- What is Flashback?
Flashback is commonly referred to as a Trojan horse. This isn't strictly true. A Trojan horse tries to trick you into installing something on your Mac and requires action on your part. Unlike a Trojan horse, Flashback can infect your Mac when you simply visit a malicious website built to install it. Flashback installs itself without requiring an admin password, which is unusual for malware. The best description I've seen for Flashback is "drive-by software."
- How does Flashback work?
Flashback takes advantage of a security hole in Java, a programming language used by some apps. Specially crafted websites run a program that uses Java's security hole to infect your Mac.
- Which websites can infect my Mac with Flashback?
A website has to be written with special code to be able to infect a Mac with Flashback. This means that all the major websites and all other legit websites are safe to visit. As with any trojan horse, beware of unknown or shady websites and beware of links in emails to banks or other sites you visit regularly that might actually be directing you to a look-alike site. Check out this tip for more info.
- What happens if my Mac becomes infected with Flashback?
Interestingly, not one article I read in the mainstream media, and almost none in the tech media, actually tells what Flashback does. Nearly every article refers to Flashback as being part of a huge botnet, but what the heck does that mean? After some digging I found the info below, but with very little confirmation from multiple sources:
- Flashback can monitor your web browsing activity and get your usernames and passwords to the websites you visit.
- Flashback can redirect your web browsing to a malicious website that might try to trick you into giving up even more personal information. (This is classic Trojan horse behavior.)
- Flashback can disable OS X's built-in malware detection leaving you vulnerable to other malware down the line.
- Wikipedia's entry on botnets is clear as mud to me but the gist of it is that if a computer is part of a botnet the head of the botnet can steal a little bit of processing power from each infected computer to make a massive supercomputer that does even more evil things.
- What are my chances of being infected?
600,000 infections sounds like a lot, but with estimates of the number of Macs worldwide being around 60 to 90 million, that puts your likelihood of infection at 1% or less. Not huge, but far better odds than winning the lottery. The world map shown above lists infection percentages for major countries. The map shows the US at about 57%, with Canada and the UK running a distant second and third. These numbers represent each country's share of the 600,000 Macs infected with Flashback, NOT the percentage of ALL computers infected in each country as the map seems to imply.
- People always tell me that I don't need virus protection for my Mac. Has this changed?
This question gets asked more and more often these days and it is a fair question. Even with several malware scares in the past year, I still believe as I always have that anti-virus software isn't useful on the Mac. In the case of Flashback, it does check to see if you have certain anti-virus software installed and will not install itself if it finds it. However, anti-virus software vendors have been very quiet about Flashback and I think that most of them were caught unaware.
- How can I find out if I am infected?
Most of the tech media lists a set of Terminal commands that you can run to find out if your Mac is infected with Flashback. Many people find the Terminal intimidating and I generally recommend that people avoid it if they don't know what they are doing. (More about the Terminal later)
A kind soul has packaged the terminal commands into a very small app called Test4Flashback that you can download here. (NOTE: The name Test4Flashback is similar in format to the name Basics4Mac but I have nothing to do with this app.)
To run Test4Flashback:
- Click the link above to download the app to your Downloads folder.
- Depending on the security settings of your Mac, you will either get both the Test4Flashback app and the Test4Flashback.zip file or just the Test4Flashback.zip file. If all you have is the Test4Flashback.zip file, double-click it to unzip the Test4Flashback app.
- Double-click the Test4Flashback app to run it.
- In about half a second you will get a small window that hopefully says "Your computer is *NOT* infected" in green text. Thankfully, I don't know what the text is if your Mac is infected, but I'm guessing the text will be red and the meaning will be very clear.
NOTE: Hopefully you will be somewhat skeptical of downloading an unknown app to your Mac even if it is recommended by a nice guy like me. My source for the app is from this article from TidBITS which has the respect and trust of the entire Mac geek community. This article also lists the Terminal commands to run if you want to do the test manually.
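As an added illustration (this is not code from this article, from TidBITS or from the Test4Flashback app), here is a Python script that performs the same check the circulated Terminal commands do: it reads Safari's and Firefox's Info.plist and the user's ~/.MacOSX/environment.plist and reports any DYLD_INSERT_LIBRARIES entry, the setting the manual check looks for. The sample plists and the .EXAMPLE library names in it are constructed for the demonstration, not real Flashback artifacts.

```python
import os
import plistlib
from typing import Optional

# Constructed samples (not real Flashback artifacts). In an app's Info.plist the
# key sits inside LSEnvironment; in ~/.MacOSX/environment.plist it is top-level.
INFECTED_SAMPLE = plistlib.dumps({
    "CFBundleName": "Safari",
    "LSEnvironment": {"DYLD_INSERT_LIBRARIES": "/Applications/Safari.app/Contents/Resources/.EXAMPLE.dylib"},
})
CLEAN_SAMPLE = plistlib.dumps({"CFBundleName": "Safari", "LSEnvironment": {}})
ENV_SAMPLE = plistlib.dumps({"DYLD_INSERT_LIBRARIES": "/tmp/EXAMPLE_injected.dylib"})

def injected_library(plist_bytes: bytes) -> Optional[str]:
    """Return the DYLD_INSERT_LIBRARIES value in a plist, or None if absent.

    plistlib.loads accepts XML and binary plists alike, so the same function
    handles Safari's Info.plist and the per-user environment.plist.
    """
    data = plistlib.loads(plist_bytes)
    if not isinstance(data, dict):
        return None
    env = data.get("LSEnvironment", data)  # fall back to top level for environment.plist
    if not isinstance(env, dict):
        return None
    value = env.get("DYLD_INSERT_LIBRARIES")
    return value if isinstance(value, str) and value else None

def scan(paths) -> dict:
    """Map each existing path that carries an injected library to that library; missing files are skipped."""
    findings = {}
    for path in paths:
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                hit = injected_library(fh.read())
            if hit:
                findings[path] = hit
    return findings

# The locations the manual check reads with `defaults read` on an affected Mac.
DEFAULT_PATHS = [
    "/Applications/Safari.app/Contents/Info.plist",
    "/Applications/Firefox.app/Contents/Info.plist",
    os.path.expanduser("~/.MacOSX/environment.plist"),
]

if __name__ == "__main__":
    hits = scan(DEFAULT_PATHS)
    print(hits or "No DYLD_INSERT_LIBRARIES entries found in the usual locations")
```

A reported entry is worth a closer look but is not proof of Flashback on its own; some legitimate tools also use this mechanism, so check what the listed library actually is.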
- I'm not infected with Flashback. How do I protect myself moving forward?
Since Flashback uses Java as its attack vector, protection all revolves around Java.
Java isn't commonly used anymore so Lion doesn't even install it unless you try to run an app that needs it. However, if you installed Lion over an older version of OS X, Java will still be there. There is no simple way to remove Java once installed.
At the end of last week, Apple released an update to Java for Lion and Snow Leopard that closes the security hole that Flashback uses to infect Macs. Run Software Update from the Apple Menu and you are all set.
If you have an older version of OS X or you just want an extra level of protection against Flashback finding a new security hole in Java, you can turn off Java in your browser. There are two kinds of Java apps: ones that run as stand-alone apps in OS X and apps that run inside of your browser. Flashback can't touch stand-alone Java apps - it requires a Java app running in a browser.
To turn off Java in your browser:
- In Safari, go to Safari's Preferences / Security view and uncheck Enable Java.
- In Firefox, go to Tools / Add-ons from the Menu Bar and choose Plugins. Scroll through the list to Java Applet Plug-in and click the Disable button to the right.
- Other browsers: Google the name of the browser and "turn off Java" (e.g. "Chrome turn off Java").
- My Mac is infected with Flashback. How do I get rid of it?
Remarkably, after a week of Sturm und Drang over Flashback, there is scant information on how to remove it. As of this writing, I've found one AppleScript floating around that claims to remove Flashback, but it has been met with some skepticism and I've not found it to be validated by any reliable source. The only verified instructions I've seen involve working in the Terminal.
Terminal is an app that takes you under the hood of OS X and is very powerful. Terminal can also be very dangerous and you can do quite a lot of damage to your Mac if you aren't careful.
Terminal instructions to remove Flashback can be found here. If you look at the instructions and want to give them a shot yourself, make sure that you have a good backup of your Mac just in case something goes wrong.
If the Terminal commands look intimidating, I don't recommend just jumping in and giving it a shot. If you mess up, at best you might not really remove Flashback and at worst you could end up with a Mac that won't even boot.
I've studied Flashback extensively and know how to remove it using the Terminal. Even though I don't normally do phone support anymore, I am offering a special deal for $25 where I will log into your computer and remove the Flashback trojan. If you have run the Test4Flashback app from the "How can I find out if I am infected?" section above and gotten the message that your Mac is infected with Flashback, send me an email and we can set up a time to work together.