Reportedly, only somewhere between one and two percent of the worldwide Mac installed base has been infected with the now notorious Flashback Trojan horse malware that exploits a security flaw in Java in order to install itself on Macs without user involvement.
Apple released Java updates last week that patch the Java security flaw for systems running OS X v10.7 and Mac OS X v10.6, although the substantial number of users running OS X 10.4 Tiger or 10.5 Leopard—the last Mac OS versions that support PowerPC Macs—are still left vulnerable. I’m exceedingly doubtful patches will be issued for Tiger and Leopard.
The workaround for those OSes is to disable Java if you don’t need it (Applications > Utilities > Java Preferences), or to disable Java in your browser’s preferences.
But how do you know if your Mac is infected? Apple also says it is developing software that will detect and remove the Flashback malware, but it’s not ready yet.
In the meantime, there are diagnostics that can be run to detect infection. If you are a Terminal jock, instructions on how to proceed can be found several places on the Web. But there’s an easier way to check for the Flashback Trojan’s presence in the form of a couple of small and simple freeware utilities that only take a few seconds to download. In the interest of research, I tried them both out, even though the first one quickly gave my MacBook a clean bill of health. Both work quickly and well, and either will do the job.
FlashbackChecker 1.0 Utility
Juan Leon’s free FlashbackChecker utility runs tests described in the F-Secure Bulletin as of April 6th, 2012. Note that this utility checks and reports the presence of Flashback malware, but does not remove it, and Leon has no affiliation with F-Secure.
- Mac OS X 10.5 up
- PPC and Intel
FlashbackChecker 1.0 is donationware.
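For readers who would rather see what the “Terminal jock” checks amount to, here is an added example (my code, not Juan Leon’s utility and not from the F-Secure bulletin itself). It assumes, from my recollection of the bulletin, that Flashback injected itself through the DYLD_INSERT_LIBRARIES environment variable, set either in a browser’s Info.plist under LSEnvironment or in the user’s ~/.MacOSX/environment.plist; the paths and the sample plist contents below are assumptions and constructed data, not artifacts from the page. It reads plists with Python’s standard plistlib, so the parsing part runs anywhere, while scan_mac() only finds anything on a real Mac.

```python
import os
import plistlib

# Paths the manual checks look at, as I recall them from the F-Secure
# bulletin (assumed here; the page itself names none of them).
APP_INFO_PLISTS = [
    "/Applications/Safari.app/Contents/Info.plist",
    "/Applications/Firefox.app/Contents/Info.plist",
]
USER_ENV_PLIST = os.path.expanduser("~/.MacOSX/environment.plist")

# Constructed sample plists, not real infection artifacts: one browser
# Info.plist with an injected library, one clean one, and a user
# environment.plist carrying two colon-separated library paths.
INFECTED_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.browser",
    "LSEnvironment": {
        "DYLD_INSERT_LIBRARIES": "/Applications/Example.app/Contents/Resources/.libexample.so"
    },
})
CLEAN_INFO_PLIST = plistlib.dumps({"CFBundleIdentifier": "com.example.browser"})
USER_ENV_SAMPLE = plistlib.dumps({
    "DYLD_INSERT_LIBRARIES": "/Users/example/.libexample.so:/tmp/.second.so"
})


def _split_paths(value):
    """DYLD_INSERT_LIBRARIES is a colon-separated list; drop empty entries."""
    if not value:
        return []
    return [p for p in str(value).split(":") if p]


def app_inserted_libraries(plist_bytes):
    """Libraries an app's Info.plist forces into its own process via
    LSEnvironment/DYLD_INSERT_LIBRARIES. [] means the key is absent."""
    data = plistlib.loads(plist_bytes)
    env = data.get("LSEnvironment") or {}
    return _split_paths(env.get("DYLD_INSERT_LIBRARIES"))


def user_env_inserted_libraries(plist_bytes):
    """Same check for ~/.MacOSX/environment.plist, where the key is top-level
    and applies to every app the user launches."""
    data = plistlib.loads(plist_bytes)
    return _split_paths(data.get("DYLD_INSERT_LIBRARIES"))


def scan_file(path, reader):
    """Read one plist from disk; a missing or unreadable file counts as
    'nothing found' here (a real tool would report the unreadable case)."""
    try:
        with open(path, "rb") as fh:
            return reader(fh.read())
    except FileNotFoundError:
        return []
    except plistlib.InvalidFileException:
        return []


def scan_mac():
    """Map each checked plist to the libraries it injects; empty == clean."""
    findings = {}
    for path in APP_INFO_PLISTS:
        libs = scan_file(path, app_inserted_libraries)
        if libs:
            findings[path] = libs
    libs = scan_file(USER_ENV_PLIST, user_env_inserted_libraries)
    if libs:
        findings[USER_ENV_PLIST] = libs
    return findings


if __name__ == "__main__":
    hits = scan_mac()
    if hits:
        print("DYLD_INSERT_LIBRARIES entries found; inspect these paths:", hits)
    else:
        print("no DYLD_INSERT_LIBRARIES entries found in the checked plists")
```

A hit is a reason to look, not a verdict: LSEnvironment is a legitimate key that a few applications set themselves, so the script reports the library paths rather than declaring an infection, and a clean result only covers the plists it checked.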
Test4Flashback Malware Checker Utility
Marc Zeedar—my former Mac Web columnist colleague on MacOpinion and now publisher of Real Studio Developer magazine—has written a simple and free Test4Flashback utility that upon startup tells you whether or not your Mac is infected. This software does not attempt removal.
Download: Test4Flashback (.zip)
The greatest likelihood is that your Mac, like mine, will prove uninfected. However, reportedly 56 percent of Flashback infections are in U.S. users’ machines, and another 20-odd percent are in Canada. So, if yours is one of the unfortunate minority, you can find instructions for Flashback removal on the Web as well. Unhappily, they are complex and fraught with potential problems. An F-Secure note on Flashback says: “Caution: Manual disinfection is a risky process; it is recommended only for advanced users. Otherwise, please seek professional technical assistance.”
Unless you are really tech-savvy, it’s probably better to take that advice and farm out the disinfection to a professional, or do a global backup of your files and a clean system reinstall. MacFixIt’s Topher Kessler has posted a handy tutorial on how to proceed with that.
See updates below for additional options.
Prevention Is Better Than Remediation – Set up Free OpenDNS To Block Malware
OpenDNS’s Allison Rhodes reports that OpenDNS, the security and DNS provider of choice for 2% of all Internet users, is blocking the Flashback Trojan. People not yet using OpenDNS need only set up the service on their wireless router, computer or device to secure their computers and devices from the attack. (OpenDNS also offers OpenDNS Enterprise, a security service for businesses that includes comprehensive malware and botnet protection.)
If you’re already using OpenDNS services, no action is required to get the protection. It was enabled for you automatically. In addition to protection from Flashback, OpenDNS will also protect you from future, widespread attacks and make your Internet both faster and more reliable.
Rhodes says OpenDNS is the ideal measure Internet users can take to protect their machines from Flashback, since it is a proactive, preventative measure and the only solution that requires no software installation of any kind. She recommends that all Mac users switch to OpenDNS now to prevent infection and avoid a scenario where infection occurs and disinfection becomes necessary.
Even for those people who find their machine has already been infected by Flashback, Rhodes maintains, enabling OpenDNS will prevent the malware from connecting to its command and control and causing your machine any damage.
To set up the OpenDNS free service, you need simply create an account, choose your router or computer and follow the step-by-step instructions. Note that setting up OpenDNS on your router will protect all devices connecting to the Internet through your WiFi network, and Windows users should use OpenDNS, too.
For more information, visit blog.opendns.com.
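To make concrete what a DNS-level block of the kind described above does, here is an added example written for this article; it is my code, not anything from OpenDNS, and the blocklist names, upstream answers and client addresses are all constructed placeholders (reserved example and documentation names and addresses, not real Flashback domains). It shows the two things a filtering resolver gives a defender: queries for a blocked name or any subdomain of it get the block page address instead of the real one, so an already-infected machine cannot reach its command and control, and the resolver’s own log then points at which clients were asking.

```python
from collections import Counter

# Constructed data, not from the page: a tiny C&C blocklist using reserved
# placeholder names, a stand-in for upstream DNS answers, and a block-page
# address from the RFC 5737 documentation range.
BLOCKLIST = {"c2-example.invalid", "bad-cdn.example"}
UPSTREAM = {
    "www.example.com": "93.184.216.34",
    "update.c2-example.invalid": "198.51.100.7",
    "static.bad-cdn.example": "198.51.100.8",
}
BLOCK_PAGE_IP = "192.0.2.10"


def normalize(name):
    """Lower-case and strip the trailing dot so 'Foo.Example.' matches 'foo.example'."""
    return name.strip().rstrip(".").lower()


def is_blocked(name, blocklist=BLOCKLIST):
    """True if the name itself or any parent domain is on the blocklist,
    so 'update.c2-example.invalid' is caught by 'c2-example.invalid'."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def resolve(client_ip, name, log, upstream=UPSTREAM, blocklist=BLOCKLIST):
    """Answer one query the way a filtering resolver would and record the
    decision. Blocked names get the block page; others go 'upstream'."""
    qname = normalize(name)
    if is_blocked(qname, blocklist):
        log.append({"client": client_ip, "qname": qname, "action": "blocked"})
        return BLOCK_PAGE_IP
    log.append({"client": client_ip, "qname": qname, "action": "forwarded"})
    return upstream.get(qname)  # None stands in for an NXDOMAIN answer


def suspected_infected_hosts(log):
    """Clients that asked for blocked names, with counts: the machines a
    defender would check with one of the tools described in the article."""
    return Counter(entry["client"] for entry in log if entry["action"] == "blocked")


def demo():
    """Replay a few constructed queries from two clients and summarise."""
    log = []
    resolve("10.0.0.5", "www.example.com.", log)             # ordinary traffic
    resolve("10.0.0.5", "UPDATE.c2-example.invalid", log)    # subdomain of a blocked name
    resolve("10.0.0.9", "static.bad-cdn.example", log)
    resolve("10.0.0.9", "update.c2-example.invalid", log)
    return suspected_infected_hosts(log)


if __name__ == "__main__":
    print("clients that queried blocked names:", dict(demo()))
```

The suffix match is the part worth copying: malware check-ins rarely use the bare registered domain, so a blocklist compared only for exact equality would let `update.c2-example.invalid` through. The reverse case matters too: `bad-cdn.example.com` is a different domain and must not be blocked by an entry for `bad-cdn.example`.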
[Update: April 12, 2012]
F-Secure Issues Free Flashback Removal Tool for Mac
Shortly after I finished and submitted this article, F-Secure released a free tool that automates detection and removal of the Flashback Mac OS X malware. The tool creates a log file (RemoveFlashback.log) on the current user’s Desktop. If any infections are found, they are quarantined into an encrypted ZIP file (flashback_quarantine.zip) in the current user’s Home folder. The ZIP is encrypted with the password “infected”.
F-Secure Corporation protects consumers and businesses against computer viruses and other threats from the Internet and mobile networks. F-Secure’s award-winning solutions are available as a service subscription through more than 170 Internet service providers and mobile operator partners around the world, making F-Secure the global leader in this market.
You can download the Flashback Removal Tool for Mac via CNET Secure Download.
[Update 2: April 12, 2012]
Kaspersky Flashfake Removal Tool
Kaspersky Lab’s experts recently analyzed the Flashfake botnet and found a total of 670,000 infected computers worldwide, with more than 98% of the computers most likely running Mac OS X. It is anticipated that the other 2% of machines running the Flashfake bot are very likely to be Macs as well. This is the largest Mac-based infection to date, with the largest numbers of victims in developed countries. The United States had the most infected computers (300,917), followed by Canada (94,625), the United Kingdom (47,109) and Australia (41,600). Other infected countries included France (7891), Italy (6585), Mexico (5747), Spain (4304), Germany (4021) and Japan (3864). Users can check if they’re infected with Flashfake by visiting our safe verification site, and can remove it using the Kaspersky Flashfake Removal Tool.
On April 6 Kaspersky Lab’s researchers reverse-engineered the Flashfake malware and registered several domain names which could be used by criminals as a C&C server for managing the botnet. This method enabled them to analyze the communications between infected computers and the C&Cs. By connecting to Flashfake, Kaspersky Lab’s experts are able to continuously monitor the botnet’s communication with active bots and have published their findings.
Throughout the weekend Kaspersky Lab experts have seen a decline in the number of active bots: on April 6 the total number was 650,748. At the conclusion of April 8 the number of active bots was 237,103; however, the decrease in infected bots does not mean the botnet is rapidly shrinking. The statistics represent the number of active bots connected to Flashfake during the past few days – it is not the equivalent of the exact number of infected machines. Infected computers that were inactive during the weekend would not be communicating with Flashfake, thus making them not appear as an infected bot.
Since connecting to the botnet for analysis, Kaspersky Lab’s sinkhole server has registered all the data sent by bots from the infected computers and recorded their UUIDs in a dedicated database. Based on this information, Kaspersky Lab’s experts have created an online resource where all users of Mac OS X can check if their computer has been infected by Flashback / Flashfake.
How to determine if your computer is infected:
- Visit Kaspersky Lab’s site at www.flashbackcheck.com to determine if you’re infected.
- This dedicated site is safe for users to visit and enter their UUID, which will be checked in Kaspersky Lab’s Flashfake database of infected computers. Instructions for entering user UUIDs are included as well.
How to disinfect your computer:
- If your UUID is found in our database, you need to disinfect your Mac. Here are three recommendations to do this:
  - Use a free special utility, the Kaspersky Flashfake Removal Tool. It will automatically scan your system and remove Flashback if it is detected. This is a free-to-download and free-to-use program.
  - Download a trial version of Kaspersky Anti-Virus 2011 for Mac. This program offers comprehensive protection against all known malicious programs for Mac OS X, including Flashback.
  - Detect and remove Flashback manually. Follow the instructions provided at flashbackcheck.com.
For more information on the Flashfake botnet and the Flashfake Trojan, visit Kaspersky Labs.