
Facebook download contains Trojan

3671 Views 37 Replies Latest reply: Apr 30, 2012 4:03 AM by softwater
  • thomas_r. Level 7 (26,980 points)
    Apr 24, 2012 10:01 AM (in response to mvaug10087)

    No problem, such is the life of the malware researcher!  :-)  Deleting it was the sensible thing to do.  It would have been nice to be able to learn from a copy, but honestly, most of the time I never manage to get my hands on a copy of the malware people report seeing.

  • the.pussycat
    Apr 24, 2012 3:30 PM (in response to thomas_r.)

    Hi Thomas,

    Sophos has just advised me that it's found two OSX/FkCodec-A infected files on my MacBook Pro.

    Whether or not they're associated with Facebook, I'm unsure.

    I did order an FB download on 17 January 2012, but I can't remember whether I actually clicked the link on that day, or on 26 January, or on any day.

    The two .dmg images which have been found by Sophos are entitled: "download.dmg" and "download-1.dmg".

    Looking through my user/downloads folder, those two documents are dated 26 January 2012.

    However, it's only now that Sophos has flagged them up, so perhaps the guy who built them was able to change the "Date Created" and "Date Modified" dates on them, to hide the actual date on which they were downloaded.

    Looking through the Google results for OSX/FkCodec-A, they only appear to have started turning up within the last 24 hours, so my suspicion that he altered the DC and DM dates appears to make sense.

    The most worrying part of all this is that whilst I haven't launched ANY new apps within the last few months, during the last 12 hours my MBP has slowed down to an absolute crawl, to such an extent that it appears that the hard drive is about to fail.

    Consequently, I've been backing up with Time Machine, in preparation for a total hard drive wipe and reinstall of the OS, which I was planning to do anyway.

    I've been using Macs since 1989, and during those 23 years, this is the first time I've ever seen any virus, malware, or trojan.

    I take on board that you want to be sent a copy of the .dmg, which I would normally be willing to do.

    However, the strange behaviour during the last 12 hours obliges me to ask the Sophos app to clean up the threat immediately.

    I'm running an MBP A1278 unibody, with 4GB RAM, on 10.6.8.

    Best,

    Michael T
    London, England

  • MadMacs0 Level 4 (3,330 points)
    Apr 24, 2012 4:04 PM (in response to the.pussycat)

    the.pussycat wrote:

    > Hi Thomas,
    >
    > ...
    >
    > I take on board that you want to be sent a copy of the .dmg, which I would normally be willing to do.
    >
    > However, the strange [behavior] during the last 12 hours obliges me to ask the Sophos app to clean up the threat immediately.

    I just want to quickly point out that those .dmg files cannot possibly harm you now. If they were used to install something, then the damage is done.

    I understand your desire to have Sophos clean it up, but I strongly doubt that it will do anything besides dispose of those two files, and none of us will have any way of analyzing them to help you figure out what they did.

  • thomas_r. Level 7 (26,980 points)
    Apr 24, 2012 7:29 PM (in response to the.pussycat)

    I've gotta agree with MadMacs0. A .dmg is not something that can do you any harm unless you open it and install whatever's in it. Deleting them prematurely is like removing evidence from a crime scene; it can really prevent experts from helping you out.

    Also, for anyone else out there who comes across such things, if you don't feel comfortable sending them via email to some stranger like me, you should still submit them to ClamAV and VirusTotal:

    http://www.clamav.net/lang/en/sendvirus/

    https://www.virustotal.com/

  • Caraline
    Apr 24, 2012 8:15 PM (in response to mvaug10087)

    I did a download of my Facebook content two days ago and had no such problem. My download was a zip file that only contained html & text files.

  • the.pussycat Level 1 (10 points)
    Apr 25, 2012 12:34 AM (in response to MadMacs0)

    I agree with both MadMacs0 and Thomas that a .dmg cannot do any harm unless it's opened.

    However, it does seem to be more than a coincidence that my MBP has been exhibiting very odd behaviour during what has now been 24 hours, despite the fact that I did not attempt to launch either one of the two .dmg files.

    Since I instructed Sophos to remove the file, it appears to have disappeared completely from my Mac.

    However, if you can tell me how to retrieve it, I'll be happy to send it to both of you, as well as to clamav and virustotal.

    In view of the fact that this is the first time in 23 years that I've ever found a dodgy file on a Mac, I would not be surprised if thousands of comments are added to this thread within the next week.

    Best,

    Michael T
    London, England

  • softwater Level 5 (5,370 points)
    Apr 25, 2012 7:09 AM (in response to the.pussycat)

    There's a report from a user on the Guardian here

    http://www.guardian.co.uk/news/datablog/2012/apr/22/download-your-data-google-facebook

    saying the same thing. However, I'm not sure if this commenter is the same as any of the contributors to this thread or whether this is a 3rd report of the same infection.

  • MadMacs0 Level 4 (3,330 points)
    Apr 25, 2012 4:05 PM (in response to mvaug10087)

    > I did another scan today and found the .dmg file in backups going back to 19th March. I have followed your instructions and mailed the zipped file to you. Looking forward to hearing what you find.

    Great, I was going to recommend you look there when I had a chance. Be careful how you handle the file on the backup, as you can corrupt it if not done properly. Let me know if it's a TimeMachine backup and I can guide you through it.

    Somebody will get back to you with what was found.

  • MadMacs0 Level 4 (3,330 points)
    Apr 25, 2012 6:47 PM (in response to mvaug10087)

    I took a quick look and it appeared familiar, so I dug this out from the ClamXav Forum: Codec-M - suspicious codec. I remember sending it off for analysis at the time and writing to a couple of sites whose identity I thought had been hijacked to distribute it, but never heard back from either of them. Then things went out of control here with Flashback-K/39 and I lost interest.

    It actually comes with an uninstaller that looks like it might work, but since I can't test it I don't recommend using it at this time. If correct, it involves extensions to Safari, Firefox and Chrome as well as an app in /Applications/ "Codec-M.app". Yes, despite the name Sophos picked, it seems to go by "M", but I found references to both a Codec-A and a Codec-C in searching around the internet.

    I'll be back with details on where to look after I've verified everything.

  • MadMacs0 Level 4 (3,330 points)
    Apr 25, 2012 9:05 PM (in response to mvaug10087)

    Thomas was able to record the results of both an install and an uninstall in a sandboxed account, but he needed to set it aside to get an early start on it in the morning. He should be back with us a few hours from now.

    I've looked over his results and am confident I know where everything was installed and probably where you got it from, but at this time I have no idea what it does or tries to do.

    I ran across another thread here in the ASC from earlier this month: Help removing codec m.

  • MadMacs0 Level 4 (3,330 points)
    Apr 26, 2012 1:43 AM (in response to mvaug10087)

    mvaug10087 wrote:

    > @MadMacs0
    >
    > I checked applications and browser extensions and found nothing out of the ordinary.

    Check Activity Monitor for a process called codecm_uploader. If it's there, the infection is still active; otherwise you should be OK.

    > I manually removed all examples of download.dmg from my time machine backups.

    Hopefully you did that from within TimeMachine with an action of Delete All Backups of "download.dmg". I've known users who forced a delete using the Finder or Terminal and ended up with a totally corrupt backup.

    > I also think I know where it came from having read the other thread you mentioned.

    Do you recall whether or not you installed the Codec at the time?

    The only thing I've found in reading through various descriptions is that the users' home page was changed to something involving whitesmoke.com, which has some negative ratings. I don't know if this is just to get you to that site or if something else could happen to you while you are there.

    Thomas should be back shortly; meanwhile I've got to get out of here...
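The indicators MadMacs0 gives in this post and the one before it (a running codecm_uploader process, an app at /Applications/Codec-M.app, a home page redirected to whitesmoke.com) can be checked without deleting anything, which keeps the evidence intact for the analysis Thomas asks for. The script below is an added example written for this page; it is not code from the thread or from any poster. It assumes Safari of that era stored its start page under the HomePage key of com.apple.Safari and its extensions under ~/Library/Safari/Extensions (neither path is stated in the thread), and it reads process names from `ps -A -o comm=`, one command per line.

```shell
#!/bin/sh
# Added example, not from the thread: read-only triage for the Codec-M
# indicators named in the discussion. Nothing here deletes or changes files.

# Exit 0 when a process whose name is exactly codecm_uploader appears in a
# one-command-per-line listing read from stdin (the `ps -A -o comm=` format).
# Matching on the last path component avoids false hits on names that merely
# contain the string.
has_uploader_process() {
    awk '{ n = split($0, p, "/"); if (p[n] == "codecm_uploader") found = 1 }
         END { exit found ? 0 : 1 }'
}

# Exit 0 when the app bundle the thread names exists under ROOT (default /).
# Pointing ROOT at a mounted backup volume lets you check old snapshots
# without touching the live system.
has_codec_app() {
    root="${1:-/}"
    root="${root%/}"
    [ -d "$root/Applications/Codec-M.app" ]
}

# Exit 0 when a browser start-page value points at whitesmoke.com, the
# hijacked home page several posters report.
homepage_is_whitesmoke() {
    case "$1" in
        *whitesmoke.com*) return 0 ;;
        *)                return 1 ;;
    esac
}

# Run every check against the live machine and print a report; exit status
# is 1 if any indicator was found. The Safari HomePage key and Extensions
# folder are assumptions (not stated in the thread); `defaults` only exists
# on macOS, so the home-page check is skipped elsewhere.
scan_host() {
    status=0
    if ps -A -o comm= | has_uploader_process; then
        echo "ALERT: codecm_uploader is running, so the infection is still active"
        status=1
    else
        echo "ok: no codecm_uploader process"
    fi
    if has_codec_app /; then
        echo "ALERT: /Applications/Codec-M.app is present"
        status=1
    else
        echo "ok: /Applications/Codec-M.app not found"
    fi
    if command -v defaults >/dev/null 2>&1; then
        hp=$(defaults read com.apple.Safari HomePage 2>/dev/null || true)
        if homepage_is_whitesmoke "$hp"; then
            echo "ALERT: Safari home page is set to $hp"
            status=1
        else
            echo "ok: Safari home page is ${hp:-unset}"
        fi
    fi
    # The thread says the codec installs browser extensions but names none,
    # so the Safari extension folder is only listed for manual review.
    if [ -d "$HOME/Library/Safari/Extensions" ]; then
        echo "Safari extensions to review:"
        ls -l "$HOME/Library/Safari/Extensions"
    fi
    return $status
}

# Run the live scan only when invoked with --scan, so the functions can be
# sourced and exercised on their own without touching the host.
if [ "${1:-}" = "--scan" ]; then
    scan_host
fi
```

Run it as `sh codecm_check.sh --scan` on the affected Mac; a clean result from all three checks is what MadMacs0's "otherwise you should be OK" corresponds to, while any ALERT line means the files should be preserved and submitted for analysis rather than cleaned up first.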

  • the.pussycat Level 1 (10 points)
    Apr 26, 2012 3:48 AM (in response to MadMacs0)

    whitesmoke.com becoming my default home page definitely happened within the last couple of weeks, and in fairness, I did do a torrent search, but I can't remember which site I visited.

    Probably PirateBay.

    It all looked dodgy, so I walked away.

  • the.pussycat Level 1 (10 points)
    Apr 26, 2012 3:54 AM (in response to the.pussycat)

    Having asked Sophos to scan my entire hard drive, it's now found another piece of dodgy coding: Mal/JavaImMa-A

    Path and filename:

    /Users/the.pussycat/Library/Caches/Java/cache/6.0/60/332a3d7c-38b94de6,

    /Users/the.pussycat/Library/Caches/Java/cache/javapi/v1.0/jar/jvmsetfi.jar-65fac19c-1025f6fe.zip

    Action available: The threat can be cleaned up.

    Let me know what you want me to do with it.
