either installing a lot of applications or you select allow or deny for that session of the app only. When you open the app again, you will have to make the same decision again.

There are certain apps like Apple's that I always allow, and certain apps from companies like Adobe or Google that I always deny.

Quote:
Originally Posted by mstone View Post

I have little snitch installed and although effective, it is damn annoying with all the popups for legitimate software, mostly Apple's so unless they could make it less intrusive it would not be something Apple would want average consumers to see all the time. Reminds me of Vista.

EDIT: thanks Splash-reverse I see we had the same thought.
post #32 of 53
Quote:
Originally Posted by TBell View Post

I honestly don't see how it is annoying other than the first time you run software. One of the options Little Snitch asks you is do you want to forever allow or deny communications from said app. If you select yes to either, you will never get a notification regarding that app again. I have Little Snitch installed. I haven't received a notification in months because I haven't installed any new software. If you get constant notification you are either installing a lot of applications or you select allow or deny for that session of the app only. When you open the app again, you will have to make the same decision again.

There are certain apps like Apple's that I always allow, and certain apps from companies like Adobe or Google that I always deny.

So would you allow a terminal app connection attempt to www.apple.com.edgekey.net?

Sounds like it could be a sneaky hack attempt.

Life is too short to drink bad coffee.
post #33 of 53
Quote:
Originally Posted by adamw View Post

I was thinking the same thing the other day. Little Snitch would be a cheap investment for Apple to make to ensure users were more comfortable about what programs were attempting to send data out over the Internet. Little Snitch saved me after I installed it, after I was infected with this Flashback trojan, as it found several variants of Flashback still lurking around on my Mac.

Little Snitch is a fantastic tool but it's far far too confusing for the average user.

It's a cornucopia of settings, questions and messages once installed.
It is the antithesis of everything OS X stands for in terms of UI.
post #34 of 53
Will Apple need to release a new fix like this every time a new virus/trojan/worm is discovered? That doesn't seem scalable.

It seems like there must be a better way to do it, and if these things show up frequently, it would be complicated for users.
post #35 of 53
Quote:
Originally Posted by I am a Zither Zather Zuzz View Post

Will Apple need to release a new fix like this every time a new virus/trojan/worm is discovered? That doesn't seem scalable.

It seems like there must be a better way to do it, and if these things show up frequently, it would be complicated for users.

Apple would rather that users did not access the web directly other than through Apple.com. Everything else should be accessed through App Store apps and all email should go through iCloud. That way Apple would be able to prevent any malware from ever infecting a Mac or iOS device.

Perhaps users feel more secure in that sort of sheltered life, but in the real world you are going to run into some ne'er-do-wells once in a while. When you get too complacent, you forget how to fend for yourself, or adapt to unfamiliar circumstances. A little virus scare once in a while is not such a bad thing. The entire world is far too dependent on the Internet and computers anyway.

Life is too short to drink bad coffee.
post #36 of 53
Quote:
Originally Posted by wizard69 View Post

You will have to review the various web sites that cover removal. Google is your friend.

I followed the Terminal instructions that were posted (here or ars.technica, can't remember). They ran no prob, system clean. Oh, but when I got the (3rd) Java update from Apple, it said: malware detected, removed.

Great. It's like we have PCs in the 90s.
post #37 of 53
I use SweetProductions "Cookie" app to manage Safari cookies. After running the malware removal installer, then restarting Safari, I discovered my Cookie file had been reset, and in turn erasing my favorite Cookie list. Anyone else have a similar experience?

Fortunately, I have a recent TM backup. Restoring my Cookie folder fixed the problem. BTW no warning prompt appeared while the malware removal installer was running.

10.7.3
iMac i7
post #38 of 53
A new Mac trojan has just been identified. It was released into the wild about March 16th, and uses the same Java exploit to gain access and infect Macs. More info:

http://www.zdnet.com/blog/security/n...eraction/11545

Look for the following 2 files being present to detect infection:

/Library/Preferences/com.apple.PubSabAgent.pfile
/Library/LaunchAgents/com.apple.PubSabAGent.plist

This trojan reportedly does the following to a Mac:

"After infecting a given Mac, this Trojan is like most: it connects to a remote website using HTTP in typical command and control (C&C) fashion to fetch instructions from remote hackers telling it what to do. The backdoor contains functionality to take screenshots of the user’s current session, upload and download files, as well as execute commands remotely on the infected machine. Encrypted logs are sent back to the control server, so the hackers can monitor activity."
post #39 of 53
Quote:
Originally Posted by SolipsismX View Post

Clearly I'm wrong but I had thought the "Automatically download safe downloads list" would also get rid of any malware files it detects.

This has been said many times, but I don't know what Little Snitch has that is proprietary or that Apple couldn't easily reproduce on their own. It's a high-level outgoing firewall and access list.

The problem with Little Snitch is that it's not for novice users, so it's not something I see Apple incorporating, which is probably why they've tried to make their own OS X firewall appear as simple as possible to the user.

Computer itself, Mac or PC, is not for novice. Some things must be learnt, but most of the time people do random things without thinking and then whine.

Which of us is the fisherman and which the trout?
post #40 of 53
Quote:
Originally Posted by SpamSandwich View Post

Might be a good idea for Apple to buy Little Snitch and fold it into OSX.

It would have to be modified in some way because as it is, the "learning phase" would drive most people crazy. It can be annoying to get those popups every few minutes for the first couple of weeks. Plus, most people would not use it properly as it is designed now. Most would just click allow without reading.

TechnoMinds

We are a Montreal based technology company that offers a variety of tech services such as tech support for Apple products, Drupal based website development, computer training and iCloud...