Apple Patches Java To Block Flashback Trojan Affecting 600,000 Macs Globally

Apple’s Mac platform is always promoted as one of the safest platform than the competition. But the scenario is changing soon as Macs market share is growing. With its growth, the platform is now becoming a target just like its competition.

According to two independent security companies, Dr. Web and Kaspersky, an estimated 600,000 Mac computers worldwide are infected by the Flashback Trojan. Most infected Macs are based in the United States (around 55%), Canada (around 20%) and the UK (around 13%). The trojan is designed to steal personal information and disguises itself as the popular Adobe Flash browser plug-in.

flashback trojan stats

Flashback Trojan Stats, Image Credits: Dr. Web

Apparently, the trojan, BackDoor.FlashBack.39 or Trojan-Downloader.OSX.Flashfake.ab, is distributed via infected websites as a Java applet disguising itself as an update for the popular Adobe Flash Player. Once a user visits the infected website, the Java applet executes the first stage downloader that later downloads and installs the main part of the Trojan. According to Kaspersky, the main part downloaded is a Trojan-Downloader that continuously connects to one of its command-and-control (C&C) servers and waits for new components to download and execute.

Apple has released a Java 1.6.0_31 update for OS X on Tuesday that claims to deliver “improved compatibility, security, and reliability.” The patch closes multiple vulnerabilities found in Java 1.6.0_29 including the vulnerability which allows malicious code to be executed when a user visits a compromised website. The update is available through Software Update on any Mac running Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3, and Lion Server v10.7.3.

The trojan horse designed to exploit vulnerabilities in Java on OS X has been around since September of last year. Oracle, the developers of Java, patched up the security issue back in February. But, why Apple took so long to patch Java on its Mac platform is question which is now raised by many. Apple has not only reacted to the security issue late but they have done so only after the vulnerabilities were exploited and more than 600,000 Macs were infected. Apple needs to react more proactively like its competition if they want to protect its users from security vulnerabilities and exploits like this.

How to know if my Mac is infected already with Flashback Trojan and how to remove it?

What are Flashback Trojan symptoms when infected?

The FlashBack trojan only affects Macs with Java installed. So, if you don’t have Java installed on your Mac, then you don’t need to worry. If you’ve Java installed, the easiest way to find if your Mac has been infected with the Flashback Trojan is by running Dr. Web’s online Web utility. The online utility cross-checks your Macs unique hardware with its own database of machines that have been compromised. If it doesn’t matches, your Mac is apparently clean and is not infected. You should right away update your Mac with the Java 1.6.0_31 update released by Apple.

Josh Lowensohn from CNET provides some commands to manually check for infections by running the following three commands in the Terminal. You’ll find Terminal in the Utilities folder in your Macs Applications folder. Once you’ve started Terminal, copy and paste each one of the commands below into the terminal window. The command will run automatically:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read /Applications/Firefox.app/Contents/Info LSEnvironment
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

If your system is clean, the commands will tell you that those domain/default pairs “does not exist.” If you’re infected, it will spit up the path for where that malware has installed itself on your system.

Update: Kaspersky has made an online utility to check if your Mac is infected by the Flashback Trojan. Visit http://flashbackcheck.com and paste your Mac’s UUID to see if your computer is infected or not. The site will also check your Java version to test if you are running a vulnerable version or not. If its finds you’re using a vulnerable version it recommends you to run system update.

How to remove Flashback Trojan from my Mac?

If your Mac is infected already by the trojan, F-Secure antivirus company has step-by-step instructions for removing the Flashback trojan from your Mac.

Update: If you are found to be infected, you can also use Kaspersky’s free FlashFake removal tool.

This widespread infection asks us all some critical questions now. Is the Mac platform now becoming more vulnerable everyday? Why Apple took so long to react to the situation? Were you affected by the FlashBack trojan? Share your thoughts and experiences in the comments section below.

You may also like...