F-Secure provides anti-Flashback tool for Macs

The software automatically detects and quarantines the Trojan thought to have infected up to 600,000 Macs, according to F-Secure, which has said it is surprised Apple has not moved to counter the OS X botnet more comprehensively.

F-Secure has created a free tool to help Mac users remove the Flashback Trojan from their computers, after reports that the malware had infected more than half a million Apple systems.

The security company released the software, which automatically detects and quarantines the malware, on Wednesday. Apple is building its own Flashback removal tool but has not delivered it yet.

"The tool creates a log file on [the] current user's desktop," F-Secure chief research officer Mikko Hypponen wrote in a blog post. "If any infections are found, they are quarantined into an encrypted ZIP file to the current user's home folder. The ZIP is encrypted with the password 'infected'."

Flashback appeared late last year as a social-engineering scam, trying to fool Mac OS X users into downloading phoney Flash updates. More recently, it started to exploit a Java vulnerability instead.

Last week, Russian antivirus firm Dr Web said a Flashback botnet had developed across 600,000 Macs — by far the biggest malware scare to hit Apple's desktop operating system yet. However, Symantec suggested on Wednesday that the number of active infections has halved since then.

In his blog post, Hypponen suggested that Apple could be doing more to protect its users. The Mac maker has released Java patches for its most recent OS X versions — Lion and Snow Leopard — but not for earlier generations.

"Quite surprisingly, Apple hasn't added detection for Flashback — by far the most widespread OS X malware ever — to the built-in Xprotect OS X antivirus tool," Hypponen said. "Also note that Apple has not provided a patch for the Java vulnerability used by Flashback for OS X v10.5 (or earlier). More than 16 percent of Macs still run OS X 10.5."

Dr Web's attempts to warn Apple of the botnet's emergence had been met by silence, the company's chief executive Boris Sharov told Forbes on Monday. He said Apple had tried to have Dr Web's registrar shut down one of its domains, which was being used as a 'sinkhole' to monitor and analyse the botnet, and which would have appeared to have been controlling part of it.

"They told the registrar this [domain] is involved in a malicious scheme. Which would be true if we weren't the ones controlling it and not doing any harm to users," Sharov told Forbes. "This seems to mean that Apple is not considering our work as a help. It's just annoying them."
