Spinland

Q: Question about Flashback.K Trojan

On this instructional post:

http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

The initial instructions are:

  • 1. Run the following command in Terminal:

    ls -lA ~/Library/LaunchAgents/

  • 2. Take note of the filename. Proceed only when you have one file. Otherwise contact our customer care.

 

I ran the indicated command and encountered this output:

Node00:~ mdyson$ ls -lA ~/Library/LaunchAgents/
total 64
-rw-r--r--  1 mdyson  staff  697 Nov 15 10:19 com.adobe.AAM.Updater-1.0.plist
-rw-r--r--  1 mdyson  staff  574 Dec  1 17:51 com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist
-rw-r--r--  1 mdyson  staff  618 Nov 14 17:54 com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.1A4046BE-D44F-4F2D-B3C7-FD38ED0EF401.plist
-rw-r--r--  1 mdyson  staff  889 Nov 14 17:25 com.apple.CSConfigDotMacCert-mdyson@me.com-SharedServices.Agent.plist
-rw-r--r--  1 mdyson  staff  425 Dec 22 13:36 com.apple.FolderActions.enabled.plist
-rw-r--r--  1 mdyson  staff  517 Dec 22 13:36 com.apple.FolderActions.folders.plist
-rw-r--r--@ 1 mdyson  staff  803 Jan  7 13:43 com.google.keystone.agent.plist
-rw-r--r--@ 1 mdyson  staff  543 Jan 30 10:58 ws.agile.1PasswordAgent.plist
Node00:~ mdyson$

In item 2, based on multiple results, my apparent next step would be to contact "our customer care", but I am not an F-Secure customer, and instructions as to exactly whom and how I am to contact are lacking. For various reasons I did have Java installed and enabled in Safari.

Based on the above output, should I even be worried?

Thanks in advance!

MacBook Pro 17, Mac OS X (10.7), Mac Mini Server; Time Capsule

Posted on Apr 3, 2012 7:16 AM

  • by Frank Caggiano, Helpful
    Frank Caggiano, Level 7 (25,796 points), Apr 3, 2012 8:19 AM in response to Spinland

    You're running Lion; by default Java is not installed in Lion. Did you install Java?

    If you're not sure, open a Terminal and enter

    java -version

    If Java is installed you'll get a version number; if it is not installed you'll be asked if you want to install it. Don't.

    If it is not installed you don't need to worry about this trojan. If it is installed, post back.

  • by Spinland
    Spinland, Level 1 (54 points), Mac OS X, Apr 3, 2012 8:22 AM in response to Frank Caggiano

    java version "1.6.0_29"
    Java(TM) SE Runtime Environment (build 1.6.0_29-b11-402-11D50)
    Java HotSpot(TM) 64-Bit Server VM (build 20.4-b02-402, mixed mode)

    I had to do a little Java development a while back and never uninstalled it when I was done.

  • by Frank Caggiano
    Frank Caggiano, Level 7 (25,796 points), Apr 3, 2012 8:42 AM in response to Spinland

    Then turning off java in your browser is recommended.

  • by Spinland
    Spinland, Level 1 (54 points), Mac OS X, Apr 3, 2012 8:48 AM in response to Frank Caggiano

    Already done. I just wanted to reassure myself the damage hadn't already been done, and the f-secure how-to linked by so many blogs seemed to be a dead end for me, based on their instructions quoted above.

  • by gfburke11
    gfburke11, Level 1 (0 points), Apr 3, 2012 10:15 AM in response to Spinland

    The F-secure post isn't that clear; what I did was run the defaults check on each of the four files in my LaunchAgents dir, like so:

    MBP:~$ defaults read ~/Library/LaunchAgents/com.apple.SafariBookmarksSyncer.plist

    ProgramArguments(
       "/Applications/Safari.app/Contents/SafariSyncClient.app/Contents/MacOS/SafariSyncClient",
       "--sync",
       "com.apple.Safari",
       "--entitynames",
       "com.apple.bookmarks.Bookmark,com.apple.bookmarks.Folder"
    )

    The F-secure post advises you to look in the initial path of the LaunchAgents files' ProgramArguments for a leading dot ('.'), indicating that it's pointing to some malware hidden in that directory. But further on in the document it advises you to run these shell commands:

    SHELL COMMAND: defaults read /Applications/Safari.app/Contents/Info LSEnvironment

    2012-04-03 12:57:55.786 defaults[13101:707]
    The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist

    SHELL COMMAND: defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

    2012-04-03 12:58:11.147 defaults[13102:707]
    The domain/default pair of (/Users/gburke/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist

    If you get those "do not exist" errors then you're probably in the clear. At least, that's what I inferred from reading that F-secure doc.
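The three checks gfburke11 walks through above (a LaunchAgent whose ProgramArguments point into a hidden dot-directory, a DYLD_INSERT_LIBRARIES entry under LSEnvironment in Safari's Info.plist, and a DYLD_INSERT_LIBRARIES key in ~/.MacOSX/environment.plist) can be run in one pass instead of reading each `defaults` result by eye. The script below is an added example written for this page; it is not F-Secure's tool and nothing in the thread contains it. It parses property lists with Python's standard plistlib rather than calling `defaults`, so it runs on any platform, and it builds a constructed sample tree in a temporary directory (every plist name, program path and the injected library path inside build_sample_tree is made up for the demonstration) rather than touching a real home directory. To use it on a real Mac, call run_checks(os.path.expanduser("~")), which then reads /Applications/Safari.app/Contents/Info.plist.

```python
"""Automate the three Flashback.K indicator checks discussed in this thread.

Added example for this page, not F-Secure's tool. It parses plists with the
standard library instead of shelling out to `defaults`, so it runs anywhere;
all sample data below is constructed for the demonstration.
"""
import os
import plistlib
import tempfile

SAFARI_INFO = "/Applications/Safari.app/Contents/Info.plist"


def hidden_component(path):
    """True if any path component is a dot-file or dot-directory ('.'
    and '..' are ordinary relative components, not hidden names)."""
    return any(p.startswith(".") and p not in (".", "..") for p in path.split("/"))


def load_plist(path):
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def suspicious_launch_agents(agents_dir):
    """Check 1: agents whose Program/ProgramArguments point into a hidden path.
    Returns (plist name, offending argument) pairs; unreadable files are
    reported rather than aborting the sweep."""
    findings = []
    if not os.path.isdir(agents_dir):
        return findings
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        try:
            data = load_plist(os.path.join(agents_dir, name))
        except Exception as exc:
            findings.append((name, "unreadable: %s" % exc))
            continue
        candidates = list(data.get("ProgramArguments") or [])
        if data.get("Program"):
            candidates.insert(0, data["Program"])
        for arg in candidates:
            if isinstance(arg, str) and hidden_component(arg):
                findings.append((name, arg))
    return findings


def injected_library(plist_path, container_key=None):
    """Checks 2 and 3: the DYLD_INSERT_LIBRARIES value, read either from the
    top level (container_key=None, as in ~/.MacOSX/environment.plist) or from
    a nested dictionary such as LSEnvironment in Safari's Info.plist. None is
    the clean case that `defaults read` reports as 'does not exist'."""
    if not os.path.isfile(plist_path):
        return None
    data = load_plist(plist_path)
    env = data.get(container_key) if container_key else data
    if not isinstance(env, dict):
        return None
    return env.get("DYLD_INSERT_LIBRARIES")


def run_checks(home, safari_info=SAFARI_INFO):
    return {
        "launch_agents": suspicious_launch_agents(os.path.join(home, "Library", "LaunchAgents")),
        "safari_lsenvironment": injected_library(safari_info, "LSEnvironment"),
        "user_environment": injected_library(os.path.join(home, ".MacOSX", "environment.plist")),
    }


def write_plist(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        plistlib.dump(data, fh)


def sample_safari_info(root):
    return os.path.join(root, "Applications", "Safari.app", "Contents", "Info.plist")


def build_sample_tree(root):
    """Constructed sample data (not real artifacts): one clean and one
    suspicious LaunchAgent, a Safari Info.plist carrying an injected library,
    and a user environment.plist with nothing injected."""
    agents = os.path.join(root, "Library", "LaunchAgents")
    write_plist(os.path.join(agents, "com.example.updater.plist"), {
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/ExampleAgent", "-runMode", "ifneeded"]})
    write_plist(os.path.join(agents, "com.example.hidden.plist"), {
        "Label": "com.example.hidden", "RunAtLoad": True,
        "ProgramArguments": ["/Users/sample/.hidden/helper", "-x"]})
    write_plist(sample_safari_info(root), {
        "CFBundleIdentifier": "com.apple.Safari",
        "LSEnvironment": {"DYLD_INSERT_LIBRARIES": "/Users/sample/.libinjected.dylib"}})
    write_plist(os.path.join(root, ".MacOSX", "environment.plist"), {"PATH": "/usr/bin:/bin"})


def demo():
    """Build the constructed tree in a temp dir and run all three checks."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return run_checks(tmp, sample_safari_info(tmp))


if __name__ == "__main__":
    for check, result in demo().items():
        print("%-22s %s" % (check, result if result else "clean"))
```

A hit from the first check is a lead, not a verdict: some legitimate agents do run helpers out of dot-directories, so read the path before deleting anything. Likewise, three clean results only mean the indicators listed on the F-Secure page are absent, which is exactly what the two "does not exist" messages above tell you.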

  • by Spinland
    Spinland, Level 1 (54 points), Mac OS X, Apr 3, 2012 10:25 AM in response to gfburke11

    Yeah; I also elected in the end just to use the follow-on command on all of the reported launch agent lines, one by one, and then press on to the rest of the how-to. I got the "do not exist" result also, so I think I'm good.

  • by etresoft
    etresoft, Level 7 (29,233 points), Mac OS X, Apr 3, 2012 10:48 AM in response to Spinland

    Just because one anti-virus company claims there is some malware in existence doesn't mean it is actually true. They are in the business to sell fear and software. Even if we assume this exploit actually does exist, your chances of getting it are infinitesimally small. If you turn Java off in your web browser, then your chances are zero. If you haven't even installed Java at all, then less than zero.

    Those instructions are just bogus. All they want you to do is call them so they can sell you more fear and software. It is perfectly normal to have any number of files in that directory.

    At this point, there is a greater risk of damaging your system by incorrectly removing legitimate software and getting ripped off than there is of getting any virus.

    Just turn off Java; that is all you need to do. And pass the word.

  • by HACKINT0SH
    HACKINT0SH, Level 5 (5,774 points), iLife, Apr 3, 2012 11:21 AM in response to etresoft

    etresoft wrote:

    Just because one anti-virus company claims there is some malware in existence doesn't mean it is actually true. They are in the business to sell fear and software.

    100% true to what etresoft just said.

    Also keep in mind that false positives are infamous in this kind of software.

  • by MadMacs0
    MadMacs0, Level 5 (4,791 points), Apr 3, 2012 2:33 PM in response to etresoft

    etresoft wrote:

    Just because one anti-virus company claims there is some malware in existence doesn't mean it is actually true. They are in the business to sell fear and software. Even if we assume this exploit actually does exist, your chances of getting it are infinitesimally small.

    Tell that to all the folks we struggled with this weekend who were smart enough to have installed Little Snitch, which in this case prevented the installation phase (.rserv wants to connect to cuojshtbohnt.com). How many folks who don't use Little Snitch are now infected?

    In any case, Apple has released version 31, so if you haven't taken other steps, launch Software Update now.

  • by HACKINT0SH
    HACKINT0SH, Level 5 (5,774 points), iLife, Apr 3, 2012 7:23 PM in response to MadMacs0

    You will find in the Safari forums that Little Snitch is one of the main causes of never-ending problems over there. It's certainly done more harm than good.

    Can't say I had a problem this weekend, despite not running Little Snitch.

  • by Lanny
    Lanny, Level 5 (7,952 points), Desktops, Apr 3, 2012 7:31 PM in response to Spinland

    Check Software Update for a Java update.

  • by etresoft
    etresoft, Level 7 (29,233 points), Mac OS X, Apr 3, 2012 8:33 PM in response to HACKINT0SH

    HACKINT0SH wrote:

    You will find in the Safari forums that Little Snitch is one of the main causes of never-ending problems over there. It's certainly done more harm than good.

    This is a support forum. You will find problems anywhere you look. Little Snitch is not the cause of any of them.

  • by jsd2
    jsd2, Level 5 (6,210 points), Apr 3, 2012 9:00 PM in response to HACKINT0SH

    It's been relatively quiet here in the Lion forum, presumably because most Lion users don't have Java installed. However, Java is installed by default in Snow Leopard, and Snow Leopard also has a "canary in a coal mine" early warning system that is not available in Lion: the presence of PPC apps, which don't run after a "drive-by" Flashback infection. The result has been a flurry of activity in the Snow Leopard forum. These very recent Snow Leopard threads involved an operational problem directly shown to be caused by a Flashback variant, with no role played by anti-viral software:

    Application began unexpectedly quitting
    Unexpectedly quit problem
    "Rosetta" applications suddenly stopped working
    Skype won't open
    Freehand not opening - Rosetta installed?
    Office 2004 unexpectedly quits
    Please Help! Finder is displaying strange codes such as N80 and N201

  • by MadMacs0
    MadMacs0, Level 5 (4,791 points), Apr 3, 2012 9:03 PM in response to HACKINT0SH

    HACKINT0SH wrote:

    Can't say I had a problem this weekend, despite not running Little Snitch.

    Interestingly enough, you would probably not notice any problems unless you did.
