Skip navigation

"What to do now if I had the Flashback Trojan?"

2076 Views 22 Replies Latest reply: May 3, 2012 5:18 PM by Maxwell’s Demon RSS
1 2 Previous Next
Maxwell’s Demon Level 1 Level 1 (0 points)
Currently Being Moderated
Apr 27, 2012 12:55 AM

I just did a software update (was overdue) that included the java security fix, and was immediately informed that the "OSX.FlashBack.iv" malware was found and removed.

 

 

Does anyone happen to know how serious a threat the malware presents, how to assess any potential damage it may have done, and what I might do to minimize any after-the-fact damage?

iMac, Mac OS X (10.6.8), 27", 3.2GHz Core i3-4GB RAM-1TB HDD
  • Carolyn Samit Level 10 Level 10 (84,015 points)

    Hi...

     

    As long as the malware was removed, your Mac should be fine.

     

    Good article to read regading malware >  Thomas' Corner : Mac Virus Guide

  • X423424X Level 6 Level 6 (14,190 points)

    There hasn't been too much information about exactly what these trojans are trying to do. 

     

    Here's one article on the subject:

     

    What’s the Worst the Mac Flashback Trojan Could Do?

  • MadMacs0 Level 4 Level 4 (3,315 points)

    Maxwell’s Demon wrote:

     

    I'm just concerned about what my exposure has been these past few weeks while the trojan was on my machine, and what I might do at this point to minimize any potential damage I might now be facing.

    Intego once seemed to be convinced that it was capturing username/password pairs and passing them on via Twitter, but I'm only aware of two people who claim to have experienced fraudulent credit card activity around the time of infection. With over 600,000 infected you would think there would be more people complaining of such issues.

     

    But, we also know the Trojan is capable of being updated for bigger and better things in the future.

  • petermac87 Level 5 Level 5 (4,065 points)

    Maxwell’s Demon wrote:

     

    OK. So the threat appears to be unknown (or at least no one knows for sure). The question I have boils down to this: What would you (or Carolyn, or X423424X, or MadMacs0) do — your "next steps" — if you had discovered, and then removed, OSX.FlashBack.iv from your Mac, knowing that it had been on your machine for several weeks prior to your finding it?

    Personnally I would keep an eye out for any suspicious activity in regards to my credit card transactions.But I would be pretty sure you will be safe but if you are worried about any other form of malware, then hurn off Enable Jave in Safari> Preferences>Security (don't turn off JavaScript though) and perhaps install ClamXav or Sophos for future protection, although hackers are usually a day in front of definition updates anyway.

     

    Also maybe install a program such a s Little Snitch which catch any strange ingoing or outgoing connections. Mind you, this is what I MIGHT consider if I had found found it on my system.

     

    Good Luck

     

    Pete

  • MadMacs0 Level 4 Level 4 (3,315 points)

    Maxwell’s Demon wrote:

     

    What would you do — your "next steps" — if you had discovered, and then removed, OSX.FlashBack.iv from your Mac, knowing that it had been on your machine for several weeks prior to your finding it?

    I'm pretty sure I would go to all the sites I could remember signing into that had significant financial data of mine on them and change my passwords. If I used the same password on multiple sites (I don't) I would change all those, as well. I already check all my transactions on a daily basis due to a mysterious Credit Card compromise a few months back, but if I wasn't, I would do that. A site called mint.com (run by Intuit) makes it easy to see everything at once, but the in order to do that I have to provide significant information to them.

     

    I would certainly endorse the use of Little Snitch as being worth the time, money and effort to install, setup and maintain. It's not for everyone, but I've used it for years to keep track of what information leaves my computer. During the period when it first alerted users to the existence of the Flashback "N" variant I gained new respect for it's capability.

  • MadMacs0 Level 4 Level 4 (3,315 points)

     

    Maxwell’s Demon wrote:

     

    Thinking about Little Snitch again...I think I read somewhere that FlashBack checks out the system it has targeted and doesn't install itself if it detects the presence of Little Snitch. (If true, I don't know how FlashBack got into my system.)

     

    There are at least two dozen variants of Flashback according to Intego.  Early versions disabled Little Snitch (LS) and several more recent ones eventually do check for it, but the "K" variant did not check soon enough. As a result, users that had LS active were warned early in the installation process which was covered by this 16 page thread .rserv wants to connect to cuojshtbohnt.com. I can't say for certain that F-Secure's "K" variant is Apple's Flashback.iv, but I believe it is. In that case, it would have installed the first two components after which LS should have told you of the requested connection. Only if you approved that would it have continued on to install the remaining components to accomplish whatever it strives to do. Unfortunately, Apple's MRT doesn't reveal exactly what it did or even what it is capable of doing, so unless there is a log entry we haven't discovered yet, you'll never know to what extent you were infected.

  • noondaywitch Level 6 Level 6 (8,130 points)

    Uninstalling is too tricky; you can turn it off completely by going to Java Preferences in the Utilities folder, and under the General tab uncheck the boxes for all versions shown.

  • noondaywitch Level 6 Level 6 (8,130 points)

    It doesn't need other applications; Java applets can be run directly on the Mac (or PC) if so selected in the preference pane.

     

    Disabling completely avoids anything slipping through unannounced.

     

    There are few websites actually using Java content these days. Unfortunately of the ones that do, it's usually banking sites! (at least in the US. I'm not aware of any European banks which do this).

1 2 Previous Next

Actions

More Like This

  • Retrieving data ...

Bookmarked By (0)

Legend

  • This solved my question - 10 points
  • This helped me - 5 points
This site contains user submitted content, comments and opinions and is for informational purposes only. Apple disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Apple Support Communities Terms of Use.