Tuesday, April 24, 2012

Flashback Malware and Java : FYI Notes

I just posted an FYI set of notes over at MacDaily news to help sort out some misinformation regarding what has been occurring thanks to the Russian malware rats who write the Flashback series of malware. It may be helpful here as well.

The worst previous Mac malware infection was due to Trojan.OSX.iServices.A-C. It was a Trojan horse that was infiltrated into Warez versions of a few different Mac apps available at Torrent websites. The result was a botnet estimated to contain 10,000 Macs. That was in early 2009.

The worst estimate for the Flashback botnet (created by an estimated 19 different versions of the Flashback malware) was about 600,000 Macs. That is larger than the iServices botnet by a factor of 60.
All of the Mac malware prior to the recent Java-exploiting versions of Flashback has consisted of Trojan horses, with infections preventable by basic safe user practices. The people who infected themselves are generally considered either to be Mac newbies or to be ‘LUSERS’ who would figure out a way to become infected if not for their account administrators.
The recent versions of Flashback have been unique in the history of Mac OS X malware because they were drive-by infections from websites that required no user interaction. The cause of this problem was two-fold:
1) Oracle don’t give a rat’s about Java and have allowed it to become the #1 source of third party security vulnerabilities for Mac users. Oracle don’t care.
2) Apple’s experiment with having Oracle provide timely updates of Java for Mac OS X has FAILed. Oracle don’t care.
My personal recommendations:
A) Don’t install Java onto Mac OS X 10.7. Most people never need it.
B) If you do install Java onto 10.7, or you run a previous version of Mac OS X, TURN JAVA OFF. This can be done in the Java Preferences app in your Utilities folder. Only turn it on again for critical uses, then turn it OFF when you’re done.
IOW: Java now sucks. Avoid Java as much as possible. 
Java is now even more dangerous than JavaScript, aka LiveScript, aka ECMAScript, aka JScript (by Microsoft), aka ActionScript (by Adobe). It is now even more dangerous than the real Adobe Flash Player plugins.
Hopefully this Java catastrophe has woken Apple up to being preemptive about Java security holes and their danger to Mac Java users. Oracle don’t care.
Ideally, Oracle will at long last allow Java to become an open source project. However, I don't see that happening in the near term as Oracle will be reaping some major bucks off Google for having ripped off Java technology for their Android OS. Oh well.

Sunday, April 15, 2012

Flashback Malware And The Confusing Case Of The Apple Flashback Malware Remover v1.0

[Updated 2012-04-18:
Symantec are now reporting that, according to their data collection, the Flashback botnet is down to 140,000 Macs. That's still a vast number, but a remarkable improvement thanks to Apple's Java update and Remover.

Also new: 
My net friend Al Varnell, who performs a great deal of vigilant work with ClamXav and the ClamAV project, has provided me with new information and insight reflected below. Of greatest interest is the fact that the Flashback malware series has been specifically aimed at Intel CPU Macs only. PPC Macs are immune.]

Apple has provided a separate tool for Mac OS X 10.7 users (only) for the removal of most versions of the Flashback malware. It is entitled (despite odd journalist claims to the contrary) the 'Flashback Malware Remover.' Apple also call it their 'Flashback malware removal tool.' The Software Update system in 10.7 is offering the tool to those who have no installed Java. Optionally, you can manually download it from Apple's Downloads site:


Here is Apple's description of the Flashback malware removal tool:
About Flashback malware removal tool
This update removes the most common variants of the Flashback malware. This update contains the same malware removal tool as Java for OS X 2012-003. If the Flashback malware is found, a dialog will be presented notifying the user that malware was removed.
In some cases, the Flashback malware removal tool may need to restart your computer in order to completely remove the Flashback malware. 
This update is recommended for all OS X Lion users without Java installed.
Why does the description say 'without' Java installed? Because there have been quite a few versions of the Flashback malware that did not involve Java. Mac users who do not have Java installed (which is the default starting with Mac OS X 10.7) would never have been offered Java for OS X 2012-003 via Software update and therefore would never have run Flashback Malware Remover on their Macs via that update. Rather than leaving those users out in the cold, Apple have provided the Remover as a standalone installer application.

NOTE: The Remover only runs on Mac OS 10.7. I checked.

What is confusing about the Remover is that Apple have NOT provided an actual application tool. Instead Apple has provided an 'installer' package that runs within their Installer program and that is ALL that it does. 

Essentially, Apple took the Java for OS X 2012-003 installer and removed everything except the Remover process from the installation. In other words: NOTHING is installed on your Mac. Not-a-thing. And yes, that is freaky. The installer is the Remover. Get it? This is going to freak out and confuse quite a few Mac users. This has already been proven to be the case up on Apple's Discussion forums at their Support site. I can't blame them! It makes no sense, except that Apple had the Remover handy inside their Java for OS X 2012-003 installer, so they sped the Remover out the door within that same format.

Don't worry about it! Just run the installer and the Remover will run. Keep the .dmg file if you would like to run it again in the future. This is a great idea because the older Trojan horse versions of Flashback (of which there are reportedly 13 versions that don't use Java) are going to remain out in the wild on the Internet.

Please refer back to my previous article for details about how to avoid being infected with Trojan horse malware, along with other security rules and tips:

The Rules of Computing: Keeping Your Mac Secure

The Numbers:

Adding up all the Macs infected with ALL the variations of the Flashback malware, apparently well over 600,000 Macs were affected:

After Apple's three Java updates, the last of which included the Remover, the number dropped to half, less than 300,000 infected Macs:

Who's left in the Flashback botnet?

1) Users with Mac OS X 10.6 or 10.7 with Java installed who have not run the most recent updater or Apple's separate Flashback Malware Remover.

2) Users with Mac OS X 10.7 who never installed Java and have not yet run Apple's Flashback Malware Remover.

3) Anyone using Mac OS X 10.5 on Intel Macs. From the data of which I am aware, the Flashback malware code is directed ONLY at Intel Macs, making PPC Macs immune. It is not clear whether there have been infections of Mac OS X 10.4 Intel Macs. However, I continue to suspect there have been. The Java security hole exploited by Malware.OSX.Flashback.N, the latest version (according to Intego), is apparently present in the last Java update for that version of Mac OS X.

Kaspersky has provided a web page where you can check if your specific Mac was infected with Flashback. However, I can't recommend it as the page requires you to enter your Mac's hardware UUID (Universally Unique Identifier). That's a bit like giving away your social security number and could be used by hackers to fake being you on the Internet. I suggest you only give it away to people you know and trust. Therefore, I'm not going to link Kaspersky's Flashback infection checking page here. If you'd like to use it, go digging around at the Kaspersky.com website.

Is this the time to buy Mac Anti-Malware software?
(Often wrongly called 'Anti-Virus' software). 

Probably not, unless you are dealing with the 'LUSER Factor' or unless you have an Intel Mac with Mac OS X 10.5 or 10.4. Even then, I suggest you first download and use Mark Allan's ClamXav software. It's FREE. My Mac Security friends and I work to keep the ClamAV open source project up-to-date with the latest Mac malware definitions. Install it, update its malware definitions and have it scan your entire boot drive.

There are also a number of free scanner versions of commercial anti-malware apps. I'd suggest checking out Sophos Free Anti-Virus for Mac. (I can no longer recommend the free PC Tools iAntiVirus app, which is drastically out-of-date).

If you'd like to buy the best Anti-Malware program, I continue to recommend Intego's VirusBarrier. They have a 30-day trial version. I own it, use it and like it. It ships with excellent bells and whistles including its own firewall, Internet website protection, good background scanning that doesn't eat your CPU, and its own reverse firewall (similar to the renowned Little Snitch software). The only drawback is the yearly fee for malware definitions. I pay it and don't mind.

I have friends who like F-Secure Anti-Virus. They offer free online tools and a 30 day free trial. (Use the 'campaign code' on their AV page). The only reason I avoid F-Secure is that they are FUD mongers, attempting to scare Mac users with exaggerated reports about Mac malware. I don't deal with that.

Sophos is the best if you are running a small business or enterprise network of Macs. They also offer a free trial. I also like their free Sophos Security Monitor app for iOS devices. It provides timely computer security information.

The other anti-malware providers can be anywhere from OK to total CRAP. The crap includes (IMHO of course) anything from ZeoBIT and Symantec. IOW: Run away from MacKeeper and Norton Anti-Virus. 

Coming Up:

Over at my MacSmarticles blog, I will be posting an article about ZeoBIT paying their users to bombard Mac software review sites, a grotesque abuse of marketing.

Here at the Mac-Security blog, I will be providing a list of my favorite Mac security information sources.

Wednesday, April 4, 2012

CRITICAL Java Updates: Mac OS X 10.6 Update 7 and 10.7 Update 2012-002 (formerly 001)

[Updated 2012-04-06:
For users of Mac OS X 10.7, Java update 2012-002 has been released today to correct an error in the .DMG installation file for 2012-001. The 2012-001 installer has been withdrawn. I interpret this to mean that the flaw in 001 was critical. Therefore, please install Java for OS X 2012-002 IMMEDIATELY! It has been reported that over 600,000 (not a typo) Macs are now infected with the Flashback Trojan horse / botnet malware! This is unprecedented in Mac history. This Java update kills off a Drive-By method of Mac infection by the Flashback malware.]

If you haven't already installed the latest Java update for Mac OS X 10.6 Snow Leopard and 10.7 Lion, INSTALL IT NOW. No excuses. The best method of installation in this case is via Software Update, available under the Apple menu. There is currently a problem with the direct download version for 10.7 whereby it FAILs the fsck check the OS runs during DMG file verification. See details below.

This particular update is CRITICAL because there is an active exploit against the older version of Java that results in Drive-By infection of Mac machines without requiring the user to provide a password. This is unheard of on Macs. It is specifically a Java problem, NOT a Mac OS X problem. Don't blame Apple. Blame the lazy crapcoders at ORACLE.

Windows users have had this particular Java update for MONTHS. Supposedly Apple and Oracle have an arrangement whereby Oracle are now writing Mac updates for Java. But that arrangement is FAILing.

Earlier today I posted reviews of this update at both VersionTracker/CNET and MacUpdate. I have provided a somewhat redundant summary below, with details about how to turn OFF Java, which I highly recommend, as well as some rant action.

∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞

Good: This CRUCIAL Java update patches an active exploit against Macs. Better a late update than never. Java is occasionally useful.

Bad: Java is now one of the most INSECURE Internet technologies. If you don't use Java, TURN IT OFF! Oracle and Apple are NOT providing Mac Java updates in a timely manner. This Java update for Mac provides an update that Windows users have had for months. For over a week, there has been an active malware exploit against Mac users with the unpatched version of Java.

It is terrific that Apple jumped on this exploit so quickly. However, Apple users MUST be provided with Java patches at the same time as Windows users. Delaying Java patches for Mac users is NOT acceptable.

I have verified that the direct download file of the 10.7 version of Java for OS X 2012-001 FAILs the Mac OS X fsck check during file verification. This is evident in the Console. This is BAD. If you used this downloaded installer, IMMEDIATELY update to the Java for OS X 2012-002 installer!

The BEST way to install this update is from Software Update. You will find it under your Mac's Apple menu. This installation works perfectly.

Now For My Rant:

Java has become a BANE of the Internet. I have turned it OFF. I am sick of the recent Java exploits against Mac users. I don't deal with it. I suggest you turn Java OFF as well, unless you use it regularly.

If you use multiple web browsers (I use six) then the best and simplest way to turn Java OFF is via the Java Preferences app found in your Mac's Utilities folder. Follow these steps:

1) Open the Java Preferences app.

2) Under the 'General' tab, check OFF "Enable applet plug-in and Web Start applications". (Mac OS X 10.6 users: Instead uncheck the plugins for Java SE 6 in the box inside the window).

3) Quit the Java Preferences app.

4) VERIFY IT'S OFF: Open the Java Preferences app, again. Verify that the "Enable..." checkbox remains OFF. If you find it on again, check the damned thing OFF again. Quit Java Preferences. Verify AGAIN as required.

I add this VERIFY step because I personally have seen this checkbox turn on again. If you want to be extra-special certain the box doesn't turn on again, you can go down to the box under the 'General' tab and turn OFF both 64 and 32-bit "Java SE 6", then turn off "Enable". That definitely does the trick.

My #2 Rant: 

SHAME ON ORACLE. That company has RUINED OpenOffice. The LibreOffice branch is now off and running and far superior, leaving the source OpenOffice project irrelevant. Oracle has been just as obtuse with Java, which is now a DETRIMENT to the Internet.

Maybe Java will be made open source, at long last. That would help. Perhaps great developers like those on the LibreOffice team will grab it and make Java seriously great. Until then, BEWARE OF JAVA. I fully expect more Java exploit malware to come. (o_0) 

Now I go all sentimental: 

Remember when Java was supposed to be 100% secure, never able to access your computer directly, entirely safe in its sandboxed little Just-In-Time runtime machine? Remember 'write once, run anywhere'? Remember 'secure memory management'? Fun times in Fantasy Land.