How to find and remove Mac Flashback infections


Brian Krebs


The stories we published about the Flashback Trojan having infected more than 600,000 Mac OS X systems generated many reader enquiries. Most people wanted to know how they could detect whether their systems were infected with Flashback — and if so — how to remove the malware. Brian Krebs covers both of those questions.

Since the discovery last month of the Flashback Trojan having infected more than 600,000 Mac OS X systems, Apple and several security firms have released tools to help detect and clean up Flashback infections.

Dr.Web, the Russian antivirus vendor that first sounded the alarm about the outbreak, has published a free online service that lets users tell whether their systems have been seen phoning home to Flashback's control servers (those servers have since been hijacked by researchers). The service requires users to enter their Mac's hardware unique user ID (HW-UUID), because this is how the miscreants who were running the botnet kept track of their infections.

F-Secure, the Finnish security firm that worked with Dr.Web to more accurately gauge the true number of Flashback-infected Macs, has a Flashback Removal Tool available for download from its website.

Apple released its own Flashback Trojan removal tool on Friday, after advising it was working on it.

Flashback attacks a well-known Java flaw, but it's worth noting that Apple released the Java patch only after Flashback had begun infecting hundreds of thousands of Macs.

Apple has also now released a new version of Java that includes a Flashback remover. Java for OS X Lion 2012-003 delivers Java SE 6 version 1.6.0_31 and supersedes all previous versions of Java for OS X Lion.

It includes no new security fixes, but it adopts a novel approach to the debate over whether to temporarily disable or remove Java: "It configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application." If the Java web plug-in detects that no applets have been run for at least 35 days, it will again disable Java applets.

It is not clear if the fixes address the latest infection, identified by Kaspersky Labs as SabPub — or more formally, Backdoor.OSX.SabPub.a — which is different from Flashback but spreads via Java.

KrebsOnSecurity


11 comments so far

  • So let's see....to solve this possible problem you want people who are already possibly compromised and tech unsavvy to put into another 'unconfirmed' website a computer's personal ID number? What so the new party can gain control of your computer at a future date?

    Commenter
    Andy
    Location
    Elwood
    Date and time
    April 17, 2012, 2:47PM
    • That's a very long way of saying "Run software update on your Mac".

      Commenter
      Currawong
      Date and time
      April 17, 2012, 3:44PM
      • So, can someone confirm (or otherwise) that this is solely a problem for OS Lion? Are older OS Macs safe? If that is the case I am holding off from upgrading Leopard for a bit longer.

        Commenter
        Albervin
        Date and time
        April 17, 2012, 4:14PM
        • a) upgrade to SL or Lion, or
          b) delete Java (google it)

          Commenter
          Nick
          Location
          syd
          Date and time
          April 17, 2012, 4:47PM
      • Wow - if a Mac gets a virus it's BIG news. I bet the people who made the 'fix' made the virus because they were losing $ as Windozers decline.

        Commenter
        geektard
        Date and time
        April 17, 2012, 4:17PM
        • > Most people wanted to know how they could detect whether their systems were infected with Flashback — and if so — how to remove the malware.

          It took reader feedback for @theage to realise this? There's another article all over theage.com.au today with a 'responsibly alarmist' tone but provides zero useful or helpful information.

          Commenter
          m0g
          Date and time
          April 17, 2012, 4:28PM
          • But all my Mac using friends still insist "Macs don't get viruses"

            Commenter
            Drwevil
            Date and time
            April 18, 2012, 5:20AM
            • just run some sort of anti virus software, keep your mac updated and you shouldn't have to worry about. there are many free options on line, just do some research before going into a panic mode.
              yes mac computers are prone to viruses but 10000000000000 percent less than windows, saying this the possibility of getting infected is 1 in 1000000000000000000000000000000!!!!

              Commenter
              wogstar
              Location
              sydney
              Date and time
              April 18, 2012, 10:13AM
              • Using your logic with 600,000 infected Mac computers and an infection probability of 1 in 1 nonillion (10^30), there must be 6 undecillion (10^36) Mac computers in the world!!

                Commenter
                Michael
                Location
                Brisbane
                Date and time
                April 18, 2012, 1:10PM
            • Great advice Brian! If I have trouble with my Mac the first place I will seek assistance from now on will be Russian software companies. BTW Brian soon you will be getting a call from "the IT department" in India. They are experts in computer security, just follow their instructions (and I'm sure that you will) then everything will be OK.

              Commenter
              Aidan
              Location
              Tweed
              Date and time
              April 18, 2012, 12:30PM
