7 Replies Latest reply: May 15, 2012 11:40 AM by MadMacs0
Susan8230 Level 1 (0 points)

My iMac, running Leopard, has Flashback. Since Apple is not supporting this problem on OS X 10.5, how do I get rid of it?

I have since disabled JAVA and have dramatically improved the iMac operation.


iMac, Mac OS X (10.5.8)
  • 1. Re: Getting rid of Flashback on Leopard
    BDAqua Level 10 (116,475 points)

    Hello Susan,

     

    Disable Java in your Browser settings, not JavaScript.

     

    http://support.apple.com/kb/HT5241?viewlocale=en_US

    http://support.google.com/chrome/bin/answer.py?hl=en-GB&answer=142064

    http://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets

     

    Little Snitch, stops/alerts outgoing stuff...

    http://www.obdev.at/products/littlesnitch/index.html

     

    Flashback - Detect and remove the uprising Mac OS X Trojan...

     

    http://www.mac-and-i.net/2012/04/flashback-detect-and-remove-uprising.html

     

    In order to avoid detection, the installer will first look for the presence of some antivirus tools and other utilities that might be present on a power user's system, which according to F-Secure include the following:

     

    /Library/Little Snitch

    /Developer/Applications/Xcode.app/Contents/MacOS/Xcode

    /Applications/VirusBarrier X6.app

    /Applications/iAntiVirus/iAntiVirus.app

    /Applications/avast!.app

    /Applications/ClamXav.app

    /Applications/HTTPScoop.app

    /Applications/Packet Peeper.app

     

    If these tools are found, then the malware deletes itself in an attempt to prevent detection by those who have the means and capability to do so. Many malware programs use this behavior, as was seen in others such as the Tsunami malware bot.

     

    http://reviews.cnet.com/8301-13727_7-57410096-263/how-to-remove-the-flashback-malware-from-os-x/

     

    http://x704.net/bbs/viewtopic.php?f=8&t=5844&p=70660#p70660

     

    Open DNS also blocks the FlashBack thing...

     

    http://blog.opendns.com/2012/04/09/worried-about-mac-malware-just-set-up-opendns/

  • 2. Re: Getting rid of Flashback on Leopard
    MadMacs0 Level 4 (3,725 points)

    Susan8230 wrote:

     

    My iMac, running Leopard, has Flashback. Since Apple is not supporting this problem on OS X 10.5, how do I get rid of it?

    I have since disabled JAVA and have dramatically improved the iMac operation.

    This script from F-Secure is the only one I'm currently recommending http://www.f-secure.com/weblog/archives/00002346.html

  • 3. Re: Getting rid of Flashback on Leopard
    Susan8230 Level 1 (0 points)

    Thank you

  • 4. Re: Getting rid of Flashback on Leopard
    John Galt Level 8 (36,365 points)

    ...  Since Apple is not supporting this problem on OS X 10.5, how do I get rid of it?

     

    They are now:

     

    Flashback Removal Security Update

     

     

    and

     

     

    Leopard Security Update 2012-003

     


  • 5. Re: Getting rid of Flashback on Leopard
    mctaylor Level 1 (0 points)

    John,

     

    You have posted this in more than one area and it is not completely correct and misleading.

     

    Security Update 2012-003 does NOT pertain to Java, it pertains to Adobe Flash.

    The OP is referring to Flashback...it pertains to Java, not "Flash".

     

    Unfortunately, Apple seems to be taking a very risky stand in not updating "their" version of Java for OS X 10.5.8 and continuing to post this leads people to believe that if they apply 2012-003 that they are immune from Flashback when running OS X 10.5.8.  They must currently disable JAVA in their browsers - period.

     

    Too many are making statements such as "Just update your OS" or "It's outdated" when referring to OS X 10.5.8.

     

    The sad truth is that there are many businesses and users that still need OS X 10.5.8 for very specialized applications to run.  Especially since recent changes in the OS have "broken" some legacy applications with dependencies.

     

    The OS may only cost a few bucks, but some of the legacy software can cost in the thousands of dollars to upgrade or replace and that may be difficult or impossible for some.

     

    Bottom line is the bottom line and even Microsoft is still pushing XP security updates on an OS that will be over 14 years old at the EOL that has been announced.

     

    Apple needs to embrace and board the security train or face serious consequences now and in the immediate future.  Criminals don't care about Apple VS Microsoft, they only care about profit and exploiting machines where PII and other information resides and they surely don't care who serves it up to them.

     

    Michael Taylor.

  • 6. Re: Getting rid of Flashback on Leopard
    HandyMac Level 2 (415 points)

    1) I have a PowerBook G4 running 10.5.8. Software Update didn't show either of these updates.

     

    2) When I downloaded these updates they wouldn't run.

     

    Clearly, they're for Intel Macs only. But another question comes to mind: Does the Flashback malware run on PPC Macs? If it involves any kind of "executable" application/program (and I should think it must) then it would have to be coded as "Universal". Given that expert malware coders have been trained and experienced entirely in the Intel environment, and that the number of PPC Macs, six years after the Big Transition, is a very small percentage of the target "audience", it would seem to be hardly worth their trouble to learn to code a Universal Mac app. So maybe there's not much to worry about for PPC Mac users.

     

    TenFourFox Development explores security for PPC Macs in a recent blog post: http://tenfourfox.blogspot.com/2012/05/security-blanket-blues.html: "...while no PowerPC machines were known to be exploited by the recent Flashback worm, our previous analysis shows that the flaw was real; it's just that the actual payload was Intel-only, so it could not run even though it was possible to gain the privileges it would have required to be successful." But there are other issues it seems; the article is worth a read.

     

    I don't use 10.5 regularly myself, nor PPC Macs, but for those who do, it's increasingly the sort of hobby that will require constant tweaking, like an old car.

  • 7. Re: Getting rid of Flashback on Leopard
    MadMacs0 Level 4 (3,725 points)

    HandyMac wrote:

     

    Does the Flashback malware run on PPC Macs? If it involves any kind of "executable" application/program (and I should think it must) then it would have to be coded as "Universal". Given that expert malware coders have been trained and experienced entirely in the Intel environment, and that the number of PPC Macs, six years after the Big Transition, is a very small percentage of the target "audience", it would seem to be hardly worth their trouble to learn to code a Universal Mac app. So maybe there's not much to worry about for PPC Mac users.

    The Java exploit might run, but in every case where I attempted to visit a known poisoned site, I was not able to prove that it did. From the very first Flashback-A malware, it seemed to check my platform and either redirect me to another site or do nothing. Also, no PPC user I'm aware of has reported finding any of the executables.

     

    Every sample of executable that I've been able to collect from others has been Intel-only code. Again, that was from Flashback-A on.

    TenFourFox Development explores security for PPC Macs in a recent blog post: http://tenfourfox.blogspot.com/2012/05/security-blanket-blues.html: "...while no PowerPC machines were known to be exploited by the recent Flashback worm, our previous analysis shows that the flaw was real; it's just that the actual payload was Intel-only, so it could not run even though it was possible to gain the privileges it would have required to be successful." But there are other issues it seems; the article is worth a read.

    Thanks, I'll do that when I get some time.
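
The last two posts turn on whether a collected executable is Intel-only or Universal. As an added example (not code from any poster in this thread), this Python sketch reads a file's Mach-O or fat header and lists the CPU architectures it carries; the sample byte strings are constructed, and the cutoff used to tell a Java class file from a fat binary (both start with 0xCAFEBABE) is an assumed heuristic.

```python
import struct

CPU_ARCH_ABI64 = 0x01000000
CPU_NAMES = {7: "i386", 7 | CPU_ARCH_ABI64: "x86_64",
             18: "ppc", 18 | CPU_ARCH_ABI64: "ppc64"}
FAT_MAGIC = 0xCAFEBABE  # fat (Universal) header; also the Java class-file magic
# Thin Mach-O magics as seen when read big-endian -> byte order of the header.
THIN_MAGICS = {0xFEEDFACE: ">", 0xFEEDFACF: ">",
               0xCEFAEDFE: "<", 0xCFFAEDFE: "<"}
# Assumed heuristic: Java class major versions start at 45, and that field sits
# where a fat header keeps its architecture count.
JAVA_MIN_MAJOR = 45

def cpu_name(cputype):
    return CPU_NAMES.get(cputype, "unknown(0x%x)" % cputype)

def macho_archs(data):
    """Return the architecture names in a Mach-O image, or [] if not Mach-O."""
    if len(data) < 8:
        return []
    magic, second = struct.unpack(">II", data[:8])
    if magic in THIN_MAGICS:
        # Single-architecture file: cputype follows the magic in file byte order.
        (cputype,) = struct.unpack(THIN_MAGICS[magic] + "I", data[4:8])
        return [cpu_name(cputype)]
    if magic != FAT_MAGIC or second >= JAVA_MIN_MAJOR:
        return []  # not Mach-O, or a Java class file
    archs = []
    for i in range(second):
        off = 8 + 20 * i  # each fat_arch entry is five big-endian uint32s
        if off + 20 > len(data):
            break  # truncated header: report what was readable
        (cputype,) = struct.unpack(">I", data[off:off + 4])
        archs.append(cpu_name(cputype))
    return archs

def can_run_on_ppc(data):
    return any(a.startswith("ppc") for a in macho_archs(data))

# Constructed sample headers (not taken from any real sample).
INTEL_THIN = struct.pack("<II", 0xFEEDFACE, 7) + b"\0" * 20
UNIVERSAL = (struct.pack(">II", FAT_MAGIC, 2)
             + struct.pack(">5I", 18, 0, 4096, 100, 12)
             + struct.pack(">5I", 7, 3, 8192, 100, 12))
JAVA_CLASS = struct.pack(">IHH", FAT_MAGIC, 0, 50)

if __name__ == "__main__":
    for label, blob in [("thin", INTEL_THIN), ("fat", UNIVERSAL), ("class", JAVA_CLASS)]:
        print(label, macho_archs(blob), can_run_on_ppc(blob))
```

On a real file, pass the first few hundred bytes read in binary mode; an Intel-only result matches what MadMacs0 reports for the samples collected.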