In its ongoing battle to clean up the Flashback malware mess, Apple has now released a standalone removal tool.
The downloadable utility is available exclusively for Mac owners running OS X Lion. It will not run on Mac OS X 10.6 (Snow Leopard) or earlier versions.
A description and download link are available here. The accompanying security bulletin says “This update is recommended for all OS X Lion users without Java installed.”
A Java update released on Friday, in separate downloads for OS X Lion and Snow Leopard, includes the ability to remove the malware from systems where Java is present, while simultaneously fixing the underlying vulnerability. Java for Mac OS X 10.6 Update 8 is the only Apple-supported method for removing Flashback from systems running Snow Leopard, where Java is installed automatically and cannot be removed.
This standalone tool is intended for users of OS X Lion who never installed Java but might have become infected anyway, perhaps by one of the earlier Flashback variants. Versions of the Flashback malware in circulation last fall were delivered using social engineering, with the malware installer disguised as a fake Flash updater. The widespread version that infected a large number of Macs this year installs silently, without any user interaction, when the user visits a compromised web page. The exploit takes advantage of an unpatched vulnerability in Apple's Java runtime engine.
The text of the security update is here:
About Flashback malware removal tool
This Flashback malware removal tool will remove the most common variants of the Flashback malware.
If the Flashback malware is found, a dialog will be presented notifying the user that malware was removed.
In some cases, the Flashback malware removal tool may need to restart your computer in order to completely remove the Flashback malware.
This update is recommended for all OS X Lion users without Java installed.
The Flashback malware removal tool can be obtained using Software Update as well.
The download file is named FlashbackMalwareRemover.dmg. Its SHA-1 digest is d4372b9bb14387a20567817ab7e03ea103fdffc2.
So far, Apple has confined its communication on Flashback exclusively to support pages. There is no mention of the malware on its home page, and the company has not issued any press releases. An earlier support bulletin, "About Flashback malware," has been updated to include a mention of the standalone removal tool. It also notes Apple's separate efforts to disable the network of control servers for the Flashback botnet:
In addition to the Java vulnerability, the Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions. Apple is working with ISPs worldwide to disable this command and control network.
Apple has not officially acknowledged the discontinuation of support for users of pre-Snow Leopard versions of OS X. Under the "Additional information" heading in its bulletin describing the Flashback malware, the company says: "For Macs running Mac OS X v10.5 or earlier, you can better protect yourself from this malware by disabling Java in your web browser(s) preferences."
Several security companies have reported the discovery of a different malware variant that appears to attack the same Java vulnerability. Like Flashback, this new Trojan requires no user interaction to infect your Apple Mac. Kaspersky refers to it as “Backdoor.OSX.SabPub.a” while Sophos calls it “OSX/Sabpab-A.”