128 Replies. Latest reply: Oct 24, 2011 12:59 PM by MadMacs0
  • Shirley Drabble1 Level 3 Level 3 (975 points)

    I have auto updates turned on to check but I have final say when I look at the details so every week I get that reminder.

    I find that is the best way, especially when I had some old software I had not got around to deleting; I have since done that. BUT I feel safer doing it this way.

  • WZZZ Level 6 Level 6 (12,635 points)

    That's what I meant. Get the update notification. Then do the update manually. The option I'm referring to is only to Check for updates automatically. I never update anything automatically.

  • cathy fasano Level 2 Level 2 (340 points)

    The problem is that this wicked little piece of malware showed a flaw of that strategy (which, nonetheless, I think is still the best way to go). We've got our users' machines locked down pretty tight so that if they try to accept REAL updates they won't get past the step where they need the Administrator's password. But since this one only infects the user's own personal account, writing to files that the user has access to, a naive user is not protected against it.

     

    The real automatic updates, which fail for non-priv'd users, desensitize them so that they don't come get me when the panel comes up.  And they will always hit "OK" to dismiss any panel -- even if the panel says "Start global thermonuclear now?"

  • andyBall_uk Level 7 Level 7 (20,495 points)

    Cathy - can you restrict user access by disallowing access to the installer bundle/folder in CoreServices?

    Don't know if it works - but it seems to.

  • MadMacs0 Level 5 Level 5 (4,415 points)

    Linc Davis wrote:

    >>@Linc - see the pkg at mailinator, I've sent the URL again.

    Thanks.

    Linc,

     

    As you will recall, the site would not download the package to me, but a colleague was successful in doing so and I just wanted to compare some basic notes.

     

    The file is named "FlashPlayer-11-macos.pkg". The MD5 hash is c2819c3c183bbf7547cf76c6a004ea15 which does not match the ClamXav signature nor either of the ones Apple published in yesterday's XProtect update.

     

    I uploaded it to VirusTotal and none of the 43 AV scanners identified it as anything.  A second person has since uploaded the identical file with the same results.

     

    Checking it in Pacifist was pretty much a waste of time, but everything I was able to inspect seems to match your results. 

     

    One other thing that my colleague passed on as being unusual was that he used Safari to download the file, which should have automatically given it the Apple quarantine label. He manually updated XProtect before attempting to launch it (he was aware of what it was and stopped at the install step) but was never given a red alert by XProtect (probably because the signatures don't match), nor did he receive the standard yellow alert that he was attempting to open something downloaded from the Internet.

  • Linc Davis Level 10 Level 10 (147,235 points)

    >>Checking it in Pacifist was pretty much a waste of time, but everything I was able to inspect seems to match your results.

    The installer package is obfuscated. As I wrote earlier, the only working part of it is the preinstall script (actually a binary).

     

    >>...nor did he receive the standard yellow alert that he was attempting to open something downloaded from the Internet.

    I can't think of a good explanation for that. I'm unable to confirm because I disabled those warnings.

  • BradenThomas Level 1 Level 1 (0 points)

    Can someone please send the source URL back to flashbacktrojan mailinator? Thanks!

  • andyBall_uk Level 7 Level 7 (20,495 points)

    >>The MD5 hash is c2819c3c183bbf7547cf76c6a004ea15

    Same here

     

    >>Checking it in Pacifist was pretty much a waste of time...

    Easy to see the environment.plist & DYLD_INSERT_LIBRARIES in preinstall.

    & yes to Safari/XProtect not picking it up.
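The two indicators the posters above compare notes on are a package MD5 (MadMacs0's c2819c3c183bbf7547cf76c6a004ea15) and a per-user environment.plist that sets DYLD_INSERT_LIBRARIES, plus the missing quarantine label on the Safari download. The script below is an added example, not code from the thread or from any of the tools it names; it checks all three from the defender's side. Assumptions: the only known-bad hash in its list is the one posted here (XProtect's published hashes are not on this page), the per-user plist lives at ~/.MacOSX/environment.plist, and the demo files it creates in a temp directory are constructed so it can run offline on any POSIX shell; the quarantine check needs xattr(1) and reports "unavailable" elsewhere.

```shell
#!/bin/sh
# Added example (not from the thread): defender-side checks for the indicators
# discussed above. Paths, the plist shape and the demo files are assumptions.

# Known-bad MD5s, space separated. Only the hash posted in the thread is listed;
# add the ones XProtect publishes as they become available.
KNOWN_BAD_MD5="c2819c3c183bbf7547cf76c6a004ea15"

# Portable MD5 of a file: Linux has md5sum, macOS has `md5 -q`.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# pkg_is_known_bad FILE [HASHLIST] -> 0 if FILE's MD5 is in the list, else 1.
# A miss proves nothing: the thread shows the hash changing between samples.
pkg_is_known_bad() {
    hash=$(file_md5 "$1")
    list="${2:-$KNOWN_BAD_MD5}"
    for bad in $list; do
        [ "$hash" = "$bad" ] && return 0
    done
    return 1
}

# env_plist_injects [PLIST] -> 0 if the user's environment.plist sets
# DYLD_INSERT_LIBRARIES (no admin rights needed to write it), else 1.
env_plist_injects() {
    plist="${1:-$HOME/.MacOSX/environment.plist}"
    [ -f "$plist" ] || return 1
    grep -q 'DYLD_INSERT_LIBRARIES' "$plist"
}

# has_quarantine_flag FILE -> 0 if com.apple.quarantine is set, 1 if not,
# 2 when xattr(1) is unavailable (non-macOS host).
has_quarantine_flag() {
    command -v xattr >/dev/null 2>&1 || return 2
    xattr -p com.apple.quarantine "$1" >/dev/null 2>&1
}

# --- constructed demo data so the script runs offline ---
DEMO=$(mktemp -d)
cat > "$DEMO/environment.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/demo/.example-injected.dylib</string>
</dict>
</plist>
EOF
printf '<plist version="1.0"><dict></dict></plist>\n' > "$DEMO/clean.plist"
printf 'not the real package\n' > "$DEMO/FlashPlayer-11-macos.pkg"
printf 'hello' > "$DEMO/hello"   # md5 5d41402abc4b2a76b9719d911017c592

# Print a short report for the demo files.
report() {
    if env_plist_injects "$DEMO/environment.plist"; then
        echo "WARNING: $DEMO/environment.plist sets DYLD_INSERT_LIBRARIES"
    fi
    if pkg_is_known_bad "$DEMO/FlashPlayer-11-macos.pkg"; then
        echo "WARNING: package MD5 matches a known-bad hash"
    else
        echo "package MD5 not in the known-bad list (not proof it is clean)"
    fi
    rc=0; has_quarantine_flag "$DEMO/FlashPlayer-11-macos.pkg" || rc=$?
    case $rc in
        0) echo "package carries com.apple.quarantine (Gatekeeper prompt expected)" ;;
        1) echo "WARNING: downloaded package has no quarantine label" ;;
        *) echo "quarantine check unavailable on this host" ;;
    esac
}
report
```

Run it as-is to see the report on the constructed files; on a real Mac, call env_plist_injects with no argument to inspect the logged-in user's own plist, and pass the downloaded .pkg to pkg_is_known_bad and has_quarantine_flag. A missing quarantine label explains exactly the symptom MadMacs0's colleague saw: without it, neither the yellow "downloaded from the Internet" prompt nor the XProtect check runs.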

  • MadMacs0 Level 5 Level 5 (4,415 points)

    BradenThomas wrote:

    >>Can someone please send the source URL back to flashbacktrojan mailinator?

    It's there now.

  • Shirley Drabble1 Level 3 Level 3 (975 points)

    Every time I try to scan with my ClamXav it crashes.

    I have other odd things happening too; is this trojan likely to be responsible?

    Do I have to buy Intego to get a fix as someone reported they now have a fix for it?

    How much is it?

    Help.

    I have done lots of my banking online in the last few days.

    Now really worried.

    What can I do to find out if I really have it?

    I need step by step as I'm not too familiar.

    I can use Terminal if I know what I have to type.

    I need to do some banking tomorrow.

    Possibly I can use my clunky PC laptop for it, but it's much easier to use my MBP if I know it is clean.

    thanks

  • MadMacs0 Level 5 Level 5 (4,415 points)

    Shirley Drabble1 wrote:

    >>Every time I try to scan with my ClamXav it crashes.

    Please come to the ClamXav User's Forum and get help with that.

    >>I have other odd things happening too; is this trojan likely to be responsible?

    No. As far as we know, all it currently does is send information about your computer, not you, to a server. It's easy enough to see if any of the five files listed by Linc Davis earlier have been installed on your computer. If they aren't, then chances are really good that it's not this Trojan.

  • MadMacs0 Level 5 Level 5 (4,415 points)

    The Apple XProtect has been updated to v26 and v1007 which ups the number of hash signatures for OSX.FlashBack.A from two to eight! That means they are able to change the signature of the file without changing the way it works. I'm not certain that Apple will be able to keep up with this race the way they did with MacDefender.

     

    To update your definitions, Open System Preferences->Security, uncheck the box next to "Automatically update safe downloads list" and then recheck the box. This is the only method recommended for manual update of the list.

  • Shirley Drabble1 Level 3 Level 3 (975 points)

    I get this page when I use that link.

     

    http://www.http.com//*******  markallan.co.uk/BB*******   /viewforum.php?f=1

     

    Added **** and spaces to break it up and hope it leads to nothing nasty.

    Is that right? It's just a page of sponsored lists.

    Or was this a test to see if I would click on just any link?

    :-(

    you got me.

    I trust people here. Maybe I shouldn't. We don't know who might be a mole!

    I am on another support email group (health related) that has a mole and has fed back an email to a named consultant where someone was asking questions about that person, and the consultant threatened to sue for libel.

    Sick people do not need that added stress.

    So I hope this was just something that went wrong, as I cannot see ClamXav listed on that page at all.

    :-(

     

    Please reassure me; I am just going to check that other email to see if I can find any of those other files.

    This is so worrying when I have other things I need to think about right at this moment.

  • andyBall_uk Level 7 Level 7 (20,495 points)

    Hi Shirley

     

    That's just a mangled link - nothing to worry about. It should be this:

    http://markallan.co.uk/BB/viewforum.php?f=1

    but somehow got posted with an extra 'http' at the start.

  • cathy fasano Level 2 Level 2 (340 points)

    MadMacs0 wrote:

    >>To update your definitions, Open System Preferences->Security, uncheck the box next to "Automatically update safe downloads list" and then recheck the box. This is the only method recommended for manual update of the list.

    What version of the OS has the "safe downloads list" functionality?
