Apple has released a malware removal tool for the most common variant of the Flashback Trojan, as well as security updates to mitigate the vulnerability exploited by the malware.
The Flashback Trojan exploited three Java vulnerabilities to gain remote access to infected systems, likely included a keylogger capability to capture authentication credentials, and is thought to have infected more than 600,000 systems.
The removal tool will detect and automatically remove the malware from the infected device. According to the Apple bulletin:
"This update runs a malware removal tool that will remove the most common variants of the Flashback malware. If the Flashback malware is found, it presents a dialog notifying the user that malware was removed. In some cases, the user will need to restart in order to completely remove the malware. There is no indication to the user if malware is not found. This update is available for OS X Lion systems that do not have Java installed."
The tool is applicable to "OS X v10.7 or later without Java installed."
Apple also notified users that patches to mitigate the vulnerability exploited by Flashback are available for the following products:
- OS X Lion v10.7.3
- OS X Lion Server v10.7.3
- Mac OS X v10.6.8
- Mac OS X Server v10.6.8
The Apple security bulletin advises the following for users of OS X Lion v10.7.3 and OS X Lion Server v10.7.3:
"As a security hardening measure, the Java browser plugin and Java Web Start are deactivated if they are unused for 35 days. Installing this update will automatically deactivate the Java browser plugin and Java Web Start. Users may re-enable Java if they encounter Java applets on a web page or Java Web Start applications. Further information is available at http://support.apple.com/kb/HT5242."
The Apple security bulletin also advises the following for users of Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3, and OS X Lion Server v10.7.3:
"This update runs a malware removal tool that will remove the most common variants of the Flashback malware. If the Flashback malware is found, it presents a dialog notifying the user that malware was removed. There is no indication to the user if malware is not found. These updates include the security content from Java for OS X 2012-002 and Java for Mac OS X 10.6 Update 7."
Researchers at Kaspersky Labs have also recently discovered another OS X backdoor, dubbed "SabPub", that utilizes a Java exploit and may have been in the wild for about a month.
Apple has yet to release any guidance for mitigating the SabPub Trojan.