IT Pro


How to find and remove Mac Flashback infections


The stories we published about the Flashback Trojan having infected more than 600,000 Mac OS X systems generated many reader enquiries. Most people wanted to know how they could detect whether their systems were infected with Flashback — and if so — how to remove the malware. Brian Krebs covers both of those questions.

Since the discovery last month that the Flashback Trojan had infected more than 600,000 Mac OS X systems, Apple and several security firms have released tools to help detect and clean up Flashback infections.

Dr.Web, the Russian antivirus vendor that first sounded the alarm about the outbreak, has published a free online service that lets users tell whether their systems have been seen phoning home to Flashback's control servers (those servers have since been hijacked by researchers). The service requires users to enter their Mac's hardware UUID (HW-UUID, the machine's unique hardware identifier), because this is how the miscreants who were running the botnet kept track of their infections.

F-Secure, the Finnish security firm that worked with Dr.Web to more accurately gauge the true number of Flashback-infected Macs, has a Flashback Removal Tool available for download from its website.

Apple released its own Flashback Trojan removal tool on Friday, after advising it was working on it.

Flashback attacks a well-known Java flaw, but it's worth noting that Apple released the Java patch only after Flashback had begun infecting hundreds of thousands of Macs.


Apple has also now released a new version of Java that includes a Flashback remover. Java for OS X Lion 2012-003 delivers Java SE 6 version 1.6.0_31 and supersedes all previous versions of Java for OS X Lion.

It includes no new security fixes, but it adopts a novel approach to the debate over whether to temporarily disable or remove Java: "It configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application." If the Java web plug-in detects that no applets have been run for at least 35 days, it will again disable Java applets.

It is not clear if the fixes address the latest infection, identified by Kaspersky Labs as SabPub — or more formally, Backdoor.OSX.SabPub.a — which is different from Flashback but spreads via Java.

