100 Replies Latest reply: Apr 22, 2012 12:44 AM by Ramón Tech
jo823 Level 1 Level 1 (0 points)

Does anyone have any info about how accurate the Flashback checker from Dr Web is? http://public.dev.drweb.com/april

When I enter my Hardware UUID into the tool I get the following response:

probably infected by Backdoor.Flashback.39 !

Timestamp of the first access: 2012-04-03 21:27:19
Timestamp of the last access: 2012-04-06 17:48:52

However when I follow the instructions from the F-Secure website to locate and remove the virus (http://community.f-secure.com/t5/Protection/Flashback-Mac-OS-X-Remover/m-p/10887 #M2223) using Terminal, I get the files "do not exist" responses.

I haven't experienced any issues with my computer but figured I'd check to be certain, and now I'm not sure how to proceed.


MacBook Pro, Mac OS X (10.6.8)
  • 1. Re: Dr Web Flashback Virus checker accurate?
    rccharles Level 5 Level 5 (5,370 points)

    General advice:

    Security overview by klaus1

    https://discussions.apple.com/docs/DOC-2472

    Security update.

    http://support.apple.com/kb/HT1222

    Here is a post about the flash malware.

    https://discussions.apple.com/thread/3857036?tstart=0

    Robert

  • 2. Re: Dr Web Flashback Virus checker accurate?
    WZZZ Level 6 Level 6 (12,225 points)

    Dr. Web might be more up to date.

  • 3. Re: Dr Web Flashback Virus checker accurate?
    ds store Level 7 Level 7 (30,305 points)

    Copy and paste the required info into Dr. Web and try again.

    There are checks one can perform to see

    1: If any of their machines have been seen on the Flashback botnet

    http://public.dev.drweb.com/april/

    2: Terminal commands to see if their machine is infected (use copy and paste, then press enter)

    https://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

    3: Preventative methods to avoid becoming infected.

    Update Java via Software Update.

    Disable Java in all your web browsers' preferences (notice Java is not Javascript)

    Check your status of all browser plug-ins

    https://www.mozilla.org/en-US/plugincheck/

    Firefox + NoScript add-on + Temp Allow All Button on Firefox's toolbar to turn on scripts only on sites you trust.

    Learn how to make bootable clones, this way a complete erase can occur and a reverse clone done.

    https://discussions.apple.com/community/notebooks/macbook_pro?view=documents

    4: Resources if one is infected

    Data Recovery, wiping entire machine, reinstalling OS X, returning clean files, etc.

    https://discussions.apple.com/community/notebooks/macbook_pro?view=documents

  • 4. Re: Dr Web Flashback Virus checker accurate?
    jo823 Level 1 Level 1 (0 points)

    Thanks, I re-tried the Dr Web check several times and keep getting the same response that it's "probably infected".

    However when I check the Terminal commands (as you noted in step 2 above from F-Secure), I still get the results "does not exist" or "no such file or directory".

    Reading the Additional Details section on F-Secure I noticed:

    Infection Type 2

    In cases where the user did not input their administrator password, the malware checks if the following path exists in the system:

    • /Applications/Microsoft Word.app
    • /Applications/Microsoft Office 2008
    • /Applications/Microsoft Office 2011
    • /Applications/Skype.app

    If any of these are found, the malware again skips the rest of its routine and proceeds to delete itself, presumably to avoid infecting a system that has an incompatible application installed.

    I do have Microsoft Office 2008 installed on this Mac, anyone think it's possible that the malware was downloaded but deleted itself as a result of MS Office being installed?  Could that be the reason the Dr. Web tool says "probably infected" but I can't find the files using Terminal?

  • 5. Re: Dr Web Flashback Virus checker accurate?
    WZZZ Level 6 Level 6 (12,225 points)

    Try running these commands courtesy of X423424X. The formatting here is breaking one of the lines. Be sure to copy/paste it in.

    Here's what I am suggesting as a rudimentary test for some of the known strains of the flashback trojans.  Open a terminal window and copy/paste each of the following lines hitting return after each one and note the results:

    defaults read ~/.MacOSX/environment

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

    ls -la ~/Library/LaunchAgents

    grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* | grep -v "/Users/$USER/\.Trash"

    For the two defaults commands, if you get anything other than a "does not exist" error message post the results since you are almost certainly infected.

    The third command, ls, just lists the contents of your LaunchAgents, if any.  That's additional info to be used in conjunction with the last grep command.  If the grep shows any results then that too may indicate infection and again post its results.

    And these two as well.

    defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

  • 6. Re: Dr Web Flashback Virus checker accurate?
    jo823 Level 1 Level 1 (0 points)

    For all 4 defaults commands listed, I get the "does not exist" response.  Not sure about the Launch Agents list however:

    <Edited By Host>

  • 7. Re: Dr Web Flashback Virus checker accurate?
    rccharles Level 5 Level 5 (5,370 points)

    You sure you do not want these commands in quotes?

    defaults read "/Applications/Safari.app/Contents/Info LSEnvironment"

    defaults read "/Applications/Firefox.app/Contents/Info LSEnvironment"

    defaults read "/Applications/Safari.app/Contents/Info LSEnvironment"

    looks like there is a space after the Info.

    Robert

  • 8. Re: Dr Web Flashback Virus checker accurate?
    etresoft Level 7 Level 7 (24,270 points)

    jo823 wrote:

    Does anyone have any info about how accurate the Flashback checker from Dr Web is? http://public.dev.drweb.com/april

    When I enter my Hardware UUID into the tool I get the following response:

    probably infected by Backdoor.Flashback.39 !

    Timestamp of the first access: 2012-04-03 21:27:19
    Timestamp of the last access: 2012-04-06 17:48:52

    However when I follow the instructions from the F-Secure website to locate and remove the virus (http://community.f-secure.com/t5/Protection/Flashback-Mac-OS-X-Remover/m-p/10887 #M2223) using Terminal, I get the files "do not exist" responses.

    I haven't experienced any issues with my computer but figured I'd check to be certain, and now I'm not sure how to proceed.

    I have created a user tip and malware checker/removal tool: https://discussions.apple.com/docs/DOC-3271

    I would love to find out what the results are if you run this program. If it returns clean, perhaps there is something fishy in Russia.

  • 9. Re: Dr Web Flashback Virus checker accurate?
    jo823 Level 1 Level 1 (0 points)

    Ok, I re-ran with those commands in quotes and got the same responses.

    Thanks etresoft, I was able to download your malware checker tool and it responded "You don't seem to have any malware problems".  Think I'm ok?

    <Edited By Host>

  • 10. Re: Dr Web Flashback Virus checker accurate?
    etresoft Level 7 Level 7 (24,270 points)

    jo823 wrote:

    Thanks etresoft, I was able to download your malware checker tool and it responded "You don't seem to have any malware problems".  Think I'm ok?

    I think you're fine, but my skepticism of the Dr. Web story has made me unpopular in certain circles.

    I have asked the hosts to remove your posts with your name in them. If you really have disproved the Dr. Web story, you might not be very popular either.

    I have saved a copy of this thread and can provide a sanitized copy of the logs if anyone wants to see.

    Enjoy! And thanks for the update!

  • 11. Re: Dr Web Flashback Virus checker accurate?
    jo823 Level 1 Level 1 (0 points)

    Thanks a bunch, I really appreciate everyone's help.  etresoft-thanks for also having my posts edited, I was so concerned about the stupid virus I didn't even think about my personal info.

  • 12. Re: Dr Web Flashback Virus checker accurate?
    BDAqua Level 10 Level 10 (116,480 points)

    I'm wondering since Dr Web is using the UUID, that it's just not a case that there's a duplicate UUID out there that is infected... I seem to remember, (not very well), some duplicate UUID problem from a couple of years back?

  • 13. Re: Dr Web Flashback Virus checker accurate?
    MadMacs0 Level 4 Level 4 (3,735 points)

    ds store wrote:

    2: Terminal commands to see if their machine is infected (use copy and paste, then press enter)

    https://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

    Latest is https://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

  • 14. Re: Dr Web Flashback Virus checker accurate?
    MadMacs0 Level 4 Level 4 (3,735 points)

    jo823 wrote:

    When I enter my Hardware UUID into the tool I get the following response:

    probably infected by Backdoor.Flashback.39 !

    Timestamp of the first access: 2012-04-03 21:27:19
    Timestamp of the last access: 2012-04-06 17:48:52

    Sorry I'm late to the party, but I have way too much going on right now for this...

    My first observation is that this is very recent. As I recall everything we were watching last weekend was installed something like March 23 to March 28. Perhaps we are dealing with an as yet un-named variant.

    Next, from what I understand about this database, all it knows is that something with an identifier that includes an encrypted identifier that includes a UUID is trying to contact one of three Command & Control servers. It has no idea whether or not that Mac has any other files installed, just that one or more steps in the installation process has taken place. That's why they say "probably infected." We've been told that if the process finds certain software installed on that Mac it will abort the process and destroy itself, but I suppose something could go wrong with the destruction leaving the communications module active.

    Last weekend we were alerted to the situation by users who had Little Snitch installed and practically nobody that didn't have it complained. If this is new, I'm sure they have found a way to eliminate the Little Snitch canary again.

    Perhaps some details have been deleted, but there's a lot I don't know about your situation. Do you have Little Snitch installed? Do you recall seeing any dialogs requesting your admin password, certificate approval, anything unusual around the date and time (although I'm not sure I know what time zone Dr. Web is using) they first heard something purportedly from your Mac? If so, do you remember whether you approved or dismissed that dialog?

    I've scanned through all the tests that were run and they all seemed to have focused on removing a full infection. You've told us that you have Office 2008 installed, so a Type 2 infection probably could not have happened. I think we can rule out a Type 1 infection from the "K" variant, so again it may be a new one or it aborted and left something behind. I've tried to check all the commands and probably overlooked it, but did anybody check for a hidden executable in the home folder (I doubt that I remember them all from last week but we had .rserv, .mkeeper, .jupdate and I'm sure several others)? I know there were some checks for LaunchAgents, but can't be sure they would have revealed one installed around that date.

    And yes, I can't dismiss the possibility that Dr. Web is wrong or that duplicate UUIDs exist. Just thought it might be worth looking a little harder at this since it's apparently our first effort at a Dr. Web positive and possibly something new that we won't read about until the bloggers get back to work after their Easter weekend.
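The Terminal checks WZZZ lists in reply 5 and the hidden home-folder executables MadMacs0 names in reply 14, folded into one script as an added example (not code from the thread, from F-Secure or from Dr. Web). It takes the home and Applications directories as arguments so it can be run against a constructed test tree, greps the plist files instead of calling `defaults` (so the plists must be XML), and returns non-zero when any indicator is present.

```shell
#!/bin/sh
# Added example: portable version of the thread's Flashback checks.
# Usage on a real Mac: flashback_check "$HOME" /Applications
# Plists are grepped directly rather than read with `defaults`, so binary
# plists would first need `plutil -convert xml1`.
flashback_check() {
    home="$1"; apps="$2"; found=0
    # 1. ~/.MacOSX/environment.plist (the "defaults read ~/.MacOSX/environment"
    #    check): a DYLD_INSERT_LIBRARIES entry there is injected into every
    #    process the user starts, which is how Flashback persisted.
    env_plist="$home/.MacOSX/environment.plist"
    if [ -f "$env_plist" ] && grep -q DYLD_INSERT_LIBRARIES "$env_plist"; then
        echo "SUSPICIOUS: $env_plist sets DYLD_INSERT_LIBRARIES"; found=1
    fi
    # 2. LSEnvironment in Safari's or Firefox's Info.plist (the
    #    "defaults read .../Contents/Info LSEnvironment" check; note the path
    #    and the key are two separate arguments to defaults). A clean
    #    Info.plist has no LSEnvironment key at all.
    for app in Safari Firefox; do
        info="$apps/$app.app/Contents/Info.plist"
        if [ -f "$info" ] && grep -q LSEnvironment "$info"; then
            echo "SUSPICIOUS: $info contains LSEnvironment"; found=1
        fi
    done
    # 3. LaunchAgents that point at a hidden file in the home folder (the
    #    thread's grep, with references to .Trash excluded the same way).
    agents="$home/Library/LaunchAgents"
    for f in "$agents"/*; do
        [ -f "$f" ] || continue
        if grep "$home/\.[^/]*" "$f" | grep -qv "$home/\.Trash"; then
            echo "SUSPICIOUS: $f references a hidden file in $home"; found=1
        fi
    done
    # 4. Hidden executables MadMacs0 recalls from the earlier variants.
    for name in .rserv .mkeeper .jupdate; do
        [ -e "$home/$name" ] && { echo "SUSPICIOUS: $home/$name exists"; found=1; }
    done
    # 5. Informational only: per the F-Secure text quoted in reply 4, the
    #    installer aborts and deletes itself when one of these is present.
    for app in "Microsoft Word.app" "Microsoft Office 2008" "Microsoft Office 2011" "Skype.app"; do
        [ -e "$apps/$app" ] && echo "INFO: $apps/$app present (installer would have aborted)"
    done
    [ "$found" -eq 0 ] && echo "No Flashback indicators found"
    return "$found"
}
```

A clean machine prints only the INFO lines (if any) and exits 0; every SUSPICIOUS line is a file to inspect, not proof of infection on its own.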
