
With ref. to FlashBack Trojan - "disable" Open Safe Files in Safari?

912 Views 13 Replies Latest reply: Apr 13, 2012 11:04 AM by bettyfromst. george
bettyfromst. george Level 1 (0 points)
Apr 11, 2012 10:53 AM

Sorry if this question is posting a second time.  I'm not sure if I did it correctly the first time.


Anyway, I have 'disabled' Java in System Preferences and in Safari because of the FlashBack Trojan.  But then someone wrote that the "Open Safe Files" option in Safari should also be disabled.


I know that when I bought my MacBook Pro, the Open Safe Files box was "checked" by default.


I would like some feedback from the Community.  Should it be "unchecked"?  If I do, does it mean any and all files will automatically download?


Thanks for your help.

Mac OS X (10.7)
  • Kappy Level 10 (221,060 points)

    I would leave it checked. It doesn't mean files automatically download, what it does is to automatically open safe files after download. Unsafe files will not be opened. Note that this isn't related to the current malware issue, although Apple has updated the malware protection software in OS X.


    Helpful Links Regarding Flashback Trojan


    A link to a great User Tip about the trojan: Flashback Trojan User Tip

    A related link in the tip to a checker: Malware Checker Download Link


    A Google search can reveal a variety of alternatives on how to remove the trojan should your computer get infected. This can get you started.


    For now I recommend the User Tip from etresoft to detect and remove:


    Checking for and removing the "Flashback" trojan

    Kaspersky Flashback Trojan Site: Flashback Trojan Detection and Removal


    Also see Apple's article About Flashback malware.

  • R C-R Level 6 (13,835 points)

    Please note that the AppleScript based methods (including the Malware Checker Download Link) may produce false positives (indicate an infection when none is present and/or prompt users to delete something they should not) or not detect every type of infection.


    I also recommend that users be wary of downloading anything "opaque" like an AppleScript set to read only that can't be examined to make sure it is what it says it is, unless it comes from a verifiable & trusted source.


    Unfortunately, it is all too likely that some people will try to take advantage of the confusion & fear surrounding the recent FlashBack outbreak to run their own social exploits like "trojan horses" pretending to be something they are not.

  • thomas_r. Level 7 (26,970 points)

    The "Open Safe Files" option is not related to this particular malware.  Flashback uses a weakness in older versions of Java to sneak in the back door, so that option would have no effect.


    The last major malware outbreak, in May of last year, did involve that option, though.  At the time, Apple installer files were considered safe files, since opening them did not actually execute any third-party code.  However, the creators of the MacDefender malware created a trojan that downloaded an installer file automatically, and on machines with that option turned on, the installer opened immediately.  That in itself was not a threat, as it could not install itself, but many people thought that this was an update or important software from Apple, because of how it opened up by itself, and proceeded with the installation.


    I'm not sure whether Apple has tightened down the definition of a "safe" file at this point, but regardless, I'd hate to one day discover that someone had figured out how to get malware installed using a "safe" file.  For example, if a Microsoft Word file is considered safe, there's malware that appeared recently, taking advantage of an old vulnerability in Microsoft Word 2004 and 2008 to install itself automatically once a malicious document is opened.  That would be a bad thing to have downloaded automatically by a JavaScript and then opened automatically by Safari, infecting your machine with no user interaction needed, all just from visiting a web site!


    Thus, I recommend leaving that option off.


    For more on these kinds of issues, see my Mac Malware Guide.


    (Note that my pages contain links to other pages that promote my services, and this should not be taken as an endorsement of my services by Apple.)
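Added example (not code from this thread, from etresoft's user tip or from Apple): a short standard-library Python script that reads, from plist data, the two things the discussion turns on: the Safari preference behind the "Open safe files" checkbox that thomas_r. discusses, and the launch-hook variable that the published Flashback removal guidance told users to look for in Safari's Info.plist and ~/.MacOSX/environment.plist, with a triage step that keeps R C-R's point that a hit is grounds to inspect, not proof of infection. The key name `AutoOpenSafeDownloads`, the `DYLD_INSERT_LIBRARIES` check and all sample plist contents are assumptions of this example and are not stated in the thread.

```python
import plistlib

# Safari defaults key behind "Open safe files after downloading"
# (assumed key name, not stated in the thread).
AUTO_OPEN_KEY = "AutoOpenSafeDownloads"
# Launch-hook variable the 2012 Flashback variants set under LSEnvironment
# in Safari's Info.plist and in ~/.MacOSX/environment.plist (known from
# public removal guidance of the time, not from this thread).
HOOK_VAR = "DYLD_INSERT_LIBRARIES"

def auto_open_enabled(prefs: bytes) -> bool:
    """True if Safari will auto-open 'safe' downloads. The key is absent on
    a fresh install and the box is checked by default, so missing means on."""
    return bool(plistlib.loads(prefs).get(AUTO_OPEN_KEY, True))

def injected_libraries(plist_bytes: bytes, *path: str) -> list:
    """Library paths listed in DYLD_INSERT_LIBRARIES under `path`, or []."""
    node = plistlib.loads(plist_bytes)
    for key in path:
        node = node.get(key, {}) if isinstance(node, dict) else {}
    value = node.get(HOOK_VAR, "") if isinstance(node, dict) else ""
    return [p for p in str(value).split(":") if p]

def triage(libs: list) -> str:
    """A set hook is a reason to inspect, not proof of infection (the
    false-positive point raised in the thread): per-user paths match the
    reported Flashback pattern, anything else needs a human look first."""
    if not libs:
        return "clean"
    if any(p.startswith(("/Users/", "~/")) for p in libs):
        return "suspicious"
    return "inspect"

# Constructed sample plists (not real captures).
SAFARI_PREFS = plistlib.dumps({AUTO_OPEN_KEY: False})
EMPTY_PREFS = plistlib.dumps({})
INFO_PLIST = plistlib.dumps({"CFBundleName": "Safari", "LSEnvironment": {
    HOOK_VAR: "/Users/Shared/.example_hook.dylib"}})
USER_ENV = plistlib.dumps({HOOK_VAR: "/usr/lib/libexample_debug.dylib"})

if __name__ == "__main__":
    print("Safari auto-open:", "on" if auto_open_enabled(SAFARI_PREFS) else "off")
    for name, blob, path in (("Info.plist", INFO_PLIST, ("LSEnvironment",)),
                             ("environment.plist", USER_ENV, ())):
        libs = injected_libraries(blob, *path)
        print(f"{name}: {triage(libs)} {libs}")
```

On a real Mac the same functions can be fed the bytes of ~/Library/Preferences/com.apple.Safari.plist, /Applications/Safari.app/Contents/Info.plist and ~/.MacOSX/environment.plist; a "suspicious" or "inspect" result is a prompt to look at the named file, not to delete it blindly.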

  • Kappy Level 10 (221,060 points)

    The source for the Malware Checker is etresoft's user tip, so I don't think one need worry about that one.

  • R C-R Level 6 (13,835 points)

    Kappy wrote:


    The source for the Malware Checker is etresoft's user tip, so I don't think one need worry about that one.

    It is still susceptible to false positive & incomplete detection issues, which should be a real concern to anyone who takes the threat seriously. Plus, since the package's AppleScript is saved as read only, there is no way to know how good it is, other than to take etresoft's word for it.


    And with all due respect to him, his comments in his user tip about his lack of familiarity with AppleScript do not inspire much confidence in that respect.

  • Kappy Level 10 (221,060 points)

    The comment was with respect to whether it was a fake utility. If you wish to critique his AppleScripting skills then you should limit remarks to that.


    Frankly, my AppleScripting skills aren't great but I could write the script he wrote without much difficulty. Perhaps you should comment to him directly.

  • R C-R Level 6 (13,835 points)

    Kappy wrote:


    The comment was with respect to whether it was a fake utility. If you wish to critique his AppleScripting skills then you should limit remarks to that.

    It may not have been obvious but my intent was not to limit my remarks to any one person's code, whether it was written using AppleScript or anything else, or even to "fake" code pretending to be something other than what it is.


    Reliably detecting or removing the increasingly sophisticated & rapidly evolving malware OS X users are now exposed to is difficult, even for A-V companies with decades of experience. The basic problem is the bad guys aren't starting from zero; they are also leveraging decades of experience. They have access not just to whatever info is made public here but also to tools & techniques most Mac users have never heard of or have paid no attention to until very recently.


    Simply put, these well meaning user efforts are like advertising to the world that you are bringing a knife to a gunfight.

  • Kappy Level 10 (221,060 points)

    I think that's over-simplifying. Especially when until yesterday or the day before there were no other alternatives. Had there been no "well meaning user efforts" there would have been no efforts at all.

  • ds store Level 7 (30,305 points)
  • R C-R Level 6 (13,835 points)

    Kappy wrote:

    I think that's over-simplifying. Especially when until yesterday or the day before there were no other alternatives. Had there been no "well meaning user efforts" there would have been no efforts at all.

    There were alternatives: the A-V software most Mac users have said for years that we don't need. Because of the similarities to the earlier variants, some of these products didn't even need an update to detect the FlashBack variants that exploited the Java vulnerability that Apple finally patched. In fact, it has been widely reported that these latest variants were written to self-destruct rather than try to infect if they detected the presence of a few of these products on the targeted Mac. At the least, running a properly maintained A-V app would have reduced the "zero day" exposure to weeks less than those relying on Apple alone for protection.


    After all, it was a few of these companies that made us aware of FlashBack to begin with, & then of its change from a purely social engineering based exploit to the far more dangerous Java-based "drive by" one. Plus, it is information from at least one of these companies that users have relied on heavily in their own efforts to try to detect or remove it.


    It is unpleasant to think about but Mac users are now demonstrably the targets of criminal gangs with considerable computer skills. If you can accept that, it doesn't make any more sense to me to ignore the help & advice of professionals with years of experience in fighting them than it would if these were street gangs that were trying to move into my neighborhood.
