Flashback Trojan: Making Sure Your Mac is Safe

TMO Quick Tip

The Flashback Trojan poses a potential threat to Mac users with older versions of Java installed, and according to the Russia-based antivirus company Dr. Web, over 600,000 Macs have been infected. Avoiding the Trojan is fairly easy, and checking whether you’ve fallen victim takes only a couple of steps.

The Flashback Trojan originally tried to trick users into giving up their account login by posing as a Flash installer; once installed, it disabled OS X’s built-in malware definition updater, opening the victim’s Mac to further attacks. A later version exploited a security flaw in older versions of Java to install itself automatically, with no password prompt.

To avoid getting stung by Flashback, be sure the latest version of Java is installed on your Mac. Apple released a Java update on April 4 that addresses the vulnerabilities Flashback exploits.

Since you can fall victim to Flashback simply by visiting a maliciously crafted website, it’s a good idea to make sure you have the latest version of Java installed on your Mac right away. Apple’s Java update is available for OS X 10.6.8 and OS X 10.7.3 through the Software Update application, or as downloads from the Apple Support website.

Apple doesn’t include Adobe’s Flash player as part of the OS X installation, so if you need Flash, you have to download and install it yourself. Instead of clicking a link in a Web dialog that offers to install Flash for you — a common way to get hit by Flashback — go to the Adobe website and download the installer yourself.

If you think Flashback may have found its way onto your computer, the security company F-Secure offers steps to check whether you are infected, along with options for removing the malicious files from your Mac.

  • Start by launching Terminal. It’s in Applications/Utilities.
  • Enter this command: defaults read /Applications/Safari.app/Contents/Info LSEnvironment
  • Press Return
  • If Flashback isn’t present, you’ll see this message: The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist
  • Now enter this command: defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
  • Press Return
  • If Flashback isn’t present, you’ll see this message: The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist
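The two Terminal checks above, wrapped in a small script so the verdict is printed for you instead of having to eyeball the raw output. This is an added example, not part of the TMO article or F-Secure's instructions; it assumes the macOS `defaults` command and the "does not exist" reply shown above, and reports "unknown" when `defaults` cannot be run at all.

```shell
#!/bin/sh
# Added example (not from the original article): runs the two
# `defaults read` checks from the tip and reports a verdict per key.
# Assumption: `defaults` is the macOS CLI; on other systems it is absent.

SAFARI_PLIST="/Applications/Safari.app/Contents/Info"
USER_ENV="$HOME/.MacOSX/environment"

# classify_output: map the raw stdout+stderr text of one `defaults read`
# call to a verdict. Pure text matching, so it runs anywhere.
#   clean      - the domain/key pair does not exist (the expected answer)
#   suspicious - a value came back; something set an injection variable
#                on Safari or on the user's login environment
#   unknown    - `defaults` itself could not be run, or printed nothing
classify_output() {
    case "$1" in
        *"does not exist"*) echo clean ;;
        *"not found"*)      echo unknown ;;   # shell's "command not found"
        "")                 echo unknown ;;
        *)                  echo suspicious ;;
    esac
}

# check_key DOMAIN KEY: run the real command and classify its output.
check_key() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo unknown
        return
    fi
    classify_output "$(defaults read "$1" "$2" 2>&1)"
}

# run_checks: both checks from the tip, one result line each.
run_checks() {
    printf 'Safari LSEnvironment:                       %s\n' \
        "$(check_key "$SAFARI_PLIST" LSEnvironment)"
    printf '~/.MacOSX/environment DYLD_INSERT_LIBRARIES: %s\n' \
        "$(check_key "$USER_ENV" DYLD_INSERT_LIBRARIES)"
}

run_checks
```

Anything other than "clean" on either line means the F-Secure removal steps apply; "unknown" only means the script could not run the check, not that the Mac is clean.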

[Screenshot: Jeff’s Mac is Flashback-free]

If the responses you saw were different, follow the instructions on the F-Secure website. Since it’s easy for hackers to make websites that look legitimate, be sure your Mac is up to date, and if you must run Flash, grab the installer from Adobe’s website and nowhere else.

18 Comments

dlstarr7

How did they get the number 600,000?  I am always suspicious of ‘news’ from companies that provide antivirus protection.

Lee Dronick

Did not having Java enabled stop it from trying to install? I checked all of our Macs, no infections.

Lee Dronick

The local TV news at noon reported on this and as usual they got it about 80% incorrect. I shouldn’t blame the talking head, he was probably just reading copy from producer.

furbies

I’ve just had a Macbook Pro (10.6.x) come in for a diagnostic and it’s got the blighter…

After reading up on the FlashBack Trojan, it seems it’s not so difficult to get “idiot” users to click on the button marked “OK” and then enter their Admin password.

Denis Lee

I support about 80 macs. Tiger through Lion.
I haven’t found an infection yet.

furbies

I support about 80 macs. Tiger through Lion.
I haven’t found an infection yet.

Are your users allowed out on to the “net” ?
Do your users have admin privileges ?

The idiots I deal with, couldn’t find their way out of a brown paper bag….

Lee Dronick

Question for Furbies, Dennis, and other folks more tech than I. Does this Trojan require that Java be enabled?

furbies

require that Java be enabled?

From everything I’ve read, the trojan does require Java to be enabled/active for the Trojan to install…

(If I understand it all correctly)
The early versions of FlashBack masqueraded as a Flash installer, but later versions just required a user to visit a website that “hosts” the Java delivery system.

I’ve got Java disabled at the moment but CyberDuck needs it so I turn Java on for CyberDuck(ing) and then disable Java when I’m finished.

Java can be turned on/off at: /Applications/Utilities/Java Preferences.app

But if you have the latest Java updates installed then Apple is supposed to have fixed the vulnerability….......

Lee Dronick

Thanks Furbies.

From what I remember Apple no longer ships OSX with Java, the user can download it if necessary. That may explain why so few Macs are infected.

I have CyberDuck, and use it when not working in DreamWeaver, but don’t have Java enabled.

furbies

I have CyberDuck, and use it when not working in DreamWeaver, but don’t have Java enabled.

I’m still on 10.6 (I don’t completely like Lion, I do have it on a MBP Unibody)

Have you checked that Java is turned off (if you have it installed ?) cause CyberDuck chucks a wobbly if Java is off on my Mac Pro (with 10.6.8)

I get this error if java is off: (From Console)

Apr 7 01:24:44 MacPro [0x0-0x14e14e].ch.sudo.cyberduck[5180]: [JavaAppLauncher] Requested [1.5+], launching in [(null)] instead.
Apr 7 01:24:44 MacPro [0x0-0x14e14e].ch.sudo.cyberduck[5180]: [JavaAppLauncher Error] unable to find a version of Java to launch
Apr 7 01:24:44 MacPro com.apple.launchd.peruser.502[271] ([0x0-0x14e14e].ch.sudo.cyberduck[5180]): Exited with exit code: 1

Lee Dronick

Have you checked that Java is turned off (if you have it installed ?) cause CyberDuck chucks a wobbly if Java is off on my Mac Pro (with 10.6.8)

I just checked on my MacBook Pro. Java is installed, but turned off in Safari and CyberDuck runs fine.

furbies

I just checked on my MacBook Pro. Java is installed, but turned off in Safari and CyberDuck runs fine.

Bad news Lee….

If Java is enabled then a Mac is vulnerable, although if Java is off in Safari & FireFox you should be safe from malicious websites unless of course you downloaded a Java based app from the Net…..

edit:
Actually I should have said:
Unless Java is turned off, any App you download can exploit the Java vulnerability.
(I think. I’m not a security expert or an expert in general, I’m just going off what I’ve read online)

my $0.02 AUD worth….

Lee Dronick

If Java is enabled then a Mac is vulnerable, although if Java is off in Safari & FireFox you should be safe from malicious websites unless of course you downloaded a Java based app from the Net

Okay, as someone who is more of a technical artist than an artistic technician, how does one turn off Java outside of Safari?

furbies

how does one turn off Java outside of Safari?

Java can be turned on/off at: /Applications/Utilities/Java Preferences.app

hth

Lee Dronick

Thanks Furbies. I turned it off on all of our Macs.

And yes, CyberDuck now won’t run. I will look into buying Transmit or something, or just turn on Java if I need to use CyberDuck.

Annon

Those who are having issues with CyberDuck might want to try FileZilla
http://filezilla-project.org/download.php
I found it was significantly better at large FTP transfers, has the right price (free) and does some very nice things like mirrored browsing.

furbies

Thanks Furbies. I turned it off on all of our Macs.

Lee if you’re running 10.7 (Lion) and have installed the latest Java update(s) then you should be safe leaving Java turned on.

Well as safe as one can be, assuming that Apple has fixed the security holes and that the %$#@!&* that wrote the Flashback trojan haven’t got another vulnerability to exploit

Me, I have it turned off because I’m a member of the tinfoil hat wearing brigade, and really know that there are people after me…...

Look, here comes the Black Helicopter!

Lee Dronick

Yeah I am probably okay with Java turned on, but as far as I know CyberDuck is the only app I have that uses it. I will turn it on if necessary.

Just because we are paranoid doesn’t mean that they are not after us.
