128 Replies. Latest reply: Oct 24, 2011 12:59 PM by MadMacs0
  • 60. Re: new malware disguised as flash installer
    andyBall_uk Level 7 Level 7 (20,320 points)

    Hi

    go to ~/.MacOSX and trash the environment.plist file if you see it.

    this trojan sets a user environment variable "DYLD_INSERT_LIBRARIES" to ~/Library/Preferences/Preferences.dylib and if OS X can't find it - you'll never log in fully.

  • 61. Re: new malware disguised as flash installer
    andyBall_uk Level 7 Level 7 (20,320 points)

    I do have the rogue pkg, but little time to look further today.

    checked at http://virscan.org/ but was a duplicate & no malware detected.

    upped it to easyshare & url sent to mailinator, fwiw.

  • 62. Re: new malware disguised as flash installer
    Louie Sherwin Level 1 Level 1 (0 points)

    Thanks!!

    I can log in again. Now I think that this thing is finally removed from my system. Now I am wondering what information was exposed during the 3+ days it was active on my system. <sigh>

    andyBall_uk wrote:

    Hi

    go to ~/.MacOSX and trash the environment.plist file if you see it.

    this trojan sets a user environment variable "DYLD_INSERT_LIBRARIES" to ~/Library/Preferences/Preferences.dylib and if OS X can't find it - you'll never log in fully.

    Sneaky *******....

  • 63. Re: new malware disguised as flash installer
    andyBall_uk Level 7 Level 7 (20,320 points)

    I'd look very carefully for other signs, the systemui file mentioned above, for example.

    @Linc - see the pkg at mailinator, I've sent the url again.

  • 64. Re: new malware disguised as flash installer
    andyBall_uk Level 7 Level 7 (20,320 points)

    cathy fasano wrote:

    Do we know whether the trojan also installs the legitimate flash player? (That would be clever...)

    It doesn't.

  • 65. Re: new malware disguised as flash installer
    Louie Sherwin Level 1 Level 1 (0 points)

    andyBall_uk wrote:

    I'd look very carefully for other signs, the systemui file mentioned above, for example.

    @Linc - see the pkg at mailinator, I've sent the url again.

    Thanks Andy,

    Actually I found the SystemUI file following the hints from madmacs. I know that I may not be completely out of the woods yet until the security geniuses can find out what this thing is really doing. In the meantime I have VirusBarrier set up to monitor all outgoing connections and so far I am only seeing valid requests.

    Here is a summary of what I have learned so far and how to start to remove this from your system if you are unlucky (read careless like me) enough to get infected.

    At least 4 files are installed on your system, all in your user home directory:

    ~/.MacOSX/environment.plist

    ~/Library/Preferences/Preferences.dylib

    ~/Library/Preferences/preflib

    ~/Library/LaunchAgents/com.apple.SystemUI.plist

    These all had the same create date and seem to have been installed at the same time.

    If you have been infected you should certainly remove all of these files from your system. This certainly disrupts the infection and may be all you need to do to remove it. However, it is still too early to tell until the code is thoroughly analyzed.

    Some other symptoms that I noticed are as follows:

    1) Some websites that I commonly used stopped working, giving weird errors. All flash based.

    2) Contextual menus in Finder started showing up with cryptic labels for things like N14 instead of "Open"

    It was the latter that got me searching in the discussions and subsequently learning that I had been infected.

    -louie

  • 66. Re: new malware disguised as flash installer
    cathy fasano Level 2 Level 2 (340 points)

    Like a good little OS X user, I am logged into a non-privileged user account (short username cathy) all of the time, and then I have an Administrator account (short username cathyf) whose username/password I put into the Authentication panel whenever I need to do something privileged. So when you say to look for these files in the user directory, would that be the user directory for the privileged or non-privileged account? (In other words, ~cathy or ~cathyf?)

  • 67. Re: new malware disguised as flash installer
    cathy fasano Level 2 Level 2 (340 points)

    Kurt posted some screen shots on page 2 of this thread, and I just in the last hour had an update panel pop up that looks different from both (but more like the legit adobe update)

    Screen shot 2011-09-28 at 10.32.28 AM.png

    I killed it via Force-Quit. Here's what it looked like in Activity Monitor before I killed it:

    Screen shot 2011-09-28 at 10.34.08 AM.png

    In both cases, it was the Adobe panel with the square corners and not the mac installer with the rounded-corners.

    The install_flash_player_osx_intel.dmg file which is in my downloads directory is size 6,376,888 bytes, and I downloaded it apparently last Wednesday (9/21).

    I have a vague memory of this popping up last week, but I can't actually remember whether I installed it or not. (Sheesh, I'm getting senile.)

    I have none of the files that other people are reporting you get as part of the infection -- so, folks, what is your opinion -- could I be infected or not?

    Another interesting piece of data... At the same time as the install_flash_player_osx_intel.dmg file appeared in my downloads folder, an application appeared in Applications/Utilities

    Screen shot 2011-09-28 at 11.40.38 AM.png

    called Adobe Flash Player Install Manager. Is this legit or the trojan?

  • 68. Re: new malware disguised as flash installer
    Louie Sherwin Level 1 Level 1 (0 points)

    cathy fasano wrote:

    Like a good little OS X user, I am logged into a non-privileged user account (short username cathy) all of the time, and then I have an Administrator account (short username cathyf) whose username/password I put into the Authentication panel whenever I need to do something privileged. So when you say to look for these files in the user directory, would that be the user directory for the privileged or non-privileged account? (In other words, ~cathy or ~cathyf?)

    From your description of how you work I would think you would find the bad files in your unprivileged account (cathy). I don't recall if the installer asked me for a password or not, but I don't recall that it did. Since everything I have found so far is in my user account, it doesn't seem as though it needs to have root permissions to install itself.

    -louie

  • 69. Re: new malware disguised as flash installer
    cathy fasano Level 2 Level 2 (340 points)

    Intego has posted another article about the flashback trojan:

    http://blog.intego.com/2011/09/28/flashback-trojan-spreading-mac-users-should-be-wary-of-flash-installers/#disqus_thread

    It includes a comment about there being a Flash pref tab in System Preferences (which, if I was ever aware of, I had forgotten) and that there is a preference in there about automatic update checks. Which I had checked off to yes.

    So it is still quite possible that what I saw was a legitimate adobe flash update.

    (I have to admire this as brilliant social engineering. Since adobe software is stupidly designed all up and down the line from installers to the software itself, who thinks twice when something that looks like adobe software behaves oddly?)

  • 70. Re: new malware disguised as flash installer
    WZZZ Level 6 Level 6 (12,225 points)

    Since May, when Apple fought a weeks-long battle with makers of phony Mac security software -- usually called "scareware" or "rogueware" -- XProtect checks daily for new signature updates.

    The new signature will detect Revir if a user downloads the fake PDF document using Safari, iChat or Mail -- Mac OS X's native email client -- and then displays a warning urging the user to toss the file into the Trash.

    This is about the Revir trojan -- with a short added note about the new Flashback one -- but is this true? XProtect will only quarantine files if downloaded from one of the native Mac apps, like Safari, iChat or Mail?

    In other words, no protection if using Firefox? I guess I haven't been paying much attention to the XProtect feature.

    http://www.computerworld.com/s/article/9220309/Apple_updates_OS_X_to_block_Mac_Trojan

  • 71. Re: new malware disguised as flash installer
    pcbjr Level 2 Level 2 (265 points)

    You say: "go to ~/.MacOSX and trash the environment.plist file if you see it."

    Sorry for being a dummy, but where the heck is ~/.MacOSX ?

    I see it nowhere (????)

  • 72. Re: new malware disguised as flash installer
    Louie Sherwin Level 1 Level 1 (0 points)

    pcbjr wrote:

    You say: "go to ~/.MacOSX and trash the environment.plist file if you see it."

    Sorry for being a dummy, but where the heck is ~/.MacOSX ?

    I see it nowhere (????)

    This is a Unix hidden file in your home directory and is not visible from Finder. Start a Terminal and from the prompt, which ends in a "$" (dollar sign), do the following:

    $ ls -a

    You should see a bunch of stuff including .MacOSX

    $ cd .MacOSX
    $ ls -a

    The only file I found was the bogus environment.plist. If it is there then:

    $ rm environment.plist

    This will delete it immediately without putting it into the trash.

    -louie

  • 73. Re: new malware disguised as flash installer
    cathy fasano Level 2 Level 2 (340 points)

    Ok, I went directly to adobe, and downloaded install_flash_player_osx_intel(1).dmg, and it is (6,365,350 bytes) long. The file I got last Wednesday, install_flash_player_osx_intel.dmg, is (6,376,888 bytes) long. So is there any chance that the (6,376,888 bytes) file is legit?

    (I can't find anything on Adobe's web site that would indicate a hash key or any other validation for an install file.)

  • 74. Re: new malware disguised as flash installer
    Linc Davis Level 10 Level 10 (118,270 points)

    @Linc - see the pkg at mailinator, I've sent the url again.

    Thanks. The installer does not need root privileges to run. The BOM file contains only an empty text file; the payload is entirely contained in the "preinstall" executable, which in this case is a binary. It installs the files listed below, attempts to disable "Little Snitch" (if present), loads a launchd job, and relaunches Safari and Firefox.

    Here is a complete list of the files installed:

    1. .MacOSX/environment.plist
    2. Library/LaunchAgents/com.apple.SystemUI.plist
    3. Library/Preferences/perflib
    4. Library/Preferences/Preferences.dylib
    5. Library/Logs/swlog

    Paths are relative to the user's home directory.

    File 1 is an empty plist, merely a placeholder at this stage, apparently.

    File 2 is a launchd job that executes, at load and once every 3650 seconds afterwards, the shell command equivalent to "Library/Preferences/perflib Library/Preferences/Preferences.dylib".

    File 3 is a small executable that seems to decrypt its argument in some way and then execute it.

    File 4 is the real payload of the trojan. It's a Mach-O binary, but its contents are almost completely obfuscated or encrypted, so one can't tell what it really does. According to the system log, it tries to inject code into all the user's running processes, but it seems to fail in most, if not all, of those attempts.

    File 5 contains a string of hexadecimal digits. I think it must be an encrypted keylog or something similar.

    My interpretation is that a little less than once an hour, the trojan "burps" out an encrypted message to its creator containing whatever information it has collected, and presumably also receives instructions.

    After removing the above files and logging out, I found that I couldn't immediately log back into the same account; I'm not sure why not. After rebooting, all was well.
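As an added example, not code posted by anyone in this thread: a read-only POSIX shell audit that checks one home directory for the files Louie (post 65) and Linc Davis (post 74) list and for the DYLD_INSERT_LIBRARIES key andyBall_uk describes (post 60), using the same Terminal approach as post 72 but deleting nothing. It runs on a Mac or any system with sh, grep, sed and awk. The two home directories it builds for the demonstration are constructed fixtures; their plist contents are modelled on the thread's descriptions (the launchd job running perflib with Preferences.dylib every 3650 seconds), and /Users/victim is a placeholder path, not a value from the page.

```shell
#!/bin/sh
# Read-only audit of one home directory for the Flashback files named in this
# thread. It only reports; nothing is deleted. The home directories built below
# are constructed fixtures for the demonstration, not real samples.

# Report each indicator found under home directory $1, one per line.
# Exit status 0 if anything was found, 1 if the directory looks clean.
flashback_scan() {
    fb_home="$1"
    fb_found=0
    # ~/.MacOSX/environment.plist is the normal per-user environment file on
    # OS X of this era, so its presence alone proves nothing. The tell is a
    # DYLD_INSERT_LIBRARIES key, which makes dyld load the named library into
    # every process the user launches (hence the login failure once it is gone).
    fb_env="$fb_home/.MacOSX/environment.plist"
    if [ -f "$fb_env" ] && grep -q 'DYLD_INSERT_LIBRARIES' "$fb_env"; then
        echo "DYLD_INSERT_LIBRARIES set in .MacOSX/environment.plist"
        fb_found=$((fb_found + 1))
    fi
    # The other four files from Linc Davis's list; none belongs in a normal home.
    for fb_rel in \
        Library/LaunchAgents/com.apple.SystemUI.plist \
        Library/Preferences/perflib \
        Library/Preferences/Preferences.dylib \
        Library/Logs/swlog
    do
        if [ -e "$fb_home/$fb_rel" ]; then
            echo "present: $fb_rel"
            fb_found=$((fb_found + 1))
        fi
    done
    # For the launchd job, show what it runs and its interval so the reader can
    # compare with the "perflib Preferences.dylib" / 3650 s described above.
    fb_agent="$fb_home/Library/LaunchAgents/com.apple.SystemUI.plist"
    if [ -f "$fb_agent" ]; then
        grep -oE '<(string|integer)>[^<]*</(string|integer)>' "$fb_agent" \
            | sed 's/<[^>]*>//g; s/^/  agent value: /'
    fi
    [ "$fb_found" -gt 0 ]
}

# Number of indicators flashback_scan reports for $1 (agent detail lines excluded).
flashback_indicator_count() {
    flashback_scan "$1" | awk '!/^  agent value:/ { n++ } END { print n + 0 }'
}

# Constructed home with all five files; plist contents follow the thread's
# description of them, and /Users/victim is a placeholder path.
make_infected_fixture() {
    fx="$1"
    mkdir -p "$fx/.MacOSX" "$fx/Library/LaunchAgents" "$fx/Library/Preferences" "$fx/Library/Logs"
    cat > "$fx/.MacOSX/environment.plist" <<'EOF'
<plist version="1.0">
<dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/victim/Library/Preferences/Preferences.dylib</string>
</dict>
</plist>
EOF
    cat > "$fx/Library/LaunchAgents/com.apple.SystemUI.plist" <<'EOF'
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.SystemUI</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/victim/Library/Preferences/perflib</string>
        <string>/Users/victim/Library/Preferences/Preferences.dylib</string>
    </array>
    <key>StartInterval</key>
    <integer>3650</integer>
</dict>
</plist>
EOF
    : > "$fx/Library/Preferences/perflib"
    : > "$fx/Library/Preferences/Preferences.dylib"
    echo "0a1b2c3d" > "$fx/Library/Logs/swlog"   # stands in for the hex-digit log
}

# Constructed home whose environment.plist is legitimate (no DYLD key).
make_benign_fixture() {
    fx="$1"
    mkdir -p "$fx/.MacOSX"
    printf '<plist version="1.0"><dict><key>EDITOR</key><string>/usr/bin/vi</string></dict></plist>\n' \
        > "$fx/.MacOSX/environment.plist"
}

# Demonstration on the two constructed homes.
demo="$(mktemp -d)"
make_infected_fixture "$demo/infected"
make_benign_fixture "$demo/benign"
for fb_case in infected benign; do
    echo "== $fb_case =="
    flashback_scan "$demo/$fb_case" || echo "  no Flashback indicators"
done
rm -rf "$demo"
```

To audit a real account, run `flashback_scan "$HOME"` from that user's Terminal (or `flashback_scan /Users/othername` for another account on the same machine, which answers cathy fasano's question about which home to check); the script never removes anything, so the rm steps from post 72 stay a deliberate second step once the listing has been reviewed.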
