crsud process with security update 2013-001

36820 Views 168 Replies Latest reply: Sep 8, 2013 9:10 AM by MadMacs0
  • MadMacs0 Level 4 (3,320 points)
    Mar 17, 2013 7:36 PM (in response to ds store)

    ds store wrote:

    > ClamXav finds W32.Perelett.15399 on my Win 7 VM (Fusion) occasionally.
    >
    > ...
    >
    > I ran a scan and got the malware. Microsoft Security Essentials, ClamWin, MalwareBytes didn't pick it up.
    >
    > This has been going on for a few times now, I just roll back the snapshot and it's gone, allow the older one to connect online and it's there again.

    I can't explain what's going on. There have been several examples of issues when attempting to use ClamAV to look or watch for malware on a VM. Sometimes it's permissions, sometimes apparent false alarms and although I don't recall an instance of non-detection, it is certainly possible.

    So I've been recommending that the VM be excluded and that users install a separate Windows A-V package to cover the VM. Since ClamWin uses the same virus definitions database, one would expect them to have identical results as long as similar options have been selected.

    As to W32.Perelett.15399, I guess I would have to suspect a false positive. I could only locate this analysis on VirusTotal, with just three of 46 scanners recognizing it, no comments and only one vote but on the "good" side. First seen about a year ago and last seen in February. The MD5 hash signature on VT does not match the signature in the ClamAV database. It was added to that database a very long time ago (2003-09-26) with the following entry:

    Submission: 362-web

    Sender: Farit

    Virus: Win32.Stepar.dr

    Added: W32.Perelett.14919

    Added: W32.Perelett.15399

    Not much to go on.

    > Also the Cs2 download, once installed in Win 7, ClamWin picks up Ramnit.
    >
    > So Adobe is hosting malware.

    I found 814 Ramnit definitions, almost all hash definitions, and couldn't even begin to comment on that.

  • MadMacs0 Level 4 (3,320 points)
    Mar 17, 2013 7:41 PM (in response to ds store)

    ds store wrote:

    > Because Apple ... said they did install an anti-malware scanner.

    But they have been saying that since MacDefender days and from the looks of the installer, it still has the same MRT elements that have always been there. It certainly sounds like the same thing that has been distributed with every Security and Java update over the past year that runs once and then deletes itself.

  • andyBall_uk Level 6 (17,515 points)
    Mar 17, 2013 10:09 PM (in response to WZZZ)

    crsud looks at

    https://swscan.apple.com/content/catalogs/others/index-cr-lion-1.sucatalog.gz

    (change lion for snowleopard)

    and finds details of any 'critical' updates… for now, just a SecUpdBase2013-001Test.pkg

    these are then downloaded & installed - in the case of this 'test' package, installing an invisible 2 byte payload at /var/.emptypayload

    the test package also contains a post-install action, which looks at

    https://swscan.apple.com/content/catalogs/others/index-mountainlionseed-1.sucatalog.gz

    and searches for a particular 'part number', downloading it if found… The one looked for by the test package does not exist currently.

    So - looking at WZZZ's screenshot earlier - he's already had that test update silently installed - as did I, on first boot to Lion following the 2013-001 update
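An added example, not code from the thread or from Apple: a small offline audit script that does what this post describes crsud doing, reading a Software Update catalog in the sucatalog plist layout and listing the packages whose .pkm metadata carries the content-type="critical-update" marker, so an administrator can see what a silent installer would pull before enabling automatic installation. The catalog, the .pkm text, the URLs and the pkg-info element name are constructed assumptions.

```python
import plistlib
import re

# Constructed sample catalog in the sucatalog plist layout (not Apple's real catalog);
# the second product is an ordinary update that the audit must not flag.
SAMPLE_CATALOG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict><key>Products</key><dict>
  <key>041-0001</key>
  <dict><key>Packages</key><array><dict>
    <key>URL</key><string>https://example.invalid/SecUpdBase2013-001Test.pkg</string>
    <key>Size</key><integer>2</integer>
    <key>MetadataURL</key><string>https://example.invalid/SecUpdBase2013-001Test.pkm</string>
  </dict></array></dict>
  <key>041-0002</key>
  <dict><key>Packages</key><array><dict>
    <key>URL</key><string>https://example.invalid/OrdinaryUpdate.pkg</string>
    <key>Size</key><integer>1048576</integer>
    <key>MetadataURL</key><string>https://example.invalid/OrdinaryUpdate.pkm</string>
  </dict></array></dict>
</dict></dict>
</plist>
"""

# Constructed stand-ins for the .pkm metadata files. Only the content-type
# attribute comes from the thread; the pkg-info element name is hypothetical.
SAMPLE_PKM = {
    "https://example.invalid/SecUpdBase2013-001Test.pkm":
        '<pkg-info identifier="com.example.test" content-type="critical-update"/>',
    "https://example.invalid/OrdinaryUpdate.pkm":
        '<pkg-info identifier="com.example.ordinary"/>',
}

CRITICAL_RE = re.compile(r'content-type\s*=\s*"critical-update"')

def fetch_metadata(url):
    """Offline stand-in for downloading a .pkm; swap in an HTTP fetch to audit a live catalog."""
    return SAMPLE_PKM.get(url, "")

def find_critical_updates(catalog_bytes, fetch=fetch_metadata):
    """Return [(product_id, package_url, size)] for packages whose metadata is marked
    critical-update, i.e. what a silent installer like crsud would pull in."""
    catalog = plistlib.loads(catalog_bytes)
    hits = []
    for product_id, product in catalog.get("Products", {}).items():
        for pkg in product.get("Packages", []):
            meta_url = pkg.get("MetadataURL")
            if meta_url and CRITICAL_RE.search(fetch(meta_url)):
                hits.append((product_id, pkg["URL"], pkg.get("Size")))
    return hits
```

Pointing fetch_metadata at a real HTTP fetch and the catalog bytes at a decompressed .sucatalog.gz turns this into a check you can run against a live catalog.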

  • andyBall_uk Level 6 (17,515 points)
    Mar 17, 2013 10:15 PM (in response to andyBall_uk)

    as might be expected - the .pkm file for the update contains a section

    content-type="critical-update"

    in addition to all the usual stuff - so it would be possible to have a single Software Update catalog URL, although that's not currently the case from what I've seen.

  • WZZZ Level 6 (11,875 points)
    Mar 18, 2013 5:30 AM (in response to andyBall_uk)

    That's really impressive Andy. I wouldn't know how to begin to get in and find all that stuff and then examine it. Way above my pay grade. That's great information. Thanks. (Sometime, when you have nothing better to do, I'd love to know how you did that.)

    This is interesting:

    /private/var/.emptypayload

    2 bytes with a created and modified of 5/29/12

    I wonder how that arrived, since it pre-dates this current update by many months.

  • andyBall_uk Level 6 (17,515 points)
    Mar 18, 2013 7:59 AM (in response to WZZZ)

    > /private/var/.emptypayload
    >
    > 2 bytes with a created and modified of 5/29/12
    >
    > I wonder how that arrived, since it pre-dates this current update by many months.

    my check was in Lion, which apparently changed the modified date to last night, although the creation date is also May 2012 - either Snow does something slightly different (the test package from cr-snowleopard is the same one) or some other difference between the way it ran on our two systems.

    It was there on your pre-update backup? Likely not, just un-modified during/after install.

  • WZZZ Level 6 (11,875 points)
    Mar 18, 2013 12:16 PM (in response to andyBall_uk)

    Yep, not there on pre-update clone.

  • baltwo Level 9 (59,150 points)
    Mar 18, 2013 1:51 PM (in response to andyBall_uk)

    FWIW, not seeing /var/.emptypayload in my SL or ML boot volumes, both with the latest updates installed. Strange stuff here.

    27" i7 iMac SL, Lion, OS X Mountain Lion (10.8.3), G4 450 MP w/Leopard, 9.2.2
  • andyBall_uk Level 6 (17,515 points)
    Mar 18, 2013 2:07 PM (in response to WZZZ)

    >Sometime, when you have nothing better to do, I'd love to know how you did that

    a passing knowledge of software update & the catalog format / URLs -

    then strings command on crsud, as I suggested to you on the other side,

    then did nothing about it since I figured you or ds would be all over it using Little Snitch.

    saw your screeny showing the test pkg, but carelessly thought it was a rename for testing.

    noticed the crsud.plist for root was altered after Lion update, containing an entry mentioning the same test pkg as your screenshot... so I looked more closely at strings output & found that for now, at least, there's a different URL for critical updates (previously checked the main catalog for 'critical' or anything likely-sounding)

  • andyBall_uk Level 6 (17,515 points)
    Mar 18, 2013 3:09 PM (in response to baltwo)

    Hi Baltwo

    is XProtect disabled on the 10.6.8 Mac? - the strings suggest that crsud won't run if that's so. otherwise check the crsud plist & cache + console for ideas.

    re ML - we know there's no crsud, so perhaps no 'test' package either? I'm not sure what's in place for ML to ensure critical updates.

  • billcole Level 1 (30 points)
    Mar 18, 2013 3:14 PM (in response to MadMacs0)

    MadMacs0 wrote:

    > curl is a common process for transferring data with URL syntax. I see it used by a number of routines with my setup and it has been permanently approved with port 80 for a very long time.

    So why keep using Little Snitch at all?

    There is nothing protecting curl from malicious or surreptitious use and it is a very flexible and powerful tool. It is common practice for software that seeks to operate without being noticed to use common tools (e.g. curl, ssh, etc.) to do things like network access which are often watched, so as to look more like routine activity.

  • baltwo Level 9 (59,150 points)
    Mar 18, 2013 4:26 PM (in response to andyBall_uk)

    andyBall_uk wrote:

    > …is XProtect disabled on the 10.6.8 Mac?

    Not as far as I know. At least I've not disabled it. Do note that both Java and Flash Player are totally up to date.

    > re ML - we know there's no crsud, so perhaps no 'test' package either? I'm not sure what's in place for ML to ensure critical updates.

    I'm not aware of anything except XProtect, which doesn't do any updating, but turns those off. I never do autoupdates of anything, but do keep up to date and manually install all updates.

    27" i7 iMac SL, Lion, OS X Mountain Lion (10.8.3), G4 450 MP w/Leopard, 9.2.2
  • MadMacs0 Level 4 (3,320 points)
    Mar 18, 2013 4:45 PM (in response to baltwo)

    baltwo wrote:

    > FWIW, not seeing /var/.emptypayload in my SL or ML boot volumes, both with the latest updates installed. Strange stuff here.

    Did you check the box for "Automatically install important security updates"? I realize that's not something you would normally do, but it didn't sound like you would get the test package installation unless it was.

  • baltwo Level 9 (59,150 points)
    Mar 18, 2013 5:09 PM (in response to MadMacs0)

    > Did you check the box for "Automatically install important security updates"?

    Never and don't expect to experiment with that.

    27" i7 iMac SL, Lion, OS X Mountain Lion (10.8.3), G4 450 MP w/Leopard, 9.2.2
  • andyBall_uk Level 6 (17,515 points)
    Mar 18, 2013 5:11 PM (in response to MadMacs0)

    good idea - also the crsud.plist should have a last run successfully entry

    the 10.6.8 update here installed emptypayload on first boot - the automatic checkbox was already checked when first seen.

    WZZZ - my 10.6.8 one wasn't modified - showed May 2012 like yours. Something different on Lion, or just this system
