April 12, 2012
A lot of noise has flooded into the net over the last few days surrounding a piece of malware called “Flashback.” Here’s what you need to know:
1 – What is it?
– First things first, it is NOT a virus. Computer viruses are malicious programs capable of copying themselves across networks. The user doesn’t have to do anything to get infected.
– It is, however, a trojan. Trojans (named after the famous horse in Homer’s writings) get on your computer by pretending to be, or hiding themselves in, some software you want to install. You get tricked into running some software, such as an update to Flash Player as in this case, and the malware gets installed instead.
– This particular trojan installs a back-door into your Mac, that allows malware writers to check in with websites and download other software you don’t want onto your machine over time. It does this by forcing your web browsers to load pages any time they are opened up (and silently); and it forces the browsers to open up just in case you weren’t planning on doing that yourself.
– More insidiously, the malware disables the native, limited, virus protection system in OS X, and therefore this program can render your machine vulnerable to older, known threats.
– Both Snow Leopard and Lion are vulnerable if you installed Java. Since many applications use Java, the Java runtimes are most likely already installed on your Mac.
2 – How do I get it?
Flashback is downloaded from websites where you see alerts that you need to update Adobe Flash Player (which is where it gets its name). Since the malware has been carefully built to look like an Adobe Flash installer, many users think they’re just getting updated software and authorize the installer with their Administrator Password.
That’s all it takes, as once the trojan has your admin password, it has free rein to do whatever it wants.
3 – How do I know if I have it?
Finding Flashback is a little tricky. There are some apps that seem to be able to detect it, but that means downloading and installing another app, which may not be the best method. Instead, look in the Utilities folder in your Applications folder and look for the Terminal app.
Then, in Terminal, copy and paste the following three commands, hitting the Enter key after each one:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read /Applications/Firefox.app/Contents/Info LSEnvironment
After you run each command, you should see a message that ends in “… does not exist” If you have any other response except one that ends with that phrase (does not exist) then you have most likely got a Flashback infection. Thanks to Wired.com for the instructions
4 – How do I get rid of it?
Removal of Flashback is not easy or automated. There will be a removal app from Apple in the near future, but you should not wait. F-Secure has a set of instructions for manual removal that you can perform today, but they’re not a set of simple point-and-click things. You’ll have to use Terminal, and keep a notepad handy to keep track of information.
Reach out to an expert if you need assistance, as you definitely don’t want this hanging out on your Mac until Apple finally releases the automated Flashback Remover app.
5 – OK, my Mac is clean (or I cleaned it up), now what?
First, make sure you update your Mac with the latest OS X software. Click the Apple menu and choose “Software Updates…” to check for new software and tools from Apple. The latest updates for Snow Leopard and Lion have security updates to Java that block Flashback from being able to install. I do this once a week, though it’s very rare that Apple releases more than one set of updates per month.
Next, install anti-malware software. We all know that Macs are not immune from malware, and you need to protect yourself. Sophos, Intego and others make great anti-malware software for Macs. Sophos Anti-Virus for Mac (which I’m currently using) is even free for home use.
Also, get a two-way firewall package if you can afford it. For example, Little-Snitch is a great tool that is very user-friendly and lets you know when things on your Mac are trying to talk to the outside world. You can choose to allow the connection once, forever, or block it if you think it shouldn’t be phoning home.
Little-Snitch is so good at its job that the makers of Flashback wrote a special routine into the software to look for it, and give up trying to install if L-S is installed. It’s not free (it’s about US$30) but definitely worth it if you have the funds available.
Finally, always remember to only accept application updates from one of three sources:
1 – You used the “Check for Updates” system inside the application itself.
2 – The update is delivered via the “Software Updates…” system in OS X
3 – You went to the vendor’s site manually (not via a link or in an email) and download the update directly from them
Any other time software wants to update, or install for that matter, cancel out and seek that software from one of the three sources above.
Stay clam, stay safe, and remember that every OS can be hit with malware. This isn’t the first time it’s happened on a Mac, and it certainly won’t be the last.