Disable Java in Safari

The attacks are still just trojan horses. Just don't give your password to a website you don't trust.

The safari preferences are independent of whether java is installed or not. It doesn't check for the presence of java. If checked off in safari then safari will know not to try to use java (although it might complain that it is off if it needs it, or maybe not, I don't know). If checked on then safari will try to use java. If java isn't installed (or disabled by Java Preferences) then safari is going to be "unhappy" and complain or cause some "please install or enable" java message.

Disable it in the browser and see what happens (for Safari it's the Security preferences). If you still get a prompt that way then, no, I don't know of a way to stop it. You could try using another browser. There's plenty to choose from.

If you disable it you wont have to worry about it and also update your Mac for the solution to not get it. If you previously had snow leopard then it was already on your computer and pushed with lion.

A trojan horse would mean the applet would have to gain access only if a person did a real stupid thing. Always make sure your Toolbar is shown with the view menu, so you can know first hand if the site you visit is the site you intend to visit.

Any attempted trojan horse would show the http:// address as something totally different from what you would expect. For instance you would expect to see https://www.amazon.com/ for every secure website in Amazon. And you'd certainly expect to see a lock in the upper right in any website for any site you'd put your credit card number in. If you don't, then you know what you are visiting isn't secure. The key when visiting the Net is to learn to distinguish a secure site from a non-secure site. If you think you may be visiting a non-secure site trying to hack into your computer, go to Safari menu -> Preferences -> Privacy and remove cookies for those sites you don't trust. That way, if you visit them again, they won't know you visited them in the past. The Details button under Remove all website data let you control which cookies you keep.

a brody wrote:

The attacks are still just trojan horses. Just don't give your password to a website you don't trust.

The attacks are still just trojan horses, if you have java disabled. The variants in this most recent outbreak do not require any user interaction if Java is enabled and you happen to visit a site with a malicious Applet. No password required for infection. It will ask for a password for a fake certificate or some other kind of fake notice if Java is disabled. Then it relies on traditional social engineering.

And how does it actually "infect" Macs? Does it just leave a residual trace it was there? Or does it actually do something that would make the Mac misbehave?

http://www.f-secure.com/weblog/archives/00002336.html

http://www.f-secure.com/weblog/archives/00002341.html

It's up to at least version N by now. Probably much more than that as it mutates several times a day.

Basically all this says, is don't install Flash from a site you don't trust. http://www.adobe.com/ is the only one you should ever install Flash from. If some website you get asks you to install Flash, go to Adobe and check you have the most current version.

I hope this won't be accused as being typical "press hysterics," as a similar link was in another thread to which I posted.

http://www.macworld.com/article/1166254/what_you_need_to_know_about_the_flashbac k_trojan.html

Check out these threads in the 10.6 forum.

https://discussions.apple.com/thread/3825457?answerId=18040781022#18040781022

https://discussions.apple.com/thread/3844172?answerId=18061232022#18061232022

Trojan-Downloader:OSX/Flashback.I is dropped by malicious Java applets that exploit the known CVE-2011-3544 vulnerability.

On execution, the malware will prompt the unsuspecting user for the administrator password. Whether or not the user inputs the administrator password, the malware will attempt to infect the system, though entering the password will affect how the infection is done.

If infection is successful, the malware will modify the contents of certain webpages displayed by web browsers; the specific webpages targeted and changes made are determined based on configuration information retrieved by the malware from a remote server.

http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

Note: this was from before the most recent Java patch for CVE-2011-3544

There is a very simple test described by the link you gave that will tell you if you are infected. In fact you can find out right away if you are infected by type 1 version of the Infection by doing the following:

Open Applications -> Utilities -> Terminal

cd /Applications/Safari.app/Contents/

more Info.plist

/s LSE

(every command line is followed by a Return key)

As long as it can't find a string, you have no infection of Type 1.

When done with the search, just hit the letter q to exit the search window.

As long as you don't use Microsoft Office or Skype, you don't have a Type 2 infection, and don't need to test for it.

If you do have one of these applications, you may have to check for

ls /Users/Shared/.libgmalloc.dylib

(every command line is followed by a Return key)

Type the word exit followed by the Return key

to Quit from the Terminal window. Quit the Terminal application from the Terminal menu.

OpenOffice & Neo Office are excellent alternatives to Microsoft Office.