
Dr Web Flashback Virus checker accurate?

16366 Views 100 Replies Latest reply: Apr 22, 2012 12:44 AM by Ramón Tech
  • duderRama Level 1 (15 points)
    Apr 12, 2012 1:16 PM (in response to etresoft)

    etresoft wrote:

    jo823 wrote:

    I did download Little Snitch, but was wondering if anyone felt the need to run an Anti-Virus program on their Macs as well? I didn't get one initially because everyone at the Apple Store said it wasn't necessary, but this latest experience has me second-guessing myself. Any recommendations?

    I don't even run anti-virus on Windows.

    This is the first actual malware that I can remember on MacOS X in 12 years. All of the other ones required the user be tricked into installing them. The actual security hole was in Java from 5 years before MacOS X. The actual infection is pitifully easy to remove. Apple has already removed Java from the default installation of the operating system and is taking additional steps to make it more secure in the future. I don't think there is anything to worry about.

    ALWAYS RUN ANTI-VIRUS!!!!!!!!

    A malware attack such as this has even greater odds of success on Mac OS X than it does on a Windows system. The Mac OS X system itself is not less secure or prone to infection than Windows per se, but the Mac culture is conditioned to believe the OS is virtually invulnerable. Fewer users have any security software installed to protect their Mac OS X systems, and Mac OS X users are more likely to click links and open files without thinking twice.

    It doesn’t help anything that Apple perpetuates the myth of invulnerability. It takes time to develop a patch, but as soon as Apple was aware that the threat existed, it should have proactively communicated to Mac OS X users to make them aware. In fact, it should have provided users with instructions to disable Java and mitigate the threat pending a patch to resolve the issue. The fact that it didn’t is probably a contributing factor to why the Flashback botnet is as large as it is.

    It has affected the LARGEST percentage of users of any virus in history. Obviously Windows having 95% share would mean more PCs can be hit by a virus, but percentage-wise, no Windows OS has ever been hit this hard.

    So I would say yes, be worried; don't allow etresoft to trick you into the exact mentality that allowed this virus to breed so heavily in the first place.

  • etresoft Level 7 (23,890 points)
    Apr 12, 2012 1:59 PM (in response to duderRama)

    duderRama wrote:

    ALWAYS RUN ANTI-VIRUS!!!!!!!!

    If you don't run IE or Outlook, and stay behind a hardware NAT like a WiFi router, even Windows isn't going to get any viruses.

    A malware attack such as this has even greater odds of success on Mac OS X than it does on a Windows system. ....

    It has affected the LARGEST percentage of users of any virus in history. Obviously windows having 95% share would mean more pc's can be hit by a virus, but as far as percentage wise, no windows OS has ever been hit this hard.

    That is all preposterous. Have you ever actually used a Windows PC? Recent versions of Windows/IE/Outlook are much better, but a few years ago it would not be unusual to see a single PC infected with dozens of different types of viruses. They would be so deeply embedded that if you removed them, the machine wouldn't work.

    I guess we can start blaming Microsoft for this problem. Since Microsoft has improved the security of recent versions of Windows, people have obviously forgotten what it used to be like - with viruses, spyware, real botnets, and rootkits. I don't think there was ever a piece of Windows malware that was as easy to find and remove as this one. The Flashback issue doesn't even seem to be as big as MacDefender.

  • billynicol
    Apr 12, 2012 5:25 PM (in response to fane_j)

    I see your point, but I am inclined to believe the reports around what the malware is being used for e.g. Schouwenberg says that for now, the hijacked Macs are being used for click fraud, creating Web traffic from the infected machines to boost revenue from pay-per-click and pay-per-impression advertisements. He says there’s no evidence yet that they’re being used for credit card fraud. But like any Trojan, the malware functions as a backdoor on the user’s computer, and can allow new software updates to be downloaded. “They could easily update what they’re doing in the future,” Schouwenberg says.

    from

    http://www.forbes.com/sites/andygreenberg/2012/04/06/researchers-confirm-flashback-trojan-infects-600000-macs-being-used-for-clickfraud/

  • MadMacs0 Level 4 (3,320 points)
    Apr 12, 2012 6:26 PM (in response to billynicol)

    billynicol wrote:

    I see your point, but I am inclined to believe the reports around what the malware is being used for

    I tend to agree, although Intego has been quite convinced from their analysis that privacy information is being collected:

    2/23/12

    Flashback Mac Trojan Horse Infection Increasing with New Variant

    > What this malware does
    >
    > This malware patches web browsers and network applications essentially to search for user names and passwords. It looks for a number of domains – websites such as Google, Yahoo!, CNN; bank websites; PayPal; and many others. Presumably, the people behind this malware are looking for both user names and passwords that they can immediately exploit – such as for a bank website – as well as others that may be reused on different sites. (Hint: don't use the same password for all websites!)
    > ...
    > This malware also has an automatic update module that checks a number of websites for new versions.

    There are numerous examples here in the forum of users being redirected to ad sites and it's clear that has been going on for some time.

    On the other hand, I have not heard from a single infected user in this forum that they were hacked or suffered any type of identity theft since being infected. The only report I've even heard of was during Shawn King's interview with Rich Mogull discussing the Flashback Trojan, during which Rich said that a user reported fraudulent credit card activity shortly after he was infected. I don't think we can conclude much from one such occurrence. So, unless this thing can be tied to what's going on with the iTunes store, it's either very small scale, Intego is wrong, or that's the next shoe to drop.

  • Ramón Tech Level 1 (0 points)
    Apr 21, 2012 9:00 PM (in response to jo823)

    Does anyone know the original file location where backdoor.flashback.39 is stored?

  • MadMacs0 Level 4 (3,320 points)
    Apr 21, 2012 11:14 PM (in response to Ramón Tech)

    Ramón Tech wrote:

    Does anyone know the original file location where backdoor.flashback.39 is stored?

    The original file is a Java applet that is rendered by your browser and exists only in RAM. There should be a copy of it in ~/Library/Caches/Java/cache/6.0/.

    The first file is an updater component. It is dropped in the user's home folder. The filename will always start with a ".".

    A launch point is then created for the updater component in the ~/Library/LaunchAgents folder.

    Locations for the rest of the components depend on whether the user provides an admin password or not.

  • Ramón Tech Level 1 (0 points)
    Apr 21, 2012 11:17 PM (in response to MadMacs0)

    So it is a hidden file?   

  • MadMacs0 Level 4 (3,320 points)
    Apr 21, 2012 11:27 PM (in response to Ramón Tech)

    Ramón Tech wrote:

    So it is a hidden file?

    Yes, with a variety of file names.

  • Ramón Tech Level 1 (0 points)
    Apr 21, 2012 11:45 PM (in response to MadMacs0)

    I did not see any file created or modified after February 23rd 2012 besides .bash_history in my home directory, but in the LaunchAgents folder I only found one file that is a list to a program I don't know about; the file was "com.akamai.single-user-client.plist".

    I am running Mac OS X Lion Server, so I assume that is where that file came from, but it is not com.apple... so I don't know where that file came from, just that it was created on January 21st 2012 and modified/last opened on March 21st 2012.

  • MadMacs0 Level 4 (3,320 points)
    Apr 22, 2012 12:35 AM (in response to Ramón Tech)

    I guess the first question I have is why do you think you might be infected?

    Ramón Tech wrote:

    I did not see any file created or modified after February 23rd 2012 besides .bash_history in my home directory, but in the LaunchAgents folder I only found one file that is a list to a program I don't know about; the file was "com.akamai.single-user-client.plist".

    I am running Mac OS X Lion Server, so I assume that is where that file came from, but it is not com.apple... so I don't know where that file came from, just that it was created on January 21st 2012 and modified/last opened on March 21st 2012.

    January is too early for this variant. Although Dr. Web claims they started seeing it in mid-March, about the earliest we saw was perhaps March 27 or 28.

    I found this reference to "com.akamai.single-user-client.plist": Akamai NetSession Interface, which sounds like it might be something an OS X Server might use. I know that Apple has used Akamai services for file distribution in the past, so chances are it's legit. Use QuickLook to take a look inside by highlighting the file and hitting the space bar. Here's an example of a partial malware LaunchAgent:

      <key>ProgramArguments</key>
      <array>
        <string>~/.skypeup</string>
      </array>
      <key>RunAtLoad</key>
      <true/>
      <key>StartInterval</key>
      <integer>4212</integer>
      <key>StandardErrorPath</key>
      <string>/dev/null</string>
      <key>StandardOutPath</key>
      <string>/dev/null</string>

    Note the reference to ".skypeup"
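A defender-side check for the pattern described in the post above (a LaunchAgent whose ProgramArguments point at a hidden file in the home folder, run at load and on a timer, with output sent to /dev/null), added here as an example and not part of the thread or any vendor tool. The two sample plists are constructed; the benign one uses a made-up program path.

```python
import os
import plistlib

# Constructed sample LaunchAgents (not real files). The first mirrors the
# partial malware agent quoted in the thread (~/.skypeup); the second is a
# hypothetical benign agent whose program path is made up for this example.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.skypeup</string>
  <key>ProgramArguments</key><array><string>~/.skypeup</string></array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>4212</integer>
  <key>StandardErrorPath</key><string>/dev/null</string>
  <key>StandardOutPath</key><string>/dev/null</string>
</dict></plist>"""
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


def agent_findings(plist_bytes):
    """Return the reasons a LaunchAgent matches the updater pattern described
    above: a hidden file in the home folder, run at load and on a timer, with
    its output discarded. An empty list means nothing stood out."""
    d = plistlib.loads(plist_bytes)          # handles XML and binary plists
    args = d.get("ProgramArguments") or []
    program = d.get("Program") or (args[0] if args else "")
    in_home = program.startswith("~/") or program.startswith("/Users/")
    reasons = []
    if in_home and os.path.basename(program).startswith("."):
        reasons.append(f"runs hidden file in home folder: {program}")
    if d.get("RunAtLoad") and "StartInterval" in d:
        reasons.append("RunAtLoad plus StartInterval (persistent re-runs)")
    if d.get("StandardOutPath") == d.get("StandardErrorPath") == "/dev/null":
        reasons.append("stdout and stderr sent to /dev/null")
    return reasons


def scan_launch_agents(directory):
    """Map each .plist in a LaunchAgents folder to its findings."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            with open(os.path.join(directory, name), "rb") as f:
                results[name] = agent_findings(f.read())
    return results
```

On a live machine, `scan_launch_agents(os.path.expanduser("~/Library/LaunchAgents"))` returns the findings per file; an agent like the Akamai one discussed above should come back with an empty list, which is a reason to look it up rather than delete it.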

  • Ramón Tech Level 1 (0 points)
    Apr 22, 2012 12:44 AM (in response to MadMacs0)

    My computer runs apps fine, except recently some of my Java apps have become unstable.
