Normally, this is the part of the week where I review an app and post the “App of the Week”. However, this past Monday, the computer lab where I work was inundated with Macs infected with the Flashback malware. So instead of writing a post about a cool app to install, I decided it would be better to write a tutorial on how to remove a certain unwanted “app” from your Mac.
WHAT IS FLASHBACK?
Flashback is a piece of malware known as a trojan, named after the Trojan Horse story in the Iliad. The trojan poses as an installer/updater for Adobe Flash, a common plugin used by multimedia sites such as YouTube and Pandora, by web ads, and more, and gets you to install the program. But instead of installing Flash, it installs the Flashback trojan. Earlier versions required your Administrator password to install the trojan, and later versions would uninstall themselves if they detected certain anti-virus products running on your Mac. The most recent versions, however, can install without your password and without your knowledge.
Simply put, it steals your passwords: email, bank accounts, games, everything. If you type in a password, Flashback will steal it. Even if you do remove the virus, the bad guys could still have your private information.
HOW TO DETECT AND REMOVE
If you’ve been looking around the Internet for how to remove Flashback, you’ve probably run into Terminal commands for detecting it. Unfortunately, they don’t really work too well, and here’s why. The Terminal isn’t actually looking for Flashback, but for certain Java files that may indicate that Flashback is on your system. Unfortunately, if you have run anything that is or requires Java, the Terminal will report that you have some of those files. Such programs include Minecraft, RuneScape, OpenOffice, LibreOffice, NeoOffice, Java coding utilities like BlueJ and Eclipse, and so on. You can run a tool like Flashback Detector from GitHub, which runs these scripts for you. However, I ran the scripts both manually and with the automatic tools on the first three infected Macs I received, and only one of them returned a positive through either method, even though all three were infected.
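The Terminal-based detectors mentioned above boil down to a couple of `defaults read` checks that F-Secure published in its manual removal instructions: they look for a DYLD_INSERT_LIBRARIES entry that the trojan plants in Safari’s (or Firefox’s) Info.plist under LSEnvironment, or in ~/.MacOSX/environment.plist. The script below is an added example written for this post, not code from the post, from F-Secure, or from the GitHub detector; the helper names (scan_env_file, probe, check_flashback_hooks) and the sample plist text used in the comments are my own. It does not look at Java at all, so having Minecraft or Eclipse installed will not trip it, but, as noted above, a negative result does not prove the Mac is clean.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the DYLD_INSERT_LIBRARIES
# checks from F-Secure's manual Flashback removal instructions.
# On a stock Mac none of the locations probed below carry a DYLD_INSERT_LIBRARIES
# entry, so its presence is a strong indicator; its absence is not proof of a clean system.
# Helper names are my own (hypothetical), not tool or vendor names.

# scan_env_file FILE
# Return 0 if FILE contains a DYLD_INSERT_LIBRARIES key, 1 otherwise.
# FILE may hold the output of `defaults read` or an XML plist; both spell out the key name.
scan_env_file() {
    grep -q 'DYLD_INSERT_LIBRARIES' "$1"
}

# probe LABEL COMMAND...
# Run COMMAND (a `defaults read` call), capture its output and scan it.
# A missing key makes `defaults read` exit non-zero, which simply means "not present".
probe() {
    probe_label=$1
    shift
    if "$@" >"$probe_tmp" 2>/dev/null && scan_env_file "$probe_tmp"; then
        echo "INDICATOR: DYLD_INSERT_LIBRARIES present in $probe_label"
        probe_found=0
    fi
}

# check_flashback_hooks
# Exit status: 0 = indicator found, 1 = nothing found, 2 = cannot run (not macOS).
check_flashback_hooks() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not available; this check only runs on macOS" >&2
        return 2
    fi
    probe_tmp=$(mktemp) || return 2
    probe_found=1
    probe "Safari Info.plist LSEnvironment"  defaults read /Applications/Safari.app/Contents/Info LSEnvironment
    probe "Firefox Info.plist LSEnvironment" defaults read /Applications/Firefox.app/Contents/Info LSEnvironment
    # Read the whole domain here so the key name appears in the output.
    probe "$HOME/.MacOSX/environment.plist"  defaults read "$HOME/.MacOSX/environment"
    rm -f "$probe_tmp"
    if [ "$probe_found" -ne 0 ]; then
        echo "no DYLD_INSERT_LIBRARIES hook found (this does not prove the Mac is clean)"
    fi
    return "$probe_found"
}

# Usage: sh flashback_check.sh --scan
case "${1:-}" in
    --scan) check_flashback_hooks ;;
esac
```

Run it with `--scan` on the Mac in question; a line beginning with INDICATOR means the injected-library hook is in place and the removal steps below apply. A clean result only says that this particular hook is absent, which matches the author’s experience that these scripts miss some infected machines.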
You can also check with Dr. Web’s online tester, which compares your Hardware UUID against its own records of which computers have been infected. To find your Hardware UUID, click the Apple logo in the top left-hand corner of your Mac and choose About This Mac. Then click “More Info” followed by “System Report” in Lion, or just “More Info” on previous versions. Select Hardware in the left sidebar and find the Hardware UUID number. This checker will not tell you whether you are still infected, but it will tell you when you were infected and the last time Flashback phoned home. This method seems to me to be the better way to check for the trojan. Kaspersky also has a handy web checker at http://www.flashbackcheck.com/ that essentially does the same thing as Dr. Web’s.
Using the Terminal to try to remove the virus may be problematic. There are tools out there that can help you remove it, but for best results you will need Internet access.
If you have Internet access: First, update to Apple’s latest version of Java, which includes a Flashback removal tool that removes “the most common variants” of the Flashback malware. You can download it through Apple’s Software Update, or by using this link. It only runs on OS 10.6 Snow Leopard and higher.
I recommend Kaspersky’s removal tool, which scans exclusively for all the variants of Flashback and any related files. It runs very fast and is available for OS 10.5 and higher. Occasionally, however, I found it wouldn’t run or needed an update, and reinstalling it fixed nothing. You can also try F-Secure’s removal tool, which runs the same Terminal commands that the manual removal instructions recommend. You can download that from CNet here.
Whether it works or not, your next step is to download a copy of Sophos Anti-Virus for Mac Home Edition, which is free from Sophos and is available for Macs running OS 10.4 (“Tiger”) or higher. Once installed, keep updating it until you are sure you have the most recent definitions. You may wish to change Sophos’ settings to move the virus elsewhere rather than have it deleted automatically. Either way, once the scan finishes, which should take an hour or two for the whole hard drive, hit the clean-up button, and you are done.
However, on a few infected Macs, I ran into an issue where Sophos could not detect the malware. I then used another tool from Dr. Web, the firm that initially sounded the alarm about Flashback and created the online checker mentioned above. They have a free tool in the Mac App Store called Dr. Web Light which can remove the trojan. However, since the tool is available only in the Mac App Store, it only works on Macs running OS 10.6 (“Snow Leopard”) or higher. You can also put the tool onto a flash drive and run the scanner from there, which is nice. When it has finished scanning, you should see a Java file ending in .juschd, which is the trojan. Hit “Neutralize”, or tap the arrow on that file and click “Delete” to remove it from your Mac. Once all that is done, it wouldn’t hurt to run any or all of these three scans again.
If you don’t have the Internet:
If you don’t have the Internet, you can’t use Dr. Web or Sophos because they will need to update their virus definitions before scanning. You can remove it manually by following F-Secure’s directions on how to remove Flashback manually. There are a couple of caveats: First, the virus is constantly changing, meaning that the directions you see will have to be updated. F-Secure has been updating these directions in a timely manner, and they do provide links to more recent directions. The bigger caveat is that these directions require a lot of digging around in OSX’s system files and require use of the Terminal, so they are not for the faint of heart. If you don’t feel like removing it through this manual method, either take it to a Mac expert to work on, or get an Internet connection to run the tools mentioned above.
If you have access to a computer that does have Internet access, or just have a friend who does, download Kaspersky’s newly created removal tool. Since it doesn’t need any further updates to run after the initial download, it makes for a really simple and effective tool to use.
Your last option, the one guaranteed to completely remove the trojan, is to do a clean install of your copy of OSX. You will need to grab your install disks, or boot into Lion’s recovery mode, to reinstall the OS completely. This is really a last resort, but it is 100% effective at removing Flashback.
Congratulations! You’ve removed Flashback, so now you can go about your merry way, right? WRONG. Flashback got onto your Mac because you had a security hole in your system, and it needs to be patched. Once you have an Internet connection, update your Mac until there is nothing left in your Software Update queue to install. This especially applies to any updates labelled OSX update, Java, and/or Security. Apple has already patched the hole in Java on OS 10.7 “Lion” and 10.6 “Snow Leopard”, but it will not be updating previous versions of OS 10, including 10.5 “Leopard”. Users of those versions should install all of their updates anyway, but will also need to keep running an antivirus.
Once you have finished updating your Mac, it wouldn’t hurt to scan again. You might also think about just disabling Java if you don’t need it. This can be done on OS 10.5 and later systems. Go to your Applications folder, open the Utilities folder, and open the Java Preferences app. Under the General tab, uncheck the box that says “Enable Applet plug-in and Web Start applications” on Snow Leopard and Lion. On Leopard, disable all the versions of Java capable of running in the checklist. You should also go to the Network tab and clear the caches/delete temporary files, then uncheck the box that says “Keep temporary files for fast access”. However, if you constantly use Java apps online, you should skip these steps, because you may no longer be able to run Java web programs, as well as certain desktop Java apps. For most people, this shouldn’t be a problem though.
The last step, and by no means the least, is to change all of your passwords. As I stated before, Flashback is a password stealer and actively transmits your personal info back to its home base. Change any and every password that you have used since you were infected. Better yet, change all of your passwords. Anything that deals with sensitive information or money, such as bank accounts, Facebook, email, etc., should be changed immediately. Several students were changing their passwords while their Macs were being repaired and noted that their various accounts were reporting suspicious activity and access. For example, one student said his birth date on Facebook had been changed, while another reported that his email was last accessed in Japan (he had never been to Japan). You will also want to check with your bank and your email accounts for any transactions or messages sent that you don’t recognize. The sooner you can report fraud, the sooner it can be stopped and the better off you will be.
What Flashback has proven, as MacDefender did last year, is what I and others have been saying for a long time now: the Mac is not an impenetrable fortress, and it was only a matter of time before OSX would be attacked. Honestly, I wish I were wrong, and the amount of Windows malware is still drastically higher than that of Mac malware. Flashback doesn’t need to be a cause for mass panic in the Apple community, though. Nor does it make the Mac platform any worse; it only goes to show that no system is without flaws and that users of any computer system need to be vigilant about what they do online, where they go, and how secure they really are.
If you have any questions, comments, or suggestions about this or any other topic, leave a comment below or email me at firstname.lastname@example.org. You can also check me out on Facebook, Twitter, and YouTube by hitting the buttons at the top of your screen. You can also check out my Google Plus. Thanks!
UPDATED: April 12 at 2:10 pm to link to the F-Secure removal tool.
UPDATED: April 12 at 5:41 pm to cover Apple’s new Java update and removal tool.
Very useful blog. Keep up the good work.
Fantastic blog, very useful info. Thanks a bunch! 🙂
I run an old iBook G4 with OS 10.4.11 and I don’t think UUID exists on it..
I’m a little concerned because my bank’s website detected a “new computer” today when I tried to visit it, so I didn’t enter my password and tried to get info about potential malware like Flashback before I do anything.
Is there any useful tool for such older versions of OS X?
Thanks for the blog!
Unfortunately, Apple has stopped providing any significant updates to 10.4. There also aren’t many tools left that run on 10.4 because it is an older system. Upgrading to a newer machine might be in your future. OS 10.4 also doesn’t have a UUID, which wasn’t added until OS 10.5, so most of the online checking tools won’t work with your machine.
All that being said, there are a few things you can do. First, make sure you do have all the updates for your system.
Second, to check for the malware, download and install Sophos Antivirus for Mac Home Edition. It’s free, and it’s one of the only free antiviruses that still runs on 10.4. Here’s the link: http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition/system-requirements.aspx
Third, you can change your DNS settings to something more secure. DNS is basically your Internet’s phonebook, and some services run more secure DNS servers. Google provides one, but I like OpenDNS, which actively blocks Flashback. Here’s how to change your DNS settings:
1. Go to System Preferences -> Network -> click “Advanced”
2. Click the “DNS” tab and then the “+”
3. Paste or type in 188.8.131.52 and 184.108.40.206.
4. Click the “+” under search domain and type or paste in “opendns.org”
Lastly, whether or not you have been infected, it wouldn’t be a bad idea, after going through the above steps, to go through and change your passwords, especially anything dealing with personal information: bank accounts, email, Facebook, etc. If you happen to be infected, it would be better to wait until you’re clean again before changing this information. You can always use a tool like LastPass to help you create or at least manage your passwords. You can look at it at lastpass.com. Hope this helps!