It appears Apple has quietly released an updated tool in the fight against fake Flash Player installers. Two updates showed up today:
Flashback Removal Security Update 1.0, released 02/02/2015 5:09 PM – “This update removes the most common variants of the Flashback malware.” This update also disables the Java plug-in in Safari.
Flashback malware removal tool 1.0, released 02/02/2015 5:09 PM – “This update removes the most common variants of the Flashback malware. This update contains the same malware removal tool as Java for OS X 2012-003. This update is recommended for all Mac users who do not have Java installed”
While both updates appear to do the same thing judging from their descriptions, a look at the installer shows the differences.
Flashback malware removal tool 1.0 installs the actual Flashback malware hunter, an agent called “MRTAgent.app” in System/Library/CoreServices. The app does not appear to activate until the next restart. At that point two files in /System/Library/LaunchAgents (com.apple.mrt.uiagent.plist) and System/Library/LaunchDeamons (com.apple.mrt.plist) will activate the app and take care of the Flashback ma
Flashback Removal Security Update 1.0 installs the MRTgent app and related files but also an app that disables Java called “JavaDisabler.app” in System/Library/CoreServices. An additional file is added to the System LaunchAgents folder “com.apple.javadisabler.plist”.
The descriptions and links on both updates point to older support pages, no mention is made anywhere that I could find about updated signatures or other changes. The documentation for the removal tool points to this page which was last updated on November 8, 2014. The documentation for the Security Update points to this page which was updated last around the same time as the other page, November 19, 2014.
Until someone digs around in these installers to see what’s new it’s unknown which variants specifically are targeted. It may be the recently discovered OSX.IronCore.A, Apple had already updated their XProtect with the signature in December. The fact that the update references the “Java for OS X 2012-003” update that was released in 2012 is a bit confusing. Though I was able to see and download the updates using Software Update Server, none of the Macs on my network appear to be interested in the updates. If you do see these updates appear in your App Store, it’s a good idea to install them. If I find out more details about these updates I’ll post a follow-up.