how to find if you are affected by a malware program?

2239 Views 24 Replies Latest reply: Apr 8, 2012 12:17 PM by nerowolfe
  • X423424X Level 6 (14,190 points)

    etresoft wrote:

    Marco g wrote:

    I posted this in another threat, if anybody is interested:

    Another threat? A little Freudian slip there, eh?

    Seems to be a lot of that going around these days. I just accused another user of the exact same thing.

    stevejobsfan0123 wrote:

    I actually heard that the trojan will check for programs like Little Snitch, and delete itself if any of these are found to prevent it from being detected (I think I read that on Cnet). True?

    No. This newer variant, which installs a launchagent to launch a chunk of code (~/.filename, where filename has various names), is not as sneaky as the other flashback trojans (probably a different group writing this one). It doesn't check for Little Snitch, and Little Snitch will jump all over that code when it attempts to call out. If I recall, that is how it called attention to itself in the first place. Good ol' LS!

  • Topher Kessler Level 6 (9,305 points)

    Some variants will check for this, but do not rely on this as a means of protection. The latest variants will bypass such checks and continue installing, even though some others will delete themselves. Relying on such action is like trusting a serial thief who says he won't steal from your home because he claims your locks are too big.

  • MadMacs0 Level 4 (3,345 points)

    stevejobsfan0123 wrote:

    I actually heard that the trojan will check for programs like Little Snitch, and delete itself if any of these are found to prevent it from being detected (I think I read that on Cnet). True?

    At first they tried to disable Little Snitch, but then they realized that made things too obvious, so now they check for its presence (as well as several A-V programs) and abort if found, deleting any evidence they were even there. What they seem to have forgotten to do with the "K" version is check for Little Snitch before the downloader tried to obtain the malware components from the server, alerting the user that something was up. I suspect the next variant will correct that oversight.

  • Henry-In-FL Level 1 (0 points)

    My findings are as follows:

    Nothing on three of the four test lines posted. But one of the four had positive results. I tried to install ClamXav on this Mini running OS X 10.6.8 but had difficulty (wouldn't download the updates). Could this be why??

    Here is the result:

    BubbaMacMini:~ bubba$ ls -la ~/Library/LaunchAgents
    total 24
    drwx------   5 bubba  staff   170 Sep  5  2011 .
    drwx------+ 41 bubba  staff  1394 Apr  8 11:31 ..
    -rw-r--r--   1 bubba  staff   589 Apr 14  2010 com.adobe.ARM.925793fb327152fd34795896fa1fb9ffa268b2a852256fe56609efa3.plist
    -rw-r--r--   1 bubba  staff   581 Sep  5  2011 com.apple.MobileMeSyncClientAgent.plist
    -rw-r-----   1 bubba  staff   812 Aug 23  2009 com.apple.SafariBookmarksSyncer.plist

  • etresoft Level 7 (23,915 points)

    There is nothing wrong with having files in that directory. Those look fine. You can always open them with TextWrangler or similar and look for the program that actually gets launched. The trojan will start with a ".".

  • MadMacs0 Level 4 (3,345 points)

    etresoft wrote:

    There is nothing wrong with having files in that directory. Those look fine. You can always open them with TextWrangler or similar and look for the program that actually gets launched. The trojan will start with a ".".

    Although I agree with your conclusion that those look fine, the LaunchAgents we've found are not hidden and do not start with a ".".
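The two replies above differ only on which file is hidden: the LaunchAgent plist in ~/Library/LaunchAgents is an ordinary visible file, and it is the program that plist points at (the ~/.filename payload) that starts with a dot. Rather than opening each plist in TextWrangler, the script below, which is an added example and not code posted in this thread, pulls the Program or ProgramArguments value out of every plist in a directory and flags any that launches a hidden path component or anything under a home or temp directory. The directory, plist names and paths it creates are constructed samples, not real indicators from the thread; it assumes XML plists written one tag per line (as launchctl and most installers do), and only POSIX sh, awk and mktemp.

```shell
#!/bin/sh
# Added example: audit launchd agent plists for programs that hide in dotfiles.
# Assumes XML plists with one tag per line; convert binary ones with
# `plutil -convert xml1 FILE` first.

# Print the command line a launchd plist runs: the <string> under <key>Program</key>,
# or every <string> inside the <key>ProgramArguments</key> array, space-joined.
launched_program() {
    awk '
        /<key>Program<\/key>/          { mode = "one";  next }
        /<key>ProgramArguments<\/key>/ { mode = "many"; next }
        mode != "" && /<string>/ {
            s = $0; sub(/.*<string>/, "", s); sub(/<\/string>.*/, "", s)
            out = (out == "") ? s : out " " s
            if (mode == "one") exit
        }
        mode == "many" && /<\/array>/ { exit }
        END { print out }
    ' "$1"
}

# Returns 0 (true) if the command line contains a path component that begins with a dot
# (e.g. ~/.filename), or points into a home or temp directory, where user-level droppers
# put their payloads. Legitimate agents normally live under /Applications or /Library.
is_suspicious() {
    case "$1" in
        */.[!/]*) return 0 ;;
        /Users/*|*" /Users/"*|/tmp/*|*" /tmp/"*|/var/tmp/*|*" /var/tmp/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report every plist in DIR and return the number flagged (0 = nothing suspicious).
audit_launch_agents() {
    flagged=0
    for plist in "$1"/*.plist; do
        [ -f "$plist" ] || continue
        prog=$(launched_program "$plist")
        if [ -z "$prog" ]; then
            echo "??   $(basename "$plist"): no Program/ProgramArguments key"
        elif is_suspicious "$prog"; then
            echo "FLAG $(basename "$plist") -> $prog"
            flagged=$((flagged + 1))
        else
            echo "ok   $(basename "$plist") -> $prog"
        fi
    done
    return $flagged
}

# write_plist FILE LINE... : wrap the given dict lines in a minimal XML plist.
write_plist() {
    f=$1; shift
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' '<plist version="1.0">' '<dict>' \
        "$@" '</dict>' '</plist>' > "$f"
}

# Constructed sample directory (not real files from the thread): two benign agents and
# one that runs an interpreter on a dotfile in the user's home directory.
make_sample_dir() {
    d=$(mktemp -d)
    write_plist "$d/com.example.sync.plist" \
        '<key>Label</key>' '<string>com.example.sync</string>' \
        '<key>Program</key>' '<string>/Applications/Example.app/Contents/MacOS/ExampleAgent</string>' \
        '<key>RunAtLoad</key>' '<true/>'
    write_plist "$d/com.example.helper.plist" \
        '<key>Label</key>' '<string>com.example.helper</string>' \
        '<key>ProgramArguments</key>' '<array>' \
        '<string>/Library/Application Support/Example/helper</string>' '<string>--daemon</string>' '</array>'
    write_plist "$d/com.example.updater.plist" \
        '<key>Label</key>' '<string>com.example.updater</string>' \
        '<key>ProgramArguments</key>' '<array>' \
        '<string>/usr/bin/python</string>' '<string>/Users/alice/.updater</string>' '</array>' \
        '<key>RunAtLoad</key>' '<true/>'
    echo "$d"
}

# Stand-alone run: audit the directory given as $1, or the constructed samples.
if [ -n "${1:-}" ]; then
    audit_launch_agents "$1"
else
    sample=$(make_sample_dir)
    audit_launch_agents "$sample" || :
    rm -rf "$sample"
fi
```

On a Mac, run it as `sh audit.sh ~/Library/LaunchAgents` and repeat for /Library/LaunchAgents and /Library/LaunchDaemons; the exit status is the number of flagged plists. A "FLAG" line is a prompt to look, not a verdict: some legitimate per-user agents do live under ~/Applications, and a dropper can equally name its payload without a leading dot, so an unfamiliar Label or a path you did not install deserves the same scrutiny as a hidden one.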

  • MadMacs0 Level 4 (3,345 points)

    Henry-In-FL wrote:

    I tried to install ClamXav on this Mini running OS X 10.6.8 but had difficulty (wouldn't download the updates). Could this be why??

    Go to the ClamXav Forum and somebody will help you troubleshoot that. They will need to know what it says in your Update Log.

  • nerowolfe Level 6 (13,070 points)

    One of my best friends is "Little Snitch" which does exactly what its name implies.

    I use Little Snitch and a recently installed ClamXav (which I never thought I would need) and between them I am reasonably safe. I say "reasonably" because there are very few absolutes in life.

    The best A/V tool is an informed and intelligent user.

    And now we see why Apple has always recommended NEVER to run the computer as an Administrator, UNLESS you are actually administrating.

    Everyone should create a standard user account and use that for 99% of the time.

    Very rarely is the Administrator account needed.

    Again, create and use a Standard User Account, right now.

  • Topher Kessler Level 6 (9,305 points)

    Another option here is to create a second administrator account and then demote your current one to a standard account. This will save the trouble of having to set up mail accounts and other settings in the new account.

  • nerowolfe Level 6 (13,070 points)

    An excellent point, Topher.

    I remember when we were laughed at for even suggesting that all users should be using a standard account, many moons ago.

    Well, the rubber has finally hit the road. We were right, they were wrong.

This site contains user submitted content, comments and opinions and is for informational purposes only. Apple disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Apple Support Communities Terms of Use.