OFFICIAL SECURITY BLOG


Flashback infections becoming widespread

Published February 21st, 2012 at 10:16 AM EDT , modified February 29th, 2012 at 9:43 AM EDT

A little more than a week ago, in Flashback using Java vulnerabilities, I wrote about a new variant of Flashback that displays virus-like behavior: it can infect a machine without any user interaction.  I did not take this too seriously, since the current version of Java fixes the vulnerabilities it relies on.  However, many users evidently still have outdated versions of Java installed, as there has been an explosion of users reporting symptoms of Flashback infection.  I cannot over-emphasize this: all Mac users need to immediately check the version of Java that they are running, and update if necessary!

The current version of Java that is available from Apple is 1.6.0_29.  You can determine the version of Java that you have by opening Java Preferences (found in the /Applications/Utilities folder) or by executing the “java -version” command in the Terminal.  In Mac OS X 10.7 (Lion), this may result in being asked to install Java (see image at right), as Java is no longer installed by default.  In this case, you can feel free to click Not Now and ignore this threat, as you are safe.

If you have a version of Java older than 1.6.0_29, you need to update ASAP!  Software Update should deliver the update to you, but if it doesn’t, you can manually update by downloading the Java for Mac OS X 10.6 Update 6 or Java for OS X Lion Update 1 (depending on the version of Mac OS X you are running).  Unfortunately, if you are running Mac OS X 10.5 (Leopard) or older, Apple does not have a Java update for you.
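As an added example (not part of the original post), here is a small POSIX shell script that parses the output of `java -version` and reports whether the runtime is at or above the 1.6.0_29 build named above; the `java -version` strings it is fed for testing are constructed, and no particular wording is assumed for the Lion "install Java?" case, only the absence of a version line.

```shell
#!/bin/sh
# Added example (not from the original post): parse `java -version` output
# and compare it with the minimum Apple build the post names, 1.6.0_29.
MIN_JAVA="1.6.0_29"

# Pull the quoted version token out of `java -version` output, e.g.
#   java version "1.6.0_26"
# Prints nothing if no such line exists (Java absent or output unexpected).
java_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Compare two versions of the form major.minor.patch_update numerically,
# field by field; prints "older", "equal" or "newer" for $1 relative to $2.
compare_java_versions() {
    a=$(printf '%s' "$1" | tr '._' '  ')
    b=$(printf '%s' "$2" | tr '._' '  ')
    set -- $a
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}; a4=${4:-0}
    set -- $b
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}; b4=${4:-0}
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3" "$a4 $b4"; do
        set -- $pair
        if [ "$1" -lt "$2" ]; then echo older; return; fi
        if [ "$1" -gt "$2" ]; then echo newer; return; fi
    done
    echo equal
}

# Classify the output: "update" when an older runtime is installed,
# "safe" when it is 1.6.0_29 or newer, "no-java" when no runtime reports
# a version (the Lion case, where you can decline the install prompt).
java_status_from_output() {
    v=$(java_version_from_output "$1")
    if [ -z "$v" ]; then echo "no-java"; return; fi
    case $(compare_java_versions "$v" "$MIN_JAVA") in
        older) echo "update" ;;
        *)     echo "safe" ;;
    esac
}

# Live check on the Mac being examined; `java -version` writes to stderr,
# hence the redirect.
check_local_java() {
    java_status_from_output "$(java -version 2>&1)"
}
```

Run `check_local_java` in the Terminal to get one of the three verdicts for the machine in front of you.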

So how do you know if you are infected?  This variant of Flashback is a sneaky devil, but there is one characteristic symptom that has come to the surface over the last few days: some text labels and menu items in the Finder (at least) will be replaced by strange codes.  Some examples can be seen at right. If you see anything like this, you have been infected with Flashback.

What does being infected mean?  Unfortunately, the exact function of this malware is still somewhat unclear.  You can see some coverage of previous versions of Flashback that I have published here, but there is much left unsaid.  In summary, Flashback is known to do a number of nasty things: insert malicious code into other apps, install a backdoor, transmit personal information about you to a remote server and disable software that might protect you.  That’s all very bad, even if you don’t know the details of what information it is transmitting or how it is gathered.  If the idea of your personal information in the hands of hackers doesn’t concern you, there’s the obvious damage to the user interface shown in the examples here.  There is also the very real possibility of instability.  People are reporting that some or all of their apps will no longer open, among other problems.

Obviously you’ll want to get rid of this thing if you are infected.  The trick is figuring out how to do that.  Instructions for manually removing previous variants do not appear to work with this one.  Worse, even with previous variants, some damage done was not easily reversible, like the disabling of Apple’s XProtect software.  (XProtect is a part of the system in Mac OS X 10.6 and later that protects you against known malware.  Read more about XProtect in my Mac Malware Guide.)

At this point, I recommend nothing less than erasing the hard drive and reinstalling the system and all applications from scratch, as well as changing the passwords for all your online accounts.  (Note that you should not change those passwords from an infected machine!  Change them from an uninfected machine, or wait until you have cleaned up your system.)

It will be extremely important not to import anything other than user data from your backups.  Do not try to import applications from a backup of the infected system, as those applications may have malicious code inserted in them. Also, do not try to import preference data from the old system.  You want the cleanest possible system!  Migration Assistant and Setup Assistant could be your enemies here, as they could reinfect your system.

Update: Note that I strongly suggest turning off Java (not JavaScript, which is totally different) in your web browser’s security preferences!


7 Comments

  • Peter Cowle says:

    Hi Thomas.

    Thanks for the usual clear and concise explanation.
    I will be sending a link of this page to all my fellow Mac users.
    Seems that this is one threat that we all should take seriously.

    Pete.

  • Anna says:

    Thanks Thomas for this excellent information. My MacBook is infected with this virus. I caught it without downloading anything, just by going to a dodgy website.

    The main signs were that Skype immediately stopped working and then later numbers started appearing in menus as you describe above. With the help of Intego I removed the .so file from my computer.

    Apple support don’t seem to know anything about this problem. I’m leaving my MacBook switched off until I can take it somewhere to get the hard drive wiped and rebooted. I’ve also changed my passwords via other computers.

  • Mark Hennon says:

    “Unfortunately, if you are running Mac OS X 10.5 (Leopard) or older, Apple does not have a Java update for you.”

    Would this help with Intel machines on 10.5.2+?
    http://support.apple.com/kb/TS3489

    –Mark

    • Thomas says:

      I don’t think that will help, from what I hear. But as I don’t have a machine capable of running 10.5 anymore, I can’t test it for sure. If you’ve got 10.5.x and have followed those instructions, check the version of Java as I described in the second paragraph above. If it’s not 1.6.0_29, you’re not safe. And even if it does, you could still be taken in by the certificate trick. Best to just turn off Java in your browser.

  • Jon says:

    Well this sucks… Would it be ok to back up safari bookmarks?

    • Thomas says:

      Did you get infected and you’re trying to back up prior to a clean reinstall? If so, yes, you can back up bookmarks.

  • Jon says:

    Yes, and thanks!
