Spinland

Q: Question about Flashback.K Trojan

On this instructional post:

http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

The initial instructions are:

1. Run the following command in Terminal:

   ls -lA ~/Library/LaunchAgents/

2. Take note of the filename. Proceed only when you have one file. Otherwise contact our customer care.

I ran the indicated command and encountered this output:

Node00:~ mdyson$ ls -lA ~/Library/LaunchAgents/
total 64
-rw-r--r--  1 mdyson  staff  697 Nov 15 10:19 com.adobe.AAM.Updater-1.0.plist
-rw-r--r--  1 mdyson  staff  574 Dec  1 17:51 com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist
-rw-r--r--  1 mdyson  staff  618 Nov 14 17:54 com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.1A4046BE-D44F-4F2D-B3C7-FD38ED0EF401.plist
-rw-r--r--  1 mdyson  staff  889 Nov 14 17:25 com.apple.CSConfigDotMacCert-mdyson@me.com-SharedServices.Agent.plist
-rw-r--r--  1 mdyson  staff  425 Dec 22 13:36 com.apple.FolderActions.enabled.plist
-rw-r--r--  1 mdyson  staff  517 Dec 22 13:36 com.apple.FolderActions.folders.plist
-rw-r--r--@ 1 mdyson  staff  803 Jan  7 13:43 com.google.keystone.agent.plist
-rw-r--r--@ 1 mdyson  staff  543 Jan 30 10:58 ws.agile.1PasswordAgent.plist
Node00:~ mdyson$

In item 2, based on multiple results, my apparent next step would be to contact "our customer care" but I am not an F-Secure customer and instructions as to exactly whom and how I am to contact them are lacking. For various reasons I did have Java installed and enabled in Safari.

Based on the above output should I even be worried?

Thanks in advance!

MacBook Pro 17, Mac OS X (10.7), Mac Mini Server; Time Capsule

Posted on Apr 3, 2012 7:16 AM

  • by MadMacs0, Apr 3, 2012 9:09 PM in response to jsd2
    Level 5 (4,791 points)

    jsd2 wrote:

    Snow Leopard has a "canary in a coal mine" early warning system that is not available in Lion - the presence of PPC apps which don't run after a "drive-by" Flashback infection.

    Which only happens with a "Type 2" infection. If you are foolish enough to give up your admin password to a phoney Software Update dialog, then that warning system doesn't work as only Safari gets infected, as far as anybody knows. I don't recall seeing any Type 1 infections yet, so I don't know what the tell-tale signs are there.

  • by MadMacs0 (Helpful), Apr 3, 2012 9:24 PM in response to Spinland
    Level 5 (4,791 points)

    Spinland wrote:

    ...

    Based on the above output should I even be worried?

    Based on the installation dates I see, probably not. The earliest I have heard of this particular malware installing anything was March 15, I believe.

    Are you having issues that make you suspect something's going on?
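As an added example (not part of the thread, and not F-Secure's own tooling), the shell snippet below automates the two checks this thread relies on: counting the plists in a LaunchAgents directory, as step 2 of the F-Secure instructions asks, and listing the entries modified after a cut-off date, following MadMacs0's observation that nothing from this malware was seen installing before March 15. The function names (count_launch_agents, agents_modified_since, triage_report) are this example's own, the sample directory is constructed to mirror the poster's listing with years assumed from the posting date, and the com.example.constructed-recent.plist entry is invented so that the date check has something to report.

```shell
#!/bin/sh
# Added example, not from the thread or from F-Secure's write-up: a small
# triage helper for the "ls -lA ~/Library/LaunchAgents/" step. It counts the
# launch-agent plists in a directory and lists the ones modified after a
# cut-off, applying the reply's observation that this malware was not seen
# installing anything before mid-March 2012. The sample directory below is
# constructed to mirror the poster's listing (years assumed from the posting
# date); run the two functions against ~/Library/LaunchAgents for a real check.

# count_launch_agents DIR -> prints the number of regular *.plist files in DIR
count_launch_agents() {
    find "$1" -maxdepth 1 -type f -name '*.plist' | wc -l | tr -d ' '
}

# agents_modified_since DIR YYYYMMDDhhmm -> prints, sorted, the plist names in
# DIR whose modification time is later than the given timestamp
agents_modified_since() {
    dir=$1
    stamp=$2
    ref=$(mktemp)                 # scratch file carrying the cut-off mtime
    touch -t "$stamp" "$ref"
    find "$dir" -maxdepth 1 -type f -name '*.plist' -newer "$ref" \
        | sed 's#.*/##' | sort
    rm -f "$ref"
}

# Constructed sample directory: the eight entries from the poster's listing
# plus one obviously named extra entry dated after the cut-off, so the
# date check has something to report.
SAMPLE_DIR=$(mktemp -d)
while read -r name stamp; do
    printf '<?xml version="1.0"?>\n<plist version="1.0"/>\n' > "$SAMPLE_DIR/$name"
    touch -t "$stamp" "$SAMPLE_DIR/$name"
done <<'EOF'
com.adobe.AAM.Updater-1.0.plist 201111151019
com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist 201112011751
com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.1A4046BE-D44F-4F2D-B3C7-FD38ED0EF401.plist 201111141754
com.apple.CSConfigDotMacCert-mdyson@me.com-SharedServices.Agent.plist 201111141725
com.apple.FolderActions.enabled.plist 201112221336
com.apple.FolderActions.folders.plist 201112221336
com.google.keystone.agent.plist 201201071343
ws.agile.1PasswordAgent.plist 201201301058
com.example.constructed-recent.plist 201203201200
EOF

# triage_report DIR -> human-readable summary of both checks
triage_report() {
    n=$(count_launch_agents "$1")
    echo "launch agents in $1: $n"
    if [ "$n" -eq 1 ]; then
        echo "one file: this is the case F-Secure's step 2 expects"
    else
        echo "$n files: review each entry by name and date instead"
    fi
    echo "entries modified after 2012-03-14 23:59:"
    # March 14, 23:59 as the reference, so anything from March 15 on is listed
    agents_modified_since "$1" 201203142359
}

triage_report "$SAMPLE_DIR"
```

Against the constructed directory the count is nine, so the report takes the "review each entry" branch, and only the invented March 20 entry is listed after the cut-off; the poster's real entries all predate it, which is the reasoning behind the "probably not" above.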

  • by Spinland (Solved answer), Apr 4, 2012 5:20 AM in response to MadMacs0
    Level 1 (54 points)
    Mac OS X

    As far as pooh-poohing the severity of this issue, I think it's time to get real. Apple obviously took it seriously, as evidenced by their fast-tracking this Java update. And given the security company who raised the red flag is also demonstrably trying hard to make information freely available so people can act, ascribing sinister motives seems just silly.

    @MadMacs0: Thanks, your insight as to the dates was helpful validation of my opinion. Also, all of the entries track back to software I recognize and installed myself. I was probably just being overly nervous after hearing of this trojan and, when I saw some beachballs when it seemed my dual-core i7 machine with 8GB of RAM should be handling a job without breaking a sweat, I got paranoid.

    I've never knowingly gone to a "dodgy" web site, don't mess with torrent crap, and I went through the rest of the steps posted on that security site and came up clean so far as I can tell. I'm satisfied this has passed me by. Java is disabled by default on Safari and I just installed the new update.

    Thanks to all!
