
.rserv wants to connect to cuojshtbohnt.com

27318 Views 227 Replies Latest reply: Apr 12, 2012 8:53 PM by MadMacs0 RSS
  • fane_j Level 4 Level 4 (3,655 points)
    Mar 31, 2012 10:09 PM (in response to X423424X)

    X423424X wrote:

     

    I had read that earlier variants aborted their code injection if they detected little snitch

    Yes, that's correct. But my suspicion is that there's more than one person behind this. Also, black hats do have their own watering holes, and they do exchange code and tips. This may be a variant where the code which self-destructs if LS is encountered is not functional or stopped by a bug.

     

    There's another possibility. It just occurred to me to look at the date. I hope we haven't been taken in by a hoax.

  • bgw1
    Mar 31, 2012 10:12 PM (in response to X423424X)

    /Library/LaunchAgents

     

        Only Little Snitch and Splashtop are here

     

    /Library/LaunchDaemons

     

         M-Audio DAC

          Little Snitch

          Splashtop

          HDAPM

          All the above are old-dated

     

    /Library/StartupItems

     

         Only my M-Audio USB DAC is here

  • sthej
    Mar 31, 2012 10:20 PM (in response to X423424X)

    Thanks for your help on this in general...

     

    I ran the defaults read ~/.MacOSX/environment command in Terminal and got a "does not exist".

     

    Looking around on Google, it seems like similar behavior to the Flashback trojan as well as the rr.nu domains.

  • X423424X Level 6 Level 6 (14,190 points)
    Mar 31, 2012 10:25 PM (in response to bgw1)

    bgw1, I have no idea where your .rserv is being launched. Unless we actually are dealing with a trojan here, I would have expected yours to come from the same Adobe Reader LaunchAgent as the OP.

  • X423424X Level 6 Level 6 (14,190 points)
    Mar 31, 2012 10:29 PM (in response to fane_j)

    fane_j wrote:


    There's another possibility. It just occurred to me to look at the date. I hope we haven't been taken in by a hoax.

     

    I'm really going to be pi$$ed off wasting all this time if this is an April Fools' joke.

  • bgw1 Level 1 Level 1 (0 points)
    Mar 31, 2012 10:31 PM (in response to X423424X)

    Is this the correct environment command in Terminal?  I am running Lion.

     

    defaults read ~/.MacOSX/environment

     

    Eirs-MacBook:~ EirUser$ defaults read ~/.MacOSX/environment

    2012-04-01 01:06:10.966 defaults[1677:707]

    Domain /Users/EirUser/.MacOSX/environment does not exist

    Eirs-MacBook:~ EirUser$

  • X423424X Level 6 Level 6 (14,190 points)
    Mar 31, 2012 10:31 PM (in response to sthej)

    sthej wrote:

     

    Thanks for your help on this in general...

     

    I ran the defaults read ~/.MacOSX/environment command in terminal and got a does not exist.

     

    Looking around on google it seems like similar behavior to the flashback trojan as well as the rr.nu domains.

     

    Well you seemed to satisfy yours but I would download Adobe Reader from the Adobe Site.  I am still curious how that LaunchAgent got in there in the first place.

  • X423424X Level 6 Level 6 (14,190 points)
    Mar 31, 2012 10:42 PM (in response to X423424X)

    I'm sure the mere mention of the word "trojan" is going to attract certain interested readers to this thread. So just in case, to make it easier for them, here's that Adobe Reader LaunchAgents plist in a more readable (i.e., formatted) form:

     

    <?xml version="1.0" encoding="UTF-8"?>

    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

    <plist version="1.0">

    <dict>

        <key>Label</key>

        <string>com.adobe.reader</string>

        <key>ProgramArguments</key>

        <array>

            <string>/Users/trungson/.rserv</string>

        </array>

        <key>RunAtLoad</key>

        <true/>

        <key>StartInterval</key>

        <integer>4212</integer>

        <key>StandardErrorPath</key>

        <string>/dev/null</string>

        <key>StandardOutPath</key>

        <string>/dev/null</string>

    </dict>

    </plist>

     

    Why would a launchd plist in a user's LaunchAgents have to specify RunAtLoad (it would run at login anyhow) and a StartInterval (or is this why RunAtLoad is needed)?

  • fane_j Level 4 Level 4 (3,655 points)
    Mar 31, 2012 10:41 PM (in response to trungson)

    trungson wrote:

     

    /Users/trungson/Library/LaunchAgents/com.adobe.reader.plist:

    (I'll assume this is on the level.)

     

    The syntax is valid; also, it has nothing to do with Adobe Reader. (The latter's identifier is probably "com.adobe.Reader", and there would be no need for it to implement anything as a launch agent.)

     

    This plist implements a launch agent. It tells launchd to run </Users/trungson/.rserv> every 4212 seconds, discarding any output and error. The process is not kept alive—launchd runs it, it does whatever it was designed to do, then terminates, and launchd runs it again some 70 mins later. (Which explains why ps didn't list it.) If I were to speculate (without any evidence), I'd say it's trying to connect to the mothership to download the actual payload.

  • X423424X Level 6 Level 6 (14,190 points)
    Mar 31, 2012 10:47 PM (in response to fane_j)

    It's just these kinds of things that are why I consider Little Snitch a "must have" on my systems. The last thing I want is something, anything, sent back to Adobe, no matter what.

    The syntax is valid; also, it has nothing to do with Adobe Reader. (The latter's identifier is probably "com.adobe.Reader", and there would be no need for it to implement anything as a launch agent.)

     

    Why use the id "com.adobe.Reader" if it wasn't associated with Adobe Reader? I do know the current AR doesn't install this.

  • bgw1 Level 1 Level 1 (0 points)
    Mar 31, 2012 10:46 PM (in response to X423424X)

    I don't have Adobe Reader, but I do have Acrobat Professional 8.  There is no Adobe .plist file at the locations you asked about.

     

    Did you see my earlier post that I found the .rsvr file, it's 59.9K and it was downloaded by PluginProcess.app on March 30, 2012 (part of the webkit2 framework)?  I could try to Zip it and email it to someone you if you want it.

  • X423424X Level 6 Level 6 (14,190 points)
    Mar 31, 2012 10:50 PM (in response to bgw1)

    Did you see my earlier post that I found the .rsvr file, it's 59.9K and it was downloaded by PluginProcess.app on March 30, 2012 (part of the webkit2 framework)?  I could try to Zip it and email it to someone you if you want it.

     

    I guess I missed that.  I don't know what PluginProcess.app is.    So long as you found it, ok. 

  • fane_j Level 4 Level 4 (3,655 points)
    Mar 31, 2012 10:53 PM (in response to X423424X)

    X423424X wrote:

     

    here's that adobe reader LaunchAgents plist in a more readable (i.e., formatted) form:

    That's useful. Just a couple of comments.

     

    The plist has nothing to do with Adobe Reader. The Label key is a unique identifier, required by launchd to keep track of agents. But it can be any string. If launchd's database is case-sensitive, and the Adobe Reader identifier is, as I suspect, com.adobe.Reader, then it's enough.

     

    The RunAtLoad key is an optional key "used to control whether your job is launched once at the time the job is loaded". (It's in the launchd.plist manpage.)

     

    As to how it was installed… My bet would still be CVE-2011-3544.
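The two posts by fane_j above explain how launchd interprets the quoted plist (Label is just a string, RunAtLoad fires once at load, StartInterval re-runs the program every 4212 seconds with output discarded), and bgw1's earlier post shows the manual walk through /Library/LaunchAgents and /Library/LaunchDaemons. The script below is an added example, not code from the thread or from Apple: it parses a launchd plist with the standard-library plistlib module, restates the schedule the way fane_j did, and flags the traits that made this agent stand out. The sample plist bytes are the one quoted in the thread; the triage heuristics (hidden dotfile executable, home-directory path outside an app bundle, both output paths sent to /dev/null, a vendor-style Label with a non-vendor path, a sub-daily StartInterval) are my own assumptions about what a reviewer would want surfaced, not a signature for any particular malware.

```python
"""Triage launchd agent/daemon plists for the traits discussed in the thread."""
import os
import plistlib
from pathlib import Path

# Constructed sample: the plist quoted earlier in the thread, embedded inline so the
# script runs offline. The path /Users/trungson/.rserv is the one the thread reports.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.adobe.reader</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/trungson/.rserv</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>4212</integer>
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
    <key>StandardOutPath</key>
    <string>/dev/null</string>
</dict>
</plist>
"""

# The locations the thread's participants inspected by hand. expanduser never raises,
# so a missing HOME just yields a path that is_dir() reports as absent.
LAUNCHD_DIRS = [
    Path(os.path.expanduser("~/Library/LaunchAgents")),
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]


def parse_job(data: bytes) -> dict:
    """Parse raw plist bytes (XML or binary) into a dict; raises on malformed input."""
    return plistlib.loads(data)


def job_executable(job: dict):
    """Return the path launchd will execute: Program wins, else ProgramArguments[0]."""
    args = job.get("ProgramArguments") or []
    return job.get("Program") or (args[0] if args else None)


def describe_schedule(job: dict) -> str:
    """Explain when launchd runs the job, as fane_j did for the quoted plist."""
    parts = []
    if job.get("RunAtLoad"):
        parts.append("at load")
    interval = job.get("StartInterval")
    if isinstance(interval, int) and interval > 0:
        parts.append(f"every {interval} s (~{interval / 60:.0f} min)")
    if job.get("KeepAlive"):
        parts.append("kept alive (restarted on exit)")
    return ", then ".join(parts) if parts else "on demand only"


def triage(job: dict) -> list:
    """Return human-readable findings; an empty list means nothing stood out.
    The heuristics are assumptions chosen for this example, not a malware signature."""
    findings = []
    exe = job_executable(job)
    if exe is None:
        return ["no Program or ProgramArguments: job runs nothing"]
    if os.path.basename(exe).startswith("."):
        findings.append(f"executable is a hidden dotfile: {exe}")
    if exe.startswith("/Users/") and "/Applications/" not in exe:
        findings.append(f"executable lives in a home directory outside any app bundle: {exe}")
    if job.get("StandardOutPath") == "/dev/null" and job.get("StandardErrorPath") == "/dev/null":
        findings.append("stdout and stderr both discarded to /dev/null")
    label = str(job.get("Label", ""))
    if label.lower().startswith("com.adobe.") and "adobe" not in exe.lower():
        findings.append(f"Label {label!r} imitates a vendor but the executable path does not mention Adobe")
    interval = job.get("StartInterval")
    if isinstance(interval, int) and 0 < interval < 24 * 3600:
        findings.append(f"re-runs every {interval} s: a beacon-like schedule")
    return findings


def scan(dirs=LAUNCHD_DIRS) -> dict:
    """Triage every .plist in the given directories; unreadable files are reported too."""
    report = {}
    for d in dirs:
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            try:
                report[str(p)] = triage(parse_job(p.read_bytes()))
            except Exception as exc:  # malformed plist, permission error, ...
                report[str(p)] = [f"could not parse: {exc}"]
    return report


if __name__ == "__main__":
    job = parse_job(SAMPLE_PLIST)
    print("sample schedule:", describe_schedule(job))
    for finding in triage(job):
        print("  -", finding)
    for path, findings in scan().items():
        print(path, "->", findings or "nothing notable")
```

Run it as a normal user to cover ~/Library/LaunchAgents and the two /Library directories; a job with an empty findings list is not proven clean, only free of the traits listed above, so a hit is a prompt to look at the file launchd points to, not a verdict.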

  • bgw1 Level 1 Level 1 (0 points)
    Mar 31, 2012 10:55 PM (in response to X423424X)

    It's been quiet for the last hour.  I think it hit Little Snitch about 5 times.  I'm interested in resolving this for the community if it's a new threat otherwise I'm just wondering how to quarantine it or positively delete it.

  • fane_j Level 4 Level 4 (3,655 points)
    Mar 31, 2012 10:56 PM (in response to bgw1)

    bgw1 wrote:

     

    it was downloaded by PluginProcess.app on March 30, 2012

    PluginProcess lives here

     

    </System/Library/PrivateFrameworks/WebKit2.framework/PluginProcess.app>

     

    So this was in all likelihood downloaded by Safari (possibly also Chrome?). You should make a list of all sites visited on that date. Any Wordpress blogs among them?
