Normally, this is the part of the week where I review an app and post the “App of the Week”. However, this past Monday, the computer lab where I work was inundated with Macs infected with the Flashback malware. So instead of writing a post about a cool app to install, I decided it would be better to write a tutorial on how to remove a certain unwanted “app” from your Mac.
WHAT IS FLASHBACK?
Flashback is a piece of malware known as a trojan, named after the Trojan Horse story in the Iliad. The trojan poses as an installer/updater for Adobe Flash, a common plugin used by multimedia sites and services such as YouTube, Pandora, web ads, and more, and tricks you into installing it. But instead of installing Flash, it installs the Flashback trojan. Earlier versions required your Administrator password to install, and later versions would uninstall themselves if they detected certain antivirus products running on your Mac. The most recent versions, however, can install without your password and without your knowledge.
Simply put, it steals your passwords: email, bank accounts, games, everything. If you type in a password, Flashback will steal it. Even if you do remove the virus, the bad guys could still have your private information.
HOW TO DETECT AND REMOVE
If you’ve been looking around the Internet for how to remove Flashback, you’ve probably run into Terminal commands for detecting it. Unfortunately, they don’t really work too well, and here’s why. The Terminal isn’t actually looking for Flashback itself, but for certain Java files that may indicate Flashback is on your system. Unfortunately, if you have run anything that is written in or requires Java, the Terminal will report that you have some of those files. Such programs include Minecraft, RuneScape, OpenOffice, LibreOffice, NeoOffice, Java development tools like BlueJ and Eclipse, and so on. You can run a tool like Flashback Detector from GitHub, which runs these same scripts. However, I ran the scripts both manually and with the automatic tools on the first three infected Macs I received, and only one of them returned a positive through either method, even though all three were infected.
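The Terminal checks that were circulating at the time are, I assume, the three “defaults read” commands from F-Secure’s Flashback removal instructions, which look for a DYLD_INSERT_LIBRARIES entry in Safari’s and Firefox’s Info.plist and in ~/.MacOSX/environment.plist. The script below is an added example, not code from this post, from F-Secure or from the Flashback Detector project: it wraps those commands and interprets their output, and it runs stand-alone against constructed sample output (the .dylib paths in it are made up). Whatever indicator a check looks for, the point of the paragraph above holds: a hit tells you to go and inspect the named file, and a miss only says that this one indicator is absent.

```shell
#!/bin/sh
# Added example (not from the original post or from F-Secure): wraps the three
# `defaults read` indicator checks F-Secure published for Flashback and
# interprets their output. Assumption: these are the Terminal checks the post
# refers to. A hit means "inspect the named file", not "infected"; a miss means
# only that this particular indicator is absent.

# ls_environment_indicator OUTPUT
#   OUTPUT is what `defaults read /Applications/<App>.app/Contents/Info LSEnvironment`
#   printed. Prints the DYLD_INSERT_LIBRARIES path and returns 0 when the
#   dictionary carries that key; returns 1 otherwise (key missing, or the
#   "does not exist" message for an app with no LSEnvironment at all).
ls_environment_indicator() {
    case "$1" in
        *DYLD_INSERT_LIBRARIES*)
            printf '%s\n' "$1" |
                sed -n 's/.*DYLD_INSERT_LIBRARIES[[:space:]]*=[[:space:]]*"\{0,1\}\([^";]*\).*/\1/p'
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# environment_plist_indicator OUTPUT
#   OUTPUT is what `defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES`
#   printed. Here defaults prints the value itself, so any output other than
#   the "does not exist" message is the injected library path.
environment_plist_indicator() {
    case "$1" in
        ""|*"does not exist"*) return 1 ;;
        *) printf '%s\n' "$1"; return 0 ;;
    esac
}

# Constructed sample outputs; the library path below is made up for the example.
SAMPLE_CLEAN='The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist'
SAMPLE_HIT='{
    DYLD_INSERT_LIBRARIES = "/Applications/Safari.app/Contents/Resources/constructed-sample.dylib";
}'
SAMPLE_OTHER_KEY='{
    SomeOtherVariable = 1;
}'

# run_flashback_checks: runs the real commands on an OS X machine and reports.
run_flashback_checks() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not found; these checks only run on OS X"
        return 2
    fi
    for app in Safari Firefox; do
        out=$(defaults read "/Applications/$app.app/Contents/Info" LSEnvironment 2>&1)
        if lib=$(ls_environment_indicator "$out"); then
            printf '%s: LSEnvironment injects %s -- inspect that file\n' "$app" "$lib"
        else
            printf '%s: no DYLD_INSERT_LIBRARIES entry\n' "$app"
        fi
    done
    out=$(defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES 2>&1)
    if lib=$(environment_plist_indicator "$out"); then
        printf 'environment.plist injects %s -- inspect that file\n' "$lib"
    else
        echo "environment.plist: no DYLD_INSERT_LIBRARIES entry"
    fi
}

# Stand-alone demonstration on the constructed samples (run with --run on a Mac
# to execute the real checks instead).
demo() {
    for sample in "$SAMPLE_CLEAN" "$SAMPLE_OTHER_KEY" "$SAMPLE_HIT"; do
        if lib=$(ls_environment_indicator "$sample"); then
            echo "indicator: $lib"
        else
            echo "no indicator"
        fi
    done
}

if [ "${1:-}" = "--run" ]; then run_flashback_checks; else demo; fi
```

Note that an LSEnvironment dictionary with some other key is reported as “no indicator”: the check keys on the injected-library entry, not on the presence of the dictionary, and a legitimate application may carry its own LSEnvironment settings.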
You can also check with Dr. Web’s online tester, which checks your Hardware UUID against its own records of which computers have been infected. To find your Hardware UUID, click the Apple logo in the top left corner of your screen and choose About This Mac. Then click “More Info” followed by “System Report” on Lion, or “More Info” on earlier versions. Select Hardware in the left sidebar and find the Hardware UUID. This checker will not tell you if you are still infected, but it will tell you when your Mac was infected and the last time Flashback phoned home. This seems to me the better way to check for the trojan. Kaspersky also has a handy web checker at http://www.flashbackcheck.com/ that essentially does the same thing as Dr. Web’s.
Trying to remove the virus through the Terminal may be problematic. There are tools out there that can help you remove it; for best results, however, you will need Internet access.
If you have Internet access:
First, update to Apple’s latest version of Java, which includes a Flashback removal tool that removes “the most common variants” of the Flashback malware. You can download it through Apple’s Software Update, or by using this link. It only runs on OS X 10.6 Snow Leopard and higher.
I recommend Kaspersky’s removal tool, which scans exclusively for all the variants of Flashback and any related files. It runs very fast and is available for OS X 10.5 and higher. However, occasionally I found it wouldn’t run or needed an update, and reinstalling it fixed nothing. You can also try F-Secure’s removal tool, which runs the same Terminal commands that the manual removal instructions recommend. You can download it from CNET here.
Whether it works or not, your next step is to download a copy of Sophos Anti-Virus for Mac Home Edition, which is free from Sophos and is available for Macs running OS X 10.4 (“Tiger”) or higher. Once installed, update it until you are sure you have the most recent definitions. You may wish to change Sophos’ setting to move the virus elsewhere (quarantine it) rather than delete it automatically. Either way, once it finishes the scan, which should take an hour or two for the whole hard drive, hit the Clean-up button and you are done.
However, on a few infected Macs I ran into an issue where Sophos could not detect the malware. I then used another tool from Dr. Web, the firm that initially sounded the alarm about Flashback and created the online checker mentioned above. They have a free tool in the Mac App Store called Dr. Web Light which can remove the trojan. However, since the tool is available only in the Mac App Store, it only works on Macs running OS X 10.6 (“Snow Leopard”) or higher. You can also put the tool onto a flash drive and run the scanner from there, which is nice. When it has finished scanning, you should see a Java file with a name ending in .juschd, which is the trojan. Hit “Neutralize”, or tap the arrow on that file and click “Delete” to remove it from the Mac. Once all that is done, it wouldn’t hurt to run any or all of these three scans again.
If you don’t have the Internet:
If you don’t have Internet access, you can’t use Dr. Web or Sophos, because they need to update their virus definitions before scanning. You can remove it manually by following F-Secure’s directions on how to remove Flashback by hand. There are a couple of caveats. First, the virus is constantly changing, meaning that the directions you see will have to be updated; F-Secure has been updating these directions in a timely manner, and they provide links to more recent directions. The bigger caveat is that these directions require a lot of digging around in OS X’s system files and use of the Terminal, so they are not for the faint of heart. If you don’t feel like removing it through this manual method, either take the Mac to an expert to work on, or get an Internet connection to run the tools mentioned above.
If you have access to a computer that does have Internet access, or just have a friend who does, download Kaspersky’s removal tool, which they just created. Since it doesn’t need any further updates to run after the initial download of the file, it makes for a really simple and effective tool to use.
Your last option, the one guaranteed to completely remove the trojan, is to do a clean install of your copy of OS X. You will need to grab your install disks, or boot into Lion’s Recovery mode, to reinstall the OS completely. This is really a last resort, but it is 100% effective at removing Flashback.
Congratulations! You’ve removed Flashback, so now you can go about your merry way, right? WRONG. Flashback got onto your Mac because there was a security hole in your system, and it needs to be patched. Once you have an Internet connection, update your Mac until there is nothing left in your Software Update queue to install. This especially applies to any updates labelled OS X update, Java, and/or Security. Apple has already patched the hole in Java on OS X 10.7 “Lion” and 10.6 “Snow Leopard”, but it will not be updating previous versions of OS X, including 10.5 “Leopard”. Users of those versions should install all of their updates anyway, but will also need to keep running an antivirus.
Once you have finished updating your Mac, it wouldn’t hurt to scan again. You might also think about disabling Java if you don’t need it. This can be done on OS X 10.5 and later systems. Go to your Applications folder, open the Utilities folder, and open the Java Preferences app. Under the General tab, uncheck the box that says “Enable applet plug-in and Web Start applications” on Snow Leopard and Lion. On Leopard, disable all the versions of Java capable of running in the checklist. You should also go to the Network tab, clear the caches/delete temporary files, then uncheck the box that says “Keep temporary files for fast access”. However, if you constantly use Java apps online, you shouldn’t follow these steps, because you may not be able to run Java web programs or certain desktop Java apps. For most people this shouldn’t be a problem, though.
The last step, and by far not the least, is to change all of your passwords. As I stated before, Flashback is a password stealer and actively transmits your personal info back to its home base. Change any and every password that you used since you were infected. Better yet, change all of your passwords. Anything that deals with sensitive information or money, such as bank accounts, Facebook, email, etc., should be changed immediately. Several students changed their passwords while their Macs were being repaired and noted that their various accounts were reporting suspicious activity and access. For example, one student said his birth date on Facebook had been changed, while another reported that his email had last been accessed from Japan (he had never been to Japan). You will also want to check with your bank and your email accounts for any transactions or messages that you don’t recognize. The sooner you can report fraud, the sooner it can be stopped and the better off you will be.
What Flashback has proven, as MacDefender did last year, is what I and others have been saying for a long time now: the Mac is not an impenetrable fortress, and it was only a matter of time before OS X would be attacked. Honestly, I wish I were wrong, and the amount of Windows malware is still drastically higher than that of Mac malware. Flashback doesn’t need to be a cause for mass panic in the Apple community, though. Nor does it make the Mac platform any worse; it only goes to show that no system is without flaws, and that users of any computer system need to be vigilant about what they do online, where they go, and how secure they really are.
If you have any questions, comments, or suggestions about this or any other topic, leave a comment below or email me at firstname.lastname@example.org. You can also find me on Facebook, Twitter, and YouTube by hitting the buttons at the top of your screen, and you can check out my Google Plus. Thanks!
UPDATED: April 12 at 2:10 pm to link to the F-Secure removal tool.
UPDATED: April 12 at 5:41 pm to cover Apple’s new Java update and removal tool.