
how to use Flashback malware removal tool

How to use Flashback malware removal tool? After installing it I can't find it???

MacBook Pro, Mac OS X (10.7.3)

Posted on Apr 14, 2012 2:45 PM

45 replies

Apr 15, 2012 1:29 PM in response to thomas_r.

Actually, I need to make one correction. I didn't originally see that you included Leopard in (A). With any OS older than Snow Leopard, all bets are off. There's no official Apple solution to either protect you from getting infected or remove the infection. If anyone is using Leopard (or, potentially, earlier, though perhaps not), they have to rely on third-party detection/removal solutions, like the F-Secure removal tool or AV software, and turning Java off entirely for prevention.

Apr 15, 2012 1:59 PM in response to MadMacs0

But what I was hearing yesterday was that the Flashback malware removal tool did not show up in Software Update and had to be manually downloaded. Was that incorrect or has it changed now?


My Lion system does not have Java installed, and I therefore never was offered the recent Java software update with its included Flashback Removal tool. This afternoon I ran Software Update without first having run the manual download version of the Flashback removal tool, and there was a "software update" available for the removal tool alone.


When I "installed" this "update", nothing seemed to happen. I wasn't sure what was going on, and I then ran the manual downloaded version. It also "installed" with no further report, which I guess means it ran, didn't find anything, and deleted itself. When I then looked in System Preferences>Software Update>Installed Software, there was a record of both "installations".


So probably if one had run the manual download first, or if one had had Java installed and had run the recent Java update, then the system would have a record that the tool had already been run, and you would never see it in Software Update.

Apr 15, 2012 2:12 PM in response to jsd2

jsd2 wrote:


This afternoon I ran Software Update without first having run the manual download version of the Flashback removal tool, and there was a "software update" available for the removal tool alone.

Thanks for the feedback!


Apple must have thought this through and figured out that many people would not run it unless it was offered in SU.

When I "installed" this "update", nothing seemed to happen. I wasn't sure what was going on, and I then ran the manual downloaded version. It also "installed" with no further report, which I guess means it ran, didn't find anything, and deleted itself. When I then looked in System Preferences>Software Update>Installed Software, there was a record of both "installations".

That's what everybody has been reporting. I was first told by somebody that it would remain resident, run at login and somehow be remotely updated with any new Malware removal instructions, but that is obviously bogus. My guess would be that they will post a new version whenever they need to update the removal instructions and it will show up in SU.

So probably if one had run the manual download first, or if one had had Java installed and had run the recent Java update, then the system would have a record that the tool had already been run, and you would never see it in Software Update.

I suppose so. Perhaps somebody here who has run the download version will check SU and let us know. It would be an easy check for SU to see if there was already a receipt for MRT 1.0 or the Java Update and skip it.

Apr 15, 2012 3:48 PM in response to thomas_r.

Thomas A Reed wrote:


You install whichever of these shows up in Software Update, and it removes the malware (if present), updates Java (if present) and tightens up Java settings for the future. You could certainly download from Apple's web site as well, instead of using Software Update, but it's important you know which one to get, as the other two won't work for you.

Oops, can't believe I missed this.


According to the Security Release notes from Apple, only the Lion version tightens up Java settings automatically. With Snow Leopard you have to do it yourself. I'll quote all but the signature here:

APPLE-SA-2012-04-12-1 Java for OS X 2012-003 and Java for Mac OS X 10.6 Update 8


Java for OS X 2012-003 and Java for Mac OS X 10.6 Update 8 is now available and addresses the following:


Java

Available for: OS X Lion v10.7.3, OS X Lion Server v10.7.3

Impact: The Java browser plugin and Java Web Start are deactivated if they remain unused for 35 days

Description: As a security hardening measure, the Java browser plugin and Java Web Start are deactivated if they are unused for 35 days. Installing this update will automatically deactivate the Java browser plugin and Java Web Start. Users may re-enable Java if they encounter Java applets on a web page or Java Web Start applications.

Further information is available at http://support.apple.com/kb/HT5242


Java

Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3, OS X Lion Server v10.7.3

Impact: A Flashback malware removal tool will be run

Description: This update runs a malware removal tool that will remove the most common variants of the Flashback malware. If the Flashback malware is found, it presents a dialog notifying the user that malware was removed. There is no indication to the user if malware is not found.


Note: These updates include the security content from Java for OS X 2012-002 and Java for Mac OS X 10.6 Update 7.


Java for OS X 2012-003 and Java for Mac OS X 10.6 Update 8 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/


For Mac OS X v10.6 systems

The download file is named: JavaForMacOSX10.6.dmg

Its SHA-1 digest is: e1da5dc40607eef88bff66a43ba5cdf6ac570225


For OS X Lion systems

The download file is named: JavaForOSX.dmg

Its SHA-1 digest is: 4e6fce49e9a3e07533398af8d8b0327136feead5


Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222


This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

I've only had one SL user confirm that his settings were untouched, and I guess we have to wait for 35 days to see about that part, but you or perhaps others can confirm.


Message was edited by: MadMacs0 to improve readability.

Apr 16, 2012 4:49 AM in response to MadMacs0

MadMacs0 wrote:

I guess I missed seeing that. I can't imagine how installing Lion over a Snow Leopard installation would remove any of the malware components, with the possible exception of any injected into Safari.

Just a guess, but I think installing Lion over Snow Leopard leaves the Java components installed with SL in place, suggesting that this would not by itself remove all the parts of a preexisting infection. That might confuse some of the third party detection/removal scripts but running Software Update should bring the system up-to-date, removing any left over malware components.

Apr 16, 2012 10:47 AM in response to R C-R

R C-R wrote:


Just a guess, but I think installing Lion over Snow Leopard leaves the Java components installed with SL in place

Possibly, but I've had several confirmations that Java is at least completely disabled after Lion installation.

suggesting that this would not by itself remove all the parts of a preexisting infection.

And none of those parts have anything to do with or require Java (not counting the cache for the original applet which some speculate is destroyed after installing the "dropper"), so none of them would be removed, with, as I mentioned before, the possible exception of two files in Safari for Type 1 infections. There would be two parts in the user's Home folder and one in /Users/Shared/. For Type 2 infections, all parts end up in the Home or /Users/Shared/.

Apr 17, 2012 8:12 AM in response to thomas_r.

thanks....seems it was only a coincidence that my internet speed went down...speaking of which there was this prompt regarding update for adobe flash that i received quite some time back before this new variant of the malware was made public...but i luckily didn't update then...but now i have this adobe flash in my applications.....don't know whether to delete it or leave it be.....since i've already updated the MRT in my mac

Apr 17, 2012 8:23 AM in response to SuperWeeD

and regarding the adobe flash....i don't ever remember downloading it in the first place....unless i might have accidentally clicked on it...anyways i cancelled the download before it could really progress..so now it's lying there in my apps "WHEN I GO INTO LAUNCH PAD" BUT there's no adobe flash icon or folder in my applications when i go into applications via the {GO} bookmark on the top of the desktop......so assuming that the adobe flash thingy is an incomplete file....what should i do?

Jul 4, 2012 7:48 PM in response to amx2010

amx2010 wrote:


How do I remove the Apple Flashback Removal Tool from my system?

Since you are in the Lion forum, I assume that's what you are running, in which case it removed itself after checking for (and eliminating, if necessary) the existence of Flashback. At least that's what the blogs have said.


If it's still there, you should be able to find it here: (user-uploaded image)

Jul 16, 2012 4:29 AM in response to xbsa66

Kappy wrote:



It just works automatically. If it finds malware it will notify you, otherwise I understand it just quits and self-deletes.


If you don't have Java installed on your computer, then you need not worry about the malware.



Kappy,


So this means that if I have doubts in the future about being infected, I have to download it again and run it, since it will self-delete if it finds nothing. Right?

