To avoid future "infections".

Step 1. Remove Java, you probably don't need it.

Step 2. Remove Flashplayer, if you insist upon using flash run Chrome.

Step 3. Don't be a click-happy nut who passively submits to blissfully typing in the admin password.

---
There, future crisii averted...
 
I used this and it said it removed it, and then when I restarted my Mac I ran the web checker again and it said I still had it? Hmmmmmm

Please someone verify if this is some sort of bad thing or not?

Actually, I ran the downloaded remover and it said that the threat wasn't detected anymore, so it definitely "could be" legit... still shifty about it though.
 
Infection itself does nothing drastic. It may attempt to load another executable though which may attempt to do real harm but so far nothing has been reported on this.

To disinfect just find and remove files it installed - F-Secure has instructions how to do it: http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

To be safe in the future disable or uninstall Java: http://reviews.cnet.com/8301-13727_7-57408841-263/how-to-check-for-and-disable-java-in-os-x/

Chances are you aren't using Java software at all. If you do, consider an exit strategy, as Java has been responsible for numerous exploits on Mac OS X over the years, and also, Java programs for OS X do suck. It won't magically become better tomorrow.
 
I used this and it said it removed it, and then when I restarted my Mac I ran the web checker again and it said I still had it? Hmmmmmm

Please someone verify if this is some sort of bad thing or not?

My assumption with that one is that, because the server supposedly collected the UUID of infected computers, it just kept a list of all the computers that were infected. After the removal the server doesn't change, because it has simply kept a list of computers that tried to contact it through the malware, not a list of computers that are actually currently infected.
 
'Infected' suggests it's a virus. Thought Macs didn't get viruses. Haha
They don't, since this isn't a virus. Viruses aren't the only form of malware that can infect computers.
I guess being too lazy and, frankly, cheap to spend that $29 seems pretty stupid now, doesn't it? :D
Choosing not to upgrade to Snow Leopard or Lion doesn't have anything to do with being lazy or cheap. There is no need to upgrade, simply for the sake of upgrading. Leopard still runs quite well for many users.
Company offers free antivirus software?
There are many free antivirus apps on both Windows and Mac platforms. It's nothing new.
Either way as I'm waiting to buy a new iMac I'm less than happy to hear about Mac viruses.
You can be happy again. This isn't a virus, and there never has been one since Mac OS X was released. This is a trojan, and not the first one.
I used this and it said it removed it and then when I restarted my mac i ran the web checker again and it said I still had it?
To be certain, just use the Terminal commands that have already been posted everywhere.


Macs are not immune to malware, but no true viruses exist in the wild that can run on Mac OS X, and there never have been any since it was released over 10 years ago. The only malware in the wild that can affect Mac OS X is a handful of trojans, which can be easily avoided by practicing safe computing (see below). Also, Mac OS X Snow Leopard and Lion have anti-malware protection built in, further reducing the need for 3rd party antivirus apps.
  1. Make sure your built-in Mac firewall is enabled in System Preferences > Security > Firewall

  2. Uncheck "Open "safe" files after downloading" in Safari > Preferences > General

  3. Uncheck "Enable Java" in Safari > Preferences > Security. This will completely protect you from the Flashback malware. Leave this unchecked until you visit a trusted site that requires Java, then re-enable only for your visit to that site. (This is not to be confused with JavaScript, which you should leave enabled.)

  4. Change your DNS servers to OpenDNS servers by reading this.

  5. Be careful to only install software from trusted, reputable sites. Never install pirated software. If you're not sure about an app, ask in this forum before installing.

  6. Never let someone else have access to install anything on your Mac.

  7. Don't open files that you receive from unknown or untrusted sources.

  8. Make sure all network, email, financial and other important passwords are complex, including upper and lower case letters, numbers and special characters.

  9. Always keep your Mac and application software updated. Use Software Update for your Mac software. For other software, it's safer to get updates from the developer's site or from the menu item "Check for updates", rather than installing from any notification window that pops up while you're surfing the web.
That's all you need to do to keep your Mac completely free of any virus, trojan, spyware, keylogger, or other malware. You don't need any 3rd party software to keep your Mac secure.

If you insist on running antivirus, ClamXav is one of the best choices, since it isn't a resource hog, detects both Mac and Windows malware and doesn't run with elevated privileges. You can run scans when you choose, rather than leaving it running all the time, slowing your system. ClamXav has a Sentry feature which, if enabled, will use significant system resources to constantly scan. Disable the Sentry feature. You don't need it. Also, when you first install ClamXav, as with many antivirus apps, it may perform an initial full system scan, which will consume resources. Once the initial scan is complete, periodic on-demand scans will have much lower demands on resources.
 
My assumption with that one is that, because the server supposedly collected the UUID of infected computers, it just kept a list of all the computers that were infected. After the removal the server doesn't change, because it has simply kept a list of computers that tried to contact it through the malware, not a list of computers that are actually currently infected.

It could be, but it would be a poorly managed system. If they manage their virus database in a similar way, I don't want to put my trust in them.

My skeptical side suspects that no matter what UUID you throw at it, the response will be "You had the malware and we removed it.".
 
From Twitter: [screenshot attachment, 2012-04-10]
 
I guess being too lazy and, frankly, cheap to spend that $29 seems pretty stupid now, doesn't it? :D
Because I use Snow Leopard, since I prefer the way it works to Lion (which, frankly, is the same OS with some intrusive iOS overlays), that makes me stupid and cheap? Yeah... ok...
 
Not really, but ....

With this infection at least, it relies on a Java exploit. So if you remove Java on one of the older machines, that should seal up the vulnerability.

If you have an old 10.3 or 10.4 Mac for specific purposes, there's a good chance those programs you still use with it don't require Java....


Many machines still run even earlier versions of OS X, including 10.4 and 10.3, to maintain specific functionality and compatibility. Do any of those tools address these (or even earlier) users?

Rocketman
 
With this infection at least, it relies on a Java exploit. So if you remove Java on one of the older machines, that should seal up the vulnerability.

If you have an old 10.3 or 10.4 Mac for specific purposes, there's a good chance those programs you still use with it don't require Java....
You don't even need to uninstall Java if you don't want to. Simply disable it in Safari preferences until you visit a trusted site that needs it, and you'll be fine.
 
To avoid future "infections".

Step 1. Remove Java, you probably don't need it.

Some older versions of Adobe Creative Suite might. Some bank websites might.

Step 2. Remove Flashplayer, if you insist upon using flash run Chrome.

Or install Click-To-Flash in Safari or Firefox.

Step 3. Don't be a click-happy nut who passively submits to blissfully typing in the admin password.

NOTABLY: This particular variant of Flashback was DRIVE-BY. And--- it may have been spreading through perfectly normal WordPress sites......
---
There, future crisii averted...

Smugness is unbecoming. :rolleyes:

Really. Let me repeat: you could become a Flashback victim by merely viewing a website, quite possibly a WordPress blog.
 
Really. Let me repeat: you could become a Flashback victim by merely viewing a website, quite possibly a WordPress blog.
There are a number of ways to avoid this trojan.

  • One simple way is to uncheck "Enable Java" in Safari preferences, whether you have the Java updates or not.
  • Use OpenDNS servers in your network and router settings.
  • Depending on which variant is involved, you can also be secure if you have one or more of the following apps installed, or simply have one of the following paths present on your computer (even without the app installed):
    /Applications/Microsoft Word.app
    /Applications/Microsoft Office 2008
    /Applications/Microsoft Office 2011
    /Applications/Skype.app
    /Library/Little Snitch
    /Developer/Applications/Xcode.app/Contents/MacOS/Xcode
    /Applications/VirusBarrier X6.app
    /Applications/iAntiVirus/iAntiVirus.app
    /Applications/avast!.app
    /Applications/ClamXav.app
    /Applications/HTTPScoop.app
    /Applications/Packet Peeper.app​
 
There are a number of ways to avoid this trojan. One simple way is to uncheck "Enable Java" in Safari preferences, whether you have the Java updates or not. Depending on which variant is involved, you can also be secure if you have one or more of the following apps installed, or simply have one of the following paths present on your computer (even without the app installed):
/Applications/Microsoft Word.app
/Applications/Microsoft Office 2008
/Applications/Microsoft Office 2011
/Applications/Skype.app
/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app​

Exactly, GGJ Studios has posted really pertinent information for Mac users. I read his advice about disabling Java in the browser at least a year ago. All good stuff to do, and it takes very little time.
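The "Terminal commands" referred to earlier in the thread and the bail-out path list quoted above, turned into one self-check script. This is an added example, not code from the thread, from F-Secure or from Kaspersky. It assumes the two checks the thread alludes to are the well-known `defaults read` queries for DYLD_INSERT_LIBRARIES in Safari's LSEnvironment and in ~/.MacOSX/environment.plist; the sample outputs and the `.example.so` path in it are constructed, not real captures, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: a Flashback self-check for the two places the
# DYLD_INSERT_LIBRARIES injection was planted, plus the "bail-out" path list above.
# The decision logic takes the text `defaults read` printed, so it can be exercised
# on captured output on any system; only flashback_check itself needs macOS.

# Classify the combined stdout/stderr of:
#   defaults read /Applications/Safari.app/Contents/Info LSEnvironment
classify_safari_lsenvironment() {
  case "$1" in
    *DYLD_INSERT_LIBRARIES*) echo suspicious ;;   # a library is injected into Safari
    *"does not exist"*|"")   echo clean ;;        # no LSEnvironment dict at all
    *)                       echo review ;;       # dict exists without the key: look at it
  esac
}

# Classify the combined stdout/stderr of:
#   defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
classify_user_environment() {
  case "$1" in
    *"does not exist"*|"") echo clean ;;
    *)                     echo suspicious ;;   # any value is injected into every process you launch
  esac
}

# Paths from the thread that some variants check before installing.
BAILOUT_PATHS='/Applications/Microsoft Word.app
/Applications/Microsoft Office 2008
/Applications/Microsoft Office 2011
/Applications/Skype.app
/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app'

# Print the bail-out paths that exist under $1 (use "" for the real root; tests pass a temp dir).
present_bailout_paths() {
  root="${1:-}"
  printf '%s\n' "$BAILOUT_PATHS" | while IFS= read -r p; do
    if [ -e "$root$p" ]; then printf '%s\n' "$p"; fi
  done
}

# Constructed sample output (not a real capture) in the shape `defaults read` prints;
# the .so path is a placeholder, not a known Flashback file name.
SAMPLE_CLEAN='The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist'
SAMPLE_INJECTED='{
    DYLD_INSERT_LIBRARIES = "/Applications/Safari.app/Contents/Resources/.example.so";
}'

# The real check; run as `sh flashback_check.sh --run` on a Mac.
flashback_check() {
  s=$(defaults read /Applications/Safari.app/Contents/Info LSEnvironment 2>&1) || true
  e=$(defaults read "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES 2>&1) || true
  echo "Safari LSEnvironment:        $(classify_safari_lsenvironment "$s")"
  echo "~/.MacOSX/environment.plist: $(classify_user_environment "$e")"
  echo "Bail-out paths present:"
  present_bailout_paths ""
}

case "${1:-}" in
  --run) flashback_check ;;
  *)     echo "sample clean:    $(classify_safari_lsenvironment "$SAMPLE_CLEAN")"
         echo "sample injected: $(classify_safari_lsenvironment "$SAMPLE_INJECTED")" ;;
esac
```

A "review" result for Safari means LSEnvironment exists but without DYLD_INSERT_LIBRARIES; that is unusual enough to inspect by hand rather than silently call clean. Presence of a bail-out path is not proof the machine was skipped, since it only matters for the variants that performed that check.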
 
Yeah, I wouldn't trust these companies at all. I do think the virus protection companies are the ones that infect your computers in the first place ( in the PC world, that is ). It's called job security. I'll wait for an Apple Approved app to test my Mac for a virus.

:p:p:p:p
 
And if you are infected, what is the effect exactly?

That information hasn't been posted in any of the Mac sites I've been looking at. However, Ars Technica posted an article today about a huge spike in DDoS activity in this first quarter, likely botnets, and it coincides with the Flashback variant hitting sometime in late January or early February. The targets were financial sites.

Anyway: http://arstechnica.com/business/news/2012/04/bad-bots-ddos-attacks-spike-in-first-quarter-outdoing-all-of-2011.ars
 
I don't trust that online UUID checker. My machine is not infected, yet the checker says I am. Don't trust it.
 
This scare mongering by the media and AV vendors is pathetic. The reports of shady removal tools and websites already is proof enough. It's to get you scared so you go and get their AV tools. A Java bug doesn't suddenly make it okay to turn over your whole computer/file system to an AV company. Yeah, go paste your UUID number everywhere... especially on a page that isn't even SSL encrypted. Sure looks trustworthy to me!

A whois on flashbackcheck.com doesn't even give you anything. Just Domains by Proxy, which means whoever set this up didn't want you to see anything when you run a whois. A whois on Kaspersky shows everything as it should be. Why would Kaspersky have a normal whois on their own site but not on another site they have? Wouldn't you want your name on a malware checker? Not to mention the different IPs. Why not host it on the same server? Things aren't fitting together here...

These Java vulnerabilities have been known for a while and the only fault of Apple is not updating quickly enough- basically at the last minute shortly after the "news" broke about the "600,000" people infected, which I don't really believe. And Safari's defaulted "derp, allow Java all the time!" habit is annoying. Apple kinda asked for all this negative attention.


Firefox + NoScript = end of drive-by attacks.
 
I don't trust that online UUID checker. My machine is not infected, yet the checker says I am. Don't trust it.

This scare mongering by the media and AV vendors is pathetic. The reports of shady removal tools and websites already is proof enough. It's to get you scared so you go and get their AV tools. A Java bug doesn't suddenly make it okay to turn over your whole computer/file system to an AV company. Yeah, go paste your UUID number everywhere... especially on a page that isn't even SSL encrypted. Sure looks trustworthy to me!

Maybe my skeptical side was right after all. :eek:
 
A few days ago I did the Terminal commands that F-Secure posted for checking for Flashback trojan (http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml). Redid it today and both times came up negative.

I downloaded and used an app to do the same (https://github.com/jils/FlashbackChecker/wiki) and also the F-Secure Flashback Removal app. They both also came up negative.

I used the web-based checker in this article, put in the hardware UUID of my Mac and surprise, surprise, it came up positive.

I would have thought that MacRumors would've tested them and seen that the Kaspersky Lab web page is bogus!!!!

This is what I assumed they would be up to... :p
 