Apple Creating Tool to Detect, Remove Flashback Malware

Company officials say they also are working with ISPs to help disable the command-and-control servers being used by the Flashback developers.

Apple engineers are developing a software tool that will detect and remove the Flashback malware, which has infected more than 600,000 Macs worldwide and has shaken the image of Apple devices being almost invulnerable to exploits.

In a brief message on the Apple Website, company officials noted that the recent iteration of Flashback€”which was first detected last year as a Trojan masquerading as an update to Adobe Flash€”is able to exploit a security flaw in Java and install itself on Macs.

€œIn addition to the Java vulnerability, the Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions,€ the officials wrote. €œApple is working with ISPs worldwide to disable this command-and-control network.€

The posting did not say when a tool would be available.

The company released a Java update April 3, fixing the Java security flaw in systems running OS X v.10.7 and Mac OS X v10.6, and released another update two days later. The officials suggested that Mac users running Mac OS X v10.5 or earlier should disable Java in their Web browser preferences.

New variants of Flashback were detected last month, and a small Russian antivirus firm, Doctor Web, reported last week that after running a €œsinkholing€ operation, they found that more than 550,000 Macs worldwide had been infected. The researchers later updated that figure to more than 600,000€”or between 1 and 2 percent of all Macs in use€”numbers that security software firm Kaspersky Lab later confirmed through its own operation.

Apple has come under fire from some security experts who noted that Oracle€”which owns the Java technology€”had patched similar flaws for Windows PCs and other systems weeks ago. Apple doesn€™t ship Macs with Java, but users can install it onto their systems. However, because Apple doesn€™t allow third parties to patch its systems, Apple updates tend to be late, and security experts say this puts Mac users at greater risk to malware infections.

Officials with Doctor Web also said that they have not heard from Apple since alerting them of the findings from their sinkhole operation, and that at one point, Apple officials asked a register to shut down the domain that Doctor Web was using in the operation. Doctor Web executives told that they believed Apple's request was an honest error, but it also illustrated Apple's closed nature and its inexperience in dealing with the security community.

The Flashback malware takes advantage of vulnerabilities in Java. While the first Flashback exploit was a Trojan, the newer variants are more of a drive-by malware, which relies less on users downloading the exploit to their Macs. Instead, it hits vulnerable systems when users visit malicious or compromised Websites.

A growing number of security firms are rolling out tools designed to detect and€”in some cases€”remove the Flashback malware from infected systems. Security software vendor F-Secure has outlined a series of manual steps that users can take to detect and remove the malicious code from their machines.

In addition, Kasperksy has created a Website,, that offers Mac users a quick way to determine whether their system has been compromised. The company also offers a free removal tool.

A software developer also has created a free tool designed to detect the Flashback malware on Macs. Juan Leon posted his FlashbackChecker tool, which essentially automates the complex steps outlined by F-Secure, to github. The tool will detect the malware, but won't remove it.

Security experts have said that as Internet-connected Apple devices€”not only Macs, but iPhones, iPads and others€”become more popular, and gain greater acceptance in enterprises, they increasingly will become targets for malware creators. There has been a steady increase in malware activity around Apple systems over the past year.

€œAt the beginning of 2012, we predicted an increase in the number of attacks on Mac OS X which take advantage of zero-day or unpatched vulnerabilities,€ Kaspersky security expert Costin Raiu wrote in an April 9 post on the company€™s SecureList blog. €œThis is a normal development which happens on any other platform with enough market share to guarantee a return-on-investment for virus writers, so Mac OS X fans shouldn€™t be disappointed because of this. During the next few months, we are probably going to see more attacks of this kind, which focus on exploiting two main things: outdated software and the user€™s lack of awareness.€