This article originally appeared in TidBITS on 2012-04-12 at 2:23 p.m.
The permanent URL for this article is: http://tidbits.com/article/12934

Apple Releases Flashback Malware Removal Tools

by Glenn Fleishman and Rich Mogull

A pair of Java updates from Apple [1] — Java for OS X Lion 2012-003 [2] and Java for Mac OS X 10.6 Update 8 [3] — remove the most common variants of the Flashback malware from Mac OS X 10.7 Lion and 10.6 Snow Leopard (see “How to Detect and Protect Against Updated Flashback Malware [4],” 5 April 2012). The Lion update also temporarily disables Java applets in Web pages. You can use Software Update to install the appropriate update or download it directly.

Since the Java updates by definition require Java, which is optional in Lion, Apple separately released a Flashback removal tool [5] for Lion users that you can run even if Java has never been installed. It must be downloaded [6] and run manually.

When you install the appropriate Java update, the Flashback removal tool runs automatically in the background and notifies you if a Flashback malware variant is found and removed; otherwise, the installation proceeds without comment.

Apple also says that, in Lion, the update immediately disables [7] the Java browser plug-in and Java Web Start, effectively preventing the unintentional use of Java applets in a Web browser. Since the restriction is enforced within the Java browser plug-in itself, it applies to all installed Web browsers in Lion, not just Safari.

To re-enable Java for use in Web pages, you must use the Java Preferences program, found in /Applications/Utilities. But even after you re-enable Web page use, Lion disables Java again after 35 days if it isn’t used at least once on a Web page during that time. Apple’s intent is to prevent Java from being used as a drive-by vector for malware infection among users who don’t need Java active for Web pages.

Although Apple labeled these updates as pertaining to Java, their sole purpose is to remove Flashback and disable the browser plug-in; the rest of Java appears to be unaffected.

If you use Firefox, you may receive an error when you check whether the Java plug-in is up to date after applying Apple’s update. This is a cosmetic caching problem that doesn’t affect security. To learn more about Firefox’s incorrect reporting of the installed Java plug-in version, see “Fix Firefox to Show Updated Java Plug-In [8]” (10 April 2012).

Estimates from anti-malware vendors put Flashback infections at over 600,000 at their height on 6 April 2012. Symantec said [9] that it measured fewer than 300,000 infected machines on 11 April 2012, due to the use of manual removal instructions and automated tools. Apple was tardy in releasing an update to its version of Java for the bug exploited by Flashback’s programmers, which Oracle had patched in the main Java tree for other platforms about two months prior.

Apple provided protection against earlier versions of Flashback using an anti-malware feature built into Lion and Snow Leopard. Called XProtect, this feature checks downloaded programs on first launch (using Launch Services) for signatures matching known malware based on a list Apple maintains. Since the current version of Flashback exploits Java directly and circumvents Launch Services, XProtect is unable to stop this particular infection.

[1]: http://support.apple.com/kb/HT5247
[2]: http://support.apple.com/kb/DL1515
[3]: http://support.apple.com/kb/DL1516
[4]: http://tidbits.com/article/12918
[5]: http://support.apple.com/kb/HT5254
[6]: http://support.apple.com/kb/DL1517
[7]: http://support.apple.com/kb/HT5242
[8]: http://tidbits.com/article/12929
[9]: http://www.macworld.com/article/1166330/flashback_mac_botnet_shrinks_says_symantec.html