Ralph Deen

Q: new malware disguised as flash installer

I'm a dummy....fell for the ruse, any ideas on how to get rid of this new malware?  thanks

iMac, Mac OS X (10.6.8)

Posted on Sep 27, 2011 7:45 AM


Page 6 of 9
  • pcbjr (Level 2, 282 points, Mac OS X), Sep 28, 2011 11:38 AM, in response to Louie Sherwin

    See a bunch of stuff, but no .MacOSX

    Is the command a 1 or I (one or capital I)?

    This is all I get:

        .                       .crash_report_frames   Movies
        ..                      .crash_report_preview  Music
        .CFUserTextEncoding     .cups                  Pictures
        .DS_Store               Desktop                Public
        .Trash                  Documents              Sites
        .bash_history           Downloads
        .crash_report_checksum  Library

  • Linc Davis (Level 10, 208,037 points, Applications), Sep 28, 2011 11:38 AM, in response to pcbjr

    Files with names that begin with a "." (period) are hidden in the Finder. Launch the Terminal application and copy or drag -- do not type -- the following text into the window, then press return:

        rm -r .MacOSX

    You can then quit Terminal.

  • pcbjr (Level 2, 282 points, Mac OS X), Sep 28, 2011 11:45 AM, in response to Linc Davis

    Did that and get only this:

        $ rm -r .MacOSX
        rm: .MacOSX: No such file or directory

  • cathy fasano (Level 2, 350 points, Mac OS X), Sep 28, 2011 11:46 AM, in response to Linc Davis

    Don't go telling people to delete their .MacOSX directory.  I have a completely legit environment.plist file in mine, from 2007 -- it contains this code:

        % cat ~/.MacOSX/environment.plist
        <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
        <plist version="1.0">
        <dict>
            <key>PATH</key>
            <string>/sw/bin:/sw/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin</string>
        </dict>
        </plist>

  • Linc Davis (Level 10, 208,037 points, Applications), Sep 28, 2011 11:51 AM, in response to pcbjr

    pcbjr wrote:

        No such file or directory

    Then it's already gone, or was never there.

  • Louie Sherwin (Level 1, 0 points), Sep 28, 2011 11:54 AM, in response to Linc Davis

    Linc Davis wrote:

            @Linc - see the pkg at mailinator, I've sent the url again.

        Thanks. The installer does not need root privileges to run. The BOM file contains only an empty text file; the payload is entirely contained in the "preinstall" executable, which in this case is a binary. It installs the files listed below, attempts to disable "Little Snitch" (if present), loads a launchd job, and relaunches Safari and Firefox.

        Here is a complete list of the files installed:

        1. .MacOSX/environment.plist
        2. Library/LaunchAgents/com.apple.SystemUI.plist
        3. Library/Preferences/perflib
        4. Library/Preferences/Preferences.dylib
        5. Library/Logs/swlog

    Thanks Linc,

    It seems that file 5 is replaced by a text file "softwareupdate" or I was infected by a slightly different variant. This file I found in the Logs directory had two hex strings and was created on the day I was infected and modified one day later.

    -louie

    Message was edited by: Louie Sherwin
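A small triage script, added here as an example and not posted by anyone in the thread: it checks a home directory for the five paths Linc Davis lists plus the "softwareupdate" file Louie reports in place of swlog, and moves any hit into a quarantine directory instead of running rm, so the samples survive for analysis and the step can be undone. The function names and the fake home directory the demo builds in a temporary folder are this example's own; the placeholder file contents are constructed, not the real payload.

```python
import os
import shutil
import tempfile

# Relative to the victim's home directory. The first five are the paths Linc
# Davis listed from the package's preinstall payload; the sixth is the
# "softwareupdate" log Louie Sherwin found instead of swlog.
DROPPED_FILES = (
    ".MacOSX/environment.plist",
    "Library/LaunchAgents/com.apple.SystemUI.plist",
    "Library/Preferences/perflib",
    "Library/Preferences/Preferences.dylib",
    "Library/Logs/swlog",
    "Library/Logs/softwareupdate",
)


def find_dropped_files(home):
    """Return the entries of DROPPED_FILES present under home (symlinks count too)."""
    return [rel for rel in DROPPED_FILES if os.path.lexists(os.path.join(home, rel))]


def quarantine_dropped_files(home, quarantine_dir):
    """Move every hit out of home into quarantine_dir, keeping the relative path.

    On a real Mac unload the agent first
    (launchctl unload ~/Library/LaunchAgents/com.apple.SystemUI.plist) and then
    quit Safari and Firefox, which the installer relaunched with the dylib
    already loaded; moving files does not evict code from running processes.
    """
    moved = []
    for rel in find_dropped_files(home):
        src = os.path.join(home, rel)
        dst = os.path.join(quarantine_dir, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.move(src, dst)
        moved.append(rel)
    return moved


def build_sample_home(root, infected):
    """Constructed fixture: a fake home directory, optionally with the dropped files."""
    for d in ("Desktop", "Documents", "Library/Preferences", "Library/Logs"):
        os.makedirs(os.path.join(root, d), exist_ok=True)
    if infected:
        for rel in DROPPED_FILES[:5]:  # the variant reported by Linc
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(b"constructed placeholder, not the real payload\n")
    return root


def demo():
    """Run the sweep against an infected and a clean fixture; return what happened."""
    root = tempfile.mkdtemp(prefix="flash_triage_")
    victim = build_sample_home(os.path.join(root, "victim"), infected=True)
    clean = build_sample_home(os.path.join(root, "clean"), infected=False)
    result = {
        "victim_hits": find_dropped_files(victim),
        "clean_hits": find_dropped_files(clean),
    }
    result["moved"] = quarantine_dropped_files(victim, os.path.join(root, "quarantine"))
    result["victim_hits_after"] = find_dropped_files(victim)
    result["quarantined_dylib"] = os.path.isfile(
        os.path.join(root, "quarantine", "Library/Preferences/Preferences.dylib"))
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

To run it against a real account, call find_dropped_files(os.path.expanduser("~")) and, only after reviewing the list, quarantine_dropped_files with a directory outside the home folder. A clean result from this list alone is not proof of a clean machine: Louie's post already shows the file set varies between variants.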

  • Linc Davis (Level 10, 208,037 points, Applications), Sep 28, 2011 11:58 AM, in response to cathy fasano

    cathy fasano wrote:

        Don't go telling people to delete their .MacOSX directory.

    Why not?

        I have a completely legit environment.plist file in mine, from 2007 -- it contains this code...

    Which belongs in your shell initialization file, not in the file that sets the environment for all launchd sub-processes. In any case, the trojan replaces the existing file.

  • andyBall_uk (Level 7, 20,495 points), Sep 28, 2011 12:03 PM, in response to Linc Davis

    >> File 1 is an empty plist, merely a placeholder at this stage, apparently.

    not here: it had the following content

        <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
        <plist version="1.0">
        <dict>
            <key>DYLD_INSERT_LIBRARIES</key><string>/Users/xyz/Library/Preferences/Preferences.dylib</string>
        </dict>
        </plist>
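Added example, not code from anyone in the thread: it parses the three environment.plist files posted above with Python's plistlib and tells the harmless ones (cathy fasano's PATH, MadMacs0's QDTEXT keys) from the one the installer wrote. Through Mac OS X 10.7, launchd read ~/.MacOSX/environment.plist at login and exported its keys into every process of the session, so a DYLD_INSERT_LIBRARIES entry there loads the named dylib into every application the user starts; that is the mechanism behind Linc's warning that the file sets the environment for all launchd sub-processes. The fourth sample, with a relative PATH element, is constructed for illustration; "xyz" in the third is the poster's own redaction; the function and constant names are this example's own.

```python
import plistlib

# Variables dyld honours when a process starts. Set login-wide they reach every
# process of the session; the trojan relies on the first one.
DYLD_KEYS = {
    "DYLD_INSERT_LIBRARIES",
    "DYLD_LIBRARY_PATH",
    "DYLD_FRAMEWORK_PATH",
    "DYLD_FORCE_FLAT_NAMESPACE",
}

PLIST_HEAD = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" '
    '"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    '<plist version="1.0">\n<dict>\n'
)
PLIST_TAIL = "</dict>\n</plist>\n"


def make_plist(*pairs):
    """Build the XML of an environment.plist from (key, value) string pairs."""
    body = "".join(f"    <key>{k}</key><string>{v}</string>\n" for k, v in pairs)
    return (PLIST_HEAD + body + PLIST_TAIL).encode("utf-8")


SAMPLES = {
    # As posted by cathy fasano.
    "cathy_fasano": make_plist(
        ("PATH", "/sw/bin:/sw/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin")),
    # As posted by MadMacs0.
    "MadMacs0": make_plist(("QDTEXT_ANTIALIASING", "1"), ("QDTEXT_MINSIZE", "12")),
    # As posted by andyBall_uk: the file the installer wrote.
    "andyBall_uk": make_plist(
        ("DYLD_INSERT_LIBRARIES", "/Users/xyz/Library/Preferences/Preferences.dylib")),
    # Constructed for this example, not from the thread.
    "constructed_relative_path": make_plist(("PATH", ".:/usr/bin:/bin")),
}


def analyze_environment_plist(raw):
    """Classify one environment.plist given as bytes (XML or binary plist)."""
    env = plistlib.loads(raw)
    if not isinstance(env, dict):
        raise ValueError("environment.plist must hold a single dict")
    injected, dyld_keys, suspicious, other = [], [], [], []
    for key, value in env.items():
        value = str(value)
        if key in DYLD_KEYS:
            dyld_keys.append(key)
            if key == "DYLD_INSERT_LIBRARIES":
                # Colon-separated list of dylibs loaded into every process.
                injected.extend(p for p in value.split(":") if p)
        elif key == "PATH":
            # An empty or relative element resolves against the current
            # directory, so a dropped binary there can shadow a system tool.
            if any(not p.startswith("/") for p in value.split(":")):
                suspicious.append(key)
            else:
                other.append(key)
        else:
            other.append(key)
    if dyld_keys:
        verdict = "injection"
    elif suspicious:
        verdict = "review"
    else:
        verdict = "no_injection"
    return {
        "verdict": verdict,
        "injected_libraries": injected,
        "dyld_keys": sorted(dyld_keys),
        "suspicious_keys": sorted(suspicious),
        "other_keys": sorted(other),
    }


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, analyze_environment_plist(raw))
```

On a live system feed it the bytes of ~/.MacOSX/environment.plist (open the path with "rb"; plistlib.loads also accepts the binary format). A "no_injection" verdict only says no dyld variable is set; it does not argue against Linc's advice to delete a file you did not knowingly create, since the trojan overwrites whatever was there.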

     

  • MadMacs0 (Level 5, 4,801 points), Sep 28, 2011 12:00 PM, in response to cathy fasano

    cathy fasano wrote:

        I have a completely legit environment.plist file in mine, from 2007

    As do I, but it's from 2005 and contains:

        <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
        <plist version="1.0">
        <dict>
            <key>QDTEXT_ANTIALIASING</key>
            <string>1</string>
            <key>QDTEXT_MINSIZE</key>
            <string>12</string>
        </dict>
        </plist>

  • cathy fasano (Level 2, 350 points, Mac OS X), Sep 28, 2011 12:03 PM, in response to Ralph Deen

    Does anybody else have an application 'Adobe Flash Player Install Manager' in their /Applications/Utilities directory?  Mine was installed there Sep 21, 2011 at 10:17 AM, while the install_flash_player_osx_intel.dmg in my downloads directory is timestamped Sep 21, 2011 at 10:06 AM

  • Linc Davis (Level 10, 208,037 points, Applications), Sep 28, 2011 12:07 PM, in response to MadMacs0

    That file is really intended only for developers to use while testing. It would be a good idea, in my opinion, for anyone who doesn't know he needs the file to delete it.

  • Linc Davis (Level 10, 208,037 points, Applications), Sep 28, 2011 12:10 PM, in response to cathy fasano

    cathy fasano wrote:

        Does anybody else have an application 'Adobe Flash Player Install Manager' in their /Applications/Utilities directory?

    Not part of the trojan, at least not the one I saw.

  • cathy fasano (Level 2, 350 points, Mac OS X), Sep 28, 2011 1:03 PM, in response to Linc Davis

    Thanks, Linc, I am becoming pretty confident that the Flash upgrading itself activity I have been seeing is legitimate "automatic update" behavior, and not malware.  So I've turned off automatic update and consider myself lucky that I dodged this bullet.

  • WZZZ (Level 6, 13,112 points, Mac OS X), Sep 28, 2011 1:10 PM, in response to cathy fasano

    Don't turn off automatic update. If you get a notice to update it may be real and by turning off auto update you may not realize there's an update for quite some time. Many, if not most, of the Flash updates are patches for "critical" vulnerabilities, which appear relentlessly.

    Of course, don't click on any link provided by an update notification. But use the notification to visit the Adobe site to see if there really is an update.

    You can easily check for updates in the Advanced panel of the Flash Player Preference Pane in Sys Prefs.

  • cathy fasano (Level 2, 350 points, Mac OS X), Sep 28, 2011 1:47 PM, in response to WZZZ

    I installed the update that I downloaded from the Adobe site, and my version went from 10.3.183.7 to 10.3.183.10.  Turned automatic update back on, and have now resolved that when the auto updates appear I'll kill them and head for the Adobe site and do the update manually.
