Apple today has made good on its promise to release its own tool that detects and removes any instances of the Flashback malware on Mac systems running Java. The tool is only available for systems running OS X 10.6 or later, and is bundled with a slightly updated version of the most recent Java runtime, but is a separate component that is installed and runs on its own.
In addition to this program, the system will install a small command-line tool called MRT to /usr/libexec/, and will place a couple of launcher files in the following locations:
These launcher files will work together to keep the MRTAgent program running when you have loaded OS X, until the program successfully exits. When they run, the programs will scan for and remove any installations of the Flashback malware that it finds, and will upload a log of the findings to Apple's servers.
Upon completion of its scan, the MRT command line tool, the MRTAgent program, and the launch agent scripts used for it will be deleted from your system.
This approach to managing the malware is reminiscent of the XProtect update that Apple issued to manage the MacDefender malware outbreak last year. MRT stands for Malware Removal Tool, and is Apple's approach to quickly checking and removing malware as part of security updates that prevent or otherwise check for it.
While the MRT process should run quickly for most people, as with the past version of it there may be some for whom it might get stuck on a particular stage in its scan, or may take a while and cause high CPU usage that slows the system down. If this happens, you can try the following approaches to get it running or simply remove it if you are certain you do not have any malware on your computer (these steps are from our previous coverage of Apple's MRT utility):
Permissions fix and general maintenance
It is preferred to have the scanner complete its initial scan and remove itself, so if it is getting hung up and causing slowdowns, then first quit the MRT processes by opening the Terminal and running the following command:
sudo launchctl stop com.apple.mrt
If the process is still using CPU when you do this, then open Activity Monitor and force the processes MRT and MRTAgent to quit. After the processes are shut down, then open Disk Utility and run a permissions fix on the boot drive, or more preferably run a general maintenance routine to clear system caches and other temporary files that might be contributing to the slowdowns.
Follow the maintenance routines by either restarting the system if you have not done so already, and then running the following command in the Terminal to ensure the MRT process runs and completes its scan:
sudo launchctl start com.apple.mrt
Manually remove MRT
If you are sure your system is free of malware and are experiencing problems with the MRT process, then you can remove it manually. The MRT process is not necessary to provide ongoing protection for your system, and will be automatically deleted when it completes its scan. Therefore, instead of coaxing it through any problems it may encounter, you can simply delete it and its components by running the following command in the Terminal:
sudo rm /System/Library/LaunchDaemons/com.apple.mrt.plist
sudo rm /System/Library/LaunchAgents/com.apple.mrt.uiagent.plist
sudo rm /System/Library/CoreServices/MRTAgent.app
sudo rm /usr/libexec/MRT
If you do not wish to use the Terminal, then you can locate these files in their respective directories using the Finder, move them to the trash, and then empty the trash. The last file listed (/usr/libexec/MRT) is in a hidden directory on the system, but you can get to it by choosing Go to Folder from the Go menu in the Finder, and then entering "/usr/libexec" in the text field. Then locate the MRT tool (which, like others in the folder, should look like a small black square), and remove it from the system.
While Apple's tool should remove currently known variants of the Flashback malware, it may not locate future variants. Undoubtedly when these surface Apple will release updates to its MRT tool to tackle them, but you should still take measures to protect your system. If you do not need to use Java or other Web add-ons like Adobe Reader and Adobe Flash, then uninstall or disable them from your system. Additionally, be sure to follow CNET editor Seth Rosenblatt's recent recommendations for securing your Mac while you browse and use your system on the Web.