227 Replies. Latest reply: Apr 12, 2012 8:53 PM by MadMacs0
  • 60. Re: .rserv wants to connect to cuojshtbohnt.com
    MWMWMW, Level 1 (0 points)

    As was brought up by an earlier poster, this is an evolution of Flashback.  Anyone who has been evidence of .rserv on their system, or other concern for being infected, should review http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml or similar.

  • 61. Re: .rserv wants to connect to cuojshtbohnt.com
    MWMWMW, Level 1 (0 points)

    *Anyone who has seen evidence...

    Sorry.

  • 62. Re: .rserv wants to connect to cuojshtbohnt.com
    X423424X, Level 6 (14,190 points)

    I don't think this has anything to do with Flashback. I don't know if it is a trojan or not, but in my opinion the Flashback creators are a lot more sneaky than the obvious stuff going on here. This is too simple and much easier to spot.

  • 63. Re: .rserv wants to connect to cuojshtbohnt.com
    MWMWMW, Level 1 (0 points)

    The basis for my conclusion was that I infected a test machine.  I was able to observe behavior that followed the pattern of Flashback exactly, with no apparent additions or modifications (right down to attempting to mimic software update to root the system).  The standard Flashback manual removal process was successful, from what I have seen so far.  I will report further observations if I discover more to report.  So far, it would seem that only the initial delivery mechanism has evolved.

  • 64. Re: .rserv wants to connect to cuojshtbohnt.com
    MadMacs0, Level 4 (3,725 points)

    fane_j wrote:

    Good work, but bad news. CVE-2011-3544 was supposed to have been fixed after update 27, so either it hasn't been really fixed, or they use another vulnerability. IMHO, that's serious stuff, and I'm considering whether or not I should remove Java altogether.

    Yes, but if it cannot use either of the two exploits in CVE-2011-3544 it tries social engineering to install. The two examples we have are the un-trusted fake Apple Certificate and the phony software update dialog asking for admin password. That's why I suggested to Linc yesterday that he modify his guidance to have everybody who doesn't require it to disable it, either in the browser or in Java Preferences.

  • 65. Re: .rserv wants to connect to cuojshtbohnt.com
    MadMacs0, Level 4 (3,725 points)

    MWMWMW wrote:

    The basis for my conclusion was that I infected a test machine.  I was able to observe behavior that followed the pattern of Flashback exactly, with no apparent additions or modifications (right down to attempting to mimic software update to root the system).  The standard Flashback manual removal process was successful, from what I have seen so far.  I will report further observations if I discover more to report.  So far, it would seem that only the initial delivery mechanism has evolved.

    Although I would agree with you that this appears to be the next evolution of Flashback, the installation pattern is completely different from any we have seen before. In the F-Secure reference you cited neither of the two types of infection involve a launchagent or an executable at the root level of the home folder. It was either files added to Safari in Type 1 or the old environment.plist and an ".so" dylib file. I'm not understanding how you could have used the removal process specified by F-Secure to have found the two files that have been discussed here.

    In any case, nobody has suggested submitting them as samples, so I'll ask that anybody that has anything to please send/upload them to sample@virusbarrier.com and virustotal.com

  • 66. Re: .rserv wants to connect to cuojshtbohnt.com
    easthollow, Level 1 (0 points)

    This was caught by Little Snitch this morning on my system as well, except mine tried to connect to gangstasparadise.rr.nu. File .rserv is in my user folder. Other details per this thread:

    $ defaults read ~/.MacOSX/environment
    {
        PATH = "/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin:/opt/local/bin:/usr/local/git/bin";
    }
    $ java -version
    java version "1.6.0_29"
    Java(TM) SE Runtime Environment (build 1.6.0_29-b11-402-11D50)
    Java HotSpot(TM) 64-Bit Server VM (build 20.4-b02-402, mixed mode)

    Thoughts?

  • 67. Re: .rserv wants to connect to cuojshtbohnt.com
    MWMWMW, Level 1 (0 points)

    I agree that the LaunchAgent is a fairly unsophisticated and transparent step in the delivery mechanism, but the remaining payload is extremely familiar.

    I refused the "software update" authentication prompt, so the "Type 2" environment.plist infection method was used in the only test case I've had a chance to review, and the corresponding removal technique was successful. If I get a chance to reset my test environment and prompt a Type 1 scenario later today, I'll post results.

    MadMacs0 wrote:

    Although I would agree with you that this appears to be the next evolution of Flashback, the installation pattern is completely different from any we have seen before. In the F-Secure reference you cited neither of the two types of infection involve a launchagent or an executable at the root level of the home folder. It was either files added to Safari in Type 1 or the old environment.plist and an ".so" dylib file. I'm not understanding how you could have used the removal process specified by F-Secure to have found the two files that have been discussed here.

  • 68. Re: .rserv wants to connect to cuojshtbohnt.com
    MadMacs0, Level 4 (3,725 points)

    easthollow wrote:

    This was caught by Little Snitch this morning on my system as well, except mine tried to connect to gangstasparadise.rr.nu. File .rserv is in my user folder. Other details per this thread:

    $ defaults read ~/.MacOSX/environment
    {
        PATH = "/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin:/opt/local/bin:/usr/local/git/bin";
    }

    I've not seen the environment.plist used to provide a path profile before. What is in "/usr/local/git/bin/"?

    $ java -version
    java version "1.6.0_29"
    Java(TM) SE Runtime Environment (build 1.6.0_29-b11-402-11D50)
    Java HotSpot(TM) 64-Bit Server VM (build 20.4-b02-402, mixed mode)

    Java is up-to-date.

  • 69. Re: .rserv wants to connect to cuojshtbohnt.com
    MadMacs0, Level 4 (3,725 points)

    MWMWMW wrote:

    I refused the "software update" authentication prompt, so the "Type 2" environment.plist infection method was used in the only test case I've had a chance to review, and the corresponding removal technique was successful.

    Was this on a fully patched OS X (and what version, BTW) or did it use Java exploit CVE-2011-3544 to install the Type 2 infection? I've asked F-Secure about this, but they have not gotten back to me.

  • 70. Re: .rserv wants to connect to cuojshtbohnt.com
    Baroncee, Level 1 (0 points)

    Emmm... I'm on Lion and just got a tip-off from Little Snitch about ".mkeeper" in my user directory trying to connect to the same site.

    Is this thing definitely some sort of malware?

    I can imagine where I'd have gotten it from.

  • 71. Re: .rserv wants to connect to cuojshtbohnt.com
    easthollow, Level 1 (0 points)

    MadMacs0 wrote:

    I've not seen the environment.plist used to provide a path profile before. What is in "/usr/local/git/bin/"?

    git is a version control system used by programmers. I installed it myself, so that's nothing of concern.

    .rserv is the file of concern. Where did it come from, why is it trying to contact this bizarre site?

  • 72. Re: .rserv wants to connect to cuojshtbohnt.com
    MadMacs0, Level 4 (3,725 points)

    Baroncee wrote:

    Emmm... I'm on Lion and just got a tip-off from Little Snitch about ".mkeeper" in my user directory trying to connect to the same site.

    Is this thing definitely some sort of malware?

    I can imagine where I'd have gotten it from.

    I'd be willing to bet on it as there should be no hidden processes running out of the root level of your home folder. Recent versions are being spread by a Java applet rendered from a web page (recently WordPress blogs) using one of at least three methods of then downloading and installing the Trojan. Appears to be new as of the 30th, so we have not seen much analysis done on it other than what is in this thread.

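The hidden-process point above, as an added example that is not part of the thread: a POSIX sh check, assumed to be run against a home folder path, for the three indicators these posts describe: a hidden executable at the root of the home folder (.rserv, .mkeeper), a LaunchAgent plist that points at such a file, and an ~/.MacOSX/environment.plist that sets DYLD_INSERT_LIBRARIES (the Type 2 pattern). The sample home folder it builds is constructed data; the plist label com.example.rserv and the .libfake.so name are made up.

```shell
# Constructed example (not from the thread): scan a home folder for the indicators
# discussed above and print one line per finding. Returns 0 when clean, 1 otherwise.
scan_home() {
  home="$1"
  found=0
  # hidden, executable regular files directly in the home folder (.rserv, .mkeeper)
  for f in "$home"/.[!.]*; do
    [ -f "$f" ] && [ -x "$f" ] || continue
    echo "HIDDEN_EXEC $f"
    found=1
  done
  # LaunchAgents that point at a hidden file in the home folder
  for p in "$home"/Library/LaunchAgents/*.plist; do
    [ -f "$p" ] || continue
    if grep -q "$home/\.[A-Za-z0-9_]" "$p"; then
      echo "LAUNCHAGENT $p"
      found=1
    fi
  done
  # the "Type 2" pattern: environment.plist injecting a dylib into every process
  env_plist="$home/.MacOSX/environment.plist"
  if [ -f "$env_plist" ] && grep -q DYLD_INSERT_LIBRARIES "$env_plist"; then
    echo "ENV_PLIST $env_plist"
    found=1
  fi
  return $found
}

# Throwaway home folder mimicking the infection pattern from the thread
# (constructed sample data; the plist label and .so name are made up).
make_sample_home() {
  d=$(mktemp -d)
  printf '#!/bin/sh\n' > "$d/.rserv" && chmod +x "$d/.rserv"
  mkdir -p "$d/Library/LaunchAgents" "$d/.MacOSX"
  printf '<plist><dict><key>ProgramArguments</key><array><string>%s</string></array></dict></plist>\n' \
    "$d/.rserv" > "$d/Library/LaunchAgents/com.example.rserv.plist"
  printf '<plist><dict><key>DYLD_INSERT_LIBRARIES</key><string>%s</string></dict></plist>\n' \
    "$d/.libfake.so" > "$d/.MacOSX/environment.plist"
  echo "$d"
}

# Clean control folder: an ordinary, non-executable dotfile only.
make_clean_home() {
  d=$(mktemp -d)
  printf 'export EDITOR=vi\n' > "$d/.profile"
  echo "$d"
}
```

Run `scan_home "$HOME"` on a real machine; a HIDDEN_EXEC hit on a file you did not create yourself is the case to investigate (and to submit as a sample, as asked above), while a dotfile you deliberately made executable is a false positive.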
  • 73. Re: .rserv wants to connect to cuojshtbohnt.com
    MadMacs0, Level 4 (3,725 points)

    easthollow wrote:

    MadMacs0 wrote:

    I've not seen the environment.plist used to provide a path profile before. What is in "/usr/local/git/bin/"?

    git is a version control system used by programmers. I installed it myself, so that's nothing of concern.

    Thanks.

    .rserv is the file of concern. Where did it come from, why is it trying to contact this bizarre site?

    It appears to be either a new variant of the Flashback Trojan or a copycat using the same technique to download and infect your computer. Everything known about it now is in this thread unless somebody has run across more details today.

  • 74. Re: .rserv wants to connect to cuojshtbohnt.com
    fane_j, Level 4 (3,660 points)

    MadMacs0 wrote:

    I've not seen the environment.plist used to provide a path profile before.

    It looks like this strain doesn't use environment.plist (hardly surprising).

    As I've said before, there's more than one person, and perhaps more than one group, behind this. These people have their own boards, where they exchange ideas, code, and techniques. And, as you said yourself, some of them, no doubt, are reading these posts as we speak.
