Apparently the Flashback Mac trojan is getting significant traction. Gruber notes the irony that the first real widespread Mac malware infection is getting less press than previous proof-of-concept attacks that never appeared in the wild.
Out of curiosity, I checked my MacBook Air for infection following the F-Secure instructions. As expected, it was clean. Had I been infected, it would likely have been via “Infection Type 2” – an installation that does not require the admin password – since I run as a standard user and am generally careful about inputting my administrator password. What really struck me, however, was the following line in their description of “Infection Type 2”:
> Infection Type 2
>
> In cases where the user did not input their administrator password, the malware checks if the following path exists in the system:
>
> - /Applications/Microsoft Word.app
> - /Applications/Microsoft Office 2008
> - /Applications/Microsoft Office 2011
>
> If any of these are found, the malware again skips the rest of its routine and proceeds to delete itself, presumably to avoid infecting a system that has an incompatible application installed.
That’s right, the presence of Microsoft Office on your system will protect your Mac against infection from this malware, as long as you are judicious in using your admin password. Never in my life did I expect to write those words.