Sep 27, 2011 6:00 PM in response to SteveKir by Linc Davis
SteveKir wrote:
Linc Davis, do you know what the risks are? E.g., keyboard logging (which must be the most dangerous), corrupting system files, email or internet snooping, etc. etc.
Any of that is possible, though as far as I'm aware it has never happened before now. When you enter your administrator password, you give the developer of the software that prompts for it the same degree of control over your computer that you have yourself. Think about that every time you do it, and maybe you'll have taken the first step toward real data security. I should say that I don't know whether you installed a trojan or not. For all I know, you may merely have installed Flash.
-
Sep 27, 2011 9:06 PM in response to WZZZ by MadMacs0
WZZZ wrote:
Maybe MadMacs0 will let us know as soon as ClamX has cataloged it.
It appears to have been there most of the day. They probably forgot to label it as "OSX"
ClamAV database updated (27 Sep 2011 09-39 -0400): daily.cvd
Version: 13681
Submission-ID: 25229096
Sender: Virus Total
Sender: VirScan.org
Added: Trojan.Flashback
I hope to be able to confirm something more tomorrow, but it would still help us all to get a URL sent off to mailinator.
-
Sep 27, 2011 9:40 PM in response to MadMacs0 by Louie Sherwin
MadMacs0 wrote:
Louie Sherwin wrote:
...What happens if I delete the SystemUI.plist file. Anything terrible that I will mess up?
Well I'm not the best source of info on this as I'm running Leopard, but that file doesn't exist anywhere on my Mac.
Well, what happens to me is that I can no longer log in to my user account :-(
Also, everyone should note that the SystemUI.plist file references an additional file that it wants to load. That is perflib, which is also in my Preferences folder and is a binary file.
It seems that this application puts something else in my startup scripts that I cannot find and it causes my login to hang.
Anyone have any ideas?
-
Sep 28, 2011 12:29 AM in response to Louie Sherwin by MadMacs0
Louie Sherwin wrote:
Everyone should note that the SystemUI.plist file references an additional file that it wants to load. That is perflib, which is also in my Preferences folder and is a binary file.
Thanks for passing that on.
It seems that this application puts something else in my startup scripts that I cannot find and it causes my login to hang.
Anyone have any ideas?
Assume you've checked all the obvious LaunchAgents, LaunchDaemons, Startup Items in ~/Library/, /Library/ and /System/Library/ along with System Preferences->Accounts-><username>->Login Items. The latter can be found in ~/Library/Preferences/com.apple.loginitems.plist. There's also one of those in /Library/Preferences/ but mine is blank and I would not think that it could affect a user login.
Anything in /Library/Logs/HangReporter/ that would help?
I've known Frameworks and Prefs Panels to be able to start processes, but that's like looking for a needle in a haystack if you don't know where to start.
-
Sep 28, 2011 12:50 AM in response to andyBall_uk by SteveKir
andyBall_uk wrote:
@Steve - check in Finder - Get Info - where from... if it says "download.macromedia.com/pub/labs/flashplatformruntimes/"... it was from adobe.
It does not say that. There is nothing about the download source.
-
Sep 28, 2011 1:12 AM in response to Louie Sherwin by Tycoon24
The malicious code is installed in a file at ~/Library/Preferences/Preferences.dylib, according to Intego's security researchers: http://blog.intego.com/2011/09/27/more-about-the-flashback-trojan-horse/
"The Trojan horse installs a backdoor, at ~/Library/Preferences/Preferences.dylib, which communicates with a remote server, sending and receiving data using RC4 encryption. [...] The backdoor is able to download further software, but, for now, we are not seeing this activity. It is also able to update itself, and creates an Sha1 hash of the malware to see if it has changed."
-
Sep 28, 2011 2:36 AM in response to MadMacs0 by MadMacs0
I received a note from a ClamXav user that he had downloaded the Trojan and ClamXav did not catch it. The URL he downloaded it from is in mailinator mailbox "flashbacktrojan".
I went to the site and briefly saw the page described this evening by Intego here, but then it redirected me to the Google home page without downloading the Trojan. Tried with Opera, Firefox and Safari. Whenever I tried a second time it redirected to Google immediately, so it must have left a cookie. I suspect it's because it knows I'm running Leopard on a PPC. The last few bits of malware have been Intel only.
-
Sep 28, 2011 2:38 AM in response to SteveKir by MadMacs0
SteveKir wrote:
@Steve - check in Finder - Get Info - where from... if it says "download.macromedia.com/pub/labs/flashplatformruntimes/"... it was from adobe.
It does not say that. There is nothing about the download source.
There's another way to check using Terminal to read the extended attributes, but I doubt that it's worth the effort if it's not showing up in the Finder info box.
-
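MadMacs0's "another way to check using Terminal" refers to the extended attributes that the Finder's "Where from" field is built from. The following is an added example by the editor, not code from the thread or from any of its participants. It assumes, beyond what the page states, that the relevant attributes are `com.apple.metadata:kMDItemWhereFroms` (a plist array of URLs, usually in binary form) and `com.apple.quarantine` (a `;`-separated string of flags, hex Unix time, downloading agent and an optional UUID). The sample attribute values are constructed for illustration, not captured from the real download.

```python
"""Read a downloaded file's provenance from its extended attributes.

Editor's added example, not code from the thread. Assumptions not stated
on the page: the Finder's "Where from" field is backed by the extended
attribute com.apple.metadata:kMDItemWhereFroms (a plist array of URLs,
usually binary) and the quarantine record is com.apple.quarantine
('flags;hex_unix_time;agent[;uuid]'). Both are written by the downloading
application, so a file with neither proves nothing either way.
"""
import os
import plistlib
import subprocess
from datetime import datetime, timezone
from urllib.parse import urlparse

WHERE_FROMS = "com.apple.metadata:kMDItemWhereFroms"
QUARANTINE = "com.apple.quarantine"
# Host named in the thread as the legitimate Flash download origin.
EXPECTED_HOSTS = ("download.macromedia.com",)

# Constructed sample values (not from a real download) so the decoders can
# be exercised without a Mac.
SAMPLE_WHERE_FROMS = plistlib.dumps(
    ["http://download.macromedia.com/pub/labs/flashplatformruntimes/flashplayer.dmg",
     "http://get.adobe.com/flashplayer/"], fmt=plistlib.FMT_BINARY)
SAMPLE_QUARANTINE = b"0081;4e832bd2;Safari;3F2504E0-4F89-11D3-9A0C-0305E82C3301"


def read_xattr(path, name):
    """Raw bytes of one extended attribute, or None if it is not set."""
    if hasattr(os, "getxattr"):            # Linux/BSD Python exposes the syscall
        try:
            return os.getxattr(path, name)
        except OSError:
            return None
    # macOS: /usr/bin/xattr -px prints the value as whitespace-separated hex
    proc = subprocess.run(["xattr", "-px", name, path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return bytes.fromhex("".join(proc.stdout.split()))


def decode_where_froms(raw):
    """kMDItemWhereFroms -> list of URLs ([download_url, referrer] in practice)."""
    urls = plistlib.loads(raw)
    if not isinstance(urls, list):
        raise ValueError("kMDItemWhereFroms is not a plist array")
    return [str(u) for u in urls]


def decode_quarantine(raw):
    """com.apple.quarantine -> dict with flags, UTC timestamp, agent, uuid."""
    fields = raw.decode("utf-8", "replace").split(";")
    if len(fields) < 3:
        raise ValueError("quarantine attribute has too few fields")
    when = datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc)
    return {"flags": int(fields[0], 16),
            "time": when.isoformat(),
            "agent": fields[2],
            "uuid": fields[3] if len(fields) > 3 else None}


def provenance_report(where_froms_raw, quarantine_raw, expected_hosts=EXPECTED_HOSTS):
    """Combine both attributes. expected_host is True only when the first URL
    (the actual download, not the referrer) came from a host we trust."""
    report = {"urls": [], "quarantine": None, "expected_host": False}
    if where_froms_raw is not None:
        report["urls"] = decode_where_froms(where_froms_raw)
        if report["urls"]:
            host = urlparse(report["urls"][0]).hostname or ""
            report["expected_host"] = host in expected_hosts
    if quarantine_raw is not None:
        report["quarantine"] = decode_quarantine(quarantine_raw)
    return report


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                  # real file: read its attributes
        rep = provenance_report(read_xattr(sys.argv[1], WHERE_FROMS),
                                read_xattr(sys.argv[1], QUARANTINE))
    else:                                  # dry run on the constructed samples
        rep = provenance_report(SAMPLE_WHERE_FROMS, SAMPLE_QUARANTINE)
    for u in rep["urls"]:
        print("where from:", u)
    print("quarantine:", rep["quarantine"])
    print("download host is one we expected:", rep["expected_host"])
```

Run it as `python3 provenance.py /path/to/install_flash_player.dmg`. A matching host is only weak evidence (the attribute is whatever the browser wrote, and a copy of the file made with `cp` loses it), but a first URL on a host that is not Adobe's, or a referrer on an unrelated site, is exactly the kind of thing this thread is trying to establish. An absent attribute, as in SteveKir's case, tells you nothing.
-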
Sep 28, 2011 6:19 AM in response to MadMacs0 by Linc Davis
MadMacs0 wrote:
The URL he downloaded it from is in mailinator mailbox "flashbacktrojan".
Gone. Please send it there again.
-
Sep 28, 2011 6:34 AM in response to Linc Davis by WZZZ
Linc Davis wrote:
The URL he downloaded it from is in mailinator mailbox "flashbacktrojan".
Gone. Please send it there again.
Maybe it can just be posted directly here in some obfuscated way so it doesn't parse?
-
Sep 28, 2011 6:47 AM in response to WZZZ by laverne's mom
I've been reading this and am a bit confused. I usually check Firefox's Plug-in updates page and when it says update now, click on that and I thought it took me to the Adobe site and I download from there. I'm pretty sure that it looked like the flash update is supposed to, and the plug-in check says it's up to date now. I am running Snow Leopard, not Lion, and can't find anything in preferences which looks like the file you all have been talking about. Where would that file which indicates the trojan be in Snow Leopard?
Thank you,
laverne's mom
-
Sep 28, 2011 6:55 AM in response to laverne's mom by WZZZ
If you went to Firefox>Check your plug-ins and that took you to the Adobe site, you got the real thing. This thing is coming from a malicious link that may appear somewhere on a page.
If you have Flash 10.3, you can also go to Sys Prefs>Other>Flash Player. In the Advanced panel>Updates>Check now. You should also have the default "Check for updates" checked.
-
Sep 28, 2011 6:53 AM in response to Ralph Deen by cathy fasano
Do we know whether the trojan also installs the legitimate flash player? (That would be clever...)
-
Sep 28, 2011 7:00 AM in response to MadMacs0 by Louie Sherwin
MadMacs0 wrote:
Louie Sherwin wrote:
Everyone should note that the SystemUI.plist file references an additional file that it wants to load. That is perflib, which is also in my Preferences folder and is a binary file.
Thanks for passing that on.
It seems that this application puts something else in my startup scripts that I cannot find and it causes my login to hang.
Anyone have any ideas?
Assume you've checked all the obvious LaunchAgents, LaunchDaemons, Startup Items in ~/Library/, /Library/ and /System/Library/ along with System Preferences->Accounts-><username>->Login Items. The latter can be found in ~/Library/Preferences/com.apple.loginitems.plist. There's also one of those in /Library/Preferences/ but mine is blank and I would not think that it could affect a user login.
Anything in /Library/Logs/HangReporter/ that would help?
I've known Frameworks and Prefs Panels to be able to start processes, but that's like looking for a needle in a haystack if you don't know where to start.
OK, the next clue... In my Console log:
com.apple.launchd.peruser.501[266] dyld: could not load inserted library: <username>/Preferences/Preferences.dylib
It repeats this line until I hit the power button and reboot.
I don't see anything yet in the locations that you suggest. I am still poking around with a root shell in the new admin account I created on the same system.
-
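The `dyld: could not load inserted library` message that Louie found is what dyld prints for a path named in the `DYLD_INSERT_LIBRARIES` environment variable, so the question is which file is setting that variable for the login session. The scanner below is an added example by the editor, not code from the thread or from any of its participants. It assumes, beyond what the page states, that on Snow Leopard the variable can be injected by `~/.MacOSX/environment.plist` (applied to every process in the login session), by a launchd job's `EnvironmentVariables` dictionary, or by an application's `LSEnvironment` entry; it simply reads whatever plists it is pointed at and reports the key wherever it occurs, and also lists any `.dylib` sitting in a Preferences folder, which is the other oddity the thread has turned up. The sample home directory it builds for a dry run is constructed, not a real infection.

```python
"""Find what is setting DYLD_INSERT_LIBRARIES for the login session.

Editor's added example, not code from the thread. dyld reports "could not
load inserted library" for a path named in the DYLD_INSERT_LIBRARIES
environment variable. Assumptions not stated on the page: on Snow Leopard
that variable can come from ~/.MacOSX/environment.plist, from a launchd
job's EnvironmentVariables dictionary, or from an app's LSEnvironment; the
scanner reads any plist it is given and reports the key at any depth.
"""
import os
import plistlib

ENV_KEY = "DYLD_INSERT_LIBRARIES"


def _load_plist(path):
    """Parse an XML or binary plist; None if the file is not a readable plist."""
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except Exception:
        return None


def _find_key(obj, key, trail=()):
    """Yield (key path, value) for every dictionary entry named `key`, at any depth."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == key:
                yield trail + (k,), v
            yield from _find_key(v, key, trail + (k,))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _find_key(v, key, trail + (str(i),))


def _plists_under(root):
    """A single plist file, or every *.plist below a directory (sorted)."""
    if os.path.isfile(root):
        return [root]
    found = []
    for dirpath, _, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files if f.endswith(".plist"))
    return sorted(found)


def find_inserted_libs(roots):
    """One record per DYLD_INSERT_LIBRARIES setting found under `roots`,
    with the colon-separated library list already split."""
    hits = []
    for root in roots:
        for path in _plists_under(root):
            data = _load_plist(path)
            if data is None:
                continue
            for keypath, value in _find_key(data, ENV_KEY):
                libs = value.split(":") if isinstance(value, str) else [str(value)]
                hits.append({"file": path, "key": "/".join(keypath),
                             "libraries": [lib for lib in libs if lib]})
    return hits


def stray_dylibs(prefs_dir):
    """Preferences folders hold plists; a .dylib in one is worth a look."""
    return sorted(os.path.join(dp, f)
                  for dp, _, fs in os.walk(prefs_dir) for f in fs if f.endswith(".dylib"))


def scan_home(home, system_roots=()):
    """Scan the per-user injection points (plus any system dirs given)."""
    roots = [os.path.join(home, ".MacOSX", "environment.plist"),
             os.path.join(home, "Library", "LaunchAgents"), *system_roots]
    return (find_inserted_libs(roots),
            stray_dylibs(os.path.join(home, "Library", "Preferences")))


def make_sample_tree(base):
    """Constructed fake home directory for a dry run (not a real infection)."""
    env_dir = os.path.join(base, ".MacOSX")
    agents = os.path.join(base, "Library", "LaunchAgents")
    prefs = os.path.join(base, "Library", "Preferences")
    for d in (env_dir, agents, prefs):
        os.makedirs(d, exist_ok=True)
    with open(os.path.join(env_dir, "environment.plist"), "wb") as fh:   # binary plist
        plistlib.dump({ENV_KEY: os.path.join(prefs, "Preferences.dylib")}, fh,
                      fmt=plistlib.FMT_BINARY)
    with open(os.path.join(agents, "com.example.benign.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.benign",
                       "ProgramArguments": ["/usr/bin/true"]}, fh)
    with open(os.path.join(agents, "com.example.injector.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.injector",
                       "EnvironmentVariables": {ENV_KEY: "/tmp/a.dylib:/tmp/b.dylib"}}, fh)
    open(os.path.join(prefs, "Preferences.dylib"), "wb").close()
    open(os.path.join(prefs, "com.apple.finder.plist"), "wb").close()
    return base


if __name__ == "__main__":
    import sys
    import tempfile
    if len(sys.argv) > 1:                  # real home directory (or a mounted copy)
        hits, dylibs = scan_home(sys.argv[1],
                                 ["/Library/LaunchAgents", "/Library/LaunchDaemons"])
    else:                                  # dry run on the constructed tree
        hits, dylibs = scan_home(make_sample_tree(tempfile.mkdtemp()))
    for h in hits:
        print(f"{h['file']}: {h['key']} -> {', '.join(h['libraries'])}")
    for d in dylibs:
        print("dylib in Preferences:", d)
```

From the second admin account Louie created, `python3 inserted_libs.py /Users/<affected user>` points the scan at the hung account's home without logging in as that user; system-wide LaunchAgents and LaunchDaemons are included when a path is given. Whichever file reports the key is the one to edit or move aside; plistlib reads binary plists directly, so there is no need to `plutil -convert` first.
-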
Sep 28, 2011 7:09 AM in response to Louie Sherwin by cathy fasano
Have you tried creating an empty file as Preferences/Preferences.dylib? Or a copy of a legitimate library that does something else? Something has told the OS to expect that the file is there, so can you fool it into thinking that the file is there using some other file?