
Malware on Mac OS X

Published on April 17, 2012 by in Apple News, How To


Update: There is yet another piece of malware called PubSab. This malware takes advantage of the exact same vulnerability as the Flashback virus. Apple has released a removal tool for Flashback, but not for PubSab. I have written a package that uses Apple's removal binary, but also a removal script for PubSab and MacKontrol. Installing this and running all software updates on your Mac should remove PubSab, Flashback and MacKontrol.

FlashBackPuBSab-Remover.zip

The Mac Flashback Virus:


In the endless debates between Apple and PC users, security has always been a contentious issue. Mac users, and Apple itself, are quick to point out that far fewer viruses attack Mac computers, and among some Mac users there was a misconception that Macintosh products were completely invulnerable to virus infection in a way that PCs could not match. The falseness of this misconception, and the vulnerability of Apple products to viruses, was demonstrated by the Flashback Trojan, a piece of malware for which Apple only recently released a fix, approximately 6 months after it became a problem. Mac OS X continues to be a highly resilient platform; however, the Mac OS X community must recognize that highly resistant does not equate to impervious.


The Trojan:

Flashback is among the many Trojans that make the computers they infect part of botnets. These are networks of compromised PCs and Macs that perform some sort of service for Internet criminals. They may be part of a spam distribution network, they may be used to launch distributed denial of service attacks on servers, or they may be used for almost any other purpose. The important element is that the person or persons running the botnet have significant control over the computers that make it up.

The Trojan attacked Macs through a Java vulnerability. Java is one of the most widely used technologies in the world and, for that reason, it is a frequent target of attackers. The Flashback virus was loaded from a drive-by download website that infected the computer via an applet. This applet loaded an executable on the computer. That executable then downloaded the Trojan and made the computer part of the botnet.

Flashback is sophisticated. Every computer infected with this Trojan gets a unique ID on the botnet and it can switch the computer between servers. This level of sophistication is common for Internet attacks today.
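The infection chain described above (a Java applet fetched from a drive-by site, followed shortly by an executable payload pulled from a second host) leaves a recognisable sequence in web-proxy logs. The script below is an added example, not code from the original post or from Apple, that flags that sequence for a defender reviewing logs. The log format, the sample lines, the 30-second window and the content types treated as binary payloads are all constructed assumptions for the demo; the `find_drive_by_chains` function is hypothetical and not part of any product.

```python
"""Flag the applet-then-payload drive-by pattern in web-proxy logs.

Added example, not part of the original post. Log format (constructed):
    "<epoch> <client_ip> <method> <url> <content-type>"
Heuristic: a client fetches a Java applet (.jar or .class) and, within a
short window, fetches a binary payload from a DIFFERENT host. Same-host
jar+binary pairs (a normal intranet Java app) are deliberately not flagged.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample lines; none of these hosts or addresses are real traffic.
SAMPLE_LOG = """\
1334600000 10.0.0.5 GET http://news.example.net/index.html text/html
1334600002 10.0.0.5 GET http://ads.example-cdn.test/loader.jar application/java-archive
1334600004 10.0.0.5 GET http://dl.example-host.test/update application/octet-stream
1334600100 10.0.0.7 GET http://intranet.example.org/app/app.jar application/java-archive
1334600105 10.0.0.7 GET http://intranet.example.org/app/data.bin application/octet-stream
1334601000 10.0.0.9 GET http://files.example.org/report.pdf application/pdf
"""

APPLET_SUFFIXES = (".jar", ".class")
# Assumption: content types under which a native payload is typically served.
BINARY_TYPES = {"application/octet-stream", "application/x-mach-binary"}
WINDOW_SECONDS = 30  # assumption: applet-to-payload gap typical of a drive-by


def parse_line(line):
    """Split one constructed log line into a dict of its fields."""
    ts, client, method, url, ctype = line.split(maxsplit=4)
    return {"ts": int(ts), "client": client, "method": method,
            "url": url, "ctype": ctype.strip()}


def is_applet(ev):
    return urlparse(ev["url"]).path.lower().endswith(APPLET_SUFFIXES)


def is_binary(ev):
    return ev["ctype"].lower() in BINARY_TYPES


def find_drive_by_chains(log_text, window=WINDOW_SECONDS):
    """Return (client, applet_url, payload_url) for each suspicious sequence."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    per_client = defaultdict(list)
    for ev in events:
        per_client[ev["client"]].append(ev)

    hits = []
    for client, evs in per_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, applet in enumerate(evs):
            if not is_applet(applet):
                continue
            applet_host = urlparse(applet["url"]).netloc
            for later in evs[i + 1:]:
                if later["ts"] - applet["ts"] > window:
                    break  # events are sorted, so nothing later can match
                if is_binary(later) and urlparse(later["url"]).netloc != applet_host:
                    hits.append((client, applet["url"], later["url"]))
    return hits


if __name__ == "__main__":
    for client, applet, payload in find_drive_by_chains(SAMPLE_LOG):
        print(f"{client}: applet {applet} followed by payload {payload}")
```

Run against the constructed sample, only the 10.0.0.5 sequence is reported: the 10.0.0.7 client also fetches a jar and a binary, but from the same intranet host, so it is treated as a legitimate application rather than a drive-by. The window and the content-type list are the knobs to tune against your own proxy data.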


Fixing the Flaw:

On April 3, 2012, Apple finally released a fix for the vulnerability in its version of Java. This came nearly 2 months behind Oracle—the company that makes the main version of Java—which released its security patch on February 14, 2012. Trojans and other malware almost always have variants, and Flashback is no exception. Apple released a fix for those variants on April 12, 2012.

Currently, there are no fixes available for Mac OS versions prior to Snow Leopard and Lion. If you happen to be running one of these older versions, Apple recommends that you simply turn off Java to avoid the problem, which, of course, limits the user experience you'll have with your computer.

In the end, approximately 600,000 Macintosh computers were infected with this virus. This number included many located in Cupertino, CA, where Apple has its headquarters.

This Trojan is potentially very dangerous to security. If you have a Macintosh computer and have not checked it for the Trojan or downloaded a fix, you should do so immediately. If you have an older version of Mac OS that is still vulnerable, turning off Java or using a third-party app to remove the Trojan are your best options.
