128 Replies Latest reply: Apr 5, 2012 3:46 PM by Rod Stasick
  • 75. Re: "Rosetta" applications suddenly stopped working
    WZZZ Level 6 (12,225 points)

    But, Trojan or not, I don't have .MacOSX/environment.plist or environment.plist anywhere on my system... and, I thought that was one of the tip offs of the presence of the Trojan.

     

    That's not a normal pref file. What am I not understanding here?

  • 76. Re: "Rosetta" applications suddenly stopped working
    X423424X Level 6 (14,190 points)

    NuLynx wrote:

     

    NO, I don't believe the problem WAS caused by the trojan... Can't find any evidence of it on my machine.

     

    I don't understand then.  Why did you mark my post about moving the environment.plist correct and your post saying that worked?  If you got no error from that move then environment.plist did exist and you have/had a flashback strain of the trojan.

  • 77. Re: "Rosetta" applications suddenly stopped working
    WZZZ Level 6 (12,225 points)

    And what is the .MacOSX/environment.plist doing there to begin with???  

  • 78. Re: "Rosetta" applications suddenly stopped working
    X423424X Level 6 (14,190 points)

    You're asking me?  I'm asking him that same question!

  • 79. Re: "Rosetta" applications suddenly stopped working
    MadMacs0 Level 4 (3,735 points)

    BTW, thanks for Hijacking my thread about something that had NOTHING to do with my original post, MadMacs0. I appreciate that.)

    Sorry you feel that way, but you have confused me here. First, I was not the first to suggest it was a Trojan, in fact there were at least two others before I ever arrived that suggested that.

     

    Secondly, the posting that you accepted as "This solved my question" does indicate that you have some form of the Flashback Trojan. If you had this file ~/.MacOSX/environment.plist and it said anything about "DYLD_INSERT_LIBRARIES" then you are infected. It may not have been the version I pointed out, but there are several other variants and most involve this file. Although there are a handful of reasons to use this file for other things, by far the majority of users will never have need for it.

     

    I promise I won't take your words personally, so if you still need help, please speak up.

  • 80. Re: "Rosetta" applications suddenly stopped working
    MadMacs0 Level 4 (3,735 points)

    WZZZ wrote:

     

    But, Trojan or not, I don't have .MacOSX/environment.plist or environment.plist anywhere on my system... and, I thought that was one of the tip offs of the presence of the Trojan.

     

    That's not a normal pref file. What am I not understanding here?

    I have that file on my computer. It contains:

    {
        "QDTEXT_ANTIALIASING" = 1;
        "QDTEXT_MINSIZE" = 12;
    }

    which got there via a prefs panel I've had for years appropriately named "RCEnvironment.prefPane". In fact you can use that to look for the dylib loader. I've run into one or two others during Flashback discussions who use it and at least one user that used an application that needed it. It's designed to establish an overall environment for the user upon login. The bad guys are simply using it to get their software loaded up as soon as the user logs in. If the dylib gets moved or deleted, then the login mechanism hangs and the user is unable to access their account.

     

    I'd have to double check but IIRC this mechanism was used for at least the first three variants of Flashback, then they tried adding the dylib to each browser and Skype, but that required an admin password and was causing browser/Skype crashes, so they seem to have returned to the original method, at least when they can't get admin privileges.

  • 81. Re: "Rosetta" applications suddenly stopped working
    WZZZ Level 6 (12,225 points)

    ^Thanks for the information. Isn't it still to be determined whether it contained DYLD_INSERT_LIBRARIES or anything else nefarious?

  • 82. Re: "Rosetta" applications suddenly stopped working
    fane_j Level 4 (3,660 points)

    WZZZ wrote:

     

    But, Trojan or not, I don't have .MacOSX/environment.plist or environment.plist anywhere on my system

    This file may or may not exist; however, its presence alone does not indicate any infection or abnormal configuration. It's only the presence of specific instructions in the environment.plist file that indicates the infection. The function and structure of environment.plist are detailed in "Runtime Configuration Guidelines" and also in Technical Q&A QA1067, both available in the Developer Library. (Reading the former should be very useful for anyone who tries to understand how this Trojan Horse works.)

     

    If the OP has had this file and deleted it without checking its contents, then we may never know whether his machine was infected by the Flashback Trojan or not. The presence of shared code libraries in, say, </Users/Shared>, or the LSEnvironment key in Safari's or Firefox's Info.plist would indicate the infection, but their absence would not be conclusive. I believe MadMacs0, who has been following this closely, can tell us more on the topic.

  • 83. Re: "Rosetta" applications suddenly stopped working
    MadMacs0 Level 4 (3,735 points)

    PlatypusRex wrote:

     

    Will turning off Java in Safari offer any protection?

    As promised, here are some suggestions on how to prevent this from happening in the future, courtesy of magmatic.com:

    Mitigation 1: Disable "Open Safe Files.." In Safari->Preferences->General.

    Mitigation 2: ONLY DOWNLOAD FLASH FROM http://get.adobe.com/flashplayer/otherversions/

    Mitigation 3: Disable Java or manage the Preferences. http://www.magmatic.com/apple-security-muse/2012/2/23/java-hardening-tips.html

    Mitigation 4: Update your OSX to the latest version.

    and I'll add one more. Do all of your normal computing using a non-admin account so you won't be tempted to accidentally install something you don't want.

  • 84. Re: "Rosetta" applications suddenly stopped working
    NuLynx Level 1 (0 points)

    MadMacs0,

     

    No offense, personally. As to "DYLD_INSERT_LIBRARIES"....nothing anywhere brought that up. If you can give me any other terminal command to enter that would show that, then I take back what I said about the Trojan.

    As I said, my computer is VERY rarely online. We are blocked by a strict firewall that blocks most everywhere we try to go. So, unless the trojan can be picked up by a PC (up in the front of the company), transferred throughout the internal network, and infecting my computer, but nobody else's.....which I won't rule out, but..Occam's Razor and all that...probably not likely. Still, I throw out my apology on the chance that it could be the case. Just too many forums where it ends up being "But, that's not what I was talking about in the first place...now you own it."

     

    As to the file environment.plist even existing (unless there is the trojan)...X423424X and WZZZ....I turn up 915,000 Google results about tweaking, modifying, and even BEING a file like that.

     

    From the horse's mouth:

     

    https://developer.apple.com/library/mac/#documentation/MacOSX/Conceptual/BPRuntimeConfig/Articles/EnvironmentVars.html

     

    The file is there, and appears to have been for quite a long while, although it may no longer exist in its current form in Lion.

     

    I guess all that's neither here nor there...SOMETHING happened to that file, and that appears to be the root of the problem. X423424X, as I said in a much earlier post...I don't know anything about UNIX or programming, but from what I can surmise, the command prompt you gave that fixed my problem renames the file, which I am guessing forces the system to create a new one since it can't find the old one? I may be way off base on that, but at any rate, that file was the problem. Be it a trojan, by some means or from the horrific font conflicts I was having at the time.

     

    At any rate, that file is the problem, and apparently the solution to that problem. Just spread the word about how to get around it and all will be well again for a lot of people.

     

    Brad

  • 85. Re: "Rosetta" applications suddenly stopped working
    NuLynx Level 1 (0 points)

    at any rate, if this "fix" DOES stop the trojan that's going around, it's all good.

  • 86. Re: "Rosetta" applications suddenly stopped working
    X423424X Level 6 (14,190 points)

    No offense, personally. As to "DYLD_INSERT_LIBRARIES"....nothing anywhere brought that up. If you can give me any other terminal command to enter that would show that, then I take back what I said about the Trojan.

     

    In that post of mine you marked correct I did request you do one command which would have verified if environment.plist was there and had the DYLD_INSERT_LIBRARIES variable.

     

    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

     

    but from what I can surmise, the command prompt you gave that fixed my problem renames the file, which I am guessing forces the system to create a new one since it can't find the old one?

     

    This is not a preference plist.  Not all plists are preferences, this one included.  So it won't be recreated.  Someone, or something, needs to explicitly create it.

     

    Also since you said that the mv worked, i.e.,

     

    sudo mv ~/.MacOSX/environment.plist ~/.MacOSX/environment.plist.old

     

    then the "old" environment.plist must still be at ~/.MacOSX/environment.plist.old now with the name environment.plist.old.  Assuming this is the case do this in terminal:

     

    sudo mv ~/.MacOSX/environment.plist.old ~/.MacOSX/environment.old.plist


    defaults read ~/.MacOSX/environment.old DYLD_INSERT_LIBRARIES

     

    Post the results of the defaults command.  Then we will know for sure about all this.

     

    Note, the mv this time is just to allow the defaults command to work.  Now the file is named environment.old.plist.
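The check discussed in the posts above (DYLD_INSERT_LIBRARIES in ~/.MacOSX/environment.plist, or under the LSEnvironment key of a browser's Info.plist), as an added Python example that is not part of any poster's reply. The application bundle paths are assumed default install locations, and the sample plists and library path are constructed for illustration.

```python
import plistlib
from pathlib import Path

LOADER_VAR = "DYLD_INSERT_LIBRARIES"
# Locations named in the thread; the app bundle paths are assumed defaults.
CHECKS = [
    ("~/.MacOSX/environment.plist", None),
    ("/Applications/Safari.app/Contents/Info.plist", "LSEnvironment"),
    ("/Applications/Firefox.app/Contents/Info.plist", "LSEnvironment"),
]

def injected_libraries(plist_bytes, container_key=None):
    """Return the library paths DYLD_INSERT_LIBRARIES names in one plist.

    container_key=None: variables sit at the top level (environment.plist).
    container_key="LSEnvironment": variables sit under that key (Info.plist).
    Raises ValueError if the bytes are not an XML or binary plist.
    """
    try:
        root = plistlib.loads(plist_bytes)
    except Exception as exc:  # plistlib raises several parser-specific types
        raise ValueError(f"unreadable plist: {exc}") from exc
    if not isinstance(root, dict):
        return []
    env = root if container_key is None else root.get(container_key, {})
    if not isinstance(env, dict):
        return []
    # dyld accepts a colon-separated list of dylib paths in this variable
    return [p for p in str(env.get(LOADER_VAR, "")).split(":") if p]

def scan(read=lambda p: Path(p).expanduser().read_bytes()):
    """Map each readable plist in CHECKS to the libraries it would inject."""
    findings = {}
    for path, key in CHECKS:
        try:
            libs = injected_libraries(read(path), key)
        except (OSError, ValueError):
            continue  # missing or unparseable file: no evidence either way
        if libs:
            findings[path] = libs
    return findings

# Constructed samples: BENIGN mirrors the QDTEXT_* file quoted earlier in the
# thread; LIB is a made-up placeholder path, not a real indicator.
LIB = "/Users/Shared/.placeholder.so"
BENIGN = plistlib.dumps({"QDTEXT_ANTIALIASING": "1", "QDTEXT_MINSIZE": "12"})
SUSPECT = plistlib.dumps({LOADER_VAR: LIB})
SUSPECT_APP = plistlib.dumps({"CFBundleName": "Safari", "LSEnvironment": {LOADER_VAR: LIB}})

if __name__ == "__main__":
    for path, libs in scan().items():
        print(path, "->", libs)
```

An empty result only means none of these three files sets the loader variable; it does not show that the machine is clean.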

  • 87. Re: "Rosetta" applications suddenly stopped working
    SWWW Level 1 (0 points)

    Hi MadMacs0,

     

    I posted much earlier about having my old PPC MS Office 2004 stop working.  I followed ALL the directions from the link you posted and was able to reinstall Office successfully! I very much appreciate the effort you folks have taken to help us out.  I also changed all my recently used userid/passwords. 

     

    I think the infection happened recently because I used Office a week or two ago with no issues.

     

    By the way this is what I found when I used the grep command:

    .WondershareStreamingVideo.tmp

    in  /Library/Application Support

     

    Had to remember unix commands that I haven't used for a long time.

     

    Many thanks,

     

    Steve

  • 88. Re: "Rosetta" applications suddenly stopped working
    NuLynx Level 1 (0 points)

    X423424X wrote:

     

    In that post of mine you marked correct I did request you do one command which would have verified if environment.plist was there and had the DYLD_INSERT_LIBRARIES variable.

     

    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

     

    THAT part of it gave me nothing other than "File not found", or something like that. That's why I only quoted the second half of your post about:

     

    sudo mv ~/.MacOSX/environment.plist ~/.MacOSX/environment.plist.old

     

    that part worked.

     

    then the "old" environment.plist must still be at ~/.MacOSX/environment.plist.old now with the name environment.plist.old

     

    Yeah, I figured that when I did it. I was wondering about how to get rid of it and/or if it would be a problem in the future, or just sit there cluttering up my hard drive with a few extra K of another unneeded file.

  • 89. Re: "Rosetta" applications suddenly stopped working
    NuLynx Level 1 (0 points)

    X423424X wrote:

     

    Also since you said that the mv worked, i.e.,

     

    sudo mv ~/.MacOSX/environment.plist ~/.MacOSX/environment.plist.old

     

    then the "old" environment.plist must still be at ~/.MacOSX/environment.plist.old now with the name environment.plist.old.  Assuming this is the case do this in terminal:

     

    sudo mv ~/.MacOSX/environment.plist.old ~/.MacOSX/environment.old.plist


    defaults read ~/.MacOSX/environment.old DYLD_INSERT_LIBRARIES

     

    Post the results of the defaults command.  Then we will know for sure about all this.

     

    Will do, but once again it will have to wait until morning. I'm kind of hoping we DO find that "DYLD_INSERT_LIBRARIES" because then it would be case closed.

     

    I'll let you know more come the A.M.
