Recent malware attacks targeting Macs haven't tarnished the machine's reputation as the safer alternative to a Windows PC. But for many Mac users, the Flashback Trojan has dispelled the myth of Mac invulnerability.
The most recent Java-based iteration of Flashback appears to be easy to catch: just visit the wrong Web page and your machine's infected, as Josh Lowensohn describes in his Flashback FAQ.
The FAQ explains that Flashback's creators may have exploited Apple's go-it-alone strategy. Apple refuses to preinstall Adobe's Flash player, so Mac users are prompted to download and install the plug-in when they encounter a Web site that uses Flash. The initial release of Flashback mimicked Adobe's Flash installer.
Likewise, the company's decision to release its own Java patches rather than rely on Oracle's public release may have helped spread the later Java-based version of Flashback: by last February Oracle had patched the Java vulnerability leveraged by Flashback, but Apple didn't get around to plugging the hole until this month.
Tools for detecting and removing Flashback
Apple's Flashback malware removal tool is recommended for Mac OS X Lion without the Java runtime environment installed. Alternatively, F-Secure's free Flashback Removal Tool works with earlier versions of Mac OS X and alerts you to the results of its scan; Apple's tool does nothing unless its scan finds Flashback.
Topher Kessler explains on the MacFixIt blog how to disable Java on a Mac. Since Java isn't installed by default with OS X Lion, you may be prompted to install the Java runtime when you attempt to open Java Preferences in the Applications/Utilities folder.
To disable Java in the Safari browser, go to Safari > Preferences > Security and uncheck Enable Java.
In Firefox, disable Java by going to Tools > Add-ons > Plug-ins and choosing the Disable button for the Java plug-in. To do the same in Chrome, enter chrome://plugins in the browser's address bar and press Enter. Click Disable under the entry for the Java plug-in.
Prepare for the next Mac malware attack by installing free AV software
The silver lining of the Flashback outbreak is the realization, finally, that Macs need real-time virus protection, too. Two popular antivirus programs for OS X are Mark Allan's ClamXav donationware and the free Sophos Anti-Virus for Mac Home Edition.
Both programs feature automatic updates of their malware definitions, real-time virus protection, and scheduled scans. They can be set to quarantine or remove the threats they detect, and they add a scan-this-file option to the Mac's contextual menu.
Either of the two antivirus apps will provide all the malware protection a Mac user needs, although Sophos Anti-Virus' clean and polished interface gives it an edge over ClamXav.
To start ClamXav, click its icon in the menu bar. Before your first scan, choose the Updated Definitions button. (The program's Preferences options let you update the definition database automatically when the app opens.)
Click the plus button at the bottom of the source pane on the left and choose the item you want to scan, or simply drag the file or folder you want to scan into the source pane. Click the Start Scan button in the top-left corner of the window. The scan progress is shown in the bottom pane, and detected items are listed in the top window.
The 27 suspicious items ClamXav identified on my test Mac were all from Gmail's spam folder, which I had inadvertently imported to the Mac mail app. ClamXav will only quarantine the items after you have selected the option under Quarantine in the Preferences dialog.
Other options in Preferences let you exclude files from scans, schedule scans, and set the program's real-time Sentry feature to scan inserted discs automatically.
Sophos Anti-Virus also places an icon in the menu bar; start by clicking the icon, choosing either Scan Local Drives or Open Sophos Anti-Virus and then the Scan Now button. Select either "Scan with current privileges" or "Scan all" and enter your password.
When the scan completes, the results are shown in the small Sophos window. Click the Quarantine Manager button to view more details.
Access Sophos Anti-Virus's settings by clicking the menu bar icon and choosing Open Preferences, or go to Sophos Anti-Virus > Preferences on the main menu. You can clean up, move, or delete detected items via the options under Scan Local Drives. Other settings let you activate the on-access scanner, enable the Live Protection feature, and view or clear the log file.
ClamXav and Sophos Anti-Virus for the Mac have similar features and worked about the same when I tested the programs, although ClamXav crashed midscan on a couple of occasions. I also found the Sophos design easier to use, but either program will help you lock down your Mac without getting in the way of your work.