100 Replies. Latest reply: Apr 22, 2012 12:44 AM by Ramón Tech
  • 75. Re: Dr Web Flashback Virus checker accurate?
    etresoft Level 7 (24,270 points)

    jo823 wrote:


    I did download Little Snitch, but was wondering if anyone felt the need to run an Anti-Virus program on their Macs as well?  I didn't get one initially because everyone at the Apple Store said it wasn't necessary, but this latest experience has me second-guessing myself.  Any recommendations?

    I don't even run anti virus on Windows


    This is the first actual malware that I can remember on MacOS X in 12 years. All of the other ones required the user be tricked into installing them. The actual security hole was in Java from 5 years before MacOS X. The actual infection is pitifully easy to remove. Apple has already removed Java from the default installation of the operating system and is taking additional steps to make it more secure in the future. I don't think there is anything to worry about.

  • 76. Re: Dr Web Flashback Virus checker accurate?
    MadMacs0 Level 4 (3,735 points)

    jsd2 wrote:


    F-Secure just released a free Flashback detection and removal tool:

    http://www.f-secure.com/weblog/archives/00002346.html

    Yes, I've taken a really quick look at the script they supposedly use, which can be accessed here. They clearly seem to know more about this than any of the other vendors we've read, so it's promising. It is a pretty simple script which seems to check first for Library components involved with different variants and, if found, tells you "Possible infected file: ${ldpath} . If this is malware, please remove manually."


    It checks for:

    /Applications/Safari.app/Contents/Info/ for LSEnvironment

    ${HOME}/.MacOSX/environment for DYLD_INSERT_LIBRARIES

    Deletes whatever it finds, unsets the dylib in launchctl and that's that.

  • 77. Re: Dr Web Flashback Virus checker accurate?
    MadMacs0 Level 4 (3,735 points)

    etresoft wrote:


    Apple has already removed Java from the default installation of the operating system and is taking additional steps to make it more secure in the future. I don't think there is anything to worry about.

    I think I agree, except for Intel Macs still running 10.6.7 and below, which are still at risk. Disabling Java in browsers seems to be "good enough" for now, but then we'll all have to watch for the next Java exploit or some new path.

  • 78. Re: Dr Web Flashback Virus checker accurate?
    X423424X Level 6 (14,190 points)

    MadMacs0 wrote:


    jsd2 wrote:


    F-Secure just released a free Flashback detection and removal tool:

    http://www.f-secure.com/weblog/archives/00002346.html

    Yes, I've taken a really quick look at the script they supposedly use, which can be accessed here. They clearly seem to know more about this than any of the other vendors we've read, so it's promising. It is a pretty simple script which seems to check first for Library components involved with different variants and, if found, tells you "Possible infected file: ${ldpath} . If this is malware, please remove manually."


    It checks for:

    /Applications/Safari.app/Contents/Info/ for LSEnvironment

    ${HOME}/.MacOSX/environment for DYLD_INSERT_LIBRARIES

    Deletes whatever it finds, unsets the dylib in launchctl and that's that.


    I looked at this too and this is the first one I've seen that I can recommend (and will be pointing to in future posts). I want to add that in addition to the checks noted above it also checks ~/Library/LaunchAgents.

  • 79. Re: Dr Web Flashback Virus checker accurate?
    MadMacs0 Level 4 (3,735 points)

    X423424X wrote:


    I want to add that in addition to the checks noted above it also checks ~/Library/LaunchAgents.

    Great! I don't see that in the shell script, but perhaps it was added in the app or it's in an AppleScript that I've just been told exists. That worried me too, as it's been the primary element overlooked by most all the tools initially.

  • 80. Re: Dr Web Flashback Virus checker accurate?
    jsd2 Level 5 (6,200 points)

    The app bundle that can be downloaded contains two scripts, and the first is apparently a newer version of the one at the github site.


    FlashbackRemoval.app/Contents/Resources/RemoveFlashback.sh

    FlashbackRemoval.app/Contents/Resources/Scripts/main.scpt

  • 81. Re: Dr Web Flashback Virus checker accurate?
    MadMacs0 Level 4 (3,735 points)

    Following up my own observation: yes, the shell script has been enhanced to include LaunchAgents as well as Firefox. They also added an optional mode where they move probable infected files to quarantine, then zip them, suitable for uploading to sample sites.
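As an added example (not F-Secure's RemoveFlashback.sh and not code anyone in this thread posted), here is a Python version of the checks described above, run against constructed plists so it works offline on any OS. It looks at LSEnvironment in each listed app's Contents/Info.plist, at DYLD_INSERT_LIBRARIES in ~/.MacOSX/environment.plist (those are the full file names of the two locations quoted above), and at ~/Library/LaunchAgents, then does the optional quarantine-and-zip step. The bundle list, the fixture paths under a temp directory, the hypothetical payload name and the "program in a dot-prefixed directory" heuristic for LaunchAgents are this example's own assumptions, not F-Secure's rules; the `launchctl unsetenv` step the real tool performs has no meaning off a Mac and is left out.

```python
# Added example, not F-Secure's RemoveFlashback.sh: scan the persistence spots the
# thread lists (LSEnvironment in an app's Info.plist, ~/.MacOSX/environment.plist,
# ~/Library/LaunchAgents), then quarantine and zip what is found. The bundle
# list, fixture paths and the LaunchAgent heuristic are this example's assumptions.
import os, plistlib, shutil, tempfile, zipfile
from collections import namedtuple

APP_BUNDLES = ["Safari.app", "Firefox.app"]         # assumed bundles to check
Finding = namedtuple("Finding", "kind plist libs")  # libs: files the plist names

def _load(path):
    """Parse an XML or binary plist; {} if missing or not a plist."""
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except Exception:  # OSError, InvalidFileException, ExpatError
        return {}

def _inserted_libs(path, env_key=None):
    """DYLD_INSERT_LIBRARIES entries at top level or under the env_key dict."""
    d = _load(path)
    if env_key is not None:
        d = d.get(env_key, {})
    if not isinstance(d, dict) or "DYLD_INSERT_LIBRARIES" not in d:
        return []
    return str(d["DYLD_INSERT_LIBRARIES"]).split(":")

def scan(applications_dir, home):
    findings = []
    for bundle in APP_BUNDLES:                                # 1. app LSEnvironment
        p = os.path.join(applications_dir, bundle, "Contents", "Info.plist")
        if libs := _inserted_libs(p, "LSEnvironment"):
            findings.append(Finding("lsenvironment", p, libs))
    p = os.path.join(home, ".MacOSX", "environment.plist")   # 2. login environment
    if libs := _inserted_libs(p):
        findings.append(Finding("environment", p, libs))
    la_dir = os.path.join(home, "Library", "LaunchAgents")   # 3. per-user agents
    for name in (sorted(os.listdir(la_dir)) if os.path.isdir(la_dir) else []):
        p = os.path.join(la_dir, name)
        d = _load(p)
        program = str((d.get("ProgramArguments") or [d.get("Program", "")])[0])
        env_libs = _inserted_libs(p, "EnvironmentVariables")
        # Heuristic (assumption, not F-Secure's rule): an agent that injects a
        # dylib or runs a program from a dot-prefixed directory is suspect.
        hidden = any(s.startswith(".") and s not in (".", "..") for s in program.split(os.sep))
        if env_libs or hidden:
            findings.append(Finding("launchagent", p, env_libs + ([program] if hidden else [])))
    return findings

def remediate(findings, quarantine_dir):
    """Copy evidence to quarantine, strip the injection, zip the samples.
    (The real tool also runs `launchctl unsetenv`; meaningless off a Mac, so omitted.)"""
    os.makedirs(quarantine_dir, exist_ok=True)
    moved = []
    def stash(src, keep_original):
        dest = os.path.join(quarantine_dir, f"{len(moved)}-{os.path.basename(src)}")
        (shutil.copy2 if keep_original else shutil.move)(src, dest)
        moved.append(dest)
    for f in findings:
        if f.kind == "launchagent":
            stash(f.plist, keep_original=False)      # the agent plist is the persistence
        else:                                        # keep Info.plist, drop only the key
            stash(f.plist, keep_original=True)
            d = _load(f.plist)
            target = d.get("LSEnvironment", d) if f.kind == "lsenvironment" else d
            target.pop("DYLD_INSERT_LIBRARIES", None)
            with open(f.plist, "wb") as fh:
                plistlib.dump(d, fh)
        for lib in f.libs:
            if os.path.isfile(lib):
                stash(lib, keep_original=False)
    zip_path = os.path.join(quarantine_dir, "flashback_samples.zip")
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as z:
        for m in moved:
            z.write(m, os.path.basename(m))
    return zip_path

def build_fixture(root):
    """Constructed data: infected Safari, infected environment.plist, one clean and
    one suspect LaunchAgent, plus a hypothetical payload file (no Firefox bundle)."""
    apps, home = os.path.join(root, "Applications"), os.path.join(root, "home")
    lib = os.path.join(home, ".evil", "inject.dylib")        # hypothetical payload
    def write(path, obj):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            plistlib.dump(obj, fh)
    write(os.path.join(apps, "Safari.app", "Contents", "Info.plist"),
          {"CFBundleIdentifier": "com.apple.Safari", "LSEnvironment": {"DYLD_INSERT_LIBRARIES": lib}})
    write(os.path.join(home, ".MacOSX", "environment.plist"), {"DYLD_INSERT_LIBRARIES": lib})
    write(os.path.join(home, "Library", "LaunchAgents", "com.example.clean.plist"),
          {"Label": "com.example.clean", "ProgramArguments": ["/usr/bin/true"]})
    write(os.path.join(home, "Library", "LaunchAgents", "com.example.suspect.plist"),
          {"Label": "com.example.suspect", "ProgramArguments": [os.path.join(home, ".evil", "agent")]})
    os.makedirs(os.path.dirname(lib), exist_ok=True)
    with open(lib, "wb") as fh:
        fh.write(b"not a real dylib")
    return apps, home

def demo():
    """Scan the fixture, remediate, rescan; return what each step produced."""
    root = tempfile.mkdtemp(prefix="flashback-demo-")
    apps, home = build_fixture(root)
    before = scan(apps, home)
    zip_path = remediate(before, os.path.join(root, "quarantine"))
    with zipfile.ZipFile(zip_path) as z:
        zipped = sorted(z.namelist())
    return {"before": [f.kind for f in before], "after": [f.kind for f in scan(apps, home)], "zipped": zipped}

if __name__ == "__main__":
    print(demo())
```

Running it prints three findings before remediation and none after, with the copied plists and the moved payload in the zip. Note the design choice for the app bundle: the Info.plist is copied to quarantine but left in place with only the DYLD_INSERT_LIBRARIES key removed, since moving it out of Safari.app would break the application, whereas a LaunchAgent plist is the persistence itself and is moved whole.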

  • 82. Re: Dr Web Flashback Virus checker accurate?
    MadMacs0 Level 4 (3,735 points)

    jsd2 wrote:


    The app bundle that can be downloaded contains two scripts, and the first is apparently a newer version of the one at the github site.


    FlashbackRemoval.app/Contents/Resources/RemoveFlashback.sh

    FlashbackRemoval.app/Contents/Resources/Scripts/main.scpt

    Yes, I'm caught up now.


    The AppleScript:


    -- Step 1: Get acceptance of EULA

    -- Step 2: Scan only run of the shell script

    -- Step 3: Ask if user really wants to remove if something was found


    Otherwise give the all clear.

  • 83. Re: Dr Web Flashback Virus checker accurate?
    X423424X Level 6 (14,190 points)

    If it is true what you said about not having the LaunchAgent check when you first downloaded the app, then my only complaint about this is I wish they would version the app (e.g., 1.0, 1.1, etc.) so we could immediately know they have a newer version. Silent updates are inconvenient to track.

    I just checked the Flashback Removal Tool page again and noticed there's a button for comments. So I made a request for them to add a version number (it appears to be waiting for "moderator approval").

  • 84. Re: Dr Web Flashback Virus checker accurate?
    MadMacs0 Level 4 (3,735 points)

    X423424X wrote:


    If it is true what you said about not having the LaunchAgent check when you first downloaded the app, then my only complaint about this is I wish they would version the app (e.g., 1.0, 1.1, etc.) so we could immediately know they have a newer version. Silent updates are inconvenient to track.

    It wasn't F-Secure that had the incomplete shell script; it was the author's postings to github five days ago that were out of date. After I took the time to download and disassemble the app, I figured out that what I previously looked at was out of date. But I do concur about versioning. Weiss has been doing that with his tool, which just went from 1.0.2 to 2.0. Several others are not doing that.

  • 85. Re: Dr Web Flashback Virus checker accurate?
    X423424X Level 6 (14,190 points)

    Ahh, that explains the confusion. I was wondering why you were pointing at the github site. They are all marked as 5 days old there.

  • 86. Re: Dr Web Flashback Virus checker accurate?
    WZZZ Level 6 (12,225 points)

    I'm posting this in this thread since it seems to be one where all the major players might see it.


    I've been trying to help someone in the Leopard forum who says that he had clear signs of the presence of the Trojan and then it inexplicably disappeared. He's run the F-Secure test and X4's commands and he comes up clean. I've recommended he get Little Snitch to see if anything's trying to connect.


    I don't quite know what to recommend now. He could do a laborious reinstall and that might be the safest way to go, but it might be unnecessary. Did this thing delete itself?


    Anyway, here's the thread. Please have a look and see what you think.


    https://discussions.apple.com/thread/3869018?tstart=0

  • 87. Re: Dr Web Flashback Virus checker accurate?
    MadMacs0 Level 4 (3,735 points)

    WZZZ wrote:


    I've been trying to help someone in the Leopard forum who says that he had clear signs of the presence of the Trojan and then it inexplicably disappeared.

    Yes, I saw this last night and remembered the case, as I believe there have only been two Leopard infections discussed in the forum. I even tracked down the previous discussion, https://discussions.apple.com/thread/3846648 back on April 1, to see if I could spot anything. One guess is that he went to one of the links we gave him at the time and did something to delete the DYLD_INSERT_LIBRARIES evidence and perhaps more, but forgot what he had done way back then. The only other possibility I can come up with is that the backdoor attempted an update and terminated the infection for whatever reason. At the time we thought it was the "I" variant, as we were just discovering "K" (F-Secure had not even published the "K" information), and we don't know the date of infection. As far as I can tell the F-Secure test would have picked up signs of either, including the LaunchAgent that triggers the bot transponder in "K". If it somehow missed that, then Little Snitch should tell him. I didn't know what to tell him, either.

  • 88. Re: Dr Web Flashback Virus checker accurate?
    WZZZ Level 6 (12,225 points)

    Thanks. I didn't realize he was the author of that earlier thread also. I guess it's a crap shoot.

  • 89. Re: Dr Web Flashback Virus checker accurate?
    X423424X Level 6 (14,190 points)

    There is nothing more I can add to what MadMacs0 said. I don't think I was tracking the Leopard forums at the time the OP posted.
