With ref. to FlashBack Trojan - "disable" Open Safe Files in Safari?

I would leave it checked. It doesn't mean files automatically download, what it does is to automatically open safe files after download. Unsafe files will not be opened. Note that this isn't related to the current malware issue, although Apple has updated the malware protection software in OS X.

Helpful Links Regarding Flashback Trojan

A link to a great User Tip about the trojan: Flashback Trojan User Tip

A related link in the tip to a checker: Malware Checker Dowload Link

A Google search can reveal a variety of alternatives on how the remove the trojan should your computer get infected. This can get you started.

For now I recommend the User Tip from etressoft to detect and remove:

Checking for and removing the "Flashback" trojan

Kaspersky Flashback Trojan Site:Flashback Trojan Detection and Removal

Also see Apple's article About Flashback malware.

Please note that the AppleScript based methods (including the Malware Checker Dowload Link) may produce false positives (indicate an infection when none is present and/or prompt users to delete something they should not) or not detect every type of infection.

I also recommend that users be wary of downloading anything "opaque" like an AppleScript set to read only that can't be examined to make sure it is what it says it is, unless it comes from a verifiable & trusted source.

Unfortunately, it is all too likely that some people will try to take advantage of the confusion & fear surrounding the recent FlashBack outbreak to run their own social exploits like "trojan horses" pretending to be something they are not.

The "Open Safe Files" option is not related to this particular malware. Flashback uses a weakness in older versions of Java to sneak in the back door, so that option would have no effect.

The last major malware outbreak, in May of last year, did involve that option, though. At the time, Apple installer files were considered safe files, since opening them did not actually execute any third-party code. However, the creators of the MacDefender malware created a trojan that downloaded an installer file automatically, and on machines with that option turned on, the installer opened immediately. That in itself was not a threat, as it could not install itself, but many people thought that this was an update or important software from Apple, because of how it opened up by itself, and proceeded with the installation.

I'm not sure whether Apple has tightened down the definition of a "safe" file at this point, but regardless, I'd hate to one day discover that someone had figured out how to get malware installed using a "safe" file. For example, if a Microsoft Word file is considered safe, there's malware that appeared recently, taking advantage of an old vulnerability in Microsoft Word 2004 and 2008 to install itself automatically once a malicious document is opened. That would be a bad thing to have downloaded automatically by a JavaScript and then opened automatically by Safari, infecting your machine with no user interaction needed, all just from visiting a web site!

Thus, I recommend leaving that option off.

For more on these kinds of issues, see my Mac Malware Guide.

(Note that my pages contain links to other pages that promote my services, and this should not be taken as an endorsement of my services by Apple.)

The source for the Malware Checker is etresoft's user tip, so I don't think one need worry about that one.

Kappy wrote:

The source for the Malware Checker is etresoft's user tip, so I don't think one need worry about that one.

It is still susceptible to false positive & incomplete detection issues, which should be a real concern to anyone who takes the threat seriously. Plus, since the package's AppleScript is saved as read only, there is no way to know how good it is, other than to take etresoft's word for it.

And with all due respect to him, his comments in his user tip about his lack of familiarity with AppleScript do not inspire much confidence in that respect.

The comment was with respect to whether it was a fake utility. If you wish to critique his Applescripting skills then you should limit remarks to that.

Frankly, my Applescripting skills aren't great but I could write the script he wrote without much difficulty. Perhaps you should comment to him directly.

Kappy wrote:

The comment was with respect to whether it was a fake utility. If you wish to critique his Applescripting skills then you should limit remarks to that.

It may not have been obvious but my intent was not to limit my remarks to any one person's code, whether it was written using AppleScript or anything else, or even to "fake" code pretending to be something other than what it is.

Reliably detecting or removing the increasingly sophisticated & rapidly evolving malware OS X users are now exposed to is difficult, even for A-V companies with decades of experience. The basic problem is the bad guys aren't starting from zero; they are also leveraging decades of experience. They have access not just to whatever info is made public here but also to tools & techniques most Mac users have never heard of or have paid no attention to until very recently.

Simply put, these well meaning user efforts are like advertising to the world that you are bringing a knife to a gunfight.

I think that's over-simplifying. Especially when until yesterday or the day before there were no other alternatives. Had there been no "well meaning user efforts" there would have been no efforts at all.

https://discussions.apple.com/docs/DOC-3291

Kappy wrote:

I think that's over-simplifying. Especially when until yesterday or the day before there were no other alternatives. Had there been no "well meaning user efforts" there would have been no efforts at all.

There were alternatives: the A-V software most Mac users have said for years that we don't need. Because of the similarities to the earlier variants, some of these products didn't even need an update to detect the FlashBack variants that exploited the Java vulnerability that Apple finally patched. In fact, it has been widely reported that these latest variants were written to self-destruct rather than try to infect if they detected the presence of a few of these products on the targeted Mac. At the least, running a properly maintained A-V app would have reduced the "zero day" exposure to weeks less than those relying on Apple alone for protection.

After all, it was a few of these companies that made us aware of FlashBack to begin with, & then of its change from a purely social engineering based exploit to the far more dangerous Java-based "drive by" one. Plus, it is information from at least one of these companies that users have relied on heavily in their own efforts to try to detect or remove it.

It is unpleasant to think about but Mac users are now demonstrably the targets of criminal gangs with considerable computer skills. If you can accept that, it doesn't make any more sense to me to ignore the help & advice of professionals with years of experience in fighting them than it would if these were street gangs that were trying to move into my neighborhood.