Category Archives: Security
Normally, this is the part of the week where I review an app and post the “App of the Week”. However, this past Monday, the computer lab where I work was inundated with Macs infected with the Flashback malware. So instead of writing a post about a cool app to install, I decided it would be better to write a tutorial on how to remove a certain unwanted “app” from your Mac.
WHAT IS FLASHBACK?
Flashback is malware known as a trojan, named after the Trojan Horse story in the Iliad. The trojan poses as an installer/updater for Adobe Flash, a common plugin used by multimedia sites such as YouTube and Pandora, by web ads, and more, and gets you to install the program. But instead of installing Flash, it installs the Flashback trojan. Earlier versions required your Administrator password to install the trojan, and later versions would uninstall themselves if they detected certain antivirus products running on your Mac. The most recent versions, however, can install without your password and without your knowledge.
Simply put, it steals your passwords: email, bank accounts, games, everything. If you type in a password, Flashback will steal it. Even if you do remove the virus, the bad guys could still have your private information.
HOW TO DETECT AND REMOVE
If you’ve been looking around the Internet for how to remove Flashback, you’ve probably run into Terminal commands for detecting it. Unfortunately, they don’t really work too well, and here’s why. The Terminal isn’t actually looking for Flashback, but for certain Java files that may indicate that Flashback is on your system. Unfortunately, if you have run anything that is or requires Java, the Terminal will report that you have some of those files. Such programs include Minecraft, RuneScape, OpenOffice, LibreOffice, NeoOffice, Java coding utilities like BlueJ and Eclipse, and so on. You can run a tool like Flashback Detector from GitHub, which runs these scripts for you. However, I ran the scripts both manually and with the automatic tools on the first three infected Macs I received, and only one of them returned a positive through either method, even though all three were infected.
You can also check with Dr. Web’s online tester, which compares your Hardware UUID against its own records of which computers have been infected. To find your Hardware UUID, click the Apple logo in the top left corner of your Mac and choose About This Mac. Then click “More Info” followed by “System Report” in Lion, or just “More Info” on previous versions. Select Hardware in the left sidebar and find the Hardware UUID number. This checker will not tell you if you are still infected, but it will tell you when the Mac was infected and the last time Flashback phoned home. This method seems to me the better way to check for the trojan. Kaspersky also has a handy web checker at http://www.flashbackcheck.com/ that does essentially the same thing as Dr. Web’s.
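To make the detection caveat concrete, here is an added example (not code from the original post or from any of the tools it mentions) of the two kinds of indicator a local check can look for: a library injected into Safari’s launch environment via the LSEnvironment / DYLD_INSERT_LIBRARIES key in its Info.plist, which is what the published manual Terminal checks read (this mapping is my assumption), and files whose name ends in .juschd, the indicator the removal steps further down this page describe. The sample directory tree and plist contents are constructed inside the script so it runs offline; the injected library path is a made-up placeholder, not a real indicator.

```python
import os
import plistlib
import tempfile

# Constructed sample: an Info.plist with a library injected through LSEnvironment.
# The library path is a placeholder invented for this example.
INFECTED_PLIST = {
    "CFBundleName": "Safari",
    "LSEnvironment": {"DYLD_INSERT_LIBRARIES": "/placeholder/injected.dylib"},
}
CLEAN_PLIST = {"CFBundleName": "Safari"}


def check_launch_environment(plist_path):
    """Return the DYLD_INSERT_LIBRARIES value from a bundle's Info.plist, or None.

    A clean Safari has no LSEnvironment entry at all, so any value here is
    worth investigating; a missing or unreadable plist simply yields None.
    """
    try:
        with open(plist_path, "rb") as fh:
            data = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException):
        return None
    env = data.get("LSEnvironment")
    if not isinstance(env, dict):
        return None
    return env.get("DYLD_INSERT_LIBRARIES")


def find_juschd_files(root):
    """Walk a directory tree and return every file whose name ends in '.juschd'."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(".juschd"):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def scan(root):
    """Combine both checks for a tree laid out like '<root>/Safari.app/Contents/...'."""
    plist_path = os.path.join(root, "Safari.app", "Contents", "Info.plist")
    return {
        "dyld_insert": check_launch_environment(plist_path),
        "juschd_files": find_juschd_files(root),
    }


def build_sample_tree(infected=True):
    """Create a constructed sample tree in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="flashback_demo_")
    contents = os.path.join(root, "Safari.app", "Contents")
    os.makedirs(contents)
    with open(os.path.join(contents, "Info.plist"), "wb") as fh:
        plistlib.dump(INFECTED_PLIST if infected else CLEAN_PLIST, fh)
    # A harmless Java file that a naive 'look for Java files' check would flag.
    library = os.path.join(root, "Library", "Java")
    os.makedirs(library)
    open(os.path.join(library, "MinecraftLauncher.jar"), "wb").close()
    if infected:
        open(os.path.join(library, ".update.juschd"), "wb").close()
    return root


if __name__ == "__main__":
    for label, tree in (("infected", build_sample_tree(True)), ("clean", build_sample_tree(False))):
        print(label, scan(tree))
```

Note that the ordinary .jar file is deliberately never reported: the script flags only the injection entry and the .juschd name, which is the distinction the paragraph above is making about false positives from merely having Java installed.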
Using the Terminal to try to remove the virus may be problematic. There are tools out there that can help you remove it. However, for best results you will need the Internet.
If you have Internet access: First, update to Apple’s latest version of Java, which includes a Flashback removal tool that removes “the most common variants” of the Flashback malware. You can download it through Apple’s Software Update, or by using this link. It only runs on OS 10.6 Snow Leopard and higher.
I recommend using Kaspersky’s removal tool that scans exclusively for all the variants of Flashback and any related files. It runs very fast, and is available for OS 10.5 and higher. However, occasionally I found it wouldn’t run, or needed an update, but reinstallation fixed nothing. You can also try F-Secure’s removal tool, which runs the same Terminal commands that the manual removal instructions recommend. You can download that from CNet here.
Whether it works or not, your next step is to download a copy of Sophos Anti-Virus for Mac Home Edition, which is free from Sophos and is available for Macs running OS 10.4 (“Tiger”) or higher. Once installed, keep updating it until you are sure you have the most recent definitions. You may wish to change Sophos’ setting to move the virus elsewhere rather than have it delete it automatically. Either way, once it finishes the scan, which should take an hour or two for the whole hard drive, hit the clean-up button, and you are done.
However, on a few infected Macs, I ran into an issue where Sophos could not detect the malware. I then used another tool from Dr. Web, the firm that initially sounded the alarm about Flashback and created the online checker mentioned above. They have a free tool in the Mac App Store called Dr. Web Light which can remove the trojan. However, since the tool is available only in the Mac App Store, it only works on Macs running OS 10.6 (“Snow Leopard”) or higher. You can also put the tool onto a flash drive and run the scanner from there, which is nice. When it has finished scanning, you should see a Java file ending in .juschd, which is the trojan. Hit “Neutralize”, or tap the arrow on that file and click “Delete” to remove it from your Mac. Once all that is done, it wouldn’t hurt to run any or all of these three scans again.
If you don’t have the Internet:
If you don’t have the Internet, you can’t use Dr. Web or Sophos, because they need to update their virus definitions before scanning. You can remove it manually by following F-Secure’s directions on how to remove Flashback manually. There are a couple of caveats: First, the virus is constantly changing, meaning that the directions you see will have to be updated. F-Secure has been updating these directions in a timely manner, and they do provide links to more recent directions. The bigger caveat is that these directions require a lot of digging around in OSX’s system files and require use of the Terminal, so they are not for the faint of heart. If you don’t feel like removing it through this manual method, either take it to a Mac expert to work on, or get an Internet connection to run the tools mentioned above.
If you have access to a computer that does have Internet access, or just have a friend that does, download Kaspersky’s removal tool that they just created. Since this doesn’t need any more updates to run after the initial download of the file, it makes for a really simple and effective tool to use.
Your last option, the one guaranteed to completely remove the trojan, is to do a clean install of your copy of OSX. You will need to grab your install disks, or boot into Lion’s recovery mode to reinstall the OS completely. This is really a last resort, but it is 100% effective at removing Flashback.
Congratulations! You’ve removed Flashback, so now you can go about your merry way, right? WRONG. Flashback got onto your Mac because you had a security hole in your system, and it needs to be patched. Once you have an Internet connection, update your Mac until there is nothing left in your Software Update queue to install. This especially applies to any updates that say OSX update, Java, and/or Security. Apple has already patched the hole in Java on OS 10.7 “Lion” and 10.6 “Snow Leopard”, but it will not be updating previous versions of OS 10, including 10.5 “Leopard”. Users of those versions should get all of their updates anyway, but will also need to keep running an antivirus.
Once you have finished updating your Mac, it wouldn’t hurt to scan again. However, you might think about just disabling Java if you don’t need it. This can be done on OS 10.5 and later systems. Go to your Applications folder, open the Utilities folder, and open the Java Preferences app. Under the General tab, uncheck the box that says “Enable applet plug-in and Web Start applications” on Snow Leopard and Lion. On Leopard, disable all the versions of Java capable of running in the checklist. You should also go to the Network tab and clear the caches/delete temporary files, then uncheck the box that says “Keep temporary files for fast access”. However, if you constantly use Java apps online, these steps shouldn’t be followed, because you may not be able to run Java web programs, as well as certain desktop Java apps. For most people, this shouldn’t be a problem though.
The last step, and by no means the least, is to change all of your passwords. As I stated before, Flashback is a password stealer and actively transmits your personal info back to its home base. Change any and every password that you used since you were infected. Better yet, change all of your passwords. Anything that deals with sensitive information or money, such as bank accounts, Facebook, email, etc., should be changed immediately. Several students were changing their passwords while their Macs were being repaired and noted that their various accounts were reporting suspicious activity and access. For example, one student said his birth date on Facebook had been changed, while another reported that his email was last accessed in Japan (he had never been to Japan). You will also want to check with your bank and your email for any transactions or messages sent that you don’t recognize ever doing. The sooner you can report fraud, the sooner it can be stopped and the better off you will be.
What Flashback has proven, as well as MacDefender last year, is what I and others have been saying for a long time now: the Mac is not an impenetrable fortress, and it was only a matter of time before OSX would be attacked. Honestly, I wish I was wrong, and the amount of Windows malware is still drastically higher than that of Mac malware. Flashback doesn’t need to be a cause for mass panic in the Apple community, though. Nor does it make the Mac platform any worse; it only goes to show that no system is without flaws and that users of any computer system need to be vigilant about what they do online, where they go, and how secure they really are.
If you have any questions, comments, or suggestions about this or any other topic, leave a comment below or email me at firstname.lastname@example.org You can also check me out on Facebook, Twitter, and YouTube by hitting the buttons on the top of your screen. You can also check out my Google Plus. Thanks!
UPDATED: April 12 at 2:10 pm to link to the F-Secure removal tool.
UPDATED April 12 at 5:41 pm to cover Apple’s new Java update and removal tool.
When talking about security, DNS and encryption have become two major discussion points. Encryption makes the information being sent look random to anyone on the outside looking in, while the people sending and receiving the information can read and write it just fine (the same way people might send secret coded messages). DNS is basically a phone book for the Internet. When you type in an Internet address, that name is actually tied to an IP address, the individual number tied to each Internet-connected device. Whoever provides your DNS, usually your Internet provider, looks up what IP address is connected to what you entered, and then directs you to the website. It’s the same principle as if you wanted to call a person or business. If you look up the name of the person or business in a phone book, you can find what their phone number is, call them, and exchange whatever business, pleasantries, or other reason you had to call them.
DNS has become more of a talking point lately, as recent malware attacks on multiple operating systems have changed victims’ DNS addresses to lead them to malicious sites designed only to steal their information and/or give them more malware. Other holes in the DNS process have caused concern for the process itself. But since DNS is such an integral part of the way we connect to the web, there’s no way to just turn it off without disconnecting from the web. So the wonderful people at OpenDNS have created DNSCrypt to help with these security problems. DNSCrypt encrypts the traffic flowing between you, your DNS provider, and the website you are trying to contact. It works to prevent your DNS traffic from being intercepted and maliciously changed. But wait! What if your DNS addresses have already been changed? DNSCrypt fixes that because it runs off of OpenDNS’s own DNS servers. Some people may be concerned about changing DNS servers, but DNSCrypt changes it automatically so that you don’t have to, and can change back automatically to your former DNS servers if something doesn’t work right. If you’re worried about OpenDNS’s security, OpenDNS has award-winning security, and can even speed up your web browsing experience. Changing your DNS to their servers is free, but they offer home and business plans for more efficient and even more secure use.
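To show what “intercepted and maliciously changed” actually refers to, here is an added example (not code from the original post and not part of DNSCrypt or OpenDNS) that builds a plain DNS query for a name and parses the resolver’s reply straight from the bytes. Both the query and a constructed reply are assembled inline so the script runs offline; the answer address 192.0.2.10 is a documentation-range placeholder, not a real lookup result. The point is that every field, the name asked for and the address returned, sits readable in the packet, which is exactly what a DNSCrypt tunnel wraps in encryption.

```python
import struct


def encode_name(name):
    """Encode 'example.com' as DNS labels: \x07example\x03com\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234):
    """Standard A-record query: 12-byte header, one question, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def decode_name(data, offset):
    """Read a label sequence at `offset`, following one level of compression pointers."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier copy of the name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            labels.append(decode_name(data, pointer)[0])
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_response(data):
    """Return the header id/flags, the question(s) and the answer records as plain values."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    questions = []
    for _ in range(qd):
        qname, offset = decode_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype, qclass))
    answers = []
    for _ in range(an):
        rname, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record: four raw bytes are the IPv4 address
            rdata = ".".join(str(b) for b in rdata)
        answers.append((rname, rtype, ttl, rdata))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}


def build_response(query, ip, ttl=300):
    """Constructed resolver reply: same transaction id, QR bit set, one A answer
    whose name is a pointer (0xC00C) back to the question at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(part) for part in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


# Constructed sample exchange for the name example.com and a placeholder address.
SAMPLE_QUERY = build_query("example.com")
SAMPLE_RESPONSE = build_response(SAMPLE_QUERY, "192.0.2.10")

if __name__ == "__main__":
    print("query bytes   :", SAMPLE_QUERY.hex())
    print("parsed reply  :", parse_response(SAMPLE_RESPONSE))
```

Anyone who can see these bytes on the wire can read them the same way this script does, which is why the sender has no way to tell a genuine answer from a substituted one without the authentication and encryption a tool like DNSCrypt adds.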
I have been using the program for about two weeks. With it booting up as a startup program, I noticed a small increase in my Mac’s startup time, but I have not noticed any decrease in the speed of my overall browsing. I can’t say how well it blocks DNS attacks (I tend not to go searching for sites that do that), but I trust OpenDNS and have used it for a while now. And OpenDNS has a nice menubar icon to let your know its status.
While DNSCrypt is going to be a great tool in anyone’s security arsenal, there are a few caveats I have with it. For one thing, the program is still in beta, so anyone worried about stability might want to stay away. I haven’t experienced any crashes with it, but I would still wait until the final version of the program before using it for corporate work. Another issue with the program is that when it initially starts up, encryption hasn’t been enabled. You have to manually enable encryption from within the app’s preference pane. OpenDNS acknowledges this and says an update is coming soon to fix it. And as an aesthetic touch, I wish the menubar icon had a more Mac-like feel, rather than being a red, yellow, or green light in the menubar (but at least it’s easy to understand your status).
For those willing to try a beta program, and for those who want some extra security, check out DNSCrypt. You can download it at http://www.opendns.com/technology/dnscrypt/ for free. It runs on OS 10.5 and higher. If you have any questions, comments, or suggestions about this or any other topic, leave a comment below or email me at email@example.com You can also check me out on Facebook, Twitter, and YouTube by hitting the buttons on the top of your screen. You can also check out my Google Plus Page at https://plus.google.com/107817518299218190319. Thanks!
In this video, I show several of my favorite free security apps for your Mac. You can find the links to them in the video description box on YouTube (either double click this video, or hit the big YouTube button on top of the page).
Originally I had planned for this to be the end of my Secure Your Mac series for awhile, but I doubt it will be. It looks like I’ll be looking out for this for a while. At least, though, I plan to get some more of my regular tips, tricks, and videos out.
Thanks, and feel free to leave a comment, send me an email at firstname.lastname@example.org, or hit me up on Twitter.
P.S. This is not the App of the Week post, if the title didn’t give it away.
Here is the 2nd part of how to secure the Opera web browser. I hope to get another security-based video or two out, but I’m working on some other non-security related stuff as well. Enjoy the video, and thanks for watching.
P.S. Send any tips, suggestions, or questions to me at email@example.com, or on Twitter @EasyOSX.
While Apple’s new update feature will likely catch this in the next few days, it does show how stubborn these malware developers are going to be.
Update: According to CNET, there is a bug in the new automatic security updates feature that may cause the checkbox to be unchecked if the Security Preference pane is left open for more than 30 seconds.