
Sunday, April 15, 2012

Flashback Malware And The Confusing Case Of The Apple Flashback Malware Remover v1.0

--
[Updated 2012-04-18:
Symantec are now reporting that, according to their data collection, the Flashback botnet is down to 140,000 Macs. That's still a vast number, but a remarkable improvement thanks to Apple's Java update and Remover. 


Also new: 
My net friend Al Varnell, who performs a great deal of vigilant work with ClamXav and the ClamAV project, has provided me with new information and insight reflected below. Of greatest interest is the fact that the Flashback malware series has been specifically aimed at Intel CPU Macs only. PPC Macs are immune.]


Apple has provided a separate tool for Mac OS X 10.7 users (only) for the removal of most versions of the Flashback malware. It is entitled (despite odd journalist claims to the contrary) the 'Flashback Malware Remover.' Apple also call it their 'Flashback malware removal tool.' The Software Update system in 10.7 is offering the tool to those who have no Java installed. Optionally, you can manually download it from Apple's Downloads site:


http://support.apple.com/kb/DL1517


Here is Apple's description of the Flashback malware removal tool:
About Flashback malware removal tool 
This update removes the most common variants of the Flashback malware. This update contains the same malware removal tool as Java for OS X 2012-003. If the Flashback malware is found, a dialog will be presented notifying the user that malware was removed. 
In some cases, the Flashback malware removal tool may need to restart your computer in order to completely remove the Flashback malware. 
This update is recommended for all OS X Lion users without Java installed.
Why does the description say 'without' Java installed? Because there have been quite a few versions of the Flashback malware that did not involve Java. Mac users who do not have Java installed (which is the default starting with Mac OS X 10.7) would never have been offered Java for OS X 2012-003 via Software update and therefore would never have run Flashback Malware Remover on their Macs via that update. Rather than leaving those users out in the cold, Apple have provided the Remover as a standalone installer application.


NOTE: The Remover only runs on Mac OS 10.7. I checked.


What is confusing about the Remover is that Apple have NOT provided an actual application tool. Instead Apple has provided an 'installer' package that runs within their Installer program and that is ALL that it does. 


Essentially, Apple took the Java for OS X 2012-003 installer and removed everything except the Remover process from the installation. In other words: NOTHING is installed on your Mac. Not-a-thing. And yes, that is freaky. The installer is the Remover. Get it? This is going to freak out and confuse quite a few Mac users. This has already been proven to be the case up on Apple's Discussion forums at their Support site. I can't blame them! It makes no sense, except that Apple had the Remover handy inside their Java for OS X 2012-003 installer, so they sped the Remover out the door within that same format.


Don't worry about it! Just run the installer and the Remover will run. Keep the .dmg file if you would like to run it again in the future. This is a great idea because the older Trojan horse versions of Flashback (of which there are reportedly 13 versions that don't use Java) are going to remain out in the wild on the Internet.


Please refer back to my previous article for details about how to avoid being infected with Trojan horse malware, along with other security rules and tips:

The Rules of Computing: Keeping Your Mac Secure

The Numbers:


Adding up all the Macs infected with ALL the variations of the Flashback malware, apparently well over 600,000 Macs were affected:



After Apple's three Java updates, the last of which included the Remover, the number dropped to half, less than 300,000 infected Macs:


Who's left in the Flashback botnet?

1) Users with Mac OS X 10.6 or 10.7 with Java installed who have not run the most recent updater or Apple's separate Flashback Malware Remover.

2) Users with Mac OS X 10.7 who never installed Java and have not yet run Apple's Flashback Malware Remover.

3) Anyone using Mac OS X 10.5 on Intel Macs. From the data of which I am aware, the Flashback malware code is directed ONLY at Intel Macs, making PPC Macs immune. It is not clear whether there has been infection of Mac OS X 10.4 Intel Macs. However, I continue to suspect there has been. The Java security hole exploited by Malware.OSX.Flashback.N, the latest version (according to Intego), is apparently present in the last Java update for that version of Mac OS X.

Kaspersky has provided a web page where you can check if your specific Mac was infected with Flashback. However, I can't recommend it as the page requires you to enter your Mac's hardware UUID (Universally Unique Identifier). That's a bit like giving away your social security number and could be used by hackers to fake being you on the Internet. I suggest you only give it away to people you know and trust. Therefore, I'm not going to link Kaspersky's Flashback infection checking page here. If you'd like to use it, go digging around at the Kaspersky.com website.

Is this the time to buy Mac Anti-Malware software?
(Often wrongly called 'Anti-Virus' software). 

Probably not, unless you are dealing with the 'LUSER Factor' or unless you have an Intel Mac with Mac OS X 10.5 or 10.4. Even then, I suggest you first download and use Mark Allan's ClamXav software. It's FREE. My Mac Security friends and I work to keep the ClamAV open source project up-to-date with the latest Mac malware definitions. Install it, update its malware definitions and have it scan your entire boot drive.

There are also a number of free scanner versions of commercial anti-malware apps. I'd suggest checking out Sophos Free Anti-Virus for Mac. (I can no longer recommend the free PC Tools iAntiVirus app, which is drastically out-of-date).

If you'd like to buy the best Anti-Malware program, I continue to recommend Intego's VirusBarrier. They have a 30-day trial version. I own it, use it and like it. It ships with excellent bells and whistles including its own firewall, Internet website protection, good background scanning that doesn't eat your CPU, and its own reverse firewall (similar to the renowned Little Snitch software). The only drawback is the yearly fee for malware definitions. I pay it and don't mind.

I have friends who like F-Secure Anti-Virus. They offer free online tools and a 30 day free trial. (Use the 'campaign code' on their AV page). The only reason I avoid F-Secure is that they are FUD mongers, attempting to scare Mac users with exaggerated reports about Mac malware. I don't deal with that.

Sophos is the best if you are running a small business or enterprise network of Macs. They also offer a free trial. I also like their free Sophos Security Monitor app for iOS devices. It provides timely computer security information.

The other anti-malware providers can be anywhere from OK to total CRAP. The crap includes (IMHO of course) anything from ZeoBIT and Symantec. IOW: Run away from MacKeeper and Norton Anti-Virus. 


Coming Up:


Over at my MacSmarticles blog, I will be posting an article about ZeoBIT paying their users to bombard Mac software review sites, a grotesque abuse of marketing.

Here at the Mac-Security blog, I will be providing a list of my favorite Mac security information sources.
--

Friday, March 19, 2010

Intego VirusBarrier Review Part II

--
My friend and former employer Michael Flaminio posted a very nice video review of Intego VirusBarrier version 10.6 over at Insanely-Great Mac. You can also access it at YouTube. I could not provide any improvement over Michael's review, so please give it a viewing! VirusBarrier is the only Mac OS X anti-malware program I can recommend for individual users. See my Part I review for further details and opinions regarding the program.

This past week someone told me that FUD mongers Symantec have finally gotten their act together, allowing their Norton Anti-Virus program to work properly without damaging your hard drive. Imagine that! I am seeking verification that this is indeed the case, if anyone would please let me know. Much obliged. If I get enough happy shiny smiley stories I may dare to perform some testing on the latest version myself.

Happy spring to the northern hemisphere! Happy fall to the southern hemisphere. (-_^)
--

Friday, January 15, 2010

Intego VirusBarrier Version 10.6 Review:
Part I

--
Let's start with the GOOD NEWS:

Intego VirusBarrier is the only anti-malware program I can recommend for Mac OS X. Its interface and features are unmatched by any similar program. The signature updates are regular and reliable. Intego stay right up-to-date with all Mac OS X malware. The program is 100% compatible with Snow Leopard. Ignore all reports to the contrary. For Mac users who want a top notch single-user anti-malware program, this is the only one. Nothing compares, except perhaps Sophos, which is only designed for network users.

The new VirusBarrier 10.6 version adds a bunch of new security features worth the upgrade price. Some features are redundant to those already in Safari and FireFox. The reverse firewall is the only new feature I care about. Reverse Firewalls stop dead any way to zombie your Mac. They also stop all software from 'phoning home'. I've been using Little Snitch for years and love it. The reverse firewall in VirusBarrier 10.6 is not as good as Little Snitch. But it's there and it's useful.

A new single user license for VirusBarrier costs $49.95 and protects two Macs. A new family license is $69.95 and protects five Macs. The 10.6 upgrade is potentially free for those who purchased VirusBarrier 10.5 between November 25, 2009 and April 13, 2010. See Intego for details. Otherwise, the upgrade is $34.95 for single users. A family pack upgrade is $59.95 for protecting five Macs. Every new or upgrade license includes a year's subscription of malware signatures.

Intego also provide an occasionally useful and intelligent Mac Security Blog.

Now the BAD NEWS:

1) Accompanying the 10.6 update is a new advertising campaign that makes several wrong and ridiculous claims consisting of what is traditionally called BULL SHITE or FUD. Enjoy:
"More and more malware is discovered every day. Macintosh computers face threats from viruses, Trojan horses, worms and more."
Incorrect! There are ONLY Trojan horses for Mac OS X. Period. The End. If you believe otherwise, you've been duped.
"VirusBarrier X6, the Lowest-Priced Mac Antivirus"
No. FREE would be 'The Lowest-Priced Mac Antivirus', and there are a few of those to choose from. See below.
"... simply visiting a booby-trapped web page can compromise your Mac."
This has never happened on Mac OS X in the wild or in a 'Crack A Mac' competition without an account user providing deliberate sabotage assistance. However it 'could' happen if a JavaScript or Java security hole wasn't patched in your web browser or operating system. (Readers of my posts know what contempt I have for the state of JavaScript).


I hope Intego have brains enough to dump the false advertising before they get sued. I despise FUD and would hate to have to put Intego on a par with Symantec, the renowned masters of anti-Mac security FUD and makers of easily the worst anti-malware for Mac.



2) Yearly malware subscriptions for VirusBarrier are required and expensive. $29.95 for one year. Yikes! A two year subscription is 50% off the second year at $44.90. If you're up for renewal and are using version 10.5, you might as well upgrade to 10.6 at $34.95 and get the included one year subscription, saving yourself $25.

3) Intego outright refuse to provide a list of malware detected and removed by VirusBarrier. That's idiotic and I've directly told them so. They don't care. Instead, I follow the imperfect but useful Threats Database provided by the PC Tools site, the makers of the up-and-coming competitor program iAntiVirus.

4) And of course, if you turn on the Real-Time Scanner feature, expect VirusBarrier to eat your CPU. So turn it off. You don't need it unless you're dealing with LUSERs, in which case all you have to do is prevent them from having access to an administrator account and password. It's seriously that simple.

CONCLUSION:

So what is VirusBarrier for? It protects you from LUSER behavior and lets you find and wipe out Windows malware you may be passing along to Windows users.

If you're a conscientious Mac user who checks the validity of all software you install, you don't need VirusBarrier to protect your Mac. There are less reliable free alternatives if you want to try them out, such as ClamXav and iAntiVirus. (Avoid MacScan, which is ultra-lame).

I'll be posting a detailed feature review in Part II after I test the new VirusBarrier 10.6.3 update.
--

Wednesday, June 24, 2009

Adobe Shockwave Player v11.5.0.600 & Apple vs. Java Insecurity

--
In its recent attempt to get serious about application security, last week Adobe released Shockwave Player v11.5.0.600 for Mac. Oddly, they released the Windows version a week later. I say oddly because Mac versions of Adobe software are almost always late. It's amusing to see a swap for a change. Now if only Adobe would release the many years delayed 64 bit versions of their applications. Hint hint Adobe.

MacWorld messed up today (6/24) and reported that the Adobe security bulletin about the Windows version 11.5.0.600 of Shockwave Player had anything to do with the Mac version. So I posted a reply comment, which you'll find below. After I posted my comment I visited the Adobe site to find any news about the Mac version. There isn't any. I did however learn that Shockwave Player is compatible with Mac OS X Tiger. That's good to know. I dug around in the installer package and found nothing there as well. If you find anything relevant to Mac security improvements in Shockwave Player v11.5.0.600, please leave a comment.

Here is my comment to MacWorld regarding Adobe Shockwave Player. It is also relevant to Apple's slow poke response to Java security problems:

A couple points:

1) The Adobe Security Bulletin (it's not a blog) is specific to the Windows version ONLY, which apparently was just finished and released. The Mac version of Adobe Shockwave Player v11.5.0.600 was released a week ago on June 16th. Adobe didn't post a security bulletin for the Mac version. And that means what?!

2) bousozoku sez: "Adobe seems to be the only company slower than Apple at taking care of security concerns."

Adobe's attention to security went into deep decline until this past month.

In the meantime, Apple have been improving their attention to security exponentially over the last couple years. It appears to be in response to both the moronic anti-Apple security FUD-fest instigated by Symantec in August 2005, and the White Hat focus on Apple security bugs and vulnerabilities. As is typical with Apple, drag them through the press and they respond.

Where Apple recently fell on their face was with regards to a slew of vulnerabilities in the mess known as Java. Apple were over 6 months behind in Java patches. Sadly, Apple's incredibly slow response to Java updates is consistent. Never has Apple had a serious Java team. Of course one reason is that Apple has to do ALL the work to provide Mac OS X Java updates. Sun provides nothing.

Meanwhile, despite Microsoft's outright hatred of all things Java, to the extent that they were found guilty in court of attempting to destroy Java via their J++ monstrosity, Sun Microsystems write and provide all Windows Java updates. Microsoft never has to lift a finger. That is the single sole reason Windows gets Java updates before Mac OS X. Hey thanks Sun. Sorry you're dead.
--

Friday, May 29, 2009

Microsoft Senior Security Architect Said WHAT?!

Someone needs a good spanking and a time out for bad behavior. He's considered to be a professional computer security expert, (so it's not me!).

This afternoon I was checking out the Intego Mac Security Blog and read about interviews ZDNet Australia had done with security specialists regarding the question "Do Mac Users Need Antivirus Software?" (They got the software category wrong as usual. It's anti-malware, not 'anti-virus'. I'll go down in history as the curmudgeon who chanted this fact to the grave, and nobody cared. Poor me). So I clicked over to ZDNet OZ, read their article and watched the video, found HERE.

In the video, note the fellow in the white shirt with a British accent. That's Greg Singh from RSA. As Intego point out, Singh is incorrect to say Mac users will have to get used to the degradation in performance caused by anti-malware applications. He could be talking specifically about Symantec's Norton Antivirus for Mac, in which case no one could argue with him. He also insinuates that Apple have said Mac OS X is not susceptible to 'viruses'. Oops, I think he got his Apples mixed up. He must have meant Apple Corps, the folks who make Beatles CDs. Yeah, I'd agree that Beatles recordings are not susceptible to viruses. **snicker**

Then there's the guy in the black t-shirt and hat reading 'ULTIMATE-DEFENCE'. That's Rocky Heckman from Microsoft. He has the title of "Microsoft Senior Security Architect". I was freaked at what was coming out of his mouth. First he thinks BSD is something new to Mac OS X Tiger. He was born yesterday. Then he says that because BSD is part of Mac OS X, hackers are now realizing they can write 'viruses' for it, "and there have been a couple out there." He's from the Bizarro World. There are no viruses for Mac OS X. There are only Trojans, and he knows the difference. I wrote a ripping comment about Mr. Heckman over at the ZDNet OZ site. See below.

Then there's an Australian fellow in a white striped shirt with a big pad and marker hanging around his neck. I don't know his name, sorry. His odd statement, if you listen carefully, is that anti-malware products for Mac OS X are 'immature'. Based on what information? Based on ignorance. Very strange.

OK, so where were all these incorrect people when they were interviewed? The AusCERT 2009 IT Security Conference. The mind boggles.

Here is the concerned comment I wrote to ZDNet Australia regarding the statements of Mr. Heckman from Microsoft:
Microsoft Senior Security Architect Said WHAT?!

"Microsoft senior security architect Rocky Heckman said AV became necessary when Apple in 2001 decided to underpin OS X Tiger with the BSD operating system because it made Macs an easier platform to write malicious code for."

Why did anyone ask Mr. Heckman his opinion? We certainly have no reason to care. Windows is the single LEAST secure operating system, commercial or Open Source, available on the planet.

Why Heckman's opinion is lunatic:

1) Apple didn't decide to underpin Tiger with BSD. NeXT decided to underpin NeXTStep with BSD decades ago! Mac OS X inherited it when Apple decided to make NeXTStep/OpenStep the foundation for Rhapsody, which was then developed into Mac OS X.

2) The three most secure operating systems on the planet have been repeatedly proven to be:
A) OpenBSD
B) FreeBSD
C) Mac OS X
Mac OS X incorporates elements of both OpenBSD and FreeBSD into its core OS called Darwin OS. So what Mr. Heckman is talking about is incomprehensible. He is either a blithering idiot or is pulling a FUD manoeuvre by telling the opposite of the truth in order to fool the public that black is white, war is peace, hate is love, the usual doublespeak routine from the book '1984'. Shame on Mr. Heckman.

This has to be one of the most dishonest statements from a Microsoft executive of all time. It's running neck-and-neck with Bill Gates' moronic statement that Mac OS X is exploited every day, when in fact it is HIS operating system that is exploited every day.

Or maybe there's lead in the water over at Redmond. (o_0)
--

Monday, April 27, 2009

Multiple Symantec Software Vulnerabilities Found

--
This isn't so much a useful article as a thumb in the eye of my least favorite anti-Mac security FUD monger, Symantec. Have an *evil laugh* along with me if you like:

Digging around at the F-Secure site tonight I happened upon this article from a few days back:

Symantec Brightmail Gateway Control Center Multiple Vulnerabilities

Summary

Some vulnerabilities have been reported in Symantec Brightmail Gateway, which can be exploited by malicious people to conduct cross-site scripting attacks and by malicious users to bypass certain security restrictions.

Detailed Description

Some vulnerabilities have been reported in Symantec Brightmail Gateway, which can be exploited by malicious people to conduct cross-site scripting attacks and by malicious users to bypass certain security restrictions.

1) Certain unspecified input passed to the Control Center is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) An error when processing unspecified console functions can be exploited by a Control Center user to gain administrative privileges.

The vulnerabilities are reported in versions prior to 8.0.1.
The vulnerabilities were discovered by Secunia.

They were NOT discovered by Symantec.

So next time Symantec strike one of their Overlords Of Security poses, just laugh at them.

;-D
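Item 1 of the advisory above describes the classic reflected cross-site scripting pattern: user input is echoed back into an HTML page without encoding. The following is an added illustration of that flaw class and its standard fix, written for this post; it is not Brightmail Gateway code and the console, page template and probe string are constructed for the demonstration.

```python
import html
from urllib.parse import parse_qs, quote

# Constructed sample: a management console that echoes a search term back
# into the page. This mirrors the flaw class in advisory item 1; it is not
# code from the product the advisory describes.
PAGE = "<html><body><h1>Results for: {term}</h1></body></html>"

# Constructed probe: harmless markup that must NOT survive as markup.
PROBE = "<b>probe</b>"
QUERY = "q=" + quote(PROBE)


def _term(query_string: str) -> str:
    """Pull the user-controlled 'q' parameter out of the query string."""
    return parse_qs(query_string).get("q", [""])[0]


def render_unsafe(query_string: str) -> str:
    """Vulnerable form: the input is placed into HTML verbatim, so any
    markup in it is interpreted by the browser (reflected XSS)."""
    return PAGE.format(term=_term(query_string))


def render_safe(query_string: str) -> str:
    """Hardened form: HTML-encode the input for an HTML text context, so
    '<', '>', '&' and quotes are rendered literally, not parsed as markup."""
    return PAGE.format(term=html.escape(_term(query_string), quote=True))


def reflects_raw_markup(rendered: str, user_input: str) -> bool:
    """Defender-side check for a test suite: True when the input contained
    angle brackets and came back in the response byte-for-byte intact."""
    return ("<" in user_input or ">" in user_input) and user_input in rendered


if __name__ == "__main__":
    print("unsafe reflects markup:", reflects_raw_markup(render_unsafe(QUERY), PROBE))
    print("safe reflects markup:  ", reflects_raw_markup(render_safe(QUERY), PROBE))
```

The encoding has to match the context the value lands in: `html.escape` is correct for element text and quoted attribute values, but a value inserted into a JavaScript block, a URL, or a CSS rule needs that context's own encoder.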
--

Saturday, December 8, 2007

Symantec Massive Booboo, Again


I suspect this post will come off as snotty. But the fact is that Symantec have consistently been the #1 purveyor of anti-Mac security FUD since 2005. They pulled another FUD attack just this past month.


As ever, FUD is used as a propaganda tactic in order to frighten people into doing your bidding. Our current USA federal executive branch is using FUD to drive a war machine for the purpose of their special interests, as opposed to the actual interests of the citizens they are supposed to be representing. Their particular FUD phrase is 'The Long War' referring to the non-existent 'war' on terrorism.

What has been Symantec's purpose? They want to sell Norton Anti-Virus to Mac users. Not surprisingly their FUD started precisely at the time when it became blatantly evident that Norton AV was one of the single most buggy applications available for Macintosh. Needless to say, Symantec's efforts so far have been rebuffed. The usual response is that Mac users are deliberately ignorant about security. In actuality I think we can all agree that Mac users will very much become knowledgeable about Mac security at such time as it proves to be of actual importance.

Payback is a bitch. And Symantec pulled quite a booboo this past week. You can read all about it here:

http://www.pcmag.com/article2/0,2704,2229576,00.asp


To quote PC Magazine:

Update: Symantec Screwup Is 'Worse Than Any Virus'
12.06.07
By Chloe Albanesius

A routine update from Symantec Security Response wreaked havoc on a California company's clientele this week when it inadvertently tagged a program produced by Solid Oak Software as a virus and cut off the Internet access of Solid Oak customers.

. . .

Solid Oak customers including schools, libraries and personal accounts, were not provided with a recovery mechanism and subsequently lost Internet access. Solid Oak did not have an exact number of those affected, but it likely numbers in the tens of thousands, according to a spokeswoman.

Customers have had to re-install entire operating systems and software, she said.

. . .

This is the third time in less than a year that Symantec's Norton products have caused severe damage to computers running CYBERsitter software offerings, said Brian Milburn, president of Solid Oak Software, in a statement. "In my opinion, Norton products are worse than any virus I can think of," he said.

"We have thousands of users with no Internet access and all Symantec has done is to provide our mutual customers with a non-functioning support number that tell them to use on-line support," Milburn added. "The problem is even worse because [it's] the holiday season. Users are trying to order gifts on-line and they can't."

. . .

The situation is "embarrassing" for Solid Oak, Solid Oak's spokeswoman said. The company has been forced to pass along to customers instructions from Symantec, but nothing is working as of Thursday, she said. "People are upset," she said.

Solid Oak received an e-mail from Kevin Haley, Symantec's director of product management for Security Response, at 11 a.m. PST Thursday but no further instructions were relayed at the original time of this story's publication, according to Solid Oak.


Happily Symantec issued a solution this Friday.

Personal blether-fest related to the subject:

As I tell everyone, we are still in 'The Stone Age Of Computing.' Software development in particular is remarkably primitive, a PITA, consistently unreliable, and still requires drastic improvements in user-friendliness. Essentially, the software development task, using the crummy tools and coding philosophies we have at this time, is well beyond the comprehension of any one human being. And as usual, once you get into the process of coding by committee, you can break up a project into pieces, but getting the pieces to all be of the same quality and getting them all to work together properly is just about impossible.

A great example to watch right now is the progress of Mac OS X 10.5 Leopard. Undoubtedly it is the best OS on the market. But new bugs are discovered every single day. It clearly is suffering from what is called the '1.0' effect where the first publicly released version of any program is not-ready-for-prime-time. Why this effect happens so consistently is a complicated matter I may discuss some other time. Suffice it to say that it is expected and eventually works itself out. But nothing is perfect.

Much as I love Mac OS X Tiger, even at the 11th revision it still has bugs. Example: Have you noticed that even in 10.4.11 you still have the icons of some of the files in a folder disappear from time to time? It is because of flaws in the Finder. You can find a freeware tool called Refresh Finder to help overcome this nonsense at:

http://www.soderhavet.com/refresh/


CONCLUSION: Every software company consistently makes mistakes. It is part of our times. But it is particularly satisfying, in a mean-spirited kind of way I must admit, when a lying, fear-mongering company like Symantec falls on its face due to its own incompetence and arrogance. Let's hope we all learn from our mistakes and learn to treat each other with more understanding and respect.