Kaspersky Lab Announces ‘Kaspersky Flashfake Removal Tool,’ a Safe and Free Tool for Users to Identify and Disinfect the Mac OS X Flashback/Flashfake Malware
In response to the recent discovery of the Flashfake botnet, which has infected 670,000 computers worldwide, Kaspersky Lab has announced the availability of its free Kaspersky Flashfake Removal Tool. Users can check if they’re infected with Flashfake by visiting Kaspersky Lab’s safe verification site, and can remove it using the Kaspersky Flashfake Removal Tool.

Kaspersky Lab’s experts recently analysed the Flashfake botnet and found a total of 670,000 infected computers worldwide, with more than 98% of them most likely running Mac OS X. The remaining 2% of machines running the Flashfake bot are very likely to be Macs as well. This is the largest Mac-based infection to date, and most of the victims are in developed countries. The United States had the most infected computers (300,917), followed by Canada (94,625), the United Kingdom (47,109) and Australia (41,600). Other affected countries included France (7,891), Italy (6,585), Mexico (5,747), Spain (4,304), Germany (4,021) and Japan (3,864).

On 6 April Kaspersky Lab’s researchers reverse-engineered the Flashfake malware and registered several domain names which could be used by criminals as a Command & Control (C&C) server for managing the botnet. This method enabled them to analyse the communications between infected computers and the C&Cs. By connecting to Flashfake, Kaspersky Lab’s experts are able to continuously monitor the botnet’s communication with active bots and have published their findings here.

Throughout the Bank Holiday weekend Kaspersky Lab experts saw a decline in the number of active bots: on 6 April the total number was 650,748. At the end of 8 April, the number of active bots was 237,103. However, the rapid decrease in active bots does not mean the botnet is shrinking at the same rate. The statistics represent the number of active bots that connected to Flashfake over the weekend; they are not the exact number of infected machines. Infected computers that were inactive over the weekend would not have communicated with Flashfake, and thus would not have appeared as active bots.

Flashfake is a family of OS X malware that first appeared in September 2011. Previous variants of the malware relied on cyber criminals using social engineering techniques to trick users into downloading the malicious program and installing it on their systems. However, this latest version of Flashfake does not require any user interaction and is installed via a “drive-by download,” which occurs when victims unwittingly visit infected websites, allowing the Trojan to be downloaded directly onto their computers through a Java vulnerability. Although Oracle issued a patch for this vulnerability three months ago, Apple delayed sending a security update to its customer base until 2 April. Users who have not yet applied the latest security updates should install them immediately to avoid infection.

“The three month delay in sending a security update was a bad decision on Apple’s part,” said Kaspersky Lab’s Chief Security Expert, Alexander Gostev. “There are a few reasons for this. First, Apple doesn't allow Oracle to patch Java for Mac. They do it themselves, usually several months later. This means the window of exposure for Mac users is much longer than PC users. This is especially bad news since Apple’s standard AV update is a rudimentary affair which only adds new signatures when a threat is deemed large enough. Apple knew about this Java vulnerability for three months, and yet neglected to push through an update in all that time! The problem is exacerbated because – up to now – Apple has enjoyed a mythical reputation for being ‘malware free’. Too many users are unaware that their computers have been infected, or that there is a real threat to Mac security.”

Mac OS X users are advised to install the latest security updates from Apple.

Since connecting to the botnet for analysis, Kaspersky Lab’s sinkhole server has registered all the data sent by bots from the infected computers and recorded their Universally Unique Identifiers (UUIDs) in a dedicated database. Based on this information, Kaspersky Lab’s experts have created an online resource where all users of Mac OS X can check if their computer has been infected by Flashback / Flashfake.
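The sinkhole described above records every bot check-in and keeps a database of the UUIDs seen, which is also why the "active bots over the weekend" figure and the total number of infected machines differ. The following added example (not Kaspersky Lab's code; the log line format and all UUIDs and IP addresses are constructed) shows that processing: parsing sinkhole records, building the UUID database, counting bots active on a given day, and the membership check a verification site performs on a user-supplied UUID.

```python
import re
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed sample sinkhole log lines (hypothetical format, not real Flashfake traffic):
# "<UTC timestamp> <bot IP> uuid=<hardware UUID reported by the bot>"
SAMPLE_LOG = """\
2012-04-06T09:12:01Z 198.51.100.7 uuid=1E7A3C4B-0F2D-4A5E-9B6C-111111111111
2012-04-06T10:45:13Z 198.51.100.7 uuid=1E7A3C4B-0F2D-4A5E-9B6C-111111111111
2012-04-06T11:02:44Z 203.0.113.9 uuid=5D9F8E7A-6B5C-4D3E-8F2A-222222222222
2012-04-07T08:30:00Z 192.0.2.44 uuid=5D9F8E7A-6B5C-4D3E-8F2A-222222222222
2012-04-08T19:55:21Z 192.0.2.44 uuid=A1B2C3D4-E5F6-4A7B-8C9D-333333333333
2012-04-08T20:01:02Z 192.0.2.45 uuid=not-a-uuid
"""

# Loosely validates the 36-character UUID shape; anything else is treated as noise.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z \S+ uuid=(?P<uuid>[0-9A-Fa-f-]{36})$"
)


def parse_sinkhole_log(text: str) -> List[Tuple[datetime, str]]:
    """Return one (timestamp, UUID) record per valid bot check-in; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # scanner probes, broken requests: not a bot check-in
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        records.append((ts, m.group("uuid").upper()))
    return records


def build_database(records) -> Dict[str, Tuple[datetime, datetime]]:
    """Map each UUID to (first_seen, last_seen): every machine the sinkhole has ever heard from."""
    db: Dict[str, Tuple[datetime, datetime]] = {}
    for ts, uid in records:
        first, last = db.get(uid, (ts, ts))
        db[uid] = (min(first, ts), max(last, ts))
    return db


def active_on(records, day_iso: str) -> Set[str]:
    """UUIDs that actually checked in on the given day (YYYY-MM-DD); a subset of the database."""
    return {uid for ts, uid in records if ts.date().isoformat() == day_iso}


def is_infected(db, user_uuid: str) -> bool:
    """The lookup a verification site performs: normalise the input, then test membership."""
    return user_uuid.strip().upper() in db
```

Note that `build_database` keeps growing as long as bots keep calling in, while `active_on` only counts machines that were switched on and talking to the sinkhole that day, which is the distinction the bot counts above depend on.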

How to determine if your computer is infected:

  • Visit Kaspersky Lab’s site at www.flashbackcheck.com to determine if you’re infected.
  • This dedicated site is safe for users to visit and enter their UUID, which will be checked in Kaspersky Lab’s Flashfake database of infected computers. Instructions for entering user UUIDs are included as well.

How to disinfect your computer:

If your UUID is found in our database, you need to disinfect your Mac. Here are three recommendations to do this:

  1. Use the Kaspersky Flashfake Removal Tool. It will automatically scan your system and remove Flashback if it is detected. This is a free-to-download and free-to-use program.
  2. Download a trial version of Kaspersky Anti-Virus 2011 for Mac. This program offers comprehensive protection against all known malicious programs for Mac OS X, including Flashback.
  3. Detect and remove Flashback manually. Please follow the instructions provided on the following page: www.flashbackcheck.com

For more information on the Flashfake botnet and the Flashfake Trojan, please visit our FAQ sheet. To learn about the latest research results by Kaspersky Lab’s experts, please visit Securelist.

11 Apr 2012