503-507-0410 [email protected]

A Trojan Horse—a bit of bad computer code that pretends to be something else—is infecting a few Macs. This is different from a virus, which spreads from computer to computer. I saw an infected Mac up in Portland yesterday via remote support. I don’t think Flashback is terrifically common, but let’s keep it from becoming so. Here’s what you should do:

1. Go to the Apple Menu and choose Software Update…. Install all available updates, especially those that relate to “Java” (which is how Flashback works). After you run these updates, your Mac running Mac OS X 10.6 or 10.7 cannot be infected by Flashback.

2. If you’re afraid that your Mac may have already been hit by Flashback, download and run Test4Flashback. This will tell you if your Mac is infected or not. If your Mac is clean and you’ve applied the Software Updates in Step 1, you have nothing more to worry about.

3. If Test4Flashback indicates that your Mac is infected, please call (503-507-0410) or email ([email protected]) at your earliest convenience. Removing the Flashback Trojan involves working in the Terminal, and unless you know what you’re doing, you could do more harm than good. You should not lose any data.

Flashback does not involve iOS. iPhones, iPads, etc. are not impacted by this.

If your Mac is running an earlier operating system (Mac OS X 10.4 or 10.5), you will need to go to your web browser’s preferences and turn off Java to avoid infection. This may cause some web browsing features not to work, depending on the site, but there is presently no other way I know of to block infection for those systems.

A little bit more about Flashback
Flashback is a Java-based Trojan Horse. It uses the Java programming language to install itself and to do things on your Mac without your permission (or, likely, awareness). Apple has deprecated Java—it’s not even installed with Mac OS X 10.7 Lion unless you specifically choose to install it. Unfortunately, a lot of web sites and programs use Java, so a lot of Mac users (me too) have Java installed.

The real genius of Flashback is that it can be tied to web sites that use Java—again, there are lots of those—and infect your Mac without intervention from you, and you may not even know that your Mac has been infected. On the Mac I saw in Portland, the evidence of a problem was that older, PowerPC software was crashing. But you may not notice anything is wrong. It’s insidious.

The good news is that, as outlined above, it’s a relatively simple matter to test for infection and protect against it going forward. (And if your Mac is infected, it’s a technically complicated, but not impossible, fix.) Should you load your Mac with anti-virus software on the basis of this? I don’t think it’s essential. First, I’ve seen far more problems with antivirus software than I have with malware on the Mac. Second, I think it’s telling that Flashback uses a technology that Apple doesn’t even ship by default anymore.

Nonetheless, if you want to have antivirus, a free virus scanner called ClamXav is available from the Mac App Store. (Odds are good that what you’ll find when you use it is that you’ve received emails loaded with PC viruses; those are incredibly common, and though they don’t impact Macs, we can spread them Typhoid Mary-like to PCs.) If that provides you with peace of mind, use it. By and large, I continue to think there’s not a lot to worry about so long as you keep your Mac software up to date.

UPDATE: I’ve had several users ask me about protecting older, PowerPC or 10.4 or 10.5 Macs. I don’t have (and can’t find) a way to check older PowerPC-based Macs for this infection. You can use the free Sophos Antivirus to check for Flashback.

I’m afraid my only suggestion at this point is to go to Applications > Utilities > Java Preferences and turn Java off system-wide. That may disrupt some things—CrashPlan is a notable Java app—but the only way I know right now to ensure that your old Mac is safe is to turn off the language (Java) that Flashback uses. Then it won’t matter if your Mac is infected or not.