128 Replies. Latest reply: Oct 24, 2011 12:59 PM by MadMacs0
  • MadMacs0 Level 5 Level 5 (4,660 points)

    Sam Beaver wrote:

    > Thanks for the heads up. This install flash thing had popped open earlier today, but never got around to installing it.

    Any luck on a URL for this thing?  We really need to get this thing to the right folks.  It should still be in your browser history.  Send the URL in a message to <makeupanyname>@mailinator.com and let us know what "makeupanyname" is.

  • Linc Davis Level 10 Level 10 (173,125 points)

    If you installed a trojan, as you say you did, and you haven't removed it, then no, you're not safe. I don't know what you installed, nor do I know whether the information being promulgated about one particular trojan (not necessarily the same one) is accurate.

     

    What I would do in your place is to back up my data, erase the startup volume, reinstall the OS, run Software Update, then carefully restore my user files, including only what I recognized as legitimate. I'd also reinstall all my third-party software from fresh downloads or original media.

  • andyBall_uk Level 7 Level 7 (20,490 points)

    >>If you installed a trojan, as you say you did...

     

    Steve didn't say that - just that he had what may be the dmg of a genuine beta of Flash. If Finder doesn't say where it's from, or it's not from adobe/macromedia - then Steve should worry.

  • SteveKir Level 3 Level 3 (545 points)

    Thanks. Will do.

     

    Final question: Do you know what the risks are? E.g., keyboard logging (which must be the most dangerous), corrupting system files, email or internet snooping, etc. etc.

  • WZZZ Level 6 Level 6 (12,775 points)

    SteveKir wrote:

    > Thanks. Will do.
    >
    > Final question: Do you know what the risks are? E.g., keyboard logging (which must be the most dangerous), corrupting system files, email or internet snooping, etc. etc.

    I don't think anyone knows just yet. It's only just now being analyzed. Intego seems to be one of the first to the game. Maybe Intego will give an update.

     

    There hasn't been an XProtect update since the 24th, which was for the OSX Revir.A Trojan. So I don't think Apple has included this yet.

  • SteveKir Level 3 Level 3 (545 points)

    andyBall_uk wrote:

    > If Finder doesn't say where it's from..

     

    So how can I use Finder to discover where it is from? Get Info does not show that. It often includes a copyright reference, although a producer of malware could do that.

  • Király Level 6 Level 6 (9,595 points)

    Hi Ralph,

     

    The easiest way to get rid of it is to restore the last full system backup that was made before the "oops" moment.  Had you been using Time Machine?  If not, what other recent backups do you have? 

  • MaryThomas Level 1 Level 1 (30 points)

    > What I would do in your place is to

    > back up my data,

    > erase the startup volume,

     

    In Disk Utility? Erase the drive ABOVE where it says Macintosh HD?

     

    > reinstall the OS,

     

    How does one do that with a 2011 MacBook Air? Information I found about Lion Recovery

    http://support.apple.com/kb/HT4718

    requires a wifi connection as does loading it remotely from a DVD in my mac mini. Doesn't the trojan require wifi to access an infected computer? (I don't have a DVD or thumb drive with Lion on it since I bought it from the Mac App Store.)

     

    > run Software Update, then carefully restore my user files, including only what I recognized as legitimate. I'd also

    > reinstall all my third-party software from fresh downloads or original media.

     

    This is the easy part...

     

    Thanks for any help anyone can provide.

  • WZZZ Level 6 Level 6 (12,775 points)

    SteveKir wrote:

    > andyBall_uk wrote:
    >
    > > If Finder doesn't say where it's from..
    >
    > So how can I use Finder to discover where it is from? Get Info does not show that. It often includes a copyright reference, although a producer of malware could do that.

    Get EasyFind.

     

    http://www.devon-technologies.com/download/index.html

  • andyBall_uk Level 7 Level 7 (20,490 points)

    the OS should record 'where from' & display it in get-info.

    If you can't verify it by checking your browser history - then without checking the dmg, you might have a problem.
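The "where from" value that Get Info shows is stored by macOS in the extended attribute com.apple.metadata:kMDItemWhereFroms, as a binary plist holding an array of strings (the download URL, then the referring page). The script below, added here as an illustration and not part of the thread, decodes that attribute and reports whether the recorded origin is a host the poster would trust (adobe/macromedia, as named above). The attribute values it runs against are constructed samples with placeholder URLs; reading the attribute from a real file needs macOS's xattr tool, and the assumed "-x" hex-output flag is noted in the code.

```python
import plistlib
import subprocess
from urllib.parse import urlparse

WHEREFROMS_ATTR = "com.apple.metadata:kMDItemWhereFroms"

# Hosts a genuine Flash Player download would be expected to come from
# (the thread names adobe/macromedia); any subdomain of these also counts.
TRUSTED_HOSTS = ("adobe.com", "macromedia.com")


def decode_wherefroms(raw: bytes) -> list:
    """Decode the binary-plist attribute value into a list of URL strings.

    An empty attribute means the OS never recorded an origin, which is the
    case the thread warns about: the file cannot be vouched for this way.
    """
    if not raw:
        return []
    value = plistlib.loads(raw)  # plistlib detects the binary format itself
    return [str(u) for u in value] if isinstance(value, list) else []


def read_wherefroms(path: str) -> list:
    """Read the attribute from a real file (macOS only).

    Shells out to xattr with -p (print) and -x (assumed: force hex output) so
    the binary plist survives the round trip through a text pipe.
    """
    out = subprocess.run(
        ["xattr", "-p", "-x", WHEREFROMS_ATTR, path],
        capture_output=True, text=True, check=False,
    )
    if out.returncode != 0:
        return []  # attribute absent, or xattr not available on this system
    return decode_wherefroms(bytes.fromhex("".join(out.stdout.split())))


def host_is_trusted(url: str, trusted=TRUSTED_HOSTS) -> bool:
    """True only if the host is a trusted domain or a subdomain of one.

    A look-alike such as adobe.com.evil.example does not qualify, because the
    comparison is on the full host name, not a substring.
    """
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in trusted)


def assess(urls: list) -> str:
    """Summarise what the recorded origin tells a defender."""
    if not urls:
        return "no origin recorded: verify against browser history before trusting"
    if host_is_trusted(urls[0]):
        return "downloaded from a trusted host: " + urls[0]
    return "downloaded from an untrusted host: " + urls[0]


def make_sample_attr(urls: list) -> bytes:
    """Build a constructed attribute value in the same binary-plist form the
    OS writes, so the decoder can be exercised without a Mac."""
    return plistlib.dumps(urls, fmt=plistlib.FMT_BINARY)


# Constructed sample values: placeholder URLs, not real download locations.
SAMPLE_GENUINE = make_sample_attr(
    ["https://download.adobe.com/flashplayer_beta.dmg", "https://labs.adobe.com/"])
SAMPLE_SUSPECT = make_sample_attr(
    ["http://flash-update.example/FlashPlayer.pkg", "http://flash-update.example/"])

if __name__ == "__main__":
    for label, raw in (("genuine", SAMPLE_GENUINE), ("suspect", SAMPLE_SUSPECT), ("blank", b"")):
        print(label, "->", assess(decode_wherefroms(raw)))
```

On a Mac, `assess(read_wherefroms("/path/to/installer.dmg"))` gives the same three-way verdict for a real download; the "no origin recorded" case is the one where the thread's advice to check the browser history applies.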

  • jsd2 Level 5 Level 5 (6,200 points)

    It looks as if Apple just added this trojan to its malware-detection quarantine feature, which should help protect against future infection.

    I just looked at

     

    /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

     

    with a property list editor, and found

    [Screenshot: Screen Shot 2011-09-27 at 5.59.02 PM.png, showing the new XProtect.plist entry]

    The file was last modified today.
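Rather than opening XProtect.plist in a property list editor, the same check can be scripted: list the definitions it contains, look for a named one, and see how recently the file changed. The script below is an added example, not the poster's work or Apple's. The embedded sample file is constructed; its layout (an array of entries, each with a Description, a LaunchServices content type and one or more Matches carrying a hex Pattern) follows my recollection of the 2011-era file and should be treated as an assumption, and the pattern bytes are placeholders. The path is the one quoted in the post.

```python
import os
import plistlib
import time

# Definitions file path quoted in the thread (Snow Leopard / Lion era).
XPROTECT_PLIST = "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist"

# Constructed stand-in for XProtect.plist; structure assumed, patterns are placeholders.
SAMPLE_XPROTECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>OSX.Revir.A</string>
    <key>LaunchServices</key>
    <dict><key>LSItemContentType</key><string>com.apple.application-bundle</string></dict>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchFile</key>
        <dict><key>NSURLTypeIdentifierKey</key><string>public.unix-executable</string></dict>
        <key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>DEADBEEF</string>
      </dict>
    </array>
  </dict>
  <dict>
    <key>Description</key><string>OSX.Placeholder.B</string>
    <key>LaunchServices</key>
    <dict><key>LSItemContentType</key><string>com.apple.installer-package-archive</string></dict>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>CAFEBABE</string>
      </dict>
    </array>
  </dict>
</array>
</plist>
"""


def load_definitions(data: bytes) -> list:
    """Return one summary dict per XProtect entry: definition name, the
    content type it applies to, and how many byte patterns it matches on."""
    entries = plistlib.loads(data)
    summary = []
    for entry in entries:
        summary.append({
            "name": entry.get("Description", "?"),
            "content_type": entry.get("LaunchServices", {}).get("LSItemContentType", "?"),
            "patterns": len(entry.get("Matches", [])),
        })
    return summary


def has_definition(defs: list, name: str) -> bool:
    """Case-insensitive check for a named definition (e.g. a newly added trojan)."""
    return any(d["name"].lower() == name.lower() for d in defs)


def hours_since(mtime: float, now: float) -> float:
    """Elapsed hours between a modification timestamp and 'now'."""
    return (now - mtime) / 3600.0


def file_age_hours(path: str) -> float:
    """Hours since the definitions file last changed; the post used 'modified
    today' as the sign that Apple had just pushed an update."""
    return hours_since(os.stat(path).st_mtime, time.time())


if __name__ == "__main__":
    if os.path.exists(XPROTECT_PLIST):
        with open(XPROTECT_PLIST, "rb") as fh:
            defs = load_definitions(fh.read())
        print(f"{XPROTECT_PLIST} modified {file_age_hours(XPROTECT_PLIST):.1f} hours ago")
    else:
        defs = load_definitions(SAMPLE_XPROTECT)  # not on a Mac: use the sample
    for d in defs:
        print(f"{d['name']:<24} {d['content_type']:<40} patterns={d['patterns']}")
```

On later macOS versions the definitions moved to a different bundle, so treat the path as the 2011 location rather than a universal one.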

  • WZZZ Level 6 Level 6 (12,775 points)

    Thanks. I booted up early this morning and it hadn't yet been distributed. That's good to know that Apple appears to be staying on top of all the latest emerging malware. I was kind of skeptical at first, thinking it was mainly a PR response to the MacDefender episode.

     

    (Off topic, but I replied to you here about preventing Flash Cookies.)

  • MadMacs0 Level 5 Level 5 (4,660 points)

    SteveKir wrote:

    > Do you know what the risks are? E.g., keyboard logging (which must be the most dangerous), corrupting system files, email or internet snooping, etc. etc.

    All we think we know is in the Intego announcement "Mac Flashback Trojan Horse Masquerades as Flash Player Installer Package", where they say "Intego’s security researchers are analyzing the injected code and we will issue more information as soon as possible."

  • WZZZ Level 6 Level 6 (12,775 points)

    Steve, I wouldn't be in a mad rush to erase and reinstall. Wait until there's a full analysis and then run one of the AVs. Maybe MadMacs0 will let us know as soon as ClamX has cataloged it.

  • MadMacs0 Level 5 Level 5 (4,660 points)

    Actually, Intego just posted an update, "More About the Flashback Trojan Horse", in which they reveal how sophisticated the code is, but nothing more about what it installs where nor how to remove it. Currently it appears that all it does is upload information about your hardware ID, whether Intel or PPC, and what version of Mac OS X you are running. It is capable of updating itself and downloading additional software, but is currently not doing this.
