The Safe Mac

Follow The Safe Mac on Twitter to stay advised of the latest Mac security news!


About the Flashback malware

Published April 7th, 2012 at 2:37 PM EST, modified January 12th, 2013 at 8:08 AM EST

What is Flashback?

Flashback first appeared back in September of 2011, as a simple trojan.  It would be downloaded from web sites that displayed a warning that your Adobe Flash player had crashed and needed to be updated.  Of course, the “update” would actually be malware, which would install some code that would be inserted into applications like Safari, with the purpose of sniffing out data you transmit, such as credit card numbers or financial site passwords.  It wasn’t to big a threat to the wary web surfer, though…  especially English-speaking folks, who would be tipped off immediately by text like “Update fix a crush of Adobe Flash player.”

More variants appeared over time, including one that would disable the XProtect system in Mac OS X, which is meant to protect you against malware.  Some of those early variants are still not recognized by a number of anti-virus programs today.  None, however, were serious threats.  Some people became infected, of course, but not on a large scale.  Part of that may be due to the fact that Flashback refused to install itself on systems with certain security programs installed, such as several common anti-virus programs, Little Snitch (a firewall program) or Apple’s XCode programming software.

All that changed in February of 2012, when a new variant of Flashback appeared.  This new variant was no longer entirely a trojan, as it used bugs in Java to install itself behind the scenes, rather than tricking the user into installing it.  All you had to do was visit the wrong site and the malware would be installed.  The Java vulnerabilities that it relied on had already been patched by Apple, but many people never install security updates, so the infection rate began to rise.  In addition, on Macs that had installed those Java updates, there were a couple other tricks it employed to fool the user into installing it.  It would either show a very official-looking window asking you to accept a certificate from Apple or it would show another very official-looking window asking for a password for Software Update, but accepting either one would install the malware.  Even on vulnerable systems, some variants asked for a password so that it could be installed more deeply in the system, though if you refused at that point you were infected already, so it made little difference.

Then, in April, Flashback began utilizing another bug in Java that Apple had not yet patched.  All systems with Java were suddenly vulnerable (unless they had one of the programs that Flashback tried to avoid).  Apple released a patch that closed those vulnerabilities the day after the first discovery of this new malware, but of course, many people still didn’t install it.  Further, some who tried were unable to, as the patch was rushed a bit and exhibited problems for a number of people.

What is Java?

Java is a cross-platform environment for running applications or “applets” (little Java apps found on web pages).  The advantage of Java is that most code just needed to be written once, and then could be run on many different platforms.  Java applications rely on a Java “virtual machine” that allows them to run.  Oracle is currently responsible for the development of the Java virtual machines, although Apple creates their own versions for use on Macs.  Apple is trying to end that arrangement, making Oracle solely responsible for future versions of Java and not installing Java by default on the system.  (Mac OS X 10.7, aka Lion, does not come with Java pre-installed, as previous versions of Mac OS X did.)

Java applets are fairly rare on web sites these days, so most people will not miss Java if they turn it off or don’t install it.  And it is important to note that Java and JavaScript are two completely different and unrelated things.  JavaScript is not the issue in this case.

What are the symptoms of Flashback?

There are a variety of possible symptoms.  One common symptom is that certain apps, such as Safari and other web browsers, or even all apps, will start crashing out of the blue.  This is apparently especially common on older PowerPC Macs, where one variant of the malware accidentally injects Intel code into those apps.  Of course, there are many other possible reasons for applications to crash, so you can’t assume that crashes are caused by Flashback.  However, if the crash is accompanied by an error message reading “Safari quit unexpectedly while using the [insert file name here] plugin,” that’s a sure sign of Flashback!  The file name varies, and usually ends in .so, though some recent reports have been appearing in which the file name ends in .tmp.  Regardless of the file name, if you don’t recognize it as a plugin that you have installed, be suspicious.

Another symptom is seeing strange codes in menus and other interface elements.  (Some examples are shown.)  That was caused by a buggy variant of Flashback.  That was a rather unacceptable bug for malware that’s supposed to be sneaky, though, so the hackers behind it fixed the problem.  I haven’t seen a case like this recently, but if you’ve been suffering in silence with this problem for a while, now you know why.

Some variants of Flashback have also been documented to redirect to scam websites.  This is generally used for phishing, by causing attempts to load legitimate sites to be redirected to scam sites that look similar.  The idea is that you don’t notice the change, and enter your login information or other sensitive personal information (such as a credit card number) on the scam site.  Of course, there are many other reasons that you might see these kinds of redirects, so this is not a guarantee that you have been infected with Flashback.

Unfortunately, though, for many people, there are no symptoms.  You might very easily be infected and have absolutely no clue.  That’s a bit of a problem, huh?

How do I check for and remove Flashback?

Apple has released three updates: Java for OS X Lion 2012-003, Flashback malware removal toolJava for Mac OS X 10.6 Update 8.  The first is for users of Lion who have Java installed, the second for users of Lion who do not have Java installed and the third is for users of Snow Leopard.  The correct update for your machine will also show up in Software Update (accessible through the Apple menu), and each one will remove Flashback if you happen to be infected.  (Note that the updates themselves remove the malware, they do not install a tool that needs to be run separately to remove the malware.)  They will also ensure that you have the most recent version of Java (if it is installed), and will modify some of your Java settings to ensure that your computer is a bit safer in the future from any other potential Java exploits that may be discovered at a later date.  I recommend installing these updates immediately.

If you are running an older system that Apple has not released an update for, you could use F-Secure’s removal toolSophos Anti-Virus for Mac Home Edition or ClamXav to remove the malware.  You could also check your machine with these tools after installing the updates, if you’re paranoid.  That should not be necessary, and I have no reason to recommend it at this point, but it can’t really hurt.

If you are really paranoid, you could reinstall your system from scratch.  I definitely do not recommend that at this point.  Still, if you choose to go that route, the first thing you will want is a backup of anything you want to keep.  The best approach would be to clone your entire hard drive to an external drive, using a tool like Carbon Copy Cloner or SuperDuper.  Once you’ve got your backup, you can start the reinstall process.

If you are using Mac OS X 10.6 or earlier, you’ll need to reboot from your Mac OS X install disk by inserting it, restarting and holding down ‘c’ at startup.  Once the installer appears, select your language and then choose Disk Utility from the Utilities menu.  If you are using Mac OS X 10.7, hold down command-R at startup to enter Recovery Mode, and choose Disk Utility from the options presented to you.

In Disk Utility, select your hard drive (not the backup you just made!), click the Erase tab and then click the Erase button.  This will destroy everything on the hard drive, so just be sure you’ve got backups before proceeding!  Once the process is done, quit Disk Utility and proceed with installing the system on the newly-cleaned drive.  When asked, though, if you want to import data from a backup or an older computer, decline.  Setup Assistant does not provide granular control over what it imports, so it may unintentionally reinstall the malware from your backup!

Once the installation is done and you have started up from your new system for the first time, the first thing you should do is run Software Update (found in the Apple menu) and install all updates.  After it’s finished, run Software Update one more time…  sometimes things will show up after all those updates that didn’t show up before.

When your system is fully up-do-date, then you can start reinstalling applications.  Do not try to copy them from your backups!  Reinstall them from the original disks, or if they were downloaded from a web site, re-download them.  (Note that applications that are downloaded from peer-to-peer sharing sites or through torrents should never be installed, for a variety of reasons ranging from illegality to probability of the app containing malware.  Get your apps from legitimate sources only!)

Once your apps are installed, you can start copying data from your backups, but carefully!  Only copy documents, and don’t copy anything from the Library folder in your user folder in the backup unless you know exactly what it is.  (That Library folder is one place that this malware installs itself.)  If you need to restore your Apple Mail settings and mailboxes, the items you need to restore are:

~/Library/Mail/
~/Library/Preferences/com.apple.mail.plist

Your Address Book data is in:

~/Library/Application Support/AddressBook/

Your iCal data is in:

~/Library/Calendars/

If you have other data that you don’t know how to locate, try searching on Google.  There are undoubtedly instructions out there somewhere.

How do I protect myself from Flashback?

Protecting yourself from the recent variants of Flashback is actually fairly simple: just turn off Java in your web browser.  (Or, even better, don’t install it in the first place if you’re using Lion.)  In Safari, this is done by unchecking Enable Java in the Security pane of the preferences window (accessed by choosing Preferences from the Safari menu):

In Firefox, select Add-ons from the Tools menu, and in the Plugins pane, disable anything related to Java:

If you cannot disable Java in your web browser for some reason – for example, if your work requires Java or you’re a hopeless Runescape addict – then my advice is to keep it turned off except when you are visiting sites that you absolutely need Java for, and that you trust.  Of course, that could require lots of trips to the preferences in your browser to turn Java on and off.  It may be more convenient to use a secondary browser.  Keep Java turned on in one browser and use it only for trusted sites that require Java.  Use your other browser for all other sites.

Of course, it should also go without mention that you should install all Java security updates available in Software Update.  This is especially important to people who will need to have Java turned on sometimes.  Remember: security updates are important!  Flashback is a great example of why you shouldn’t skip them.

Unfortunately, people who are running Mac OS X 10.5.x (Leopard) or older cannot obtain patched versions of Java from Apple.  Those systems are no longer supported.  So, if you are the unlucky user of an unsupported version of Mac OS X, you will need to simply keep Java turned off at all times.  It is simply too dangerous at this point to use Java on a vulnerable system.

Should I use anti-virus software?

Despite this new threat, the answer to that question is still only “maybe.”  Anti-virus software is not necessary to protect yourself from Flashback.  You can visit my Mac Malware Guide to find a full discussion of all threats currently known and how anti-virus software fits into a protection plan.  But if you only take one thing away from that discussion, it should be that no anti-virus software can protect you if you make poor choices with your computer.  Educate yourself and learn how to avoid malware first and foremost, and use anti-virus software at most as a back-up safety net.

If you do choose to use anti-virus software, see my recommendations in Mac anti-virus detection rates.

Updates

June 3, 2012: There have not been any further Flashback sightings in about a month.  Further, it has been reported that the hackers behind Flashback were only able to rack up $14,000 in click fraud (displaying additional advertisements in your web browser so that clicks on those ads pay them), and that they have been unable to actually collect that money.  So I think Flashback is dead at this point.  Unfortunately, if rumors are true that the hackers behind Flashback were also behind last year’s MacDefender outbreak, that means they have probably simply moved on to development of some new malware.

 


This page and all contents (unless otherwise noted) copyright 2011-2014 by Thomas Reed.
For questions or comments, please contact me.