35 Replies Latest reply: Jul 30, 2013 5:37 AM by Jonathan Hendry
  • 15. Re: MALWARE access via hole in Browser Plugin Process.  Applications achieving root level authorization.  Please help.
    MAC ATTACKED Level 1 Level 1 (5 points)

    I'm not sure why you feel that sudden changes to the boot log whereby the security protocol changes is normal.  I'm an idiot for once again trying to post anything to this community.  500,000 Apple computers fell victim to security threats.  Still everyone wants to believe Macs are invulnerable.

     

    I have given the computer to APPLE to study and rebuild.  There are very real threats in the wild.  I'm not arguing with you about whether or not XCODE Instruments is called backgroundinstruments.  I'm not going to try and convince you.  I know what is out there and how it is getting in. 

      

     

    Good luck and farewell.

  • 16. Re: MALWARE access via hole in Browser Plugin Process.  Applications achieving root level authorization.  Please help.
    thomas_r. Level 7 Level 7 (27,925 points)

    Nobody here has told you Macs are invulnerable.  Quite the opposite.  But just because malware exists for Macs does not mean that your particular problem is caused by malware.  But, I believe such information is not going to be welcomed, as you are bound and determined to have malware, whether that is the truth of the situation or not.  I don't believe anyone here can be of any assistance to you until you are willing to discuss it civilly.

  • 17. Re: MALWARE access via hole in Browser Plugin Process.  Applications achieving root level authorization.  Please help.
    MAC ATTACKED Level 1 Level 1 (5 points)

    I would suggest that what I am describing has nothing to do with currently known Malware which is why so many people were affected by it.

     

    I do not think everyone has a debug log generated by their log in.  I am sure most don't have system processes making changes during startup.

     

    backgroundinstruments is an active process.  I tied it directly back to XCODE Instruments applications running DTRACE.  You tell me this is all wrong.

     

    I haven't seen these types of logs before. You haven't told me what you expect me to report.

     

    It really doesn't matter.  I have seen what is out there.  I reported that code can be executed via web browsers without the knowledge or consent of the user 6 months ago and was told this was impossible.

     

    XCODE isn't malicious in and of itself but it can be used to create applications to track etc.  Hackers use these applications and debugging to figure out how to overcome the system and deploy applications.  How do I know?  Because that is what they talk about on their sites.

     

    I have seen reports of many ways to compromise a Mac.  And most of the new Malware does not require interaction by the user.  Simply watching a video is enough or sometimes running a program like Word etc.

     

    I'm really sorry I brought it up.  I'm trying to sound the alarm that you will see more and more of these attacks and Macs are especially vulnerable because there is a lot of complacency, no real experience with threats and no real security.

     

    Best of luck.  It will get worse before it gets better.  They are just starting, they have lots of experience getting around security.  Apple hasn't faced many threats before and hasn't had to contend with this kind of focused, deliberate, experienced attack.

     

    I warned of this in my first post.  Just saying be careful out there... it's worse than you think.

  • 18. Re: MALWARE access via hole in Browser Plugin Process.  Applications achieving root level authorization.  Please help.
    petermac87 Level 5 Level 5 (4,205 points)

    MAC ATTACKED wrote:

     

     

    Good luck and farewell.

    Didn't last long. Thanks for the extra info, but between yours and 10 other reports, a lot of people are now more confused than ever. Luckily due to early measures announced, I have seen no sign of this trojan.

     

    Bye

     

    Pete

  • 19. Re: MALWARE access via hole in Browser Plugin Process.  Applications achieving root level authorization.  Please help.
    MAC ATTACKED Level 1 Level 1 (5 points)

    Not as hard to do as I might have thought.  Maybe you might tell us what would help you understand?

  • 20. Re: MALWARE access via hole in Browser Plugin Process.  Applications achieving root level authorization.  Please help.
    petermac87 Level 5 Level 5 (4,205 points)

    MAC ATTACKED wrote:

     

    Not as hard to do as I might have thought.  Maybe you might tell us what would help you understand?

    Thomas's earlier link helped me.

     

    Thanks

     

    Pete

  • 21. Re: MALWARE access via hole in Browser Plugin Process.  Applications achieving root level authorization.  Please help.
    billcole Level 1 Level 1 (30 points)

    Terence Devlin wrote:

     

    There is a part of XCode called "backgroundinstruments"

     

    /Applications/Xcode.app/Contents/Library/LoginItems/backgroundinstruments.app/Contents/MacOS/backgroundinstruments

     

    That's an odd place for Xcode to live.

     

    Is that where the new AppStore version 4.3.2 installs?

     

    I dislike it...

  • 22. Re: MALWARE access via hole in Browser Plugin Process.  Applications achieving root level authorization.  Please help.
    billcole Level 1 Level 1 (30 points)

    Thomas A Reed wrote:

     

    There is a part of XCode called "backgroundinstruments"

     

    Not here.  I have the current version of XCode (4.2), and there is no such file. 

     

    See http://itunes.apple.com/us/app/xcode/id497799835?ls=1&mt=12

     

    Executive Summary: 4.3.2 is in the AppStore.

  • 23. Re: MALWARE access via hole in Browser Plugin Process.  Applications achieving root level authorization.  Please help.
    billcole Level 1 Level 1 (30 points)

    I think you would get a better response if you were a bit more calm and careful in what you post. Specifically:

     

    1. Which log files or asl command gave you those log listings? Why do you think they are unusual, aside from the verbosity? As a hint: I have unusually verbose logging configured on my machines, and your "boot log" (actually containing no boot info) looks very similar to a subset of the log entries a normal login drops in my logs. Noisier than a normal system, yes, but the content of the noise is not unusual. It does not seem to support your description of terrible things going on with PAM and keychains and guest users.
    2. No one has said that Macs are immune to malware. However, you have offered no evidence of malware. You have offered evidence and testimony of installing suspect software (DIVX: completely pointless) and a program (Sophos AV) that hooks into the system deeply. You have also complained about performance when visiting sites ("like YouTube, DailyMotion etc.") that use the dependably performance-sapping Flash. Unless you consider Flash to be malware per se (there's a case there...) that isn't a sign of anything unusual.
    3. You make claims about "keylogging" but don't explain a basis for that claim.
    4. What exactly are you trying to say about disks? It does not match normal MacOS disk naming and slicing, but it is vaguely similar. The default in Lion is for the boot disk to be /dev/disk0, which is sliced into 3 partitions. You can see this using the 'diskutil' command line utility:
      $ diskutil list disk0
      /dev/disk0
         #:                       TYPE NAME                    SIZE       IDENTIFIER
         0:      GUID_partition_scheme                        *250.1 GB   disk0
         1:                        EFI                         209.7 MB   disk0s1
         2:                  Apple_HFS MacBook_Internal        245.6 GB   disk0s2
         3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3

    If I am mapping your sloppy naming correctly:

      • disk0s1 seems to be a nuisance to you. It should not be. It is the "EFI System Partition" which is mandatory for any boot device on a machine using EFI. I assure you: it is not a waste or a problem. If that isn't enough for you to accept its existence and necessity, try Google and Wikipedia for more detailed answers, but don't believe everything you read.
      • disk0s2 is the slice where everything normally accessible in MacOS X exists, in a HFS+ filesystem.
      • disk0s3 is the slice where Lion keeps a minimal HFS+ (ish) filesystem that can be booted with a .dmg holding a known-good system image adequate to support recovery. You can mount it if you want to, but you really should just let it sit there.

    Finally, on Xcode. I hate it being in the AppStore because the AppStore is horrid but your argument about it posing a risk by being freely available is beneath silly. Development tools being freely available is a normal and necessary part of a useful platform. MacOS X development tools have been freely available for over a decade, with some releases including them on the distribution disks and latest versions being available online for the price of giving Apple an email address. This is not a MacOS X oddity, it is the norm for operating systems and has been for a long time.

     

    I don't know what's wrong with your system, but I'd start with looking at the output of 'ps auxwww', installing Little Snitch, and creating a new clean user with admin status and no user-friendly tweaks. The known malware for MacOS mostly only knows about the account it came in through, so you may be able to find it more easily when logged in on a fresh undamaged account. I would also want to look at /etc/syslog.conf and /etc/asl.conf for changes from the default installs of those files and when the changes happened, since you seem to have some logging modifications that are the most suspect changes.

     

    Message was edited by: billcole
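As an added example (not from this thread or from Apple), a small Python parser for the `diskutil list` output quoted above that checks a disk against the stock Lion layout billcole describes (EFI, the HFS+ system volume, Recovery HD) and reports anything that deviates. The embedded listing is the one from the post; the oversized-ESP heuristic and any extra-slice input are assumptions, not something the thread states.

```python
import re

# The listing quoted in the post above (reconstructed verbatim).
SAMPLE = """\
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *250.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS MacBook_Internal        245.6 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
"""

# One slice row: index, type, optional (possibly multi-word) name, size, identifier.
ROW = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<type>\S+)\s*(?P<name>.*?)\s+"
    r"(?P<star>\*?)(?P<size>[\d.]+)\s+(?P<unit>[KMGT]B)\s+(?P<id>disk\d+(?:s\d+)?)\s*$"
)
UNIT = {"KB": 1e3, "MB": 1e6, "GB": 1e9, "TB": 1e12}


def parse_diskutil_list(text):
    """Turn `diskutil list diskN` output into a list of slice dicts (header lines are skipped)."""
    slices = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # the /dev/diskN line and the column header do not match ROW
        slices.append({
            "index": int(m["idx"]), "type": m["type"], "name": m["name"],
            "bytes": float(m["size"]) * UNIT[m["unit"]], "id": m["id"],
        })
    return slices


# Stock Lion boot-disk layout as described in the post; None means "any name".
EXPECTED = {1: ("EFI", None), 2: ("Apple_HFS", None), 3: ("Apple_Boot", "Recovery HD")}


def check_lion_layout(slices):
    """Return human-readable deviations from the stock layout; an empty list means it matches."""
    findings = []
    for s in slices:
        if s["index"] == 0:
            continue  # row 0 is the partition map for the whole disk, not a slice
        want = EXPECTED.get(s["index"])
        if want is None:
            findings.append(f"{s['id']}: unexpected extra slice {s['type']} '{s['name']}'")
        elif s["type"] != want[0] or (want[1] and s["name"] != want[1]):
            findings.append(f"{s['id']}: expected {want[0]} {want[1] or ''}, got {s['type']} '{s['name']}'")
        # Heuristic (assumption): the ESP is normally ~200 MB; a 1 GB+ one deserves a look.
        if s["index"] == 1 and s["bytes"] > 1e9:
            findings.append(f"{s['id']}: EFI partition is {s['bytes'] / 1e6:.0f} MB, far above ~200 MB")
    return findings
```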

  • 24. Re: MALWARE access via hole in Browser Plugin Process.  Applications achieving root level authorization.  Please help.
    thomas_r. Level 7 Level 7 (27,925 points)

    4.3.2 is in the AppStore.

     

    What?!  I checked for updates in the App Store and came up empty!  Yet I see XCode shows up with a new version when I search for it.  Ridiculous...  Yet another reason to dislike the App Store.

  • 25. Re: MALWARE access via hole in Browser Plugin Process.  Applications achieving root level authorization.  Please help.
    thomas_r. Level 7 Level 7 (27,925 points)

    I do not think everyone has a debug log generated by their log in.  I am sure most don't have system processes making changes during startup.

     

    What does that mean?  Yes, you've got logs...  big deal, everyone has logs being generated constantly.  I've seen people report stuff like what's in your logs, and it has generally involved some kind of corruption in the system.  I saw a report from one person who found that deleting the keychain and re-creating it solved the problem.

     

    You have really said very little about how your system is behaving.  You have posted fairly meaningless logs, and it seems you are extrapolating a lot (inaccurately, from the sounds of it) from those logs and from seeing some benign processes running in Activity Monitor.

     

    You insisted that you have a keylogger going, but won't say how you know that.  What keylogger?  How did you find it?  etc.  What is your Mac doing, besides generating logs that you are interpreting improperly, that leads you to believe you have malware?

     

    I have seen reports of many ways to compromise a Mac.  And most of the new Malware does not require interaction by the user.  Simply watching a video is enough or sometimes running a program like Word etc.

     

    That is absolutely, 100% false.  Flashback is the only malware in existence that can execute third-party code without the user's assistance, and it can only do so on very outdated machines or machines that have not had security updates properly applied at this point.

     

    I am never one to discount possibilities of a new avenue of attack.  But it's difficult to accept when someone comes crying that the sky is falling without any evidence whatsoever, much less a coherent story.  If you think you have found something in advance of all my contacts in the security industry and all the anti-virus companies and Apple, you need to be able to provide solid evidence to be taken seriously.

  • 26. Re: MALWARE access via hole in Browser Plugin Process.  Applications achieving root level authorization.  Please help.
    MAC ATTACKED Level 1 Level 1 (5 points)

    I'm not experienced enough to describe what is happening without being mocked.  I didn't initiate a DTRACE.  I didn't launch background instruments. 

     

    I'm done.  I asked for thoughtful responses and what information you require.  Instead I got into a debate over whether backgroundinstruments are part of XCODE instruments or not.

     

    I appreciate your tips and instructions on where to look.  When I get my machine back from APPLE I will make a note of those for future reference.

     

    I do appreciate your help.

     

    <Edited by Host>

  • 27. Re: MALWARE access via hole in Browser Plugin Process.  Applications achieving root level authorization.  Please help.
    UNOwenNYC Level 1 Level 1 (0 points)

    I totally agree with you, Mac Attacked. I couldn't understand if Thos. A. R. was mocking you, or not.

     

    I've owned (only) Macs for, let's just say, many years, and, while they've pretty much been much more secure than 'Windoze,' it's still unwise to ever rest on one's laurels.

     

    Personally, I appreciate your detailed posting(s), and your vigilance.

  • 28. Re: MALWARE access via hole in Browser Plugin Process.  Applications achieving root level authorization.  Please help.
    thomas_r. Level 7 Level 7 (27,925 points)

    I totally agree with you, Mac Attacked. I couldn't understand if Thos. A. R. was mocking you, or not.

     

    I was not remotely mocking, I was trying to figure out what he was talking about.  It was extraordinarily unclear, didn't make much sense and he never would give us details that we requested.  Nobody suggested "resting on one's laurels," but at the same time, there is little sense in blaming malware for poorly-described behavior that doesn't sound remotely like any known malware.  That only interferes with finding a solution.

     

    If he ever returns and provides additional information, as requested by more than just myself, then I'm sure someone will help him.  Not me, though, not after the immature name-calling in his last post (deleted by the hosts).