OSX/Flashback.I (latest variant). Check and removal instructions from F-Secure.com

Euan Williams
Some members may have come across excited news of this Java trojan, others may already have downloaded Apple's system patch posted on Wednesday 4th April.

The first tell-tale is a modified padlock picture in a system authorisation dialogue. If you see an odd-looking padlock, don't authorise. Prior to Lion, OS X installed Java by default, and these users should take note.

If you are running Lion (and have not installed Java, or have always kept it switched "off" in Safari security prefs) there is little to worry about. Others may be interested in this article -- which looks intimidating but is simple enough when used to confirm that you DON'T have a problem. If you DO have a problem proceed with extra caution.

> http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml <

Make sure you have read the whole article thoroughly, including "Additional Details" and then follow the instructions carefully, copying and pasting each Terminal command, checking the results and then moving to the next instruction indicated.

Hopefully Apple will by now have applied an automatic virus/trojan fix to your Mac for this malware.

(Note that if you want to look inside the Safari.app (and other app bundles) you need to control-click the Safari icon in Applications, and look for the menu item "See Package Contents").

Re: OSX/Flashback.I (latest variant). Check and removal instructions from F-Secure.com

Euan Williams
CNET has posted a (slightly) more clear procedure (with a screen shot) for ridding infected Macs of the Flashback morph here:

> http://reviews.cnet.com/8301-13727_7-57410096-263/how-to-remove-the-flashback-malware-from-os-x/?tag=mncol;txt <

Happy Easter.

Re: OSX/Flashback.I (latest variant). Check and removal instructions from F-Secure.com

Martin Spenceley
There's another good article on Flashback here

Re: OSX/Flashback.I (latest variant). Check and removal instructions from F-Secure.com

Thomas Maude
Thanks Euan and Martin ... just reading now ... quick question ... in the preferences for both Safari and Firefox there is something called 'Javascript' as well as 'Java' and a check box for both ... if I am going to turn off Java ... what about Javascript?

cheers
Tom

Re: OSX/Flashback.I (latest variant). Check and removal instructions from F-Secure.com

Euan Williams
It seems that the Flashback Trojan uses Java 'Applets', which in turn are Java Language programmes. Java 'Scripts' are embedded in web page HTML and carry out standard tasks such as collecting information on forms. Turning J-scripts off would be pretty limiting, whereas Java language is less immediately critical.

See this discussion among others:
http://www.htmlgoodies.com/beyond/javascript/article.php/3470971/Java-vs-JavaScript.htm

"The main difference is that Java can stand on its own while JavaScript must (primarily) be placed inside an HTML document to function. Java is a much larger and more complicated language that creates "standalone" applications. A Java "applet" (so-called because it is a little application) is a fully contained program. JavaScript is text that is fed into a browser that can interpret it and then it is enacted by the browser--although today's web apps are starting to blur the line between traditional desktop applications and those which are created using the traditional web technologies: JavaScript, HTML and CSS."

Apple's (double) system update should be a fix for the issue, so after making sure you don't have the Flashback trojan in your system (and getting rid of it if you have) make sure you have the system updates installed and keep an eye open for any further developments.

Re: OSX/Flashback.I (latest variant). Check and removal instructions from F-Secure.com

Martin Spenceley
Java and Javascripts are totally different languages/technologies and have nothing in common except the usage of Java in their name.

Turning off Javascript is a bad idea since most web pages generally have some Javascript embedded in them so will make the webpage function 'weirdly'.

Turning off Java is a good idea since very few websites use it these days and as we've seen is a security risk.

Re: OSX/Flashback.I (latest variant). Check and removal instructions from F-Secure.com

Euan Williams
TUAW have posted a simple utility to check whether Flashback.I is present:

See Para 2 on this page "a simple utility". Click to download.

http://www.tuaw.com/2012/04/08/talkcast-tonight-10pm-et-fighting-flashback/

Re: OSX/Flashback.I (latest variant). Check and removal instructions from F-Secure.com

Thomas Maude
are you sure it doesn't install it !! ( joke )

thanks for the link Euan

Tom

Re: OSX/Flashback.I (latest variant). Check and removal instructions from F-Secure.com

Thomas Maude
Blistering Barnacles! App works perfectly ... no virus found ... a thousand thanks for the link ... it's what numpties like me need ... I had a go at the terminal command thing but couldn't do it.

cheers

Tom

Re: OSX/Flashback.I (latest variant). Check and removal instructions from F-Secure.com

Euan Williams
There are now several Flashback.I removal apps around, from F-Secure, Kaspersky, etc., although the Kaspersky app has been temporarily withdrawn.

Meantime Apple has posted (software update) a new version of Java which does the removal and offers better security. This is the third Java-related Apple update for Lion. Further details here:
http://www.tuaw.com/2012/04/12/java-for-os-x-2012-003-update-kills-flashback-malware-available/

Re: OSX/Flashback.I (latest variant). Check and removal instructions from F-Secure.com

Euan Williams
Although Java is not automatically installed with OS X Lion it seems that Flashback can affect it anyway. It may be a false assumption to think you are immune without Java.

Apple have posted this tool to check for and remove Flashback code from Lion (non Java) systems:

http://support.apple.com/kb/DL1517

Re: OSX/Flashback.I (latest variant). Check and removal instructions from F-Secure.com

Euan Williams
This morning the world woke to find a new variant of Flashback trojan: Flashback.S
Credit: Intego anti-virus.

Details here http://www.computerworld.com/s/article/9226521/New_sneakier_Flashback_malware_infects_Macs

No formal fix yet, but if you have taken precautions already, hopefully it won't bring sudden death to your Mac.

Re: OSX/Flashback.I (latest variant). Check and removal instructions from F-Secure.com

Euan Williams
Oracle are providing auto-updates for Java within OSX Lion from now on which should help malware resistance. See this article from ArsTechnica:

http://arstechnica.com/apple/news/2012/04/oracle-updates-java-to-se-7-for-os-x-brings-full-jdk-support.ars?comments=1#comments-bar

Re: OSX/Flashback.I (latest variant). Check and removal instructions from F-Secure.com

Euan Williams
Oh dear oh dear. Yet another Java villain has arrived, this time it uses Python scripts:

http://nakedsecurity.sophos.com/2012/04/27/python-malware-mac/

If you have used your browser preferences to "stop" Java -- NB "JavaScript" is something quite different and is fine to use -- and have installed all the latest Apple updates there should be no problem. But note that Apple have NOT issued updates to close off these attacks in OSX versions earlier than 10.6 Snow Leopard.

The Sophos page offers a simple, quick check to see if you have been compromised, and also free anti-virus software from Sophos for home users:

http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx

ClamXav is another free (open source) antivirus protector if you prefer to use that:

http://www.clamxav.com/download.php

The two AV software suites have been reviewed widely (see Google).

Re: OSX/Flashback.I (latest variant). Check and removal instructions from F-Secure.com

Euan Williams
Anyone visiting the Oracle Mac Java update page may still find that it is under maintenance. It seems Apple are about to post two Java updates to bring themselves into line with the Oracle updater cycle:

http://www.appleinsider.com/articles/12/05/05/apple_readies_final_in_house_java_updates_ahead_of_oracle_handoff.html

"The updates, titled "Java for OS X 2012-004" and "Java for Mac OS X 10.6 Update 9," are to be the last Apple-tailored runtimes for OS X 10.6 and 10.7 before all Mac-centric Java development moves to Oracle."

Re: OSX/Flashback.I (latest variant). Check and removal instructions from F-Secure.com

Trevor Hewson
Euan, does that mean that we will no longer be able to rely on Software Update to alert us when Java updates are needed? I know we can always rely on you of course :)

Re: OSX/Flashback.I (latest variant). Check and removal instructions from F-Secure.com

Euan Williams
It seems so, which is a pity, but we may have to wait for Oracle to get things together. Many applications do auto-alerts for updates or check for them under a Help Menu item (Acrobat Reader, Onyx, etc.).