18 Replies Latest reply: Apr 19, 2012 12:32 AM by MadMacs0
  • 15. Re: Could I still have Flashback if everything comes back negative?
    Derek Currie Level 1 Level 1 (90 points)

    Let me attempt to clarify the situation with 'Flashback' (or 'Flashfake' according to Kaspersky).

     

    There are reportedly 14 different variations of the Flashback malware. The first 13 versions were Trojan horses. The most recent version (listed as Malware.OSX.Flashback.N by Intego, and .K by some others) is the one that became famous, the one that uses what was an unpatched Java exploit, able to use a drive-by infection to install the initial malware package without any user password permission. That security hole was patched by Apple in their recent series of Java updates for Mac OS X 10.6 and 10.7. Also available to 10.7 users who never installed Java is Apple's Flashback Malware Remover app.

     

    MEANWHILE: The previous 13 variants are still around and people may well continue to become infected. Also, Apple's Flashback Malware Remover (10.7 only) does NOT remove all variants of Flashback. It only removes 'the most common variants'. Therefore, even after running Apple's Remover tool, you may STILL be infected with a variant of Flashback.

     

    How does the school know you're infected? The most likely answer is that they see your specific IP address performing behavior characteristic of the Flashback botnet. ALL variants of Flashback install bot malware onto your Mac and connect it to the overall Flashback botnet. There is a set group of IP destination addresses being used by the Flashback botnet. If your computer is regularly connecting to one or all of those IP addresses, you're infected.

     

    What ELSE can you do to detect and kill off the Flashback malware? There are a number of FREE malware detection programs. Some of them include malware removal tools as well. I suggest you try both of the following:

     

    1) ClamXav. This is a free program that makes use of the ClamAV open source project. Mark Allan provides a Mac GUI on top of ClamAV that makes it easy to use and schedule. You can read about it and get it here:

     

    http://www.clamxav.com/

     

    I am involved with a number of people interested in Mac security who do our best to keep ClamAV up-to-date with the latest Mac malware definitions.

     

    2) Sophos Free AntiVirus for Mac. Sophos writes anti-malware software for small business and enterprise Mac users. But they also offer this free tool that is kept automatically up-to-date with the latest malware definitions. You can read about it and get it here:

     

    http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx

     

    Both of the free anti-malware tools include removal of malware. Just be certain to keep them up-to-date at all times.

     

    If you would like a full featured, bells and whistles commercial anti-malware program, the best IMHO is Intego's VirusBarrier X6. I own it, use it and like it. They offer a full featured 30-day trial version here:

     

    http://www.intego.com/demo

     

    VirusBarrier costs $50 with charges after the first year for further malware definition updates. You can currently purchase it for $40 via CNET here:

     

    https://www.trialpay.com/cart/?pp=DfSfSo8P&c=7a328be

     

    Take your pick of these three. They all can remove all the variants of Flashback and get you off the Flashback botnet.

     

    :-Derek
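The detection Derek describes (a network team spotting a Mac because it keeps contacting the botnet's destination addresses) can be scripted over connection logs. This is an added example, not code from the thread; the log lines and the watchlist addresses are constructed placeholders, not real Flashback indicators.

```python
"""Added example: flag hosts that repeatedly contact a watchlist of
command-and-control addresses, the way a campus network team can spot
Flashback bot check-ins from outside the infected Mac.
The log lines and watchlist addresses are constructed placeholders."""
from collections import defaultdict
import re

# Constructed placeholder watchlist (RFC 5737 documentation addresses);
# a real deployment would load a published indicator list instead.
C2_WATCHLIST = {"192.0.2.10", "198.51.100.7", "203.0.113.42"}

# Constructed sample of firewall connection logs: timestamp, src, dst.
SAMPLE_LOG = """\
2012-04-18T08:01:02 src=10.20.30.5 dst=192.0.2.10 dport=80 proto=tcp
2012-04-18T08:06:11 src=10.20.30.5 dst=198.51.100.7 dport=80 proto=tcp
2012-04-18T08:11:03 src=10.20.30.5 dst=192.0.2.10 dport=80 proto=tcp
2012-04-18T08:12:40 src=10.20.30.9 dst=172.16.5.200 dport=443 proto=tcp
2012-04-18T08:15:59 src=10.20.30.9 dst=203.0.113.42 dport=80 proto=tcp
2012-04-18T08:16:30 src=10.20.30.5 dst=203.0.113.42 dport=80 proto=tcp
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) ")

def count_c2_contacts(log_text, watchlist=C2_WATCHLIST):
    """Return {src_ip: number of connections to watchlisted addresses}."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash
        _ts, src, dst = m.groups()
        if dst in watchlist:
            hits[src] += 1
    return dict(hits)

def suspected_bots(log_text, threshold=3, watchlist=C2_WATCHLIST):
    """Hosts contacting the watchlist at least `threshold` times.
    One hit can be a false positive (a scan, a researcher); repeated
    check-ins are what the post calls 'regularly connecting'."""
    counts = count_c2_contacts(log_text, watchlist)
    return sorted(src for src, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for host in suspected_bots(SAMPLE_LOG):
        print(f"{host}: suspected Flashback bot, clean it and reset passwords")
```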

  • 16. Re: Could I still have Flashback if everything comes back negative?
    Exsiss Level 1 Level 1 (0 points)

    I'm not really sure what happened, but after doing the newest software update, it's gone. Not sure if the update wasn't successful when I did it a few days ago or if this is a newer update that solved the problem that the first update wasn't able to solve. Thank you everyone for your help!

  • 17. Re: Could I still have Flashback if everything comes back negative?
    MadMacs0 Level 4 Level 4 (3,735 points)

    Exsiss wrote:

     

    I'm not really sure what happened, but after doing the newest software update, it's gone.

    Did you see my last two posts from yesterday? I believe you still have one more file aboard. It's not dangerous and only takes up a fraction of your login time to post an error in the log, but it will tell you when you were infected and it doesn't need to be there.

  • 18. Re: Could I still have Flashback if everything comes back negative?
    MadMacs0 Level 4 Level 4 (3,735 points)

    Exsiss wrote:

     

    I'm not really sure what happened, but after doing the newest software update, it's gone.

    Sorry to keep bugging you about this, but you are the first user that was proven to have been still infected after the latest update, so I wanted to make sure that Apple got feedback if the update did not work properly.

     

    What I think I am hearing now is that you ran a Java update a few days ago, but had not yet run that latest one which contained the Malware Removal Tool, is that correct?

     

    You can refresh your memory by opening System Preferences->Software Update->Installed Updates tab and it will tell you the date/time you installed each update and version.

     

    My guess is the first update was Java for OS X Lion 2012-002 and the one you just ran was Java for OS X Lion 2012-003. If that is correct then everything is as it should be and you should be clean going forward. If my assumptions are incorrect please let me know so that I can get accurate information fed back to Apple on this.

     

    One last word of caution, in case you were ever fully infected and had privacy information harvested from your computer. Watch all your financial institutions carefully for unauthorized transactions. I've only heard of one user who complained of Credit Card fraud immediately after being infected, but you never know. Also change all of your internet passwords (especially financially related ones) for all the sites visited since the date of infection, if you were ever able to figure that out. If you use the same password for other sites, change them, as well.
