What to do about the Flashback trojan

Amazon is now an Authorized Apple Reseller!. Current models, older models, refurbished models-- now you are assured of getting genuine Apple products when you shop at Amazon. Check it out.
Use this link (note: sales via this link may generate a commission to Christian Boyce, from Amazon.

Bad news and good news about Flashback.

First the bad news. There’s this thing called Flashback and it will mess up your Mac big-time. You could get it simply by visiting an infected website. Flashback will inject code into your browser and the modification lets the bad guys collect information as you visit various websites. The information could include, for example, your online banking username and password. Ugh. You don’t want this to happen.

Now the good news. Flashback is reasonably easy to detect, and reasonably easy to protect against. Let’s start with detection. This AppleScript will let you know whether your machine shows signs of being infected by Flashback. Download it, expand it (if it doesn’t expand automatically), and then double-click to run it. You can read the code here, then copy and paste it into Apple’s Script Editor if you’d prefer to run it that way. Thanks to macstuff.beachdogs.org for the script.

(Flashback creates various files, some of them invisible, and the AppleScript automates the process of looking for them.)

If the script tells you that your Mac is Flashback-free, that’s that– except not quite. Now you have to stay clean. The easiest thing to do is to run Software Update (under the Apple menu) until it tells you you’re up to date. That may take a few iterations. The reason this works is that the Flashback program takes advantages of security holes in early versions of Java. Apple has patched those holes and provides the patches via Software Update.

If the script tells you that it found malware you have to take action. Unfortunately it isn’t easy. Here are directions but they’re not for the meek. Get help if you aren’t comfy with Terminal. You could easily make things worse if you make a wrong turn.

Now for some background on Flashback.

  • The Flashback trojan has been around awhile. Its name comes from one of its early infection methods, which involved putting up a fake “Adobe Flash Updater” dialog box and fooling people into installing something bad. Flashback’s creators have modified it several times; each variation is given a letter designation by those in the computer security business, with this most recent one being “Flashback.K.”
  • Technically, Flashback isn’t a virus (it doesn’t spread from machine to machine), and it isn’t even technically a trojan horse (because you can get it just by “driving by” an infected website. Most people will call it a virus but you will know better. Previous versions were trojan horses but the latest version is not.
  • There’s some debate about whether there are really 600,000 Macs infected by Flashback.K. I’ve seen one instance of it. Most likely the sky is not falling but it is smart to carry an umbrella.
  • Flashback will not install itself if it finds anti-virus software on the Mac because it wants to keep a low profile (good luck with that now). My personal favorite is Intego’s VirusBarrier X9 as it is the least intrusive of all of them, and it comes from a company that is focused on Macs. You can get VirusBarrier X9 (at a discount) direct from Intego as part of Intego’s Internet Security X9 package– it runs on El Capitan and it’s the best.
    Did this article help you? Maybe you'd like to contribute to the Christian Boyce coffee fund.

    Got 60 seconds? Learn something about the Mac on my
    One-Minute Macman website!

    Also visit my iPhone In a Minute website!

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.