As reported last week, the nasty malware known as Flashback (aka Flashfake) has already done its damage to many vulnerable Macs, and after releasing a patch last week, Apple has now turned its attention to trying to clean up the large botnet. One prong of the counterattack is that Apple is working with ISPs around the world to take down the command-and-control servers of the botnet. Unfortunately, Dr. Web, the Moscow firm that first uncovered the malware and started tracking it, found itself on the list as one of the domains for which Apple had issued a take-down request, according to Apple Insider.
The domain in question was one of three Dr. Web was using to monitor the spread of Flashback in what researchers call a “sinkhole,” or a spoofed command and control server. This technique allowed the firm to first uncover the trojan that has so far rooted into an estimated 600,000 machines, more than one percent of all operating Macs.
Apple may have prematurely requested the shutdown, which is standard practice in this type of security scenario, before further investigating the background of the server, and Sharov believes that the move was merely a mistake.
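To make the sinkhole idea concrete, here is an added example (not code from the article, Dr. Web or Apple) of the accounting a sinkhole operator does once bots start checking in to a domain the defenders control: the infected population is estimated from unique per-machine identifiers, not from IP addresses, which NAT and DHCP skew in both directions. The log format and the `id=` field are constructed for illustration; the real check-in format is not described in the article.

```python
import re
from collections import defaultdict

# Constructed log format (hypothetical): ip [timestamp] "request" status id=<bot id or ->
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<day>[^:\]]+):[^\]]*\] "[^"]*" (?P<status>\d{3}) id=(?P<bot>\S+)$'
)

# Constructed sample: two bots behind one NAT address, one bot roaming across
# two addresses, and one unrelated request (a browser fetching favicon.ico).
SAMPLE_LOG = """\
203.0.113.10 [12/Apr/2012:10:01:02 +0000] "GET /update HTTP/1.1" 200 id=aaaa-1111
203.0.113.10 [12/Apr/2012:10:05:09 +0000] "GET /update HTTP/1.1" 200 id=bbbb-2222
198.51.100.7 [12/Apr/2012:10:07:30 +0000] "GET /update HTTP/1.1" 200 id=aaaa-1111
198.51.100.9 [13/Apr/2012:09:00:00 +0000] "GET /update HTTP/1.1" 200 id=cccc-3333
192.0.2.44 [13/Apr/2012:09:15:00 +0000] "GET /favicon.ico HTTP/1.1" 404 id=-
"""

def parse_line(line):
    """Return (ip, day, bot_id) for a bot check-in, or None for other traffic."""
    m = LOG_RE.match(line)
    if not m or m.group("bot") == "-":
        return None  # scanners, browsers, malformed lines: not part of the estimate
    return m.group("ip"), m.group("day"), m.group("bot")

def summarize(log_text):
    """Estimate the infected population from sinkhole check-ins.

    unique_bots is the figure to report; unique_ips is included only to make
    the NAT/DHCP skew visible next to it.
    """
    bots, ips, per_day = set(), set(), defaultdict(set)
    checkins = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, day, bot = parsed
        checkins += 1
        bots.add(bot)
        ips.add(ip)
        per_day[day].add(bot)
    return {
        "checkins": checkins,
        "unique_bots": len(bots),
        "unique_ips": len(ips),
        "bots_per_day": {day: len(ids) for day, ids in per_day.items()},
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the sample, 4 check-ins collapse to 3 distinct bots, and the 3 distinct IPs agree only by coincidence; the per-day unique counts are what a sinkhole operator watches to see whether a takedown or a removal tool is actually shrinking the botnet.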
In last week’s post, I included the links to Apple’s patch releases and also a link to F-Secure’s steps to detect and remove the malware. CNET’s Topher Kessler also published a detailed detection-removal method, which you might want to check out. As you can see from this excerpt, the instructions are for advanced users, unafraid to use the Terminal:
Locate the files mentioned in the output of the above commands, and delete them. If you cannot locate them in the Finder, then for each, first type “sudo rm” in the Terminal followed by a single space, and then use your mouse cursor to select the full file path from the first command’s output, and use Command-C followed by Command-V to copy and paste it back into the Terminal. Then press Enter to execute the command and remove this file.
See the following screenshot for an example of how this should look:
After running the command and revealing the path to the malware file, copy the path to the “sudo rm” command on a new line as is shown here to have the system delete it. (Credit: Screenshot by Topher Kessler/CNET)
The second prong of Apple’s counterattack is to develop its own tool for users that will automatically detect and remove the malware, but the Apple Support blog does not suggest a time when it might be available.
[UPDATE 04-12-2012 5:25 pm ET]: Apple has made the Flashback malware removal tool available via Software Update. See the details from the Support page:
This Java security update removes the most common variants of the Flashback malware.
This update also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application. If the Java web plug-in detects that no applets have been run for an extended period of time it will again disable Java applets.
Java for OS X Lion 2012-003 delivers Java SE 6 version 1.6.0_31 and supersedes all previous versions of Java for OS X Lion.
This update is recommended for all Mac users with Java installed.