Trojan in Java

1754 Views, 29 Replies. Latest reply: Apr 12, 2012 7:13 AM by benzdoc. Branched to a new discussion.
stellamaris5 Level 1 (90 points)
Apr 5, 2012 5:26 AM

Is it true that there was a Trojan detected and that the Java update yesterday was to patch the hole?

 

So it begins.....

  • sig Level 8 (35,770 points)
    Apr 5, 2012 6:38 AM (in response to stellamaris5)

    No.

  • benzdoc
    Apr 5, 2012 7:34 AM (in response to stellamaris5)

    yes

  • dominic23 Level 6 (18,520 points)
    Apr 5, 2012 1:19 PM (in response to stellamaris5)

    Apple does not say anything about any Trojan.

     

    This is just a java security update from Apple.

     

    For more info:

     

    http://www.macworld.com/article/1166195/apple_releases_java_security_updates.html

     

    Anything about Trojan could be speculation

     

    Best.

  • thomas_r. Level 7 (26,980 points)
    Apr 5, 2012 1:22 PM (in response to stellamaris5)

    There is malware (called Flashback) that has been actively taking advantage of Java vulnerabilities on Macs, installing as a drive-by download with no user interaction required when visiting a malicious web site.  Apple's latest Java update patches these vulnerabilities, though it's still possible for that malware to use social exploits to trick you into installing it.  You would do best to turn off Java in your web browser...  you probably won't miss it at all.

     

    See:

     

    http://www.reedcorner.net/news.php?tag=flashback

     

    (Note that my pages contain links to other pages that promote my services, and this should not be taken as an endorsement of my services by Apple.)

  • benzdoc Level 1 (0 points)
    Apr 5, 2012 1:38 PM (in response to dominic23)

    You're kidding, right?

  • arlene220
    Apr 10, 2012 3:44 AM (in response to thomas_r.)

    Are you serious?

  • arlene220 Level 1 (0 points)
    Apr 10, 2012 3:46 AM (in response to dominic23)

    I am running the latest software; the link you gave is old!

  • thomas_r. Level 7 (26,980 points)
    Apr 10, 2012 5:31 AM (in response to arlene220)

    Are you serious?

     

    Absolutely.

     

    BTW, I have consolidated all my Flashback coverage into a summary: About the Flashback malware.

     

    (Note that my pages contain links to other pages that promote my services, and this should not be taken as an endorsement of my services by Apple.)

  • arlene220 Level 1 (0 points)
    Apr 10, 2012 3:03 PM (in response to thomas_r.)

    The link is very old!!!!

    Thomas A Reed wrote:

     

    Are you serious?

     

    Absolutely.

     

    BTW, I have consolidated all my Flashback coverage into a summary: About the Flashback malware.

     

    (Note that my pages contain links to other pages that promote my services, and this should not be taken as an endorsement of my services by Apple.)


  • X423424X Level 6 (14,190 points)
    Apr 10, 2012 3:19 PM (in response to thomas_r.)

    Thomas A Reed wrote:

     

    BTW, I have consolidated all my Flashback coverage into a summary: About the Flashback malware.

     

    Maybe you can answer a question for me.  Why is it that every one of the public Flashback checkers and articles, including yours, seems to be ignoring one of the more recent strains of (Flashback?) trojan that was found in these forums a few weeks ago?  Specifically, I am referring to the variant that installs a user LaunchAgent that launches a dot file in the user's directory (~/.filename, where filename is any number of names).

     

    The only place I see this even addressed outside of these forums is F-Secure's Trojan-Downloader:OSX/Flashback.K article (steps 16, 17, 18).  I always include it in my set of basic trojan checking commands which I have been posting in these forums (for example, see this post).
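As an added illustration of the check X423424X describes (this is editor-supplied example code, not from the thread or from any poster's tooling): a Python script that parses LaunchAgent plists and flags any whose Program or ProgramArguments entry is a dotfile sitting directly in the home directory. The two sample plists, their labels and the /Users/alice home path are constructed for the demo, and the scanner would normally be pointed at ~/Library/LaunchAgents.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Constructed sample (not a real malware artifact): a LaunchAgent plist of the
# shape the thread describes, starting a hidden dotfile in the user's home.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
  <key>Label</key><string>com.example.hidden</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/.rserv</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed benign sample for contrast: a program inside an app bundle.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
</dict></plist>"""

def launched_strings(plist_bytes: bytes) -> list[str]:
    """Return the Program value and every ProgramArguments entry of a plist."""
    data = plistlib.loads(plist_bytes)
    out = []
    if isinstance(data.get("Program"), str):
        out.append(data["Program"])
    out.extend(a for a in data.get("ProgramArguments", []) if isinstance(a, str))
    return out

def is_hidden_home_file(path: str, home: str) -> bool:
    """True when path is a dotfile sitting directly in the home directory (~/.name)."""
    if path.startswith("~/"):
        path = home + path[1:]          # expand a literal ~ without touching $HOME
    p = PurePosixPath(path)
    return str(p.parent) == home and p.name.startswith(".") and p.name not in (".", "..")

def suspicious_programs(plist_bytes: bytes, home: str = "/Users/alice") -> list[str]:
    """List the hidden-home-file paths a single LaunchAgent plist would launch."""
    return [s for s in launched_strings(plist_bytes) if is_hidden_home_file(s, home)]

def scan_launch_agents(directory: Path, home: str) -> dict[str, list[str]]:
    """Scan a LaunchAgents folder (e.g. ~/Library/LaunchAgents) and report hits per plist."""
    hits = {}
    for plist_path in sorted(directory.glob("*.plist")):
        try:
            flagged = suspicious_programs(plist_path.read_bytes(), home)
        except plistlib.InvalidFileException:
            continue                    # skip malformed plists rather than abort the scan
        if flagged:
            hits[plist_path.name] = flagged
    return hits
```

A hit only means the agent launches a hidden file from the home directory, which is the pattern the thread describes; it is a prompt to inspect that file, not proof of infection on its own.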

  • petermac87 Level 5 (4,065 points)
    Apr 10, 2012 3:21 PM (in response to thomas_r.)

    Thomas A Reed wrote:

     

    BTW, I have consolidated all my Flashback coverage into a summary: About the Flashback malware.

     

    (Note that my pages contain links to other pages that promote my services, and this should not be taken as an endorsement of my services by Apple.)

    Thomas, thanks for a very condensed yet in-depth look at this Trojan. This is the all-in-one info I have been looking for. Seem to be all clear here, and Java now off.

     

    Thank You

     

    Pete

  • thomas_r. Level 7 (26,980 points)
    Apr 10, 2012 3:59 PM (in response to arlene220)

    The link is very old!!!!

     

    What link is very old?  The page at the link in the post you just replied to is dated April 7, 2012.

  • thomas_r. Level 7 (26,980 points)
    Apr 10, 2012 4:12 PM (in response to X423424X)

    Why is it that every one of the public Flashback checkers and articles, including yours, seems to be ignoring one of the more recent strains of (Flashback?) trojan that was found in these forums a few weeks ago?  Specifically, I am referring to the variant that installs a user LaunchAgent that launches a dot file in the user's directory (~/.filename, where filename is any number of names).

     

    I haven't actually seen any documentation of such a variant beyond the fairly vague information on F-Secure's page, which does not describe exactly what the contents of the file placed in LaunchAgents are.  However, it is obvious from reading posts from infected folks on forums like these that the instructions - no matter what they may be - are inadequate.  As are the numerous detection and removal tools based on those instructions.  As that has become more clear, I have significantly modified my instructions, and have been considering pulling them altogether.

     

    More and more, it's looking like anti-virus software is the best way to detect an infection.  As for removal, that's similarly difficult for novice users.  I would have to say that if you can't find and remove the pieces on your own, without needing to rely on instructions, you shouldn't be trying.  Either erase the hard drive and reinstall everything from scratch, or get a tech guru who really knows what he/she is doing to take care of the removal for you.  Any other recommendation, at this point, is starting to look irresponsible.

  • X423424X Level 6 (14,190 points)
    Apr 10, 2012 4:31 PM (in response to thomas_r.)

    I haven't actually seen any documentation of such a variant beyond the fairly vague information on F-Secure's page, which does not describe exactly what the contents of the file placed in LaunchAgents are.

     

    I think the following is the primary thread where this variant first appeared in these forums:

     

    .rserv wants to connect to cuojshtbohnt.com

     

    And if you look at page 3 of that (still growing) thread you will see a typical example of the launchagent.

     

    However, it is obvious from reading posts from infected folks on forums like these that the instructions - no matter what they may be - are inadequate.

     

    I think they are adequate to find the top-level insertions of the current trojans.  Not find every piece of code that may have been injected.

     

    If there's a variant out there that adds some control, injects its payload, and removes the control code, other than, for example, injecting code into browsers, then I haven't heard about it yet.

     

    As are the numerous detection and removal tools based on those instructions.

     

    I agree with that.

     

     

    As that has become more clear, I have significantly modified my instructions, and have been considering pulling them altogether.

     

    Which was my whole point of making you aware of this variant.

     

    More and more, it's looking like anti-virus software is the best way to detect an infection.

     

    To each his own.  Let's agree to disagree.

     

    As for removal, that's similarly difficult for novice users.  I would have to say that if you can't find and remove the pieces on your own, without needing to rely on instructions, you shouldn't be trying.  Either erase the hard drive and reinstall everything from scratch, or get a tech guru who really knows what he/she is doing to take care of the removal for you.  Any other recommendation, at this point, is starting to look irresponsible.

     

    There's a longish AppleScript floating around currently that attempts full detection and removal.  I just don't have the link handy at the moment.
