It says all Macs with Java installed.

But my 10.5 has nothing new. So Leopard: no update. I don't know about Snow Leopard.
 
Nice, but why is it 66 MB?

Edit: Because it contains a new version of Java. Ignore me heh.
 
Yeah, me too! Right after the update, it showed a little window that said the malware had been detected and removed... or something along those lines. I hope that's a good thing, but I'd like someone else to confirm they saw a pop-up like this on their computer after they downloaded the update.

Exactly the same happened for me, even though I checked last week using the Terminal method and appeared to be clear.
 
I have Xcode installed (one of the things that apparently stopped the installation of the trojan), and I'd checked in Terminal a few times over the last few days to see if I had it - all came up clean.

Now when I installed the java/security update it says flashback was 'found and removed', should I be worried?
Should I be running to change all my passwords?

Jesus christ, this is like going back to the bad old days of constant reinstallations on my PC when I got malware.

I can't believe I got infected, I'm the most careful, paranoid guy out there - I've never visited any 'dodgy' sites and only install updates from vendor sites - i.e. adobe.com for Flash etc.


Sigh... :(
 
You're the exact type of user this update was released for.

I thought OS X has had trojans, malware and other nasties in the past. But no viruses. As far as I know. But I do know OS X can be infected still by various nasties. A lot less than Windows 'cause of OS X's base structure, but even OS X is not impenetrable.
 
You don't even have to do that.
  • If you're on Leopard or earlier and are running MS Office 2008 or 2011 or Skype, you're protected.
  • If you have Java disabled in Safari, you're protected.
  • If you simply type the following into Terminal, you're protected:
    touch /Applications/ClamXav.app

I Installed the update and had the message that it removed the malware from my computer even though I have MS Office 2008 installed?
 
I Installed the update and had the message that it removed the malware from my computer even though I have MS Office 2008 installed?

This Flashback trojan has several variants, some of which were recently released. The "Terminal removal detection and removal instructions" and the list of programs that the trojan would refuse to install upon detecting is outdated in my opinion, as confirmed by so many people that thought "they were clean" of this trojan, yet Apple's latest Java update notified them that it had detected and removed the Flashback trojan code.

New variants of this trojan seem to be installing regardless of what other programs are on the user's Mac, and seem to be hiding themselves from being removed and/or detected by the Terminal Trojan Removal Instructions that had previously been released by F-Secure and others.

I had this trojan when it first came out, and it exploited the Java vulnerability to get into my Mac without me knowing about it. I started seeing strange things happening in the background (like a lot of data transfer being reported by my ISP) even after I followed the Terminal Removal instructions from F-Secure.

Someone suggested I install "Little Snitch", which monitors and reports on any program out of the ordinary trying to send data out onto the Internet from my Mac. I installed "Little Snitch" and it reported that several Flashback trojan programs masquerading as hidden files and/or configuration files for valid Mac apps were trying to send data out to strangely named botnet servers without my consent. I Googled the domains they were trying to access and the filenames the trojan was masquerading as, and found on Apple discussion forums that others were seeing the same trojan behavior with these infected files and botnet domains/websites.

I manually removed these trojan infected hidden files and configuration files, and have had no more problems reported by Little Snitch. Also Apple's latest Java update did not report that it found any traces of this Flashback trojan on my Mac, when I installed it, unlike many other people who reported that the update said that it had removed infected Flashback files from their system.

So I believe that every Mac user running Lion should install Apple's latest Java update (for Lion), and all Mac users should install the Little Snitch app (which runs for 3 hours free in demo mode). It can be restarted after 3 hours as many times as necessary. This way you should detect if any remnants of this trojan are trying to run and contact their command and control botnet servers.

All Mac users should also verify that Java is disabled from running in Safari's Security Preferences panel, as an extra precaution.

Hope this helps...
 
Has this update killed anyone's Black Macbook 4,1 other than mine? My display worked fine before install, but after install, my display gets about 98% dim. The screen will be bright, then go dim. The only way to restore the brightness is to put the computer to sleep and wake it up, or to use the F1 and F2 keys to dim it all the way first and then brighten. This is clearly a software issue and not a hardware issue. Based on how the dimming and restoration works, as well as the timing of the install, it has to be caused by this Java update.

Anyone else?
 
I am wondering about something:

I have an iMac running Lion and a MacBook running Lion. Both do not have Java installed, but did have Java enabled in Safari up until recently. I ran the terminal codes and came up clean. I have also not noticed any unusual behavior. I am under the impression that by never having Java installed that I could not have gotten this Trojan. What I am unclear of is that although I don't have Java installed, can the fact that I had Java enabled in Safari previously still have caused me to get this Trojan? Any info is appreciated.

I also have a PPC iMac running Leopard which has Java installed by default and had Java enabled in Safari up until recently. I ran the terminal codes on it and came up clean. There hasn't been any odd behavior although I am still wary of assuming I am ok.

Since there are a few variants of this Trojan, is there anything I can do that doesn't involve installing software to check if I have this Trojan? Again, if I never had Java installed on my 2 Macs running Lion but had Java enabled in Safari could those 2 machines still have been infected?

On my PPC iMac running Leopard I noticed that when I disabled Java in Java Preferences in Utilities certain websites like Gmail weren't working properly. So I had to leave it enabled but I disabled it in Safari.

I have also enabled my firewalls and changed my DNS to OpenDNS and disabled Java in Safari on all my Macs. Even though none of my Macs are acting any differently I would still like to know what else I can do to officially know if any of my Macs have this Trojan. Sorry for such a long post and if I sound confusing. Any help/advice/suggestions/feedback is appreciated, thank you.
 
You see, UNIX is open sourced

It is? News to me. What UNIX are you talking about exactly?

----------

inherent security. :rolleyes:

There's nothing "inherent" about OS X as far as security goes. In fact, OS X compromises on security in quite a few areas (especially filesystem ACLs) for convenience's sake.

----------

Obviously not, since they just issued an update for Java.

What Apple said they would stop is producing a version of Java 7 and beyond. They left that up to Oracle, and the project is underway under the OpenJDK banner:

http://openjdk.java.net/projects/macosx-port/

They however still maintain their J2SE 6 implementation.
 
You don't even have to do that.
  • If you're on Leopard or earlier and are running MS Office 2008 or 2011 or Skype, you're protected.


I wish people would quit propagating this.

Yes, you are protected from this specific variant, but there is no inherent protection in having them installed. For whatever reason this variant chose not to install itself if those apps were present. The next variant may not.

Telling people they're protected and therefore don't need other tools is negligent.
 
Yes, you are protected from this specific variant, but there is no inherent protection in having them installed. For whatever reason this variant chose not to install itself if those apps were present. The next variant may not.
You are absolutely correct. I should have been more specific. If you have any of those apps installed you are inadvertently protected against this variant, but there is nothing about those apps that provides defense against malware. It just happened that this particular trojan uninstalled itself if it found a path to one of those apps present.... it didn't even require that the app be installed.... only that the path existed. There is no assurance that having any particular app installed, including any antivirus app, will protect you from future variants or other future malware. Thanks for pointing that out!
 
although I don't have Java installed, can the fact that I had Java enabled in Safari previously still have caused me to get this Trojan?
The "Enable Java" setting in Safari Preferences doesn't install Java if you don't have it on your system. It only enables it in Safari if it is installed. If you don't have Java on your system, you couldn't get this trojan unless you entered your admin password to allow it.
On my PPC iMac running Leopard I noticed that when I disabled Java in Java Preferences in Utilities certain websites like Gmail weren't working properly. So I had to leave it enabled but I disabled it in Safari.
You don't need to disable Java in Java preferences. You only need to disable it in Safari preferences. Websites like Gmail will work perfectly fine with Java disabled in Safari.
I have also enabled my firewalls and changed my DNS to OpenDNS and disabled Java in Safari on all my Macs. Even though none of my Macs are acting any differently I would still like to know what else I can do to officially know if any of my Macs have this Trojan.
For any Mac running Snow Leopard or Lion, apply the Java updates by running the Software Update utility. For Macs running Leopard, follow the detection and removal instructions provided by F-Secure.
 
When I check this site AFTER having run the Apple update earlier, it still says my Mac is affected...

That website is just a lookup to their database of affected UUIDs. If your system has ever contacted their sinkhole, it will always be listed as affected, even when it's been cleaned. So nothing to worry about.
 
The "Enable Java" setting in Safari Preferences doesn't install Java if you don't have it on your system. It only enables it in Safari if it is installed. If you don't have Java on your system, you couldn't get this trojan unless you entered your admin password to allow it.

You don't need to disable Java in Java preferences. You only need to disable it in Safari preferences. Websites like Gmail will work perfectly fine with Java disabled in Safari.

For any Mac running Snow Leopard or Lion, apply the Java updates by running the Software Update utility. For Macs running Leopard, follow the detection and removal instructions provided by F-Secure.

Cool, thanks for the info. I didn't have any Java updates through the Software Update utility on any of my Macs. It should be due to the fact that I don't have Java installed on my systems running Lion and my PPC running Leopard isn't supported by this update. I also don't recall any instances that I was asked for my admin password that seemed out of the ordinary. I ran the codes in Terminal and came up clean. Whenever Adobe alerts me of a Flash update I always go to the site to make sure there is a newer version out. However, I am still unsure of how to update Flash through Adobe's site and have been using their own update installer when I notice I am not running the current version because it always has that distinct look. I do want to learn how to update through Adobe's site though.
 
Has this update killed anyone's Black Macbook 4,1 other than mine? My display worked fine before install, but after install, my display gets about 98% dim. The screen will be bright, then go dim. The only way to restore the brightness is to put the computer to sleep and wake it up, or to use the F1 and F2 keys to dim it all the way first and then brighten. This is clearly a software issue and not a hardware issue. Based on how the dimming and restoration works, as well as the timing of the install, it has to be caused by this Java update.

Anyone else?

I've got the same Macbook, running 10.6.8. The update ran fine with no side effects. I've tested it both on battery and powered.

Have you checked the Energy Saver System Preferences, to see if they have changed recently? This sounds like screen dimming just prior to putting the machine to sleep and there are specific settings for that.
 
Finally a solution to this Flashback. Although I don't have it, I'm glad my Mac community is protected from these things!

Unfortunately, Apple's patches are only protecting 80% of their Customer base.


It's quite common for developers to stop supporting older OS versions. While the time frame or number of "generations" may vary, they all do the same thing.

Microsoft Support Lifecycle

And in Apple's case, that window is now very small. But official support is one thing, and just a little helpful suggestion is something else that would not seem unwarranted in a case like this.

YMMV, but I would not say that 20% represents a "very small" percentage.

As per Hitslink stats, 20% of Mac users are running Leopard or older versions of OS X.

Apple hasn't issued any Java security patch for Leopard (or older), so this leaves 20% of the current Mac user base as vulnerable.

Do note that Snow Leopard only superseded Leopard on 28 August 2009 ... that's only 2 years & 7.5 months ago, so it's not particularly credible to claim that Leopard is so ancient that it shouldn't be supported.

...especially for security patches.

-hh
 