Apr 4, 2012 12:22 PM, in response to Matt Durben, by MadMacs0:
Matt Durben wrote:
2. Does the trojan itself change the URL it connects to? Or does it come with one fixed URL?
The bottom half of this blog from F-Secure, "Mac Flashback Exploiting Unpatched Java Vulnerability", explains how all that works.
Apr 4, 2012 12:41 PM, in response to MadMacs0, by Matt Durben:
... This in effect will inject binary2 into every application launched by the infected user. ...
Does that mean every application is infected? Even after deleting the files according to F-Secure?
Apr 4, 2012 12:44 PM, in response to chadonline, by Matt Durben:
The malware then creates a launch point by creating "~/.MacOSX/environment.plist", containing the following lines:
<key>DYLD_INSERT_LIBRARIES</key>
<string>/Users/Shared/.libgmalloc.dylib</string>
For some reason I didn't have an environment.plist even though I'm infection type 2.
Apr 4, 2012 12:54 PM, in response to Matt Durben, by MadMacs0:
Matt Durben wrote:
... This in effect will inject binary2 into every application launched by the infected user. ...
Does that mean every application is infected? Even after deleting the files according to F-Secure?
No, it injects the code into RAM after the app is launched, not onto the hard drive.
Apr 4, 2012 12:56 PM, in response to Matt Durben, by MadMacs0:
Matt Durben wrote:
The malware then creates a launch point by creating "~/.MacOSX/environment.plist", containing the following lines:
<key>DYLD_INSERT_LIBRARIES</key>
<string>/Users/Shared/.libgmalloc.dylib</string>
For some reason I didn't have an environment.plist even though I'm infection type 2.
One of us is confused. In this entry, "Re: .rserv wants to connect to cuojshtbohnt.com", you told us you did have it.
Apr 4, 2012 1:07 PM, in response to MadMacs0, by Matt Durben:
I haven't had the ~/.MacOSX/environment.plist.
Apr 4, 2012 1:09 PM, in response to Matt Durben, by lytic:
Matt Durben wrote:
1. I thought Creation Date: 03-apr-2012 means the first registered date ever. And there's no history but this entry.
2. Does the trojan itself change the URL it connects to? Or does it come with one fixed URL?
The three domain names that I mentioned before were registered by us. This helped us to estimate the size of the botnet.
Each subversion of BackDoor.Flashback.39 generates a list of C&C servers (about 50-60). We registered the first server in the list. Here is the second server according to subversion:
1 - vxvhwcixcxqxd.net
2 - cuojshtbohnt.net
4 - rfffnahfiywyd.net
LysaM, it's not registered yet.
Apr 4, 2012 1:16 PM, in response to Matt Durben, by MadMacs0:
Matt Durben wrote:
I haven't had the ~/.MacOSX/environment.plist.
Then how were you able to read it?
Matt Durben wrote:
defaults read ~/.MacOSX/environment
{
"DYLD_INSERT_LIBRARIES" = "/Users/Shared/.libgmalloc.dylib";
}
Does that mean I'm infected?
There's a 406kB .libgmalloc.dylib in the specified folder.
What exactly does this trojan do? Unfortunately I installed Little Snitch a few days after a strange program wanted to have my password to install something. I declined, but from what I read that does not matter?!
It had to have been there at the time.
Apr 4, 2012 1:20 PM, in response to MadMacs0, by Matt Durben:
Ah,
defaults read ~/.MacOSX/environment
{
"DYLD_INSERT_LIBRARIES" = "/Users/Shared/.libgmalloc.dylib";
}
was a quote from F-Secure.
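As an added example (not from the thread, F-Secure, or Apple): a small POSIX shell check for the DYLD_INSERT_LIBRARIES launch point quoted above. It parses a copy of ~/.MacOSX/environment.plist with plain text tools rather than `defaults read`, so it can be run over a plist collected from any machine; the sample plist and its temporary path are constructed here and are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's own commands. Inspects an XML plist for the
# DYLD_INSERT_LIBRARIES key that Flashback used as a per-user launch point.

# Print the library path(s) listed under DYLD_INSERT_LIBRARIES, one per line
# (the value may hold several paths separated by ':').
# Returns 0 if the key is present, 1 if it is absent or the file is missing.
dyld_insert_libs() {
    plist="$1"
    [ -f "$plist" ] || return 1
    # Flatten the file so <key>/<string> pairs split across lines still match.
    tr -d '\n' < "$plist" \
      | sed -n 's/.*<key>DYLD_INSERT_LIBRARIES<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p' \
      | tr ':' '\n' \
      | grep .
}

# Report each inserted library and whether it is still on disk.
# Returns 0 when a launch point exists (worth investigating), 1 when none.
check_launch_point() {
    libs=$(dyld_insert_libs "$1") || { echo "no DYLD_INSERT_LIBRARIES in $1"; return 1; }
    echo "$libs" | while IFS= read -r lib; do
        if [ -f "$lib" ]; then
            echo "INSERTED: $lib (present, $(wc -c < "$lib") bytes)"
        else
            echo "INSERTED: $lib (file missing; plist entry is stale)"
        fi
    done
    return 0
}

# Constructed sample plist mirroring the two lines quoted from F-Secure.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_PLIST="$SAMPLE_DIR/environment.plist"
cat > "$SAMPLE_PLIST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>DYLD_INSERT_LIBRARIES</key>
	<string>/Users/Shared/.libgmalloc.dylib</string>
</dict>
</plist>
EOF

check_launch_point "$SAMPLE_PLIST"
```

On a live Mac, point check_launch_point at ~/.MacOSX/environment.plist; a missing file simply reports no launch point.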
Apr 4, 2012 2:42 PM, in response to foodguylargo, by foodguylargo:
New Java update from Apple released today... Check Software Update!
Apr 4, 2012 2:56 PM, in response to foodguylargo, by MadMacs0:
foodguylargo wrote:
New Java update from Apple released today... Check Software Update!
That's yesterday's news, right?
Apr 4, 2012 3:10 PM, in response to foodguylargo, by HACKINT0SH:
I don't know if he's out of date, or if that means 2 updates already. Someone please confirm.
Apr 5, 2012 2:56 AM, in response to chadonline, by MadMacs0:
I'm sure we are all glad that so many folks with Little Snitch survived the attacks this weekend and that Apple has closed one of the doors on this thing, but for anybody that still feels this was no big deal: according to this article, http://news.cnet.com/8301-1009_3-57409619-83/, there are still over half a million Macs Flashback-infected (including 274 just down the street from where I sit), so I suspect our work has only begun here.
Apr 5, 2012 7:44 AM, in response to MadMacs0, by WZZZ:
Mad, I've asked you this in the Leopard forum already, so sorry for the duplication. Do you know if ClamX has got this thing covered, at least for the known variants through yesterday or the day before, perhaps?
I've got my son a bit worried now. I gave him all the places I know about to check and he comes up clean, but I may not know them all, so thought it might be wise to run an AV.
If not, do you know -- or anyone else, maybe -- if Intego's VirusBarrier X6, the demo version, will scan properly for this? I know they are claiming the full version, at least, can.
Apr 5, 2012 8:22 AM, in response to nosoloe, by nosoloe:
Well, I wasn't going to reinstall my system, but now I'm seeing this "music manager" window pop up/under. It comes up for about 5 seconds and disappears. The window looks like a recently downloaded app window with Google's Music Manager. I do have Music Manager installed, but I downloaded that a long time ago. This has been a little frustrating, to say the least.