The Malware Cometh

It’s official: Macs are finally vulnerable to nasty viruses. There are malicious programs that can infect a Mac without the user having to do anything accidental or unwise. It ain’t an apocalypse, but we should be increasingly careful.

Last week saw the emergence of a version of the Flashback trojan. This bad bug sneaks into your web browser when you visit an infected web site, and starts reporting things like your browsing history and logins.

There are really good writeups about Flashback, like these from TidBITS, MacWorld, All Things D, and this nerdy one from Basics4Mac, with plenty of technical details and descriptions of the . For the purpose of this article, I’ll simply say that Flashback uses the programming environments Flash and Java to run. (These names may sound familiar, from discussions about how the iPhone has neither of them.)

Apple has also now, for the first time, posted a response to an emergent Mac malware. It’s brief and worth a glance.

So now I am going to try to distill, in as few words as possible, what the average Mac user should do about the virus.

What Now?

1. Run Software Update from the Apple menu.

Apple has released a patch to Java that prevents Flashback from infecting your Mac.

2. Don’t click on unknown or untrusted links to web sites.

Even some legit web sites have been infected, but they will be cleaned up. When you see a link in an email, before you click, hover your cursor over the link and read the address that pops up. If it doesn’t look right, don’t click.

3. Don’t enter your password…

…unless you know why you’re being asked to do so.

4. Test your Mac for infection.

This takes just a bit of effort, but is not hard. You have three reasonable options:

  1. Download this small app by long-time Mac nerd Mark Zeedar. Once the file test4flashback.zip (lowercase) is in your downloads folder, double-click it to “unzip” it, and then double-click the resulting file called Test4Flashback (with capital letters).
  2. Go to this web page by security firm Kaspersky. It can supposedly compare your Mac’s unique ID against a database of known infected machines.
  3. Open the app called Terminal. You can find it using Spotlight or in the /Applications/Utilities folder. Copy and paste each of the following commands into the Terminal, hitting return after each.

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

defaults read "/Applications/Google Chrome.app/Contents/Info" LSEnvironment

defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

defaults read "/Applications/iCab 4/iCab.app/Contents/Info" LSEnvironment

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

The result should look like the screen shot below, with the words “does not exist” after each line.

Terminal screenshot: Flashback not detected
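
The five Terminal checks above, wrapped in one script (an added example, not part of the original post). It flags any result that lacks the words "does not exist"; the DEFAULTS_BIN variable and the function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: automates the five "defaults read" checks from step 4.
# DEFAULTS_BIN is an assumption of this sketch; it lets the tool be swapped for testing.
DEFAULTS_BIN="${DEFAULTS_BIN:-defaults}"

# classify_output TEXT: prints "clean" when TEXT contains "does not exist",
# otherwise "suspicious" (the key holds a value and deserves a closer look).
classify_output() {
    case "$1" in
        *"does not exist"*) echo clean ;;
        *) echo suspicious ;;
    esac
}

# check_key DOMAIN KEY: runs one check and prints its verdict.
# "defaults read" exits non-zero when the key is absent, so we judge by its text.
check_key() {
    out=$("$DEFAULTS_BIN" read "$1" "$2" 2>&1) || true
    classify_output "$out"
}

# scan_all: runs every check from the article; returns 1 if any is suspicious.
scan_all() {
    rc=0
    for domain in \
        "/Applications/Safari.app/Contents/Info" \
        "/Applications/Google Chrome.app/Contents/Info" \
        "/Applications/Firefox.app/Contents/Info" \
        "/Applications/iCab 4/iCab.app/Contents/Info"
    do
        verdict=$(check_key "$domain" LSEnvironment)
        printf '%-12s %s\n' "$verdict" "$domain"
        [ "$verdict" = clean ] || rc=1
    done
    verdict=$(check_key "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES)
    printf '%-12s %s\n' "$verdict" "$HOME/.MacOSX/environment"
    [ "$verdict" = clean ] || rc=1
    return $rc
}

# Run the scan only where the macOS "defaults" tool is available.
if command -v "$DEFAULTS_BIN" >/dev/null 2>&1; then
    scan_all || echo "At least one check returned a value: see step 5."
fi
```

Save it as a file and run it with sh; quoting each path keeps the spaces in "Google Chrome.app" and "iCab 4" from splitting the argument.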

5. Remove the infection.

If one of the above techniques revealed that your Mac is infected, you have three options:

  • Call us and we’ll take care of it.
  • Download this removal tool from Kaspersky.
  • Or follow these brief-but-nerdy instructions posted by F-Secure.

What Next?

But what then? How should Mac-o-philes stay vigilant against these intruders?

Please understand that all of the following are just suggestions, not prescriptions. All of us want our Macs to just keep working, without the tinkering and worrying characteristic of Windows users. But to that end, I have myself adopted the following methods, and I believe they help protect my computers and my data from the bad guys.

1. Uninstall Adobe Flash from your Mac

Adobe has this page, from which you can download the Flash uninstaller for Mac.

I know, I know, you’re saying it’s going to break your internet. Read on, dear reader.

2. Use Google Chrome instead of Apple Safari for web browsing

Chrome is a fantastic, free web browser that Google created to make the web better and faster.

Google built their own version of Flash into Chrome, and Chrome updates itself on a regular basis behind the scenes. So you don’t have to keep up with Flash updates, and you’ll never be tricked into downloading a fake version of Flash.

Sometimes I browse in Safari, but mostly I use Chrome.

3. Should I disable Java?

You can read in the other articles how you can disable Java entirely, both for your browser and on your whole Mac. The problem is that, as of this moment, Java is even more important than Flash. Many of our clients are using CrashPlan for internet backups, or LogMeIn for remote access to their computers. Both services rely on Java.

As an experiment, I have disabled Java on Safari, in Safari menu > Preferences > Security. Ping me if you’re curious whether that has affected my experience on the web.

Back up, and be vigilant

If you follow the 3–2–1 rule of backups, then you can recover from anything that happens to your computer.

And from here on out, it behooves us to keep an eye on what goes on on our computers. The days of cavalier surfing are over for Mac users.

Author: jjmarcus

Mac Whisperer, Cloud Integrator, Gadget Wrangler, Content Beautifier

6 thoughts on “The Malware Cometh”

  1. Just came across this malware on a client’s MacBook Pro. In the process of removing using the Kaspersky tool.

  2. Great post!
    Using the terminal, I determined that I don’t have Java on my new MBP. Is that why the Java update did not appear in the update list when I ran software update?

  3. That’s totally the reason, and it’s a good point: you can’t update what isn’t there. And if you don’t have Java, you can’t have Flashback, so just running Software Update is a good start to checking your exposure.
