While it may not be the Macpocalypse some have been warning about, but the Flashback Trojan that’s spreading across the Macintosh universe is something users of Apple’s computers will want to pay attention to.

This piece of malware has infected more than 600,000 Macs. Earlier Wednesday, a Russian antivirus company claimed the Flashback Trojan was running on more than 550,000 Macs, including 274 in Apple’s hometown of Cupertino, Calif.

The Trojan doesn’t attack OS X, but rather exploits a flaw in the Java platform that runs on Apple’s operating system. Oracle patched the hole some time ago, but Apple – which distributes Java for OS X – only got around to releasing a fixed version this week.

Ars Technica has details on how the Trojan works:

According to Dr. Web, the 57 percent of the infected Macs are located in the US and 20 percent are in Canada. Like older versions of the malware, the latest Flashback variant searches an infected Mac for a number of antivirus applications before generating a list of botnet control servers and beginning the process of checking in with them. Now that the fix for the Java vulnerability is out, however, there’s no excuse not to update—the malware installs itself after you visit a compromised or malicious webpage, so if you’re on the Internet, you’re potentially at risk.

It’s important to note that Flashback doesn’t require the user to do anything to install it, unlike previous Mac malware attacks. It uses poisoned Web pages that look for a Mac with the unpatched Java module, then infects it.

And Sophos’ Naked Security blog has details about what happens once the malware is in place:

The Flashback malware being distributed by this exploit is what we refer to as a “downloader”. In and of itself it doesn’t do any harm to the system, it simply compromises the system and downloads a further payload that can do just about anything the attackers desire. We have seen two primary payloads associated with this attack. One is a data stealing Trojan that attempts to steal passwords and banking information from Safari. The other appears to do search engine redirection, presumably to perform advertising fraud or direct victims to further malicious content.

If you have not run Software Update on your Mac this week, do it now. And if you’re one of those folks who ignore update notifications on OS X and let them pile up, it’s time to change that behavior.

And shame on Apple for not releasing this patch sooner. The fix has been out for a while, and Apple’s dragging its heels in distributing it likely contributed to the number of infections.

Update: F-Secure has some fairly technical instructions for determining if your Mac is infected and removing the Trojan if it is.

Update 2.0: Mashable points to some scripts that will automate the process of checking for the Trojan. (Thanks, Jay!)

Update 4.6.2012: Apple has released a second Java update. Run Software Update again, Mac users, even if you’ve already grabbed the previous update. There’s no indication that this second fix is directly related to the Flashback Trojan, or if the patch is the result of other issues in the first Java update.