A friend once asked me this question – “Is it true that Apple products are virus free?“. Well the answer to the question is not far-fetched. Russian anti-virus company Dr. Web recently reported that more than 600,000 macs got attacked by a malware as a result of users unknowingly installing the software.
So what exactly is Flashback?
Flashback is a form of malware designed to grab passwords and other information from users through their Web browser and other applications such as Skype. A user typically mistakes it for a legitimate browser plug-in while visiting a malicious Web site. At that point, the software installs code designed to gather personal information and send it back to remote servers. In its most recent incarnations, the software can install itself without user interaction.
When did it first appear?
Flashback as we know it now appeared near the end of September last year, pretending to be an installer for Adobe’s Flash, a widely used plug-in for streaming video and interactive applications that Apple no longer ships on its computers. The malware evolved to target the Java runtime on OS X, where users visiting malicious sites would then be prompted to install it on their machine in order to view Web content. More advanced versions would install quietly in the background with no password needed
How did it infect so many computers?
The simple answer is that the software was designed to do exactly that. In its initial incarnation, the malware looked very similar to Adobe’s Flash installer. It didn’t help that Apple hasn’t shipped Flash on its computers for well over a year, arguably creating a pool of users more likely to run the installer in order to view popular Web sites that run on Flash. In its newer Java-related variants, the software could install itself without the user having to click on anything or provide it with a password.
What also didn’t help is the way that Apple deals with Java. Instead of simply using Java’s current public release, the company creates and maintains its own versions. As it turns out, the malware writers exploited one particular vulnerability that Oracle patched in February. Apple didn’t get around to fixing its own Java version until last week.
What has Apple done about it?
Apple has its own malware scanner built into OS X called XProtect. Since Flashback’s launch, the security tool has been updated — two times now — to identify and protect against a handful of Flashback variants.
A more recent version of the malware, however, got around XProtect by executing its files through Java. Apple closed off the malware’s main entry point with a Java update on April 3.
Of note, the Java security fixes are only available on Mac OS X 10.6.8 and later, so if you’re running OS X 10.5 or earlier, you will still be vulnerable. Apple has stopped supplying software updates for these operating systems.
How do I tell if I have it?
Right now the easiest way to tell if your computer has been infected is to go to Dr. Web’s online Web utility. It cross-checks your Mac’s unique hardware with its own database of machines that have been compromised. If it doesn’t find your machine, you’re in the clear. Jeremiah Grossman, Chief Technology Officer at White Hat Security, told CNET via e-mail that in normal situations, it’s not a good idea to share your Mac’s unique hardware identifier, but in this case it’s safe. “Dr. Web already has a list of UUIDs, particularly of those who are infected. And that’s all they are asking the user to supply to do a simple look-up. They don’t seem to be asking for any personal information of any kind,” he wrote.
Alternately, you can run a trio of commands in Terminal, a piece of software you’ll find in the Utilities folder in your Mac’s Applications folder. If you want to find it without digging, just do a Spotlight search for “Terminal.”
Once there, copy and paste each one of the code strings below into the terminal window. The command will run automatically:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment defaults read /Applications/Firefox.app/Contents/Info LSEnvironment defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
If your system is clean, the commands will tell you that those domain/default pairs “does not exist.” If you’re infected, it will spit up the patch for where that malware has installed itself on your system.
To manually remove it. kindly visit this link for a walkthrough.
Sources: Dr.Web, Google, f-secure and Cnet News