chadonline

Q: .rserv wants to connect to cuojshtbohnt.com

I have the message:

.rserv wants to connect to cuojshtbohnt.com

what is .rserv?  I googled it and couldn't locate anything legitimate.

thanks

MacBook Pro, Mac OS X (10.6.8)

Posted on Mar 31, 2012 3:18 PM

  • by Topher Kessler, Level 6 (9,866 points), Apr 7, 2012 4:38 PM in response to dianeoforegon

    dianeoforegon wrote:

    For Office 2004 users that are infected we are seeing this in their crash logs:

    dyld: could not load inserted library: /User/Shared/.libgmalloc.dylib

    After removing the file the system will still try to load the file whenever Office or other programs are launched, so you will have to reset the system so it does not try to load the file. To do this, run the following commands in the Terminal:

         defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

         launchctl unsetenv DYLD_INSERT_LIBRARIES

  • by MadMacs0, Level 5 (4,791 points), Apr 7, 2012 5:11 PM in response to lytic

    lytic wrote:

    Submit your Mac UUID to this Express-check form.

    Doctor Web will check if there was a connection from your computer to the botnet control server.

    First I wanted to pass on my thanks for providing this service to the Mac Community. It should prove to be very useful. But I do want to also make some observations concerning feedback I'm getting on this site. Sorry to do so in such a public manner, but I don't know any other way of communicating with you.

    I've had a couple of users get back to me saying that you did not find them in your database, therefore they were clean and going about business as usual. If I understand the methodology you used correctly then your database may contain as little as 5% of the 600,000 you estimated were infected at the time. If that is correct I think you need to add emphasis on the site that users who are not identified in your database need to take further steps to check, such as downloading Dr.Mac Light.

    Next, some of us are paranoid about entering identity information on any site for any reason. Nowhere on the web site is there a link to your privacy policy explaining to us what you will do with this information. Not a complete solution, but much better than nothing.

    Also, it doesn't comfort us to find that the url given is not https: (i.e. using SSL) so our UUID is being broadcast over the internet in the clear. I'm not aware of any way that such information can be exploited (other than what's currently going on with Flashback), nevertheless it's still identity information and sooner or later somebody will figure it out.

    And when I attempt to force SSL I get this:

    [screenshot: Picture 2.png]

    So if you can persuade the powers that be to update the site you'll turn a good service into a great one, IMHO.

  • by chadonline, Level 1 (0 points), Apr 7, 2012 5:50 PM in response to MadMacs0

    When I started this thread, I didn't know it would get this much attention. Could you please summarize where we are and what users like me would need to do?

    thank you!

  • by etresoft, Level 7 (29,320 points), Mac OS X, Apr 7, 2012 6:08 PM in response to MadMacs0

    What about those users who are identified in the database but don't have any malware?

  • by MadMacs0, Level 5 (4,791 points), Apr 7, 2012 7:42 PM in response to chadonline

    chadonline wrote:

    When I started this thread, I didn't know it would get this much attention. Could you please summarize where we are and what users like me would need to do?

    Wow, what does that say about this forum? A week and fourteen pages and we still haven't answered the OP's question?

    I'm afraid you may have opened the floodgates here, as there were about as many suggestions thrown out as there are participants now, except that many have been refined based on what we all learned.

    Not sure why you picked me. I don't recall what suggestions I may have made. I did summarize almost all the solutions I could find in some forum today, so I could repeat all that for you. I could also rummage through all 200+ entries and write up a summary for you or just rummage through all fourteen pages to see what you have done already, but it's Easter and my taxes are due and I think my time is worth more than yours right now, so how about at least telling us what it is you need. All I remember you asking was what was ".rserv"?

  • by MadMacs0, Level 5 (4,791 points), Apr 7, 2012 7:44 PM in response to etresoft

    etresoft wrote:

    What about those users who are identified in the database but don't have any malware?

    You evidently know something I don't. I think that would be a question for Dr. Web, wouldn't it?

  • by etresoft, Level 7 (29,320 points), Mac OS X, Apr 7, 2012 8:28 PM in response to MadMacs0

    MadMacs0 wrote:

    etresoft wrote:

    What about those users who are identified in the database but don't have any malware?

    You evidently know something I don't. I think that would be a question for Dr. Web, wouldn't it?

    https://discussions.apple.com/thread/3859741

    I initially got excited thinking someone would be able to test my checker/removal script against the real thing. I have tested it against a similar trojan I wrote myself, but a real test is always best.

    I have little interest in Dr. Web. I am interested in that 5% value. I'm very suspicious of this whole mess.

  • by fane_j, Level 4 (3,672 points), Apr 7, 2012 11:54 PM in response to etresoft

    etresoft wrote:

    I have created a user tip and malware checker/removal tool: https://discussions.apple.com/docs/DOC-3271

    A very useful script, but it will flag false positives, related to MobileMe, FaceTime, Google Chrome Update, and others. The default button will be "Keep", but that may be a little too subtle for some users. You may wish to add a note to that effect. Or perhaps, instead of offering an option to delete those executables, saving a list to a file or to clipboard.

  • by WZZZ, Level 6 (13,112 points), Mac OS X, Apr 8, 2012 6:25 AM in response to chadonline

    chadonline wrote:

    When I started this thread, I didn't know it would get this much attention. Could you please summarize where we are and what users like me would need to do?

    thank you!

    If you're looking for something that briefly -- I don't know of any one article that covers this in great depth -- sums up what is known overall about this attack, and bear in mind it may be changing as we speak:

    http://community.f-secure.com/t5/Protection/Flashback-Mac-OS-X-Remover/m-p/10887#M2223

    For possibly more complete information on detection, see also my post (courtesy of X423424X) in this thread:

    https://discussions.apple.com/thread/3859741?start=0&tstart=0

    If you need more, there are hundreds of topics all over the place about this.

  • by etresoft, Level 7 (29,320 points), Mac OS X, Apr 8, 2012 8:08 AM in response to fane_j

    fane_j wrote:

    etresoft wrote:

    I have created a user tip and malware checker/removal tool: https://discussions.apple.com/docs/DOC-3271

    A very useful script, but it will flag false positives, related to MobileMe, FaceTime, Google Chrome Update, and others. The default button will be "Keep", but that may be a little too subtle for some users.

    Absolutely. If the first character of the executable is ".", which means it is trying to hide, then the default button switches to "Delete".

    You may wish to add a note to that effect. Or perhaps, instead of offering an option to delete those executables, saving a list to a file or to clipboard.

    Unfortunately, due to the nature of the problem and my desire to keep everything transparent (downloading mystery programs to fix other mystery programs) I had to write the program in Applescript. Some professional software engineers have difficulty with Applescript. I can barely get it to do anything. I can't even get it to tell me if a file exists. I find Applescript far more difficult than C++ or Perl.

    Anyone with more expertise in Applescript is more than welcome to improve it. It's not that I don't want to improve it, I just don't have the ability or time.

  • by fane_j, Level 4 (3,672 points), Apr 8, 2012 4:26 PM in response to etresoft

    etresoft wrote:

    I can't even get it to tell me if a file exists.

    This should evaluate to true if <~/.MacOSX/environment.plist> exists.

    --script begins

    path to home folder from user domain as text

    exists (result & ".MacOSX:environment.plist") as alias

    --script ends
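
The persistence mechanism Topher Kessler's post describes (a dylib forced into every process through DYLD_INSERT_LIBRARIES in ~/.MacOSX/environment.plist), the file-existence check fane_j asks about, and etresoft's rule that a dot-prefixed executable is hiding, put together as one read-only check. This is an added example, not the thread's or etresoft's checker; it reads a plist path you pass in, so the sample plist is constructed in a temporary directory and the dylib path is the one quoted from the crash log above (assumed absent on the machine running it).

```python
# Added example (not code from the thread): report, never remove. Removal is
# the `defaults delete` / `launchctl unsetenv` step quoted in the thread.
import os
import plistlib
import tempfile


def check_environment_plist(plist_path):
    """Return (severity, message) findings for one environment.plist.

    A missing file is the normal, clean state on a Mac whose user never
    set per-session environment variables, so it yields no findings.
    """
    findings = []
    if not os.path.exists(plist_path):
        return findings
    with open(plist_path, "rb") as fh:
        env = plistlib.load(fh)
    inserted = env.get("DYLD_INSERT_LIBRARIES")
    if not inserted:
        return findings
    # The value is a colon-separated list of dylibs that dyld loads into
    # every process started in this user's session.
    for lib in inserted.split(":"):
        hidden = os.path.basename(lib).startswith(".")
        present = os.path.exists(lib)
        sev = "HIGH" if hidden else "WARN"  # dot-prefixed name: trying to hide
        msg = "DYLD_INSERT_LIBRARIES points at %s (%s; %s)" % (
            lib,
            "dot-prefixed, hidden" if hidden else "visible name",
            "file present" if present else "file missing, dyld still tries it")
        findings.append((sev, msg))
    return findings


def demo():
    """Constructed sample: a plist shaped like the infected one above."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "environment.plist")
    with open(p, "wb") as fh:
        # Path as quoted in the crash log in the thread (constructed sample).
        plistlib.dump({"DYLD_INSERT_LIBRARIES": "/User/Shared/.libgmalloc.dylib"}, fh)
    return check_environment_plist(p)


if __name__ == "__main__":
    for sev, msg in demo():
        print(sev, msg)
```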

  • by MadMacs0, Level 5 (4,791 points), Apr 8, 2012 4:47 PM in response to etresoft

    etresoft wrote:

    I have little interest in Dr. Web. I am interested in that 5% value. I'm very suspicious of this whole mess.

    I've re-thought that 5% figure. Even though I have not heard back from lytic, I think I misunderstood what was being said. If each infected Mac only contacts one of the 50-60 servers then capturing only three gives me a worst case of 5%. But in reading the articles from Dr. Web and Kaspersky, they seem to be saying that each Mac picks a rotational or perhaps random server each time it sends something out, in which case the three servers would only see 5% of the contacts, but ultimately close to 100% of the bots (assuming some get disabled before they get to one of the three). So maybe their database does contain almost 100% of all the infected machines that were out there since they started collecting, apparently on April 3.

  • by etresoft, Level 7 (29,320 points), Mac OS X, Apr 8, 2012 4:52 PM in response to MadMacs0

    MadMacs0 wrote:

    maybe their database does contain almost 100% of all the infected machines that were out there since they started collecting, apparently on April 3.

    Perhaps even more than 100%.

    Here is what a reputable anti-virus company says about the situation: http://www.symantec.com/security_response/writeup.jsp?docid=2011-093016-1216-99

  • by MadMacs0, Level 5 (4,791 points), Apr 8, 2012 5:06 PM in response to etresoft

    etresoft wrote:

    Here is what a reputable anti-virus company says about the situation: http://www.symantec.com/security_response/writeup.jsp?docid=2011-093016-1216-99

    Not sure why you find Symantec any more reputable, but I'll accept it as a data point. Be interesting to know if they have changed any of the numbers since September.

    The problem with all this is that most of the experts and almost all of the resources necessary to address this subject work for either an A-V vendor or the Government, and the latter isn't talking until they make an arrest. I follow SANS pretty closely as they seem to have some degree of expertise and independence, but since they sell training there is still an opportunity for them to market through exaggeration.

  • by dhnyprod, Level 1 (0 points), Apr 8, 2012 5:18 PM in response to MadMacs0

    Use the free program EasyFind Version 4.8.2 (4.8.2); it will find and delete.
