How to Remove the Flashback Malware

Normally, this is the part of the week where I review an app and post the “App of the Week”. However, this past Monday, the computer lab where I work was inundated with Macs infected with the Flashback malware. So instead of writing a post about a cool app to install, I decided it would be better to write a tutorial on how to remove a certain unwanted “app” from your Mac.

WHAT IS FLASHBACK?
Flashback is malware of the kind known as a trojan, named after the Trojan Horse story in the Iliad. The trojan poses as an installer/updater for Adobe Flash, a common plugin used by sites such as YouTube and Pandora, by web ads, and more, and gets you to install the program. But instead of installing Flash, it installs the Flashback trojan. Earlier versions required your Administrator password to install, and later versions would uninstall themselves if they detected certain anti-virus products running on your Mac. The most recent versions, however, can install without your password and without your knowledge.

ITS PURPOSE
Simply put, it steals your passwords: email, bank accounts, games, everything. If you type in a password, Flashback will steal it. Even if you do remove the virus, the bad guys could still have your private information.

HOW TO DETECT AND REMOVE
If you’ve been looking around the Internet for how to remove Flashback, you’ve probably run into Terminal commands for detecting it. Unfortunately, they don’t really work too well, and here’s why. The Terminal isn’t actually looking for Flashback itself, but for certain Java files that may indicate Flashback is on your system. So if you have run anything that is, or requires, Java, the commands will report that you have some of those files. These may include Minecraft, RuneScape, OpenOffice, LibreOffice, NeoOffice, Java coding utilities like BlueJ and Eclipse, and so on. You can run a tool like Flashback Detector from GitHub, which runs these same scripts. However, I ran the scripts both manually and with the automatic tools on the first three infected Macs I received, and only one of them returned a positive through either method, even though all three were infected.
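The Terminal checks referred to above look for Flashback’s footprints rather than for the trojan itself; one footprint some variants left (a detail the post does not spell out) is a DYLD_INSERT_LIBRARIES entry in Safari’s Info.plist LSEnvironment dictionary or in ~/.MacOSX/environment.plist, which makes the system load an extra library into Safari on every launch. The following Python script is an added example, not code from the original post or from any of the vendors’ tools; the plist samples and the library path are constructed placeholders, and inserted_libraries and check_file are names chosen here.

```python
import plistlib
from pathlib import Path

# Constructed sample of Safari's Info.plist after an LSEnvironment entry has
# been added to load a library into every Safari launch. The library path is
# a made-up placeholder, not a real indicator of compromise.
INFECTED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
  <key>LSEnvironment</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Applications/Safari.app/Contents/Resources/PLACEHOLDER_LIB.so</string>
  </dict>
</dict></plist>
"""

# Constructed sample of a clean Info.plist: no LSEnvironment block at all.
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
</dict></plist>
"""

def inserted_libraries(plist_bytes):
    """Return every library path listed under DYLD_INSERT_LIBRARIES.

    The key is looked for at the top level (layout of ~/.MacOSX/environment.plist)
    and inside an LSEnvironment dict (layout of an app's Info.plist). [] means clean.
    """
    data = plistlib.loads(plist_bytes)
    found = []
    for scope in (data, data.get("LSEnvironment", {})):
        value = scope.get("DYLD_INSERT_LIBRARIES") if isinstance(scope, dict) else None
        if value:
            # The variable is colon-separated, like PATH; report each entry.
            found.extend(p for p in value.split(":") if p)
    return found

def check_file(path):
    """Read a plist from disk; a missing file simply reports no injection."""
    p = Path(path).expanduser()
    return inserted_libraries(p.read_bytes()) if p.is_file() else []

if __name__ == "__main__":
    for name, blob in (("clean sample", CLEAN_PLIST), ("infected sample", INFECTED_PLIST)):
        print(name, inserted_libraries(blob) or "no DYLD_INSERT_LIBRARIES entry")
    # The two locations the manual Terminal checks read on a real Mac.
    for real in ("/Applications/Safari.app/Contents/Info.plist", "~/.MacOSX/environment.plist"):
        print(real, check_file(real) or "no DYLD_INSERT_LIBRARIES entry")
```

A non-empty result means something is being injected into Safari and deserves a closer look; an empty result does not prove the Mac is clean, which is why the post goes on to recommend the vendors’ online checkers and scanners.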

You can also check with Dr. Web’s online tester, which checks your Hardware UUID against its own records of which computers have been infected. To find your Hardware UUID, click the Apple logo in the top left corner of your screen and choose About This Mac. Then click “More Info” followed by “System Report” in Lion, or just “More Info” on previous versions. Select Hardware in the left sidebar and find the Hardware UUID. This checker will not tell you whether you are still infected, but it will tell you when you were infected and the last time Flashback phoned home. This seems to me the better way to check for the trojan. Kaspersky also has a handy web checker at http://www.flashbackcheck.com/ that essentially does the same thing as Dr. Web’s.

Trying to remove the virus through the Terminal can be problematic. There are tools out there that can remove it for you, but for best results you will need an Internet connection.

If you have Internet access: First, update to Apple’s latest version of Java, which includes a Flashback removal tool that removes “the most common variants” of the Flashback malware. You can get it through Apple’s Software Update, or by using this link. It only runs on OS 10.6 Snow Leopard and higher.

I recommend Kaspersky’s removal tool, which scans exclusively for all the variants of Flashback and any related files. It runs very fast and is available for OS 10.5 and higher. However, occasionally I found it wouldn’t run or needed an update, and reinstallation fixed nothing. You can also try F-Secure’s removal tool, which runs the same Terminal commands that the manual removal instructions recommend. You can download that from CNet here.

Sophos Antivirus for Mac 8.0

Whether it works or not, your next step is to download a copy of Sophos Anti-Virus for Mac Home Edition, which is free from Sophos and is available for Macs running OS 10.4 (“Tiger”) or higher. Once installed, make sure you update it until you are sure you have the most recent definitions. You may wish to change Sophos’ setting to move the virus elsewhere rather than have it delete it automatically. Either way, once it finishes the scan, which should take an hour or two for the whole hard drive, hit the clean-up button, and you are done.

However, on a few infected Macs I ran into an issue where Sophos could not detect the malware. I then used another tool from Dr. Web, the firm that initially sounded the alarm about Flashback and created the online checker mentioned above. They have a free tool in the Mac App Store called Dr. Web Light which can remove the trojan. However, since the tool is available only in the Mac App Store, it only works on Macs running OS 10.6 (“Snow Leopard”) or higher. You can also put the tool onto a flash drive and run the scanner from there, which is nice. When it has finished scanning, you should see a Java file ending in .juschd, which is the trojan. Hit “Neutralize”, or tap the arrow on that file and click “Delete” to remove it from your Mac. Once all that is done, it wouldn’t hurt to run any or all of these three scans again.

If you don’t have the Internet:
If you don’t have the Internet, you can’t use Dr. Web or Sophos, because they need to update their virus definitions before scanning. You can remove it manually by following F-Secure’s directions on how to remove Flashback manually. There are a couple of caveats. First, the virus is constantly changing, meaning that the directions you see will have to be updated; F-Secure has been updating these directions in a timely manner, and they do provide links to more recent directions. The bigger caveat is that these directions require a lot of digging around in OSX’s system files and use of the Terminal, so they are not for the faint of heart. If you don’t feel like removing it through this manual method, either take it to a Mac expert to work on, or get an Internet connection and run the tools mentioned above.

Kaspersky's Flashfake Removal Tool (Courtesy of Kaspersky)

If you have access to a computer that does have Internet access, or just have a friend that does, download Kaspersky’s removal tool that they just created. Since this doesn’t need any more updates to run after the initial download of the file, it makes for a really simple and effective tool to use.

Your last option, the one guaranteed to completely remove the trojan, is to do a clean install of your copy of OSX. You will need to grab your install discs, or boot into Lion’s Recovery mode, to reinstall the OS completely. This is really a last resort, but it is 100% effective at removing Flashback.

AFTERMATH
Congratulations! You’ve removed Flashback, so now you can go about your merry way, right? WRONG. Flashback got onto your Mac because you had a security hole in your system, and it needs to be patched. Once you have an Internet connection, update your Mac until there is nothing left in your Software Update queue to install. This especially applies to any updates labelled OSX update, Java, and/or Security. Apple has already patched the hole in Java on OS 10.7 “Lion” and 10.6 “Snow Leopard”, but it will not be updating previous versions of OS 10, including 10.5 “Leopard”. Users of those versions should still install all of their updates anyway, but will also need to keep running an antivirus.

Once you have finished updating your Mac, it wouldn’t hurt to scan again. However, you might think about just disabling Java if you don’t need it. This can be done on OS 10.5 and later systems.

Java Preferences on Lion

Go to your Applications folder, open the Utilities folder, and open the Java Preferences app. Under the General tab, uncheck the box that says “Enable Applet plug-in and Web Start applications” on Snow Leopard and Lion. On Leopard, disable all the versions of Java capable of running in the checklist. You should also go to the Network tab and clear the caches/delete temporary files, then uncheck the box that says “Keep temporary files for fast access”. However, if you constantly use Java apps online, these steps shouldn’t be followed, because you may not be able to run Java web programs, as well as certain desktop Java apps. For most people, this shouldn’t be a problem though.

The last step, and by no means the least, is to change all of your passwords. As I stated before, Flashback is a password stealer and actively transmits your personal info back to its home base. Change any and every password that you used since you were infected. Better yet, change all of your passwords. Anything that deals with sensitive information or money, such as bank accounts, Facebook, email, etc., should be changed immediately. Several students were changing their passwords while their Macs were being repaired and noted that their various accounts were reporting suspicious activity and access. For example, one student said his birth date on Facebook had been changed, while another reported that his email was last accessed in Japan (he had never been to Japan). You will also want to check with your bank and your email for any transactions or messages sent that you don’t recognize. The sooner you can report fraud, the sooner it can be stopped and the better off you will be.

What Flashback has proven, as well as MacDefender last year, is what I and others have been saying for a long time now: the Mac is not an impenetrable fortress, and it was only a matter of time before OSX would be attacked. Honestly, I wish I was wrong, and the amount of Windows malware is still drastically higher than that of Mac malware.  Flashback doesn’t need to be a cause for mass panic in the Apple community, though.  Nor does it make the Mac platform any worse; it only goes to show that no system is without flaws and that users of any computer system need to be vigilant about what they do online, where they go, and how secure they really are.

If you have any questions, comments, or suggestions about this or any other topic, leave a comment below or email me at easyosx@live.com  You can also check me out on Facebook, Twitter, and YouTube by hitting the buttons on the top of your screen.  You can also check out my Google Plus.  Thanks!

UPDATED: April 12 at 2:10 pm to link to the F-Secure removal tool.

UPDATED April 12 at 5:41 pm to cover Apple’s new Java update and removal tool

What is iCloud?

With the release of iOS 5 and OSX 10.7.2, the two operating systems have bonded like never before with iCloud. But what exactly is it, and what does it do?

iCloud is Apple’s replacement for MobileMe. Through iCloud, you’ll use your Apple I.D. to sync data between your iOS 5 device and your Mac running 10.7.2 and iTunes 10.5 (or a Windows XP or higher machine). Without all three of these, iCloud won’t work to its full extent. You’ll also be able to see your data on icloud.com. So what’s going to be synced? You’ll have the option to choose among all of the items below, though some of them are Mac specific; we’ll get to that in a minute. You get 5 gigabytes of iCloud storage for free, though you can pay to go up to as much as 50. Paying also gives you iTunes Match, which lets iTunes scan and match up to 25,000 songs you have in iTunes and stream them from the cloud.

Universal:

  • Apps: When you download apps, they’ll automatically be synced through iCloud to your Mac. When iTunes opens up, all the apps you’ve downloaded will be synced to it through the web. App data will also be synced, meaning that your 3 stars in Angry Birds will also be stored.
  • Photos: With iOS 5’s Photo Stream enabled, you can have photos taken on your iDevice or from your computer streamed and synced from the cloud. These are synced across all your iCloud-enabled devices. Not every picture you take is automatically sent to the cloud, only when you enable Photo Stream. 1000 photos are stored at any given time in iCloud.
  • Music: Through iCloud, all your iTunes music is available for download on all your devices. Any music you purchase on one device can be automatically synced, or you can selectively choose what songs sync to what device. You can also redownload past purchases you’ve made through iTunes onto your devices. iTunes Match, which lets you stream your songs from the cloud, will be $24.99 a year.
  • Books: Any books you’ve downloaded through iBooks will be synced through iCloud and available on all your devices, as well as any bookmarks and the last place you were in a particular book.
  • Contacts and Calendar: Contacts and calendars on iOS 5 will be synced through iCloud, available on the website, and synced to your main computer. On Mac these will be synced to Address Book and iCal respectively, while on Windows it will sync to Microsoft Outlook.
  • Mail: Signing up through your Apple I.D., you get a free @me.com. It will be synced through Apple’s Mail & iOS’s Mail App. You’ll also be able to check it on the iCloud website. That is also free, though it counts toward your storage.
  • Find My iPhone: Available since iPhone 4, Find My iPhone has moved to iCloud.com. You can still use another iOS 4 or higher device to track your missing device, but now iCloud is the web home for tracking your iDevice.
  • Notes, Reminders: Notes and Reminders from your iDevice will also be synced through iCloud. You won’t be able to see them outside of your iDevice, but they will sync across your iDevices.
  • Backup: iCloud lets you back up your iPhone to your iCloud account, just like it does when you plug your iDevice into your Mac and run the sync feature in iTunes. Next time you get a new iDevice running iOS 5 or later, all your stuff will be downloaded onto that new device over Wi-Fi.
Mac specific: Of course, Apple included some special bonds between iOS and OSX Lion. Here are some of the new powers:
  • Safari Bookmarks: You can sync your bookmarks in the desktop Safari with the mobile Safari, and vice versa.
  • Documents in the Cloud: Using iWork for iOS and iWork for Desktop (Pages, Keynote, and Numbers), users can sync, read, and work on documents by sending them through iCloud. You can also check them out by logging into icloud.com. This does count toward your 5 gigabyte limit.

While iCloud is still new and the real test will come in the near future as more people use it, iCloud still seems like a worthy and logical upgrade for all iOS users.