Sunday, April 15, 2012

Flashback Malware And
The Confusing Case Of
The Apple Flashback Malware Remover v1.0

--
[Updated 2012-04-18:
Symantec are now reporting that, according to their data collection, the Flashback botnet is down to 140, 000 Macs. That's still a vast number, but a remarkable improvement thanks to Apple's Java update and Remover. 


Also new: 
My net friend Al Varnell, who performs a great deal of vigilant work with ClamXav and the ClamAV project, has provided me with new information and insight reflected below. Of greatest interest is the fact that the Flashback malware series has been specifically aimed at Intel CPU Macs only. PPC Macs are immune.]


Apple has provided a separate tool for Mac OS X 10.7 users (only) for the removal of most versions of the Flashback malware. It is entitled (despite odd journalist claims to the contrary) the 'Flashback Malware Remover.' Apple also call it their 'Flashback malware removal tool.' The Software Update system in 10.7 is offering the tool to those who have no installed Java. Optionally, you can manually download it from Apple's Downloads site:


http://support.apple.com/kb/DL1517


Here is Apple's description of the Flashback malware removal tool:
About Flashback malware removal tool 
This update removes the most common variants of the Flashback malware. This update contains the same malware removal tool as Java for OS X 2012-003.If the Flashback malware is found, a dialog will be presented notifying the user that malware was removed. 
In some cases, the Flashback malware removal tool may need to restart your computer in order to completely remove the Flashback malware. 
This update is recommended for all OS X Lion users without Java installed.
Why does the description say 'without' Java installed? Because there have been quite a few versions of the Flashback malware that did not involve Java. Mac users who do not have Java installed (which is the default starting with Mac OS X 10.7) would never have been offered Java for OS X 2012-003 via Software update and therefore would never have run Flashback Malware Remover on their Macs via that update. Rather than leaving those users out in the cold, Apple have provided the Remover as a standalone installer application.


NOTE: The Remover only runs on Mac OS 10.7. I checked.


What is confusing about the Remover is that Apple have NOT provided an actual application tool. Instead Apple has provided an 'installer' package that runs within their Installer program and that is ALL that it does. 






Essentially, Apple took the Java for OS X 2012-003 installer and removed everything except the Remover process from the installation. In other words: NOTHING is installed on your Mac. Not-a-thing. And yes, that is freaky. The installer is the Remover. Get it? This is going to freak out and confuse quite a few Mac users. This has already been proven to be the case up on Apple's Discussion forums at their Support site. I can't blame them! It makes no sense, except that Apple had the Remover handy inside their Java for OS X 2012-003 installer, so they sped the Remover out the door within that same format.


Don't worry about it! Just run the installer and the Remover will run. Keep the .dmg file if you would like to run it again in the future. This is a great idea because the older Trojan horse versions of Flashback (of which there are reportedly 13 versions that don't use Java) are going to remain out in the wild on the Internet.


Please refer back to my previous article for details about how to avoid being infected with Trojan horse malware, along with other security rules and tips:

The Rules of Computing: Keeping Your Mac Secure

The Numbers:


Adding up all the Macs infected with ALL the variations of the Flashback malware, apparently well over 600,000 Macs were affected:



After Apple's three Java updates, the last of which included the Remover, the number dropped to half, less than 300,000 infected Macs:


Who's left in the Flashback botnet?

1) Users with Mac OS X 10.6 or 10.7 with Java installed who have not run the most recent updater or Apple's separate Flashback Malware Remover.

2) Users with Mac OS X 10.7 who never installed Java and have not yet run Apple's Flashback Malware Remover.

3) Anyone using Mac OS X 10.5 on Intel Macs. From the data of which I am aware, the Flashback malware code is directly ONLY at Intel Macs, making PPC Macs immune. It is not clear whether there has been infection of Mac OS X 10.4 Intel Macs. However, I continue to suspect there have. The Java security hole exploited by Malware.OSX.Flashback.N, the latest version (according to Intego) is apparently present in the last Java update for that version of Mac OS X.

Kaspersky has provided a web page where you can check if your specific Mac was infected with Flashback. However, I can't recommend it as the page requires you to enter your Mac's hardware UUID (Universally Unique Identifier). That's a bit like giving away your social security number and could be used by hackers to fake being you on the Internet. I suggest you only give it away to people you know and trust. Therefore, I'm not going to link Kaspersky's Flashback infection checking page here. If you'd like to use it, go digging around at the Kaspersky.com website.

Is this the time to buy Mac Anti-Malware software?
(Often wrongly called 'Anti-Virus' software). 

Probably not, unless you are dealing with the 'LUSER Factor' or unless you have an Intel Mac with Mac OS X 10.5 or 10.4. Even then, I suggest you first download and use Mark Allan's ClamXav software. It's FREE. My Mac Security friends and I work to keep the ClamAV open source project up-to-date with the latest Mac malware definitions. Install it, update its malware definitions and have it scan your entire boot drive.

There are also a number of free scanner versions of commercial anti-malware apps. I'd suggest checking out Sophos Free Anti-Virus for Mac. (I can no longer recommend the free PC Tools iAntiVirus app, which is drastically out-of-date).

If you'd like to buy the best Anti-Malware program, I continue to recommend Intego's VirusBarrier. They have a 30 trial version. I own it, use it and like it. It ships with excellent bells and whistles including its own firewall, Internet website protection, good background scanning that doesn't eat your CPU, and its own reverse firewall (similar to the renowned Little Snitch software). The only drawback is the yearly fee for malware definitions. I pay it and don't mind.

I have friends who like F-Secure Anti-Virus. They offer free online tools and a 30 day free trial. (Use the 'campaign code' on their AV page). The only reason I avoid F-Secure is that they are FUD mongers, attempting to scare Mac users with exaggerated reports about Mac malware. I don't deal with that.

Sophos is the best if you are running a small business or enterprise network of Macs. They also offer a free trial. I also like their free Sophos Security Monitor app for iOS devices. It provides timely computer security information.

The other anti-malware providers can be anywhere from OK to total CRAP. The crap includes (IMHO of course) anything from ZeoBIT and Symantec. IOW: Run away from MacKeeper and Norton Anti-Virus. 


Coming Up:


Over at my MacSmarticles blog, I will be posting an article about ZeoBIT paying their users to bombard Mac software review sites, a grotesque abuse of marketing.

Here at the Mac-Security blog, I will be providing a list of my favorite Mac security information sources.
--

No comments:

Post a Comment