Apple Developing Mac App to Remove Flashback Infections



Apple is developing a tool to detect and remove the Flashback malware, the company announced via its support page today (via The Loop).

The Flashback malware, a trojan horse, struck Mac OS X systems in force late February, taking advantage of a vulnerability in the version of Java that comes embedded in OS X. The malware first made its appearance in September 2011, masquerading as an installer for the Adobe Flash Player before the new Java variant surfaced in February.

Apple released two Java updates last week to patch the vulnerability in Java and prevent new infections, but those updates do not remove an infection that already exists on the Mac. Users who have already been infected must remove the trojan manually.

Apple now states that it is developing official software that will “detect and remove the Flashback malware,” although the company did not indicate an expected release date. It also says it is “working with ISPs worldwide” to disable the remote servers that control the infected computers.

Russian antivirus company Dr. Web estimated last week that over 600,000 Macs have been infected thus far, making this one of the largest and most significant security issues in the Mac’s history.

Dr. Web had been using “spoofed” command and control servers to communicate with infected computers in an effort to monitor the spread of the infection. In a heavily criticized move, Apple attempted to shut down the Dr. Web servers, as the Cupertino company was unable to distinguish them from the actual malevolent command and control servers.

While Apple’s shutdown request is being viewed by most as an “honest mistake,” some are pointing to the move as a dangerous example of Apple’s inexperience when it comes to security issues. Boris Sharov, CEO of Dr. Web, noted that his company maintains close ties with Microsoft’s security teams, but that they “don’t know the antivirus group inside Apple.”

“These are not pleasant days for them,” Mr. Sharov said. “They’re not thinking about us. The safety of Macintosh computers is going down very quickly, and they’re thinking what to do next. They’re thinking about how to manage a future where the Mac is no longer safe.”

Mac users with OS X 10.6 and 10.7 should run Software Update to ensure that they have the latest Java updates from Apple, and should follow the instructions found here to ensure that they have not unknowingly become infected.

Apple has not released a Java update for OS X 10.5 and earlier, and recommends that users on those versions of OS X disable the Java web plug-in in their Web browser.

If Apple is “too little too late”, then what in the name of all that is digital is Microsoft and the problems that Windows users have been subjected to for years and years?

Is this Flashback Infection event a problem? Not sure. I am not infected. Ran all of the possible tests - both AppleScript tests and Terminal command-line tests - and I am clean.

So, I just hope most newbies to the Mac world pay attention to the 3 basic rules of internet browsing:

Do not download anything from a website you do not know,

Do not allow any application to automatically install.

Do not use your admin account as your main account - period!


Lee Dronick

Is this Flashback Infection event a problem? Not sure.

Supposedly they are sure that 600,000 Macs were infected, but what is that percentage of total Macs online? I think what helped keep the numbers down is that Macs no longer ship with Java installed. One of the regulars here who manages quite a few Macs found an infected one.

I am curious about what websites were delivering Flashback.


apple script tests

YankInOz, can you point me to the AppleScripts?


furbies (in Oz)


“Users who have already been infected must remove the trojan manually.”

This makes it much less severe than most Windows viruses, which install themselves so deeply in the OS that you can’t remove them. Manually removing the trojan is a simple matter of running a couple of commands and deleting a couple of files. Apple’s naked OS is still pretty secure, though of course not perfect.
