
Dr Web Flashback Virus checker accurate?

16365 Views, 100 Replies. Latest reply: Apr 22, 2012 12:44 AM by Ramón Tech
  • ds store, Level 7 (30,305 points)
    Apr 9, 2012 1:55 PM (in response to jo823)

    jo823 wrote:

    Update-downloaded Little Snitch and got the message "Little Snitch: .null wants to connect to vxvhwcixcxqxd.com"

    Bad, bad, bad.

    You're infected; that URL and many others like it are all over these forums and other Mac sites related to Flashback.

    urlQuery gives:

    URL: http://vxvhwcixcxqxd.com/info.html (screenshot: http://urlquery.net/screenshot.php?id=38804)
    IP: 91.233.244.102
    ASN: AS57636 Olborg Ltd.
    Location: Russian Federation
    Report created: 2012-04-05 23:00:49 CET
    Status: Report complete.
    Alerts: No alerts detected
    Reputation: Suspicious
  • etresoft, Level 7 (23,880 points)
    Apr 9, 2012 2:15 PM (in response to jo823)

    Please try my removal script again. I have updated it to handle your installation.

  • pcbjr, Level 2 (265 points)
    Apr 9, 2012 3:20 PM (in response to etresoft)

    Can you re-post the current script? (I'm getting lost trying to keep up with this whole mess.)

    Thanks!

  • MadMacs0, Level 4 (3,320 points)
    Apr 9, 2012 4:02 PM (in response to pcbjr)

    pcbjr wrote:

    Can you re-post the current script? (I'm getting lost trying to keep up with this whole mess.)

    https://discussions.apple.com/docs/DOC-3271

  • etresoft, Level 7 (23,880 points)
    Apr 9, 2012 4:07 PM (in response to jo823)

    Success!

    Unfortunately, I didn't have time to write a decent script. You did everything correctly. There is no need to reinstall.

  • fane_j, Level 4 (3,655 points)
    Apr 9, 2012 4:10 PM (in response to jo823)

    jo823 wrote:

    It defaults to "Keep", but was wondering if this is necessary to delete?

    Don't delete it. Do you have a MobileMe account? If yes, that's what it's for.

    That's exactly the kind of issue which caused me to suggest to etresoft that he modify his script:

    <https://discussions.apple.com/message/18070822#18070822>

  • ds store, Level 7 (30,305 points)
    Apr 9, 2012 4:16 PM (in response to jo823)

    jo823 wrote:


    Since I ran the script that seemed to remove the files, would you all think it's necessary to go ahead with the removal and reinstall of Mac OS?

    You're being of assistance since your machine is already infected, but eventually, yes, you should also back up just user files, erase and install everything, and only return vetted files: no programs or Time Machine restores.

    Erase everything that can be rewritten too.

    If you have a 10.6 disk, build from that, as it's burned and worked out; malware can't write to that.

    Consider everything else tainted.

    https://discussions.apple.com/docs/DOC-3251

    I haven't seen the need to write an effective malware eradication guide for Macs, but I've learned on the PC that everything gets infected; miss one little spot or get lazy and it's back on again.

  • fane_j, Level 4 (3,655 points)
    Apr 9, 2012 5:49 PM (in response to jo823)

    A recent TidBITS article covers this issue:

    <http://tidbits.com/e/12918>

    I'm a long-time subscriber to TidBITS, and I regard their information as usually reliable. So far, I've been very skeptical about the "Dr. Web" reports (I must say that the name "Dr. Web" redoubled my skepticism, perhaps unfairly so). I'm beginning to change my mind.

  • MadMacs0, Level 4 (3,320 points)
    Apr 9, 2012 6:33 PM (in response to ds store)

    ds store wrote:

    urlQuery gives:

    URL: http://vxvhwcixcxqxd.com/info.html (screenshot: http://urlquery.net/screenshot.php?id=38804)
    IP: 91.233.244.102
    ASN: AS57636 Olborg Ltd.
    Location: Russian Federation
    Report created: 2012-04-05 23:00:49 CET
    Status: Report complete.
    Alerts: No alerts detected
    Reputation: Suspicious

    As stated in this post from a Dr. Web employee ("Re: .rserv wants to connect to cuojshtbohnt.com"), it is one of the three servers that Dr. Web (from Russia) was able to register in order to perform their sinkhole operation that came up with the 600,000 number. When we were running these URLs early on the weekend before last, they were all coming up as unknown until their registrations made it to DNS.

  • MadMacs0, Level 4 (3,320 points)
    Apr 9, 2012 6:50 PM (in response to etresoft)

    etresoft wrote:

    Please try my removal script again. I have updated it to handle your installation.

    I still cannot comment on your Tip, so either I don't know how or I don't have permission.

    I went back to the Tip early this morning and found that it had been updated on the sheet, so I tried that and it did everything I expected it to, which wasn't much; however, I found that it cleanly deleted my environment.plist. So OK, I'll just drag it back out of the Trash. Not in the Trash. OK, then restore from backup worked.

    So yes, I have a real environment.plist that isn't really important. Just something I was playing with, but realize that I have run across some users who own applications which use the environment.plist for purposes it was designed for.

    So my recommendation would be, rather than using rm, use defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES, which will only remove that entry and leave anything else intact.

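As an added example (not from this thread and not etresoft's script), here is the surgical approach MadMacs0 recommends above, written with Python's standard-library plistlib so it runs anywhere: only the DYLD_INSERT_LIBRARIES entry is dropped and every other variable in the file (here, PATH) is written back unchanged. The sample environment.plist and the library path in it are constructed placeholders, not indicators from the thread.

```python
import plistlib
import tempfile
from pathlib import Path

INJECT_KEY = "DYLD_INSERT_LIBRARIES"

# Constructed sample environment.plist: one legitimate entry (PATH) and
# one injected entry. The library path is a placeholder, not an indicator.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PATH</key>
  <string>/usr/local/bin:/usr/bin:/bin</string>
  <key>DYLD_INSERT_LIBRARIES</key>
  <string>/Users/example/.placeholder.dylib</string>
</dict>
</plist>
"""

def scrub_environment_plist(path):
    """Drop only the DYLD_INSERT_LIBRARIES key and write the rest back.

    Same effect as `defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES`
    but portable; returns (removed_value_or_None, remaining_keys).
    """
    path = Path(path)
    if not path.exists():          # nothing to clean; not an error
        return None, []
    with path.open("rb") as f:
        env = plistlib.load(f)
    removed = env.pop(INJECT_KEY, None)
    if removed is not None:        # rewrite only when something changed
        with path.open("wb") as f:
            plistlib.dump(env, f)
    return removed, sorted(env)

def demo():
    """Scrub the constructed sample in a temp dir; run twice to show
    the second pass is a no-op and PATH survives both."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "environment.plist"
        p.write_bytes(SAMPLE_PLIST)
        first = scrub_environment_plist(p)
        second = scrub_environment_plist(p)
        return first, second

if __name__ == "__main__":
    print(demo())
```
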
  • etresoft, Level 7 (23,880 points)
    Apr 10, 2012 7:11 AM (in response to MadMacs0)

    MadMacs0 wrote:

    etresoft wrote:

    Please try my removal script again. I have updated it to handle your installation.

    I still cannot comment on your Tip, so either I don't know how or I don't have permission.

    It must be a permissions issue. There must be some level of points you need to add a comment. Can you see the comments I made?

    I went back to the Tip early this morning and found that it had been updated on the sheet, so I tried that and it did everything I expected it to, which wasn't much; however, I found that it cleanly deleted my environment.plist. So OK, I'll just drag it back out of the Trash. Not in the Trash. OK, then restore from backup worked.

    So yes, I have a real environment.plist that isn't really important. Just something I was playing with, but realize that I have run across some users who own applications which use the environment.plist for purposes it was designed for.

    So my recommendation would be, rather than using rm, use defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES, which will only remove that entry and leave anything else intact.

    I completely agree, up to a point. I have no intention of getting into the anti-virus business. Users who are sophisticated enough to have something in ~/.MacOSX/environment.plist aren't going to have any malware and, if they did, aren't going to need any help removing it. The script was and will remain a quick-n-dirty tool.

    One of the problems with the script is that I have tried too hard to be gentle with it. That has already caused it to fail to remove an infection from one person. Considering all the possible variants of malware and all the misinformation, cryptic commands, and paranoia, I feel a "scorched-earth" approach is best. The script will try to return your user account to a default configuration. Any legitimate hacks you may have made will have to be re-done.

    In any event, no decent software should ever use ~/.MacOSX/environment.plist to begin with. If removing it breaks something, then I've done you a favor by identifying some poorly ported Linux software.

  • fane_j, Level 4 (3,655 points)
    Apr 10, 2012 11:17 AM (in response to etresoft)

    etresoft wrote:

    no decent software should ever use ~/.MacOSX/environment.plist to begin with. If removing it breaks something, then I've done you a favor by identifying some poorly ported Linux software.

    Is BBEdit "poorly ported Linux software"?

    This is a regrettably arrogant attitude. Environment.plist has nothing to do with Linux software, poorly ported or not. It is required because Mac OS X maintains different environment variables for GUI and CLI apps.

    Moreover, no software which uses a facility provided by the OS for the purpose which it was designed to support can be called 'poor'. Any app which uses environment.plist to set environment variables does exactly what Apple says it should do, in exactly the way Apple says it should. See Environment Variables in Runtime Configuration Guidelines and Technical Q&A QA1067.

    The problem with environment.plist is that—just like Microsoft with certain Windows features—Apple never envisaged that it could be used in the way this malware uses it. If there's anyone to blame, it's not 'poorly ported Linux software', but Apple itself. And if you want to look for a similar Apple-created wide-open hole, check out the login and logout hooks. (Which, yes, still work in Lion.) I'm rather surprised that the gang behind Flashback have ignored it so far—if, indeed, they have.

  • etresoft, Level 7 (23,880 points)
    Apr 10, 2012 1:27 PM (in response to fane_j)

    The environment.plist file is never required. There are other, much better ways to accomplish the same thing. An Aqua user interface application should never rely on environment variables. It is poor practice to ship code using that file. I don't care who uses it.

  • fane_j, Level 4 (3,655 points)
    Apr 10, 2012 1:41 PM (in response to etresoft)

    etresoft wrote:

    The environment.plist file is never required.

    BBEdit and others require it. Hence, your statement is incorrect.

    Moreover, if Apple provides this facility, and explains how it should be used, I don't understand why a developer shouldn't use it.

    There are other, much better ways to accomplish the same thing.

    Such as?

    An Aqua user interface application should never rely on environment variables.

    And if it needs, or it is used, to run shell scripts, Perl, Python, etc., what should it rely on?

    It is poor practice to ship code using that file.

    You are certainly entitled to your opinion. I see no reason or argument why anyone should agree with it.
