Apple releases Flashback removal tool

I commend Apple for releasing this standalone Flashback trojan removal tool, for people who do not have Java installed (on Lion). This should help take some of the confusion and frustration away. Thank you Apple.

Might be a good idea for Apple to buy Little Snitch and fold it into OSX.

I was thinking the same thing the other day. Little Snitch would be a cheap investment for Apple to make to ensure users were more comfortable about what programs were attempting to send data out over the Internet. Little Snitch saved me after I installed it, after I was infected with this Flashback trojan, as it found several variants of Flashback still lurking around on my Mac.

What about older OS X versions? Are pre-10.6 & 10.7 systems that have java installed equally vulnerable to this trojan? I'd like to check my sister's old powerbok g4 that's running OS X 10.5, but this tool says it's specifically for 10.7 only, and I know the java updates that solved this issue were only for 10.6 & 10.7.

Apple policy has always been to support only current and previous OS. There are plenty of other ways to find out if you're infected and how to prevent re-infection. Just look...

Clearly I'm wrong but I had thought the "Automatically download safe downloads list" would also get rid of any malware files it detects.



This has been said many times but I don't what Little Snitch has that is proprietary or Apple couldn't easily reproduce on their own. It's a high level outgoing firewall and access-list.

The problem with Little Snitch is that it's not for novice users so that it's not something I see Apple incorporating which is probably why they've tried to keep their own OS X firewall appear as simple as possible to the user.

OK, I downloaded the update, how do you launch it???

Exactly. The existing firewall is already fairly robust. NoobProof is much better for the average user than Little Snitch.

http://support.apple.com/kb/HT1810?v...S&locale=en_US

Configuring the Application Firewall in Mac OS X v10.6 and later
Follow these steps:

Choose System Preferences from the Apple menu.
Click Security.
Click the Firewall tab.
Unlock the pane by clicking the lock in the lower-left corner and enter the administrator username and password.
Click Start to enable the firewall.
Click Advanced to customize the firewall configuration.
Application Firewall's three advanced settings

1. Block all incoming connections:

Mac OS X v10.6 will block all connections except a limited list of services essential to the operation of your computer.

The system services that are still allowed to receive incoming connections are:

configd, which implements DHCP and other network configuration services
mDNSResponder, which implements Bonjour
racoon, which implements IPSec
This mode will prevent all sharing services, such as File Sharing and Screen Sharing found in the Sharing System Preferences pane, from receiving incoming connections. To use these services, disable this option.

2. Automatically allow signed software to receive incoming connections

Applications that are already signed by a valid certificate authority will automatically be added to the list of allowed applications rather than prompting the user to authorize them. For example, since iTunes is already signed by Apple, it will automatically be allowed to receive incoming connections through the firewall.

3. Enable stealth mode

With stealth mode enabled, the computer will not respond to requests that probe the computer to see if it is there. The computer will still answer requests coming in for authorized applications, but other unexpected requests, such as ICMP (ping), will not get a response.

Digitally-signed applications

All applications not in the list that have been digitally signed by a Certificate Authority trusted by the system (for the purpose of code signing) are allowed to receive incoming connections. Every Apple application in Mac OS X v10.6 has been signed by Apple and is allowed to receive incoming connections. If you wish to deny a digitally signed application, you should first add it to the list and then explicitly deny it.

If you run an unsigned application not in the Application Firewall list, you will be presented with a dialog with options to Allow or Deny connections for the application. If you choose Allow, Mac OS X v10.6 will sign the application and automatically add it to the Application Firewall list. If you choose Deny, Mac OS X v10.6 will sign the application, automatically add it to the Application Firewall list and deny the connection.

Some applications check their own integrity when they are run without using code signing. If the Application Firewall recognizes such an application it will not sign it, but then it will re-present the dialog every time the application is run. This may be avoided by upgrading to a version of the application which is signed by its developer.

It showed up in my updates so i downloaded it, even though I don't have Java installed, but then nothing popped up and I can't locate it on my system.

I can't find it either. Anyone know how what we are supposed to do after downloading the update?

http://support.apple.com/kb/DL1517

Read this for more info.

I'm not saying that Apple should support it, I'm saying I don't know how to find and/or remove the problem on my sister's older machine since Apple's tool won't run on the older system. I was under the impression that both the Kaspersky tool and the Symantec tool also won't run on stuff below 10.6.

True. You don't want OS X to be like Windows Vista Apple can introduce it but leave it off or minimal by default. The only people who finds Little Snitch indispensable is the pirates and the paranoids

I can't seem to find it either.

The Flashback removal tool runs immediately at the point you get it via Software Update, or when you run the manual download version via Installer. The removal tool doesn't remain on your system after it has done its check (and removal, if necessary). If it doesn't find an infection there is no feedback. If it does, you are alerted.

The same tool was included in the latest Java updates for Lion (2012-003) and Snow Leopard (update 8), and it works the same way for those updates.

Thanks for clearing that up.

Thank you.

I know you don't want to hear that but we are talking a G4 here. If that doesn't do it for you consider removing Java.

You will have to review the various web sites that cover removal. Google is your friend.

OK. Thanks for the info. I guess that means I don't have the Trojan.

Apple would rather you were part of a botnet than provide you with a fix for vulnerable software they supplied you with.

Oh, and their Java updates weren't for 10.6 either.

how is the search for the 4 leaf clover going for you?

It installs a system-level component called MRT (Malware Removal Tool?) Agent along with a LaunchAgent. My guess would be this may not be a permanent installation but rather if a version of Flashback is found, it will install the CoreService and launch agent, prompt a reboot and then execute the malware removal before any other process can start. It can then remove the MRT installation. If no version of Flashback is found, the installation won't need to install anything at all so it will say install has been successful but it won't in fact install anything, which is a bit misleading. It should say no infection found or something.

Assuming it is a temporary installation, it appears to be a cure and not a prevention so it won't block or alert of future installations of Flashback that use other exploits e.g vulnerabilities in Flash, PDFs or infected downloads.

This tool has a brilliantly explanatory interface Apple. Your GUI team must have worked overtime to make it so user-friendly.

And why have the notice: "This update is recommended for all OS X Lion users without Java installed." Do you know something we don't?

I've been reading that this vulnerability is caused exclusively by Java being installed. As I've never installed Java, why on earth would you be recommending I run this tool?

Are you certain your sister's is even a concern? I would look into that explanation as well. After all, the issue didn't pop up even via Flash until about a year ago when Snow Leopard was the current OS. Perhaps these exploits didn't exist until the version of Flash and Java that was only supported by 10.6 and higher so your sister has nothing to worry about.

If nothing else there are instructions for using Terminal to check for the files in question.


1. there were variants that installed via Flash as well. This might be looking for them also

2. it could be a placebo for the noob users that are so sure their computers must be infected somehow even though they think Java is another word for coffee

3. a little of each of the other two

Don't worry. It just works.

Trust Apple. Don't worry.

Aha. That explains why Software Update never saw any of Apple's recent Java patches.
Because I didn't have Java Runtime installed! LOL. D/L-ed and ran the removal tool, and it found nothing.

I have little snitch installed and although effective, it is damn annoying with all the popups for legitimate software, mostly Apple's so unless they could make it less intrusive it would not be something Apple would want average consumers to see all the time. Reminds me of Vista.

EDIT: thanks Splash-reverse I see we had the same thought.

Yes, except I doubt if people would trust the functionality if it came directly from Apple. Currently, Little Snitch tells people about every out going call from their Macs including those from Apple. Apple likely would start to include exceptions whereby Little Snitch wouldn't provide such notifications.

I honestly don't see how it is annoying other than the first time you run software. One of the options Little Snitch asks you is do you want to forever allow or deny communications from said app. If you select yes to either, you will never get a notification regarding that app again. I have Little Snitch installed. I haven't received a notification in months because I haven't installed any new software. If you get constant notification you are either installing a lot of applications or you select allow or deny for that session of the app only. When you open the app again, you will have to make the same decision again.

There are certain apps like Apple's that I always allow, and certain apps from companies like Adobe or Google that I always deny.

So would you allow a terminal app connection attempt to

www.apple.com.edgekey.net
?

Sounds like it could be a sneaky hack attempt.

Little Snitch is a fantastic tool but it's far far too confusing for the average user.

It's a cornucopia of settings, questions and messages once installed.
It is the antithesis of everything OS X stands for in terms of UI.

Will Apple need to release a new fix like this every time a new virus/trojan/worm is discovered? That doesn't seem scaleable.

It seems like there must be a better way to do it, and if these things show up frequently, it would be complicated for users.

Apple would rather that users did not access the web directly other than through Apple.com. Everything else should be accessed through App Store apps and all email should go through iClould. That way Apple would be able to prevent any malware from ever infecting a Mac or iOS device.

Perhaps users feel more secure in that sort of sheltered life, but in the real world you are going to run into some ne'er-do-wells once in a while. When you get too complacent, you forget how to fend for yourself, or adapt to unfamiliar circumstances. I little virus scare once an a while is not such a bad thing. The entire world is far too dependent on the Internet and computers anyway.

I followed the Terminal instructions that were posted (here or ars.technica, can't remember). They ran no prob, system clean. Oh, but when I got the (3rd) Java update from Apple, it said: malware detected, removed.

Great. It's like we have PCs in the 90s.

I use SweetProductions "Cookie" app to manage Safari cookies. After running the malware removal installer, then restarting Safari, I discovered my Cookie file had been reset, and in turn erasing my favorite Cookie list. Anyone else have a similar experience?

Fortunately, I have a recent TM backup. Restoring my Cookie folder fixed the problem. BTW no warning prompt appeared while the malware removal installer was running.

10.7.3
iMac i7

A new Mac trojan has just been identified. It was released into the wild about March 16th, and uses the same Java exploit to gain access and infect Macs. More info:

http://www.zdnet.com/blog/security/n...eraction/11545

Look for the following 2 files being present to detect infection:

/Library/Preferences/com.apple.PubSabAgent.pfile
/Library/LaunchAgents/com.apple.PubSabAGent.plist

This trojan reportedly does the following to a Mac:

"After infecting a given Mac, this Trojan is like most: it connects to a remote website using HTTP in typical command and control (C&C) fashion to fetch instructions from remote hackers telling it what to do. The backdoor contains functionality to take screenshots of the user’s current session, upload and download files, as well as execute commands remotely on the infected machine. Encrypted logs are sent back to the control server, so the hackers can monitor activity."

Computer itself, Mac or PC, is not for novice. Some things must be learnt, but most of the time people do random things without thinking and then whine.

It would have to be modified in some way because as it is, the "learning phase" would drive most people crazy. It can be annoying to get those popups every few minutes for the fist couple of weeks. Plus, most people would not use it properly as it is designed now. Most would just click allow without reading.