Last October we reported Flashback, (Fake Adobe Updater), which poses as an update to Adobe Flash, but really installs a “backdoor” to allow someone to access your system from remote. This allows them to set up a series of computers in a “botnet,” which can be triggered to attack a web site all at once. Originally, it required the user to enter their administrator password to install, but since its initial discovery this nasty little package is now capable of installing itself without the user authenticating the installer.
As much as Adobe Flash attracts negative press on the Mac platform, Flashback is not actually a Flash vulnerability. Rather, it takes advantage of a security hole in Java (not to be confused with JavaScript.) Flashback can affect versions of Java up to 1.6.0_31. Apple recently patched OS X to close this hole, but a lot of people have been infected already; not only did Apple take a month to release the patch but many people simply do not install Security Updates when they are released.
How do you tell what version of Java you are running on your Mac? One way is to open Terminal (Applications -> Utilities) and simply type the command:
java -version
The output will list the version on your machine. If Java is not installed, it will launch an installer. If you do not already have Java on your machine, you most likely do not need it, as any app that requires it will prompt you to install it.
Next question is, how do you tell if you are infected? F-Secure gives us a few terminal commands that will tell you if Flashback has created libraries in your browser applications. For simplicity, Safari is the browser we are choosing to look into. The commands are as follows:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
and
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
If the result of running these commands ends in “does not exist,” the Flashback Trojan has not been installed on your machine. If you do find that your system is infected, you can find steps for manually removing Flashback at F-Secure’s website. You can also download Sophos Free AntiVirus for Mac, which will detect and remove Flashback.
For those of you that are local, Small Dog is offering a removal service for $29.99.
Note that updating your version of Java will secure you against the injection of the code on your machine, but it will not remove the Trojan from your machine should it already be installed.