Apple releases Flashback removal tool
Coming on the heels of its Thursday Java update, Apple has released a separate program to remove the so-called Flashback trojan that has affected over 600,000 Macs worldwide.
Apple on Friday released version 1.0 of its "Flashback malware removal tool" which will scan a user's computer and erase known iterations of the trojan that some are calling the worst the Mac platform has ever seen.
The standalone program is meant to be used by Mac users who don't have Java already installed on their machines and includes the same code as yesterday's software update that plugged a security hole which allowed the malware to automatically install itself without admin authorization.
From the release notes:
Quote:
About Flashback malware removal tool
This Flashback malware removal tool will remove the most common variants of the Flashback malware.
If the Flashback malware is found, a dialog will be presented notifying the user that malware was removed.
In some cases, the Flashback malware removal tool may need to restart your computer in order to completely remove the Flashback malware.
This update is recommended for all OS X Lion users without Java installed.

At one point, a reported 600,000 Macs worldwide were part of the Flashback botnet, which harvested personal information and web browsing logs from affected machines. Apple was slow to release a patch for the exploit, but managed to roll out two updates within the past week.
The notorious trojan was first discovered last year by a security firm, tricking users into installing it under the guise of an Adobe Flash installer. The most recent version bypasses any user action and automatically installs itself after an affected website is visited.
Apple's Flashback removal tool comes in at 356KB and can be downloaded. In order to use the software, a user's Mac must be running OS X Lion without Java installed.
Comments
Might be a good idea for Apple to buy Little Snitch and fold it into OSX.
I was thinking the same thing the other day. Little Snitch would be a cheap investment for Apple to make to ensure users were more comfortable about what programs were attempting to send data out over the Internet. Little Snitch saved me after I installed it, after I was infected with this Flashback trojan, as it found several variants of Flashback still lurking around on my Mac.
What about older OS X versions? Are pre-10.6 & 10.7 systems that have Java installed equally vulnerable to this trojan? I'd like to check my sister's old PowerBook G4 that's running OS X 10.5, but this tool says it's specifically for 10.7 only, and I know the Java updates that solved this issue were only for 10.6 & 10.7.
Apple policy has always been to support only current and previous OS. There are plenty of other ways to find out if you're infected and how to prevent re-infection. Just look...
Quote:
Might be a good idea for Apple to buy Little Snitch and fold it into OSX.
This has been said many times but I don't know what Little Snitch has that is proprietary or that Apple couldn't easily reproduce on their own. It's a high-level outgoing firewall and access list.
The problem with Little Snitch is that it's not for novice users, so it's not something I see Apple incorporating, which is probably why they've tried to make their own OS X firewall appear as simple as possible to the user.
Clearly I'm wrong but I had thought the "Automatically download safe downloads list" would also get rid of any malware files it detects.
Quote:
This has been said many times but I don't know what Little Snitch has that is proprietary or that Apple couldn't easily reproduce on their own. It's a high-level outgoing firewall and access list.
The problem with Little Snitch is that it's not for novice users, so it's not something I see Apple incorporating, which is probably why they've tried to make their own OS X firewall appear as simple as possible to the user.
Exactly. The existing firewall is already fairly robust. NoobProof is much better for the average user than Little Snitch.
http://support.apple.com/kb/HT1810?v...S&locale=en_US
Configuring the Application Firewall in Mac OS X v10.6 and later
Follow these steps:
Choose System Preferences from the Apple menu.
Click Security.
Click the Firewall tab.
Unlock the pane by clicking the lock in the lower-left corner and enter the administrator username and password.
Click Start to enable the firewall.
Click Advanced to customize the firewall configuration.
Application Firewall's three advanced settings
1. Block all incoming connections:
Mac OS X v10.6 will block all connections except a limited list of services essential to the operation of your computer.
The system services that are still allowed to receive incoming connections are:
configd, which implements DHCP and other network configuration services
mDNSResponder, which implements Bonjour
racoon, which implements IPSec
This mode will prevent all sharing services, such as File Sharing and Screen Sharing found in the Sharing System Preferences pane, from receiving incoming connections. To use these services, disable this option.
2. Automatically allow signed software to receive incoming connections
Applications that are already signed by a valid certificate authority will automatically be added to the list of allowed applications rather than prompting the user to authorize them. For example, since iTunes is already signed by Apple, it will automatically be allowed to receive incoming connections through the firewall.
3. Enable stealth mode
With stealth mode enabled, the computer will not respond to requests that probe the computer to see if it is there. The computer will still answer requests coming in for authorized applications, but other unexpected requests, such as ICMP (ping), will not get a response.
Digitally-signed applications
All applications not in the list that have been digitally signed by a Certificate Authority trusted by the system (for the purpose of code signing) are allowed to receive incoming connections. Every Apple application in Mac OS X v10.6 has been signed by Apple and is allowed to receive incoming connections. If you wish to deny a digitally signed application, you should first add it to the list and then explicitly deny it.
If you run an unsigned application not in the Application Firewall list, you will be presented with a dialog with options to Allow or Deny connections for the application. If you choose Allow, Mac OS X v10.6 will sign the application and automatically add it to the Application Firewall list. If you choose Deny, Mac OS X v10.6 will sign the application, automatically add it to the Application Firewall list and deny the connection.
Some applications check their own integrity when they are run without using code signing. If the Application Firewall recognizes such an application it will not sign it, but then it will re-present the dialog every time the application is run. This may be avoided by upgrading to a version of the application which is signed by its developer.
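As an added example (not from the article, this thread, or Apple's KB note), the same three advanced settings from the KB text applied and audited from the shell with Apple's socketfilterfw utility instead of the System Preferences pane. The utility path, the "(State = N)" output format parsed by alf_parse_state, and the alf_ function names are assumptions.

```shell
#!/bin/sh
# Added example: manage the OS X Application Firewall from the command line.
# Assumes Apple's socketfilterfw CLI at the path below (not on Linux/Windows).
ALF=/usr/libexec/ApplicationFirewall/socketfilterfw

# Map the numeric globalstate stored in com.apple.alf to the KB's terminology.
alf_state_name() {
    case "$1" in
        0) echo "off" ;;
        1) echo "on (allow specific services)" ;;
        2) echo "on (block all incoming connections)" ;;
        *) echo "unknown ($1)"; return 1 ;;
    esac
}

# Extract N from a --getglobalstate line such as "Firewall is enabled. (State = 1)"
# (assumed output format). Prints nothing if the line does not match.
alf_parse_state() {
    printf '%s\n' "$1" | sed -n 's/.*(State = \([0-9]\)).*/\1/p'
}

# Current state via the CLI, falling back to the preference file when unavailable.
alf_current_state() {
    if [ -x "$ALF" ]; then
        alf_parse_state "$("$ALF" --getglobalstate)"
    else
        defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null
    fi
}

# Hardened profile matching the three KB settings: firewall on, block all
# incoming, auto-allow signed software, stealth mode. Needs an admin account.
# "Block all" stops File Sharing / Screen Sharing, so leave it off on a server.
alf_harden() {
    sudo "$ALF" --setglobalstate on
    sudo "$ALF" --setblockall on
    sudo "$ALF" --setallowsigned on
    sudo "$ALF" --setstealthmode on
}

# Human-readable audit: global mode, stealth mode and the per-app allow/deny list.
alf_report() {
    state=$(alf_current_state || true)
    echo "Application Firewall: $(alf_state_name "${state:-?}")"
    [ -x "$ALF" ] && "$ALF" --getstealthmode && "$ALF" --listapps
}

# Usage: sh alf.sh harden   |   sh alf.sh report
case "${1:-}" in
    harden) alf_harden ;;
    report) alf_report ;;
esac
```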
OK, I downloaded the update, how do you launch it???
It showed up in my updates so i downloaded it, even though I don't have Java installed, but then nothing popped up and I can't locate it on my system.
Quote:
It showed up in my updates so i downloaded it, even though I don't have Java installed, but then nothing popped up and I can't locate it on my system.
I can't find it either. Anyone know what we are supposed to do after downloading the update?
Read this for more info.
Quote:
Apple policy has always been to support only current and previous OS. There are plenty of other ways to find out if you're infected and how to prevent re-infection. Just look...
I'm not saying that Apple should support it, I'm saying I don't know how to find and/or remove the problem on my sister's older machine since Apple's tool won't run on the older system. I was under the impression that both the Kaspersky tool and the Symantec tool also won't run on stuff below 10.6.
Quote:
Might be a good idea for Apple to buy Little Snitch and fold it into OSX.
I was thinking the same thing the other day. Little Snitch would be [...] still lurking around on my Mac.
[...]
This has been said many times but I don't know what Little Snitch has that is proprietary or that Apple couldn't easily reproduce on their own. It's a high-level outgoing firewall and access list.
The problem with Little Snitch is that it's not for novice users, so it's not something I see Apple incorporating, which is probably why they've tried to make their own OS X firewall appear as simple as possible to the user.
True. You don't want OS X to be like Windows Vista.
Quote:
It showed up in my updates so i downloaded it, even though I don't have Java installed, but then nothing popped up and I can't locate it on my system.
The Flashback removal tool runs immediately at the point you get it via Software Update, or when you run the manual download version via Installer. The removal tool doesn't remain on your system after it has done its check (and removal, if necessary). If it doesn't find an infection there is no feedback. If it does, you are alerted.
The same tool was included in the latest Java updates for Lion (2012-003) and Snow Leopard (update 8), and it works the same way for those updates.
Quote:
The Flashback removal tool runs immediately at the point you get it via Software Update, or when you run the manual download version via Installer. The removal tool doesn't remain on your system after it has done its check (and removal, if necessary). If it doesn't find an infection there is no feedback. If it does, you are alerted.
The same tool was included in the latest Java updates for Lion (2012-003) and Snow Leopard (update 8), and it works the same way for those updates.
Thanks for clearing that up.
Quote:
The Flashback removal tool runs immediately at the point you get it via Software Update, or when you run the manual download version via Installer. The removal tool doesn't remain on your system after it has done its check (and removal, if necessary). If it doesn't find an infection there is no feedback. If it does, you are alerted.
The same tool was included in the latest Java updates for Lion (2012-003) and Snow Leopard (update 8), and it works the same way for those updates.
Thank you.
Quote:
What about older OS X versions? Are pre-10.6 & 10.7 systems that have Java installed equally vulnerable to this trojan? I'd like to check my sister's old PowerBook G4 that's running OS X 10.5, but this tool says it's specifically for 10.7 only, and I know the Java updates that solved this issue were only for 10.6 & 10.7.
I know you don't want to hear that but we are talking a G4 here. If that doesn't do it for you consider removing Java.
Quote:
I'm not saying that Apple should support it, I'm saying I don't know how to find and/or remove the problem on my sister's older machine since Apple's tool won't run on the older system. I was under the impression that both the Kaspersky tool and the Symantec tool also won't run on stuff below 10.6.
You will have to review the various web sites that cover removal. Google is your friend.
Quote:
The Flashback removal tool runs immediately at the point you get it via Software Update, or when you run the manual download version via Installer. The removal tool doesn't remain on your system after it has done its check (and removal, if necessary). If it doesn't find an infection there is no feedback. If it does, you are alerted.
The same tool was included in the latest Java updates for Lion (2012-003) and Snow Leopard (update 8), and it works the same way for those updates.
OK. Thanks for the info. I guess that means I don't have the Trojan.