How to Remove the Flashback Trojan from Mac OS X
Over 600,000 Macs are infected with the Flashback Trojan. Find out how to remove it and protect your Mac OS X...
Once thought to be impervious to infection, Mac OS X is under attack yet again, this time from another variation of the Flashback Trojan.
The first onslaught of the Flashback virus surfaced in 2011, and since then several variations of the Trojan have been reported, each one performing the same malicious acts on your system.
The latest, which is said to have infected over 600,000 Macs worldwide, is called BackDoor.Flashback.39. This Trojan redirects users to a bogus site that prompts the installation of a malicious Java script. With the malicious script exploiting a security hole in Java, the Trojan begins stealing users’ personal data.
How to Protect Yourself from the Flashback Trojan For Mac OS X
The latest security patch for Java fixes these security issues. To make sure you’re protected, manually run your Software Updater to check that everything is up to date. If you’re in need of a new Java patch, it will be listed as ‘Java for OS X 2012’ (pictured below).
FlashBack Trojan Poses as Java Update
Update [04/15/2012]: Apple has released a new update specifically tailored to counter the Flashback attack. The new update is labelled ‘Java for OS X 2012-003’.
If Java is not up-to-date, it’s possible for these malicious sites to automatically install the Trojan without any user interaction. If you have Java correctly patched, it’s still possible to receive the bogus prompt, but only if your browser is set to open files automatically, or if you execute the file by clicking it.
Luckily, Firefox, Chrome and Internet Explorer are not set to automatically open downloaded files by default, which means you’ll need to respond to a popup prompt, or physically open the file, to begin the installation. Even then you’ll be asked to input your system password before any program can be installed.
However, if you use Safari, the browser’s default setting is configured to open ‘safe’ files as soon as they have downloaded. Apple’s definition of ‘safe’ includes ‘movies, pictures, PDF and text documents, and disk images and other archives’, which basically means it will open anything it downloads, including viruses and malware.
To correct this, open Safari’s Preferences and in the General tab uncheck the ‘Open “safe” files after downloading’ option.
It’s only the installer that can be launched automatically; users will still be asked to enter their system password.
Update [04/15/2012]: Security firm F-Secure explained how the Trojan still attempts to access your computer, whether you enter your password or not: “On execution, the malware will prompt the unsuspecting user for the administrator password. Whether or not the user inputs the administrator password, the malware will attempt to infect the system, though entering the password will affect how the infection is done.”
To avoid infection from the Flashback Trojan, or any other virus, be cautious of all pop-up windows prompting you to install updates, even if they look legitimate. If you are presented with any popup you’re not sure about, simply run your Software Updater in OS X, or head directly to the website in question, and check for any updates. And never enter your password to authorise the installation of any software you are not quite sure about.
If you know you have previously followed a Java update prompt and are worried that you may be infected with the Flashback Trojan, follow the steps below to remove the malicious software from your machine.
How to check if you’re infected with the Mac Flashback Trojan
Open Finder and navigate to the ‘Library’ folder, then open ‘LaunchAgents’
In this folder there will be one or more files; this is where Flashback will be located. Open each one and check the text; it will look something like this:
Here you can clearly see my soundcard software by ‘Apogee’ set to run when the device is connected.
If you are infected with the Flashback Trojan, one of these files will contain text that reads something like ‘BackDoor.Flashback.39’ or ‘BackDoor.Flashback.k’.
If the file is empty, it means you have no programs set to run automatically and are not infected.
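To go through the LaunchAgents folder without opening each file by hand, the check above can be scripted. This is an added example, not part of the original article: the sample file names, labels and paths are constructed, and the "hidden file or folder" note is a generic review hint (an assumption), not a Flashback signature.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

def summarize_agent(plist_path):
    """Return label, launch command and review notes for one agent file."""
    entry = {"file": Path(plist_path).name, "label": None, "command": [], "notes": []}
    try:
        with open(plist_path, "rb") as fh:
            data = plistlib.load(fh)  # reads both XML and binary plists
        if not isinstance(data, dict):
            raise ValueError("not a launchd job dictionary")
    except (ValueError, ExpatError, OSError) as exc:
        entry["notes"].append(f"unreadable: {type(exc).__name__}")
        return entry
    args = [str(a) for a in data.get("ProgramArguments") or []]
    program = data.get("Program") or (args[0] if args else None)
    entry["label"] = data.get("Label")
    entry["command"] = args or ([str(program)] if program else [])
    if program is None:
        entry["notes"].append("no program defined")
    elif any(part.startswith(".") for part in Path(str(program)).parts):
        # Generic review heuristic (an assumption, not a Flashback signature).
        entry["notes"].append("program is in a hidden file or folder")
    if data.get("RunAtLoad"):
        entry["notes"].append("starts when the agent is loaded")
    return entry

def scan_launch_agents(directory):
    """Summarize every .plist in a LaunchAgents folder, sorted by file name."""
    return [summarize_agent(p) for p in sorted(Path(directory).glob("*.plist"))]

def build_constructed_samples(directory):
    """Write constructed sample files; names and paths are made up."""
    samples = {
        "com.example.audio.plist": {"Label": "com.example.audio",
            "ProgramArguments": ["/Library/Application Support/Example/helper"]},
        "com.example.update.plist": {"Label": "com.example.update",
            "ProgramArguments": ["/Users/alice/.update"], "RunAtLoad": True},
    }
    for name, content in samples.items():
        (Path(directory) / name).write_bytes(plistlib.dumps(content))
    (Path(directory) / "empty.plist").write_bytes(b"")  # empty or damaged file case

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_samples(tmp)
        for entry in scan_launch_agents(tmp):
            print(entry["file"], entry["label"], entry["command"], entry["notes"])
```

On a Mac, call scan_launch_agents with the path of your own LaunchAgents folder instead of the temporary sample directory, then look up any label or program you do not recognise before deleting anything.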
How to remove the Flashback Virus for Mac OS X
To remove the virus, you can simply locate and delete the malicious files from your machine (and your trash).
If you are unsure whether the files include the Flashback Trojan, you can run an antivirus program to detect and remove the files.
If you haven’t already got antivirus software on your Mac, below is a list of FREE antivirus applications for Mac OS X:
- Intego VirusBarrier X6
- Dr. Web Light
- Sophos Home Edition
If this doesn’t remove the Trojan, you can follow a more in-depth method described by F-Secure.com (advisable for advanced users only), or alternatively you may need to seek professional assistance.