Apple promises malware removal tool for Flashback trojan

Apple says it is developing software that will detect and remove malware estimated to have infected more than 650,000 Macs running the OS X operating system.

Detection, removal already possible with commercial antivirus software

Apple posted the information on a page about the malware known as "Flashback" in the support section of its website, which was updated Tuesday.

The page also describes how Mac users can protect themselves from the trojan malware, which infects computers via a vulnerability in Java, plug-in software needed for web browsers to run certain kinds of applications. Infected computers become part of a botnet of thousands of computers that can be remotely controlled by special servers to conduct activities such as delivering spam and taking part in denial-of-service attacks.

The malware can be detected and removed by some commercial, third-party antivirus software packages, or it can be removed manually by advanced users.

Apple noted that it released a Java update on April 3 that fixes the Java security flaw on computers running OS X v10.7 and Mac OS X v10.6. However, it said users running Mac OS X v10.5 or earlier should disable Java in their web browser preferences.

An entry posted Wednesday on the Naked Security blog, run by the antivirus software company Sophos, noted that Apple hasn't provided a patch for users of OS X v10.5 or earlier "and isn't saying if it will ever do so."

It also noted that patching Java reduces the chance of infection, but doesn't rule it out, and users who install the patch may still have become infected before installation.

Apple changes security approach

Paul Ducklin, Sophos's head of technology in the Asia Pacific and the author of the post, said Apple's acknowledgement that it is working on a detection and removal tool is a big step, considering that the company traditionally says it "does not disclose, discuss or confirm security issues until a full investigation has occurred and the necessary patches or releases are available."

Macs have traditionally been rarely targeted by the makers of malicious software, who have tended to focus instead on PCs. The Java vulnerability was patched for the PC operating systems Windows, Linux and Unix back in February.

The Mac Flashback trojan epidemic, Ducklin wrote, is "bad luck, this time, for Mac users, but perhaps good news in the long term. If nothing else, Apple's security team has touched down on Planet Earth." He added that the company's decision to share information about the security flaw early is better for everyone.

According to Dr. Web, a Russian antivirus software maker that has been studying the virus, there were 655,700 Macs infected with Flashback as of Tuesday, a rise from 550,000 on April 4. At that time, 20 per cent of infected computers were in Canada. Another 57 per cent were in the U.S.

The Flashback trojan can be detected using a number of antivirus services, including a free one from Dr. Web and Sophos's free Anti-Virus for Mac Home Edition, which also removes it.

The antivirus software maker F-Secure has posted instructions for manually removing Flashback, but warns that it is a risky process "recommended only for advanced users." The company advises other users to seek professional technical assistance.