Apple releases Flashback malware removal tool, for OS X Lion only

Summary: In its ongoing battle against the widespread Flashback malware attack, Apple has released a standalone removal tool. The utility is available only for users of the most recent version of OS X who have chosen not to install Java.

In its ongoing battle to clean up the Flashback malware mess, Apple has now released a standalone removal tool.

The downloadable utility is available exclusively for Mac owners running OS X Lion. It will not run on Mac OS X 10.6 (Snow Leopard) or earlier versions.

A description and download link are available here. The accompanying security bulletin says “This update is recommended for all OS X Lion users without Java installed.”

A Java update released on Friday, in separate downloads for OS X Lion and Snow Leopard, includes the ability to remove the malware from systems where Java is present, while simultaneously fixing the underlying vulnerability. The Java updates Apple shipped earlier in April closed the vulnerability but did not remove existing infections; only these newer releases do both. Java for Mac OS X 10.6 Update 8 is the only Apple-supported method for removing Flashback from systems running Snow Leopard, where Java is installed automatically and cannot be removed.

This standalone tool is intended for users of OS X Lion who never installed Java but might have become infected anyway, perhaps by one of the earlier Flashback variants. Versions of the Flashback malware in circulation last fall were delivered using social engineering, with the malware installer disguised as a fake Flash Player updater. The widespread version that infected the large number of Macs this year installs silently, without any user interaction, when the user visits a compromised web page. That exploit takes advantage of a vulnerability in Apple's Java runtime that was still unpatched on OS X when the attacks began.

The text of the security update is here:

About Flashback malware removal tool

This Flashback malware removal tool will remove the most common variants of the Flashback malware.

If the Flashback malware is found, a dialog will be presented notifying the user that malware was removed.

In some cases, the Flashback malware removal tool may need to restart your computer in order to completely remove the Flashback malware.

This update is recommended for all OS X Lion users without Java installed.

The Flashback malware removal tool can be obtained using Software Update as well.

The download file is named FlashbackMalwareRemover.dmg. Its SHA-1 digest is d4372b9bb14387a20567817ab7e03ea103fdffc2.

So far, Apple has confined its communication on Flashback exclusively to support pages. There is no mention of the malware on its home page, and the company has not issued any press releases. An earlier support bulletin, "About Flashback malware," has been updated to include a mention of the standalone removal tool. It also notes Apple's separate efforts to disable the network of control servers for the Flashback botnet:

In addition to the Java vulnerability, the Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions. Apple is working with ISPs worldwide to disable this command and control network.

Apple has not officially acknowledged the discontinuation of support for users of pre-Snow Leopard versions of OS X. Under the "Additional information" heading in its bulletin describing the Flashback malware, the company says: "For Macs running Mac OS X v10.5 or earlier, you can better protect yourself from this malware by disabling Java in your web browser(s) preferences."

Several security companies have reported the discovery of a different malware family that appears to attack the same Java vulnerability. Like Flashback, this new Trojan requires no user interaction to infect a Mac. Kaspersky refers to it as “Backdoor.OSX.SabPub.a” while Sophos calls it “OSX/Sabpab-A.”

Talkback

39 comments
  • Honestly

    I think those of us who use Macs have to realize that we are second class citizens of the iOS crowd in Apple's eyes.
    slickjim
    • A Sad Reality

      Ostracized.

      SL updated.... Now back to my pc....... :|
      rhonin
  • Apple needs their own Malicious Software Removal Tool (TM) for OS X

    [i]This standalone tool is intended for users of OS X Lion who never installed Java but might have become infected anyway, perhaps by one of the earlier Flashback variants. Versions of the Flashback malware in circulation last fall were delivered using social engineering, with the malware installer disguised as a fake Flash updater.[/i]

    So, a subpopulation of OS X users duped by a Flashback social engineering attack have been using their infected OS X systems since last Fall (2011). That's close to six (6) months.

    Microsoft released their Malicious Software Removal Tool (TM) in 2005 which runs every patch Tuesday as part of Windows (and Microsoft) Update to automate the removal of malware infections on Windows PCs. The tool also supports on-demand scanning.

    Looks like Apple needs similar capability so that they don't have to keep crafting custom tools to remove the infection of the month.
    Rabid Howler Monkey
    • Error

      Error
      Mikael_z
    • Or go to a package repository..

      ...like Linux does.
      ScorpioBlack
  • Is Ed Bott the Rush Limbaugh of Computing?

    This story reads like one of those political attack ads we are all tired of seeing. While nothing is false, what is included and excluded appears presented in a way that creates a bad impression of Apple. The reader is left to draw conclusions with critical information missing. For example, the new removal tool is only provided for OS X.7 because OS X.6 is already fully covered by Apple's previously provided update. There is no evil behind Apple's actions. Shame on Ed Bott!
    TXOXY
    • Did you READ the post?

      Fer crying out loud, how much clearer could this be?

      "A Java update released on Friday, in separate downloads for OS X Lion and Snow Leopard, includes the ability to remove the malware from systems where it's present, while simultaneously fixing the underlying vulnerability. Java for Mac OS X 10.6 Update 8 is the only Apple-supported method for removing Flashback from systems running Snow Leopard, where Java is installed automatically and cannot be removed.

      "This standalone tool is intended for users of OS X Lion who never installed Java but might have become infected anyway, perhaps by one of the earlier Flashback variants..."
      Ed Bott
      • I read your post carefully and several times.

        I wanted to be fair, even if you were not.

        Example, you wrote: "The utility is available only for users of the most recent version of OS X who have chosen not to install Java."

        Technically, nothing false here, but the accurate/useful way to write it would be "The utility is needed only by users of the most recent version of OS X who have chosen not to install Java."

        Using the word "available" implied that Apple was withholding something. The reality is that the utility provides nothing useful to those running OS X.6 or OS X.7 + Java. They had already been taken care of on Friday.
        TXOXY
      • It's not good for business to let people know

        @TXOXY
        that it's not the Mac which is all that remarkable but MS Windows which is terrible in so many ways like with security. Microsoft should retire their OS business entirely and leave room for the superior alternatives like the Mac, but I believe that the more or less natural market forces will take care of this anyway. Microsoft isn't all that successful with their Windows phones, just to give a hint of things to come (probably)...
        Mikael_z
      • @Mikael_z

        That has got to be the biggest amount of BS I have ever heard of in my entire life.
        The one and only, Cylon Centurion
      • Is the statement that

        @Cylon Centurion
        Microsoft Windows is the platform with the biggest problems with malware ever in IT history complete BS too perhaps? This is exactly why we read fishy articles here about alleged Mac malware.
        Mikael_z
      • Wow Mikael_z, what an insightful statement

        [i]Microsoft Windows is the platform with the biggest problems with malware ever in IT history[/i]

        It's also the biggest platform in history, so I guess you're stating what, the obvious?

        Well, DUH!!
        William Farrel
      • @TXOXY and @Mikael_z...

        ...sounds like a Windows fanboy playing sock puppet games. ;)
        ScorpioBlack
    • Ahem

      @TXOXY
      The previous update merely closed the (current) infection vector. If your Mac has already been infected, patching the Java vulnerability does nothing to prevent the malicious application from running.

      Your allegiance to Apple is admirable (Defend the hive!), but I think you somehow have to come to terms with them not being perfect.
      honeymonster
      • Not true

        The Thursday (4/12) Java updates, 003 for Lion and Update 8 for SL, WILL remove most common variants of the Flashback malware. The initial updates from several days earlier (001/002 and Update 7, respectively) did not have removal capability built in.
        Ed Bott
      • Wow, really?

        You are obviously new here. Ed Bott is anything but an Apple fanboy. He is the only one around here that will report on any Apple related security issues. Everyone else on ZDNet is too busy figuring out how they can regurgitate the same iPad/iPhone story so that they can come up with a new fluffy iHeadline while ignoring anything and everything that could make Apple look bad.

        Who doesn't know that?

        Here is a classic example:
        http://www.computerworld.com/s/article/9196118/Apple_smashes_patch_record_with_gigantic_update

        So in that case, Apple broke all security records yet ZDNet forgot to write a single blog about it. None. Whatsoever. Unfortunately that happened before Ed started reporting on Apple related issues that everyone else conveniently forget to mention.

        To Ed: Keep up the good work. BTW, do you know if we get ZDNet stories for each patch that Apple releases? If not, we should. Apple certainly releases a lot of patches yet it feels we never hear anything about it:

        http://support.apple.com/kb/HT1222

        I mean, this is done for each patch MS releases, why not each patch Apple releases? And you'll get a lot of clicks as the Apple fans try to spin each patch into something Magical.
        Qbt
  • Blank

    error
    dwb124
  • Apple say they care about security, that's in big letters on their homepage

    Of course it's not on their homepage, they'd have to publicly admit Macs can and do get malware then.

    It's also very poor this removal tool only works with Lion. How are Snow Leopard and Leopard users supposed to get rid of the malware if infected?
    bradavon
    • See what I mean, Ed?

      Bradavon writes: "How are Snow Leopard and Leopard users supposed to get rid of the malware if infected?" That is exactly what I was calling you out for. A very false impression created by your choice of words.
      TXOXY
      • That's not my fault, it's Apple's fault

        Apple is the one that released a removal tool only for Lion. In their descriptive text, they don't mention that other platforms don't need it. Maybe you should go squawk at them?

        For what it's worth, my peers who do support on Apple forums are annoyed that Apple released this the way they did. Like me, they have already been asked by many people where the one for Snow Leopard is, and this is BEFORE they even saw my post.

        I don't know what your agenda is, but I'm satisfied that I wrote an accurate and informative post. Sorry you disagree.
        Ed Bott