CITES | University of Illinois

Flashback Removal and Prevention Instructions

Learn how to prevent your Mac from getting infected with the Flashback virus, and how to clean up an infection.

Introduction

In April 2012, security researchers discovered a piece of Mac malware that would auto-install on vulnerable computers. The malware was dubbed Flashback, and a Mac could be infected with it simply by visiting a web page. Early reports in the media suggested that up to 600,000 Mac computers were infected with Flashback.

Flashback is significant not only because of the number of Mac computers initially infected, but also because Flashback was the first widely-spread Mac malware that could install itself on a computer without the user of the computer entering their administrator password to complete the installation.

For that reason, it is entirely possible that a Mac can be infected without the user even realizing it. Fortunately, in most cases, being up to date with your Software Updates will remove Flashback and fortify your computer against future infections.

IMPORTANT: Infected Users Need to Change All Passwords

If you received a notice from CITES Security saying that you have a computer that is infected with Flashback, you need to change your passwords after you have installed the software updates.

Flashback was designed to collect personal information from your computer. This means that once you have successfully cleaned and patched your computer, you will need to change ALL of your passwords, especially your email, online banking, credit cards, and the passwords to your University accounts.

If you have not received a notice from CITES Security that your computer was infected with Flashback, and you are certain you have not been infected, then you only need to install the necessary software updates to protect against future infections. You do not need to change your passwords.

Installing Software Updates

Apple responded to the Flashback virus by releasing two updates to remove and block future infection from Flashback. You only need to have one of these updates installed to be protected against the basic Flashback virus. Those updates are "Java for OS X 2012-003" and "Java for Mac OS X 10.6 Update 8."

To check if these updates are installed, follow these steps:

1. Under the Apple Menu (in the upper left corner) select System Preferences.

2. In the System Preferences Pane, select Software Update

System Preferences Pane

3. Select the Installed Software Tab

4. Look at the list of updates. If you see Java for Mac OS X 10.6 Update 8 or Java for OS X 2012-003 then your computer is protected against Flashback.

Software Update window

5. If you do not see one of those two updates, then go to the Apple Menu in the upper left corner and select Software Update.

6. Software Update will automatically check for updates. Install the updates and repeat these steps to double check that you have the necessary updates.

7. Once you have confirmed that you have the proper update you will need to change ALL of your passwords, especially your email, online banking, credit cards, and the passwords to your University accounts.

Manual Software Update Installation for OS X 10.6 and 10.7

If for some reason you are unable to receive the Java updates through the Software Update application, you can also install the necessary Java updates by hand. Once you have confirmed that you have installed the proper update you will need to change ALL of your passwords, especially your email, online banking, credit cards, and the passwords to your University accounts.

If you do not know which version of OS X you are running it is easy to find out. Under the Apple Menu (in the upper left corner) select About This Mac to learn what version you are using.

Protection for OS X 10.5 and Earlier

If you need help removing Flashback from a computer running OS X 10.5 or earlier, please contact the CITES Help Desk. The CITES Help Desk can be reached via email at consult@illinois.edu, by phone at 1-217-244-7000, or in person in room 1211 Digital Computer Lab, 1304 West Springfield Ave., Urbana, IL 61801.

Last updated Monday, June 4, 2012, 3:40 pm