The Malware Cometh

It’s official: Macs are finally vulnerable to nasty viruses. There are malicious programs that can infect a Mac without the user having to do anything accidental or unwise. It ain’t an apocalypse, but we should be increasingly careful.

Last week saw the emergence of a version of the Flashback trojan. This bad bug sneaks into your web browser when you visit an infected web site, and starts reporting things like your browsing history and logins.

There are really good writeups about Flashback, like these from TidBITS, MacWorld, All Things D, and this nerdy one from Basics4Mac, with plenty of technical details and descriptions of the . For the purpose of this article, I’ll simply say that Flashback uses the programming environments Flash and Java to run. (These names may sound familiar, from discussions about how the iPhone has neither of them.)

Apple has also now, for the first time, posted a response to an emergent Mac malware. It’s brief and worth a glance.

So now I am going to try to distill, in as few words as possible, what the average Mac user should do about the virus.

What Now?

1. Run Software Update from the Apple menu.

Apple has released a patch to Java that prevents Flashback from infecting your Mac.

2. Don’t click on unknown or untrusted links to web sites.

Even some legit web sites have been infected, but they will be cleaned up. When you see a link in an email, before you click, hover your cursor over the link and read the address that pops up. If it doesn’t look right, don’t click.

3. Don’t enter your password…

…unless you know why you’re being asked to do so.

4. Test your Mac for infection.

This takes just a bit of effort, but is not hard. You have three reasonable options:

  1. Download this small app by long-time Mac nerd Mark Zeedar. Once the file (lowercase) is in your downloads folder, double-click it to “unzip” it, and then double-click the resulting file called Test4Flashback (with capital letters).
  2. Go to this web page by security firm Kaspersky. It can supposedly compare your Mac’s unique ID against a database of known infected machines.
  3. Open the app called Terminal. You can find it using Spotlight or in the /Applications/Utilities folder. Copy and paste each of the following commands into the Terminal, hitting return after each.

defaults read /Applications/ LSEnvironment

defaults read /Applications/Google LSEnvironment

defaults read /Applications/ LSEnvironment

defaults read /Applications/iCab 4/ LSEnvironment

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

The result should look like the screen shot below, with the words “does not exist” after each line.

Terminal screenshot: Flashback not detected

Terminal screenshot: Flashback not detected

5. Remove the infection.

If one of the above techniques revealed that your Mac is infected, you have three options:

  • Call us and we’ll take care of it.
  • Download this removal tool from Kaspersky.
  • Or follow these brief-but-nerdy instructions posted by F-Secure.

What Next?

But what then? How should Mac-o-philes stay vigilant against these intruders?

Please understand that all of the following are just suggestions, not prescriptions. All of us want our Macs to just keep working, without the tinkering and worrying characteristic of Windows users. But to that end, I have myself adopted the following methods, and I believe they help protect my computers and my data from the bad guys.

1. Uninstall Adobe Flash from your Mac

Adobe has this page, from which you can download the Flash uninstaller for Mac.

I know, I know, you’re saying it’s going to break your internet. Read on, dear reader.

2. Use Google Chrome instead of Apple Safari for web browsing

Chrome is a fantastic, free web browser that Google created to make the web better and faster.

Google built their own version of Flash into Chrome, and Chrome updates itself on a regular basis behind the scenes. So you don’t have to keep up with Flash updates, and you’ll never be tricked into downloading a fake version of Flash.

Sometimes I browse in Safari, but mostly I use Chrome.

3. Should I disable Java?

You can read in the other articles how you can disable Java entirely, both for your browser and on your whole Mac. The problem is that, as of this moment, Java is even more important than Flash. Many of our clients are using CrashPlan for internet backups, or LogMeIn for remote access to their computers. Both services rely on Java.

As an experiment, I have disabled Java on Safari, in Safari menu > Preferences > Security. Ping me if you’re curious whether that has affected my experience on the web.

Back up, and be vigilant

If you follow the 3–2–1 rule of backups, then you can recover from anything that happens to your computer.

And from here on out, it behooves us to keep an eye on what goes on on our computers. The days of cavalier surfing are over for Mac users.

J2 News: Hell Is for Hackers, or Shields Up!

Hackers posterI hope y’all won’t mind if I say that I consider information in this and my next newsletter really important. It doesn’t matter where you learn how to protect yourself from hackers, but I hope you do take a few minutes to do so.

Because this is it. This is the year your Mac might get hacked. I’ve promised over the years that I would tell you when it happened, and now I’m telling you: It can happen, and unless you’re careful, it will happen to you.

Oh, hey, while I’m being all Mr. Sunshine, guess what? Your email password is gonna get hacked, too.


But that’s not to say you can’t protect yourself. I’ll deal with securing your online identity in another email. Right now, let’s talk Mac.

Malware has come to the Mac. It has appeared with several names — MacDefender, MacGuard, MacProtector, MacSecurity — and it looks like this:

MacDefender malware fake alert screen

It enters your life as a browser pop-up window, so far mostly frequently on pages resulting from Google Image searches. Then the malware gets you two ways:

  1. By warning you that your Mac computer is infected, it entices you to buy the advertised software, which doesn’t exist and is only a decoy to sucker you into divulging your credit card.
  2. Meanwhile, it installs a background application that shows you material of questionable taste to make you think your computer is infected, which hey, now it is!

It does not do some of the other horrors perpetrated by its more skeevy cousins, such as hijacking your mail program to spam your contacts, or reporting all your keystrokes back to its masters.

Golly, isn’t humanity awesome? All this because we wanted to see other people’s cats playing piano.

I’m not going to go into the differences between viruses, trojans, and other malwares. But since I just had to look it up, I’ll share that this nastiness is not a “virus,” in that does not replicate itself. Call it a hybrid, scareware with a trojan horse back. A pretend threat that relies on human nature and user action.

Speaking of user action, stopping this stuff is, at the moment, still really easy, using the same basic best practices all computer users should follow. Windows users have had lots of time to learn to ignore such nonsense. Now the Mac community gets to learn the stop-drop-‘n’-roll and the duck-‘n’-cover. Shall we?

Don’t Click the @%#$! Button!

I know, that “Cleanup” button, however ungrammatical, is tempting. Don’t. Just don’t. Simply close the window with the usual small, round, red button at the top left.

Ummm… Don’t Give Your Money to Just Anyone

‘Nuff said.

Don’t Enter Your Password Unless You Know Why

When you want to install software or make a change to the Mac system, you are asked for your password. Even if you never chose a password on your Mac (and you should do so), you’ll still get the dialog box asking for one. This, I think is one of the primary reasons the Mac is still the safer system. Any aspiring malware that wanted to corrupt your machine completely would have to request your password. Microsoft could make Windows much more secure by adopting this feature.

That said, some variants of this recent menace do not need to ask for your password to install themselves. They can’t get past your own user folder into the root of your system, but they can still be a pain.

The Mac message “[This thing you just downloaded] is a file downloaded from the Internet” is also a layer of protection. Windows has similar warnings. Error messages are worth reading. Don’t be afraid you won’t understand them. Apple is pretty good at speaking them plainly.

Tell Safari Not to Be So Trusting

  1. Open Safari.
  2. Click on the Safari menu by the Apple, and click Preferences…
  3. Click the General button in the toolbar.
  4. Turn off the option called ”Open ‘safe’ files after downloading.” As it says, “‘Safe’ files… include disk images and other archives,” and these can contain application installers.
  5. Close the Preferences window.

Run Software Update

If your Mac is running Snow Leopard, you’ll get Security Update 2011-003 with your next software update, which you can run manually from the Apple menu.

The Security Update is Apple’s first foray into malware-removal. It is almost entirely transparent: It updates its database in the background, learning about and blocking new annoyances on the fly. It depends on Apple to keep abreast of current threats.

Side note: If you don’t have Mac OS X 10.6 Snow Leopard, and your Mac is newer than 2006, for $29 it’s well worth it! Even with 10.7 Lion coming out this month, you’ll have to have 10.6 to have the Mac App Store from which to download 10.7. So you might as well.

Kill It If You Got It

If you do end up contracting a bug like this, you can follow these instructions from Apple to remove it.

Moving Forward

Finally, I gotta include the obligatory Mac fanboy defensive-sounding junk here at the end. In truth, malware has appeared on Macs before, especially before OS X. Also, there has been at least one virus. But for reasons mentioned above, they were never able to propagate. (I have never bought into the “security through obscurity” theory that too few Macs exist to make worthy, valuable targets. Shouldn’t 5% of all computers be infected with around 5% of all malware?)

This recent scare was a new breed. It was designed to look like Mac software. And it caught a lot of people. It didn’t do a ton of damage, though I’m sure many folks got their cards ripped off. For now, I reaffirm my belief that we don’t need anti-virus software running on the Mac. But this recent baddie is insidious, and obnoxious, and I doubt it’s the last of its kind.