Apple promises Flashback malware killer

Week after firms put infected Macs at 600,000+, acknowledges infections

Apple on Tuesday for the first time publicly acknowledged a malware campaign that has infected an estimated 600,000 Macs, and said it would release a free tool to disinfect users' machines.

"A recent version of malicious software called Flashback exploits a security flaw in Java in order to install itself on Macs," Apple said in a support document published Tuesday. "Apple is developing software that will detect and remove the Flashback malware."

Although Flashback has circulated since September 2011, it was only last month that the newest variant began infecting Macs using an exploit of a Java bug that Oracle patched in mid-February.

Apple maintains its own version of Java for Mac OS X, and is responsible for producing security updates. It issued a Java update on April 3 that quashed the bug Flashback has been using to sneak onto Macs.

In the seven weeks between Oracle's and Apple's updates, hackers responsible for Flashback managed to insert their software -- designed for, among other things, password theft -- onto an estimated 2% of all Macs.

Apple, which rarely comments on security issues, and never prior to producing a patch, had been mum since last Wednesday, when Russian antivirus maker Dr. Web said it had "sinkholed" Flashback command-and-control (C&C) domains. Dr. Web tallied the infected machines that communicated with those hijacked domains to come up with its 600,000 estimate.

The Loop blog first reported on Apple's support document late Tuesday.

Apple also said it was working with Internet service providers (ISPs) to "disable [the Flashback] command and control network," referring to the usual practice of asking hosting firms to pull hacker-operated C&C servers off the Internet so that infected computers cannot receive further orders.

And the company promised to issue a special tool to "detect and remove the Flashback malware." Apple did not set a timetable for its release.

It won't be the first time that Apple has crafted a detection-and-deletion utility. In May 2011, the company announced a similar tool to sniff out and remove the MacDefender fake security software that plagued Mac users for several months last year.

Apple delivered the promised anti-MacDefender tool as a software update one week later.

If the company sticks to the same tempo this time, the Flashback deletion tool should be available April 17.

Similar aids are already available, however. On Tuesday, Kaspersky Labs, one of the Russian antivirus companies that counted the number of infected Macs, released a free removal tool dubbed "Flashfake," that detects and eradicates the malware. Kaspersky and others have also created websites where users can determine if their Macs harbor the Flashback malware.

Apple issued patches last week for the Java vulnerability exploited by Flashback, but only for the two OS X flavors it still supports: Lion and its immediate predecessor, Snow Leopard.

Mac owners running older editions -- Leopard and earlier -- should disable the Java browser plug-in, Apple said, and pointed users to instructions. According to Web metrics vendor Net Applications, about one-in-six Macs run an unsupported version of Apple's operating system.

Kaspersky tool
Kaspersky Lab released a free seek-and-destroy tool for Mac owners who suspect their computers are infected with the Flashback malware.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com.

Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies