New Mac Trojan variant: on not panicking and checking it out

There’s been a lot of excitement today about a Trojan targeting Macintosh computers. There is some excellent in-depth coverage over at Macworld, but I wanted to hit on some highlights for the people who have been asking me about this.

First, don’t panic. Even if the high-end estimates are true, about 600,000 Macs are infected, which amounts to about 1% of all the Mac users out there. By those percentages, I would still carry on being a great deal more worried about many other things, such as your backup plan.

That being said, unlike 99% of all the other scares out there, this one is real in the sense that by visiting the wrong website you can become infected and not even know it. (Apparently a lot of the offending sites are on .nu domains, which I must admit I’ve never even seen. Still, those incredibly aggravating pop-up windows that shady websites open for you often lead to funkypants domains.) The malware does give a few clues that something is up: after installing itself within your user folder, it pretends to run Software Update and asks for your administrator password, so it can gain wider access to the rest of the system. Even if you are savvy enough to deny it (and remember, always ask yourself: why is something suddenly asking for my password? Is this what I expected, and a normal part of my computer routine?), it will still install itself and run in a more limited, but still threatening, capacity.

Now, go to your Apple menu and click on Software Update. Let it run, and install any updates there. When it’s done, do it again. I say this because Apple just patched the vulnerability in Java that allowed this to happen, and once you have the update you’ll be safe from here on out. Then, check whether you are infected. To do that, you can download a script put together by the kind John Welch, which is available here:

http://dl.dropbox.com/u/23632593/Find%20Flashback.zip

Update: another, perhaps easier-to-use tool is available here: https://github.com/jils/FlashbackChecker/wiki

Alternately, the folks over at F-Secure have posted instructions for checking for and removing the virus manually, but a quick step-by-step summary of the check is as follows:

1) Click on the Finder in the Dock. That’s the square-looking smiley face guy.

2) Go to the menu bar, and click on the ‘Go’ menu.

3) From the ‘Go’ menu, choose ‘Utilities’.

4) Within the Utilities folder, double-click on ‘Terminal’.

A command line interface will pop up. Some folks panic at this point, but don’t worry, it’s super easy. Simply paste in this command:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

Then, after that one, paste in this one:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

The response to each of those commands should end in ‘does not exist’. If it doesn’t, you’ll want to clean it up. Again, the manual removal commands are on the F-Secure website. Or you can download one of the free antivirus programs out there, which should be updated by now to deal with this. I generally recommend either ClamXav or Sophos Antivirus, for not acting like viruses themselves. You can leave them installed if you feel safer, but in all honesty, at this point my general advice still stands: you’re saving yourself a great deal more hassle if you don’t have antivirus software installed than if you do.
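If you would rather not paste the two commands one at a time and eyeball the output, the script below wraps both checks into one run and prints a verdict for each key. It is an added example written for this post, not the post’s own script, John Welch’s tool, or F-Secure’s instructions. It assumes macOS, where `defaults read` reports an absent key with a message ending in ‘does not exist’ (that is the clean case described above); any other output means a value is set and deserves a closer look. The function and variable names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post or of F-Secure's instructions.
# It wraps the two manual `defaults read` checks from the post into one script.
# Assumption: on macOS, `defaults read` prints a message ending in
# "does not exist" (on stderr) when the key is absent, which is the clean case
# the post describes; any other output means a value was found.

# classify_output: given the text `defaults read` produced, print "clean" when
# the key was absent and "flagged" otherwise. Exit status mirrors the verdict.
classify_output() {
    case "$1" in
        *"does not exist"*) printf 'clean\n';   return 0 ;;
        *)                  printf 'flagged\n'; return 1 ;;
    esac
}

# check_key: run one `defaults read DOMAIN KEY`, capturing stdout and stderr,
# and report the verdict for that key. Needs macOS (the `defaults` tool).
check_key() {
    domain=$1
    key=$2
    output=$(defaults read "$domain" "$key" 2>&1)
    verdict=$(classify_output "$output") || true
    printf '%s %s: %s\n' "$domain" "$key" "$verdict"
    if [ "$verdict" = flagged ]; then
        # Show the value so it can be compared with the F-Secure write-up.
        printf '  value: %s\n' "$output"
        return 1
    fi
    return 0
}

# run_all_checks: the two keys named in the post. Returns 1 if either is flagged.
run_all_checks() {
    failed=0
    check_key /Applications/Safari.app/Contents/Info LSEnvironment || failed=1
    check_key "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES || failed=1
    return "$failed"
}

# Only attempt the live checks where `defaults` exists (i.e. on macOS).
if command -v defaults >/dev/null 2>&1; then
    run_all_checks || echo "At least one check was flagged; follow the F-Secure removal steps."
fi
```

Save it as, say, `flashback-check.sh`, then run `sh flashback-check.sh` from Terminal. Two lines ending in ‘clean’ is the result you want; a ‘flagged’ line prints the value it found so you can compare it against the F-Secure write-up before removing anything.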

2 thoughts on “New Mac Trojan variant: on not panicking and checking it out”

    • Good question. As I think the past few months have shown, the days of the Mac OS being completely free of any security issues are well behind us. That being said, I think Apple is aggressively pursuing a way to cut all of these issues off at the head.
