noellle

Q: Finder shows strange letter and number strings, programs "quit unexpectedly"

A couple of things have been happening. My finder, on right click, shows strange strings of letters and numbers in place of the words that used to be there. For instance, "Open in" now says "N152." (see link: http://www.insanelymac.com/forum/lofiversion/index.php/t85009.html)

 

Also, some programs are saying they "quit unexpectedly" when I try to launch them. Excel and My profile reminder for my eye1display2 are the two I have seen do this so far.

 

Do you have any ideas about what happened and how to fix it?

 

I have a Macbook Pro, Mac OS X 10.6.8.

 

Thank you so much!

Kristen

MacBook Pro, Mac OS X (10.6.8)

Posted on Sep 27, 2011 10:05 PM

  • by noondaywitch,

    noondaywitch noondaywitch Feb 23, 2012 3:05 AM in response to rufus23
    Level 6 (8,147 points)
    Feb 23, 2012 3:05 AM in response to rufus23

    As for the photos, mp3s and other documents, it's perfectly OK, in fact essential, to back them up to an external before re-installing.

  • by Paul Graveson,

    Paul Graveson Paul Graveson Feb 28, 2012 2:13 AM in response to noellle
    Level 1 (10 points)
    Feb 28, 2012 2:13 AM in response to noellle

    +1 for this suddenly happening. Finder has numbers in the menus and contextual menus. Programs crashing on startup - Skype, anything Power PC (originally I thought it was the recent Apple security update that crashed Rosetta, but Software Update says everything up to date, and anyway Skype is Intel).

     

    I did click on a Flash installer way back in the middle of 2011 before this became a known stupid thing to do (although I recognise it was stupid anyway). But that didn't come to anything as far as I can tell. I've had a look through some of the other threads referred to, and the only one of the 'five files' I can find is .MacOSX/Environment.plist

     

    Anyway, I can be dead sure I haven't clicked on another one of those Flash installers since, so no idea what the infection pathway was (sorry).

     

    I've got a day off in a couple of days, so I guess I'll be spending that time doing the reformat and reinstall (sigh). Any other advice?

     

    BTW, I've been trying to look at that site on the Intego Blog, and I get a "Server Not Responding" message. I can get to the Intego site, but their links to news about the Trojan also get the same response. Almost as if it knows I'm on to it, so it's blocking my access to those pages... (cue spooky music). Can you post the gist of it here?

     

    Any other advice as to what I should do from here? Anything I can do to help with tracking the critter down?

     

    Not sure how up to date my sig is, so - MBP 17" 2009, 10.6.8.

  • by Paul Graveson,

    Paul Graveson Paul Graveson Feb 28, 2012 3:48 AM in response to Paul Graveson
    Level 1 (10 points)
    Feb 28, 2012 3:48 AM in response to Paul Graveson

    Intego site is up again. (turns off spooky music).

  • by MadMacs0,

    MadMacs0 MadMacs0 Feb 28, 2012 3:48 AM in response to Paul Graveson
    Level 5 (4,801 points)
    Feb 28, 2012 3:48 AM in response to Paul Graveson

    Paul Graveson wrote:

     

    I've got a day off in a couple of days, so I guess I'll be spending that time doing the reformat and reinstall (sigh). Any other advice?

    Change your passwords if you use the same one for multiple sites, especially financial ones.

    BTW, I've been trying to look at that site on the Intego Blog...Can you post the gist of it here?

    There have been three different postings. Most informative:

    We recently reported about a new variant of the Flashback Trojan horse which is using novel techniques to infect Macs. Since then, we have discovered a number of samples of this latest variant, Flashback.G, and have seen evidence that many Mac users have been infected by this malware.

    How this malware infects Macs

    This new variant of the Flashback Trojan horse uses three methods to infect Macs. The malware first tries to install itself using one of two Java vulnerabilities. If this is successful, users will be infected with no intervention. If these vulnerabilities are not available – if the Macs have Java up to date – then it attempts a third method of installation, trying to fool users through a social engineering trick. The applet displays a self-signed certificate, claiming to be issued by Apple. Most users won’t understand what this means, and click on Continue to allow the installation to continue.

    [Screenshot from the Intego post: the bogus self-signed Java certificate dialog claiming to be issued by Apple]

    It is worth noting that Flashback.G will not install if VirusBarrier X6 is present, or if a number of other security programs are installed on the Mac in question. It does this to avoid detection. It seems that the malware writers feel it is best to avoid Macs where the malware might be detected, and focus on the many that aren’t protected.

    Flashback.G injects code into web browsers and other applications that access a network, and in many cases causes them to crash. It installs itself in an invisible file in the /Users/Shared folder, and this file can bear many names, but with a .so extension. Here are some examples of users posting logs on forums about certain applications crashing. In each case, a file in /Users/Shared is present:

    /Users/Shared/.PCImageEditor.so

    /Users/Shared/.AllXilisoftVideo.so

    /Users/Shared/.memalloc.so

    /Users/Shared/.DocumentConverterdocPrint.so

    /Users/Shared/.InternetHistoryKiller.so

    There is also a file created at:

    /Users/Shared/.svcdmp

    and a plist file, used to patch applications, at:

    ~/.MACOSX/environment.plist

    And logs are stored at:

    ~/Library/Logs/vmLog

    What this malware does

    This malware patches web browsers and network applications essentially to search for user names and passwords. It looks for a number of domains – websites such as Google, Yahoo!, CNN; bank websites; PayPal; and many others. Presumably, the people behind this malware are looking for both user names and passwords that they can immediately exploit – such as for a bank website – as well as others that may be reused on different sites. (Hint: don’t use the same password for all websites!)

    One of the clues that a Mac is infected is that certain applications will crash. This is notably the case for web browsers, such as Safari, or other network programs, such as Skype. This is because the injected code interferes with the program making it unstable.

    This malware also has an automatic update module that checks a number of websites for new versions.

    Means of protection

    Most of the cases of infection we are seeing are on Macs running OS X 10.6 Snow Leopard. As we reported in our previous post, OS X Lion does not come with Java pre-installed, but Snow Leopard does. It is therefore essential that anyone running OS X 10.6 update Java immediately. To do this, run Software Update, from the Apple menu; if you do not have the latest version of Java, an update will be available.

    Nevertheless, many Macs are getting infected by the social engineering trick of the bogus certificate purporting to be signed by Apple, as shown in our screenshot above. If you see this, don’t trust it, and cancel the process.

    Intego VirusBarrier X6 detects Flashback.G and all other variants of this Trojan horse. In this case, the mere presence of VirusBarrier X6 causes the malware’s installer to abort, so even if users do not have VirusBarrier X6′s real-time scanner active, the Trojan will look elsewhere.

    This malware is particularly insidious, as users don’t download anything or double-click any file to launch an installer. Be careful if you see the screenshot above, and check to see if you need to update Java.

    If you are infected by this malware, look for a Java applet in ~/Library/Caches and send it to sample@virusbarrier.com before deleting it. We’d like to see as many samples as possible.

    Update: It is important to note that this version of the Flashback Trojan horse does not present an installer, as previous versions did. If a user visits a web page, and their Java is not up to date, the installation will occur without their intervention. If their Java is up to date, they will only see the certificate alert that we show above: they will never be asked for a password, and won’t have to launch any other software to allow the installation to take place.

    While we’re still calling this the Flashback Trojan horse, because the actual malware code is similar to the first version of Flashback, its actions are different. In this case, the initial code that is installed on a Mac then downloads more code from a remote server, and deletes the original. What we see here is an exploit, which installs a downloader, which then downloads a backdoor, which in turn injects code into applications.

     

    other advice as to what I should do from here? Anything I can do to help with tracking the critter down?

    The biggest mystery is still where this thing is coming from. Almost surely it's a web page which seems to no longer offer you an update to FlashPlayer, but must be something else. Don't even know if you must click on something to activate it or whether just viewing it is enough to launch the Java applet that starts the process. There should be a cache file in ~/Library/Caches/Java/cache/6.0/ which contains the applet, but it must be like hunting a needle in a hay stack. Perhaps you can find it based on the date/time of the other files involved. If you do Intego, VirusTotal and clamav sites would like it uploaded. Your browser history file might also tell you where you were at the time. Most of the other infected users said it happened around Feb 18.

     

    The other thing I've asked Intego about is what applications need to be replaced. They have said browser and network applications, but the only ones I'm sure of are Safari and Skype. There may be a way to clean them, but we don't have enough info about it to know where to look. Apparently those applications are the ones giving up your passwords to the mother ship.

     

    You can find the exact name of the invisible .so file in /Users/Shared/ by using "defaults read ~/.MacOSX/environment" in the Terminal app, without the quotes and hitting return. It should say something about "DYLD_INSERT_LIBRARIES".
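    An offline equivalent of the `defaults read ~/.MacOSX/environment` check above, as an added example that is not from this thread or from Intego: it reads an environment.plist directly (so it also works against a mounted Time Machine backup), pulls out DYLD_INSERT_LIBRARIES, and flags entries that point at a dot-file .so in the Shared folder, alongside a listing of hidden .so files there. The sample plist, temp "Shared" folder and the file name .AllSoundRecorder.so are constructed for the demo; the script only reports and never deletes anything.

```python
import os
import plistlib
import tempfile
from typing import Dict, List


def inserted_libraries(plist_path: str) -> List[str]:
    """Return the DYLD_INSERT_LIBRARIES entries from an environment.plist.

    Equivalent to the thread's `defaults read ~/.MacOSX/environment`, but reads
    the file directly so it also works on a mounted backup. Returns [] when the
    file is missing or lacks the key; an unreadable plist is reported as a marker.
    """
    if not os.path.isfile(plist_path):
        return []
    try:
        with open(plist_path, "rb") as fh:
            env = plistlib.load(fh)
    except Exception:  # a malformed plist is itself worth a look
        return ["<unparseable plist>"]
    return [p for p in str(env.get("DYLD_INSERT_LIBRARIES", "")).split(":") if p]


def hidden_shared_objects(shared_dir: str) -> List[str]:
    """List dot-files ending in .so in the Shared folder (the thread's key indicator)."""
    if not os.path.isdir(shared_dir):
        return []
    return sorted(os.path.join(shared_dir, n) for n in os.listdir(shared_dir)
                  if n.startswith(".") and n.endswith(".so"))


def assess(plist_path: str, shared_dir: str) -> Dict[str, object]:
    """Detection only: report findings, never delete (deleting the .so directly
    is warned against later in this thread)."""
    libs = inserted_libraries(plist_path)
    shared_real = os.path.realpath(shared_dir)
    # An inserted library that resolves into the Shared folder and is a dot-file
    # matches the pattern described in the thread; any other entry is merely unusual.
    suspicious = [p for p in libs
                  if os.path.realpath(p).startswith(shared_real + os.sep)
                  and os.path.basename(p).startswith(".")]
    hidden = hidden_shared_objects(shared_dir)
    return {"inserted_libraries": libs, "suspicious_entries": suspicious,
            "hidden_shared_objects": hidden,
            "infected_pattern": bool(suspicious or hidden)}


def demo() -> Dict[str, object]:
    """Run assess() on a constructed sample: a temp 'home' whose environment.plist
    points at a hidden .so inside a temp 'Shared' folder (constructed, not real)."""
    with tempfile.TemporaryDirectory() as root:
        shared = os.path.join(root, "Shared")
        os.makedirs(shared)
        so_path = os.path.join(shared, ".AllSoundRecorder.so")  # name from the thread
        open(so_path, "wb").close()  # empty stand-in for the injected library
        plist_path = os.path.join(root, "environment.plist")
        with open(plist_path, "wb") as fh:
            plistlib.dump({"DYLD_INSERT_LIBRARIES": so_path}, fh)
        return assess(plist_path, shared)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

To run it against a real system or backup, call `assess(os.path.expanduser("~/.MacOSX/environment.plist"), "/Users/Shared")` or substitute the corresponding paths under the mounted backup.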

  • by noondaywitch,

    noondaywitch noondaywitch Feb 28, 2012 3:51 AM in response to Paul Graveson
    Level 6 (8,147 points)
    Feb 28, 2012 3:51 AM in response to Paul Graveson

    "Almost as if it knows I'm on to it, so it's blocking my access to those pages... (cue spooky music)."

     

    That may well be the case.

    It sounds like FlashBack G, which no-one as yet has a full understanding of.

    Not sure I can get all this in one post, but here goes -

     

    Flashback Mac Trojan Horse Infections Increasing with New Variant

    We recently reported about a new variant of the Flashback Trojan horse which is using novel techniques to infect Macs. Since then, we have discovered a number of samples of this latest variant, Flashback.G, and have seen evidence that many Mac users have been infected by this malware.

    How this malware infects Macs

    This new variant of the Flashback Trojan horse uses three methods to infect Macs. The malware first tries to install itself using one of two Java vulnerabilities. If this is successful, users will be infected with no intervention. If these vulnerabilities are not available – if the Macs have Java up to date – then it attempts a third method of installation, trying to fool users through a social engineering trick. The applet displays a self-signed certificate, claiming to be issued by Apple. Most users won’t understand what this means, and click on Continue to allow the installation to continue.



    It is worth noting that Flashback.G will not install if VirusBarrier X6 is present, or if a number of other security programs are installed on the Mac in question. It does this to avoid detection. It seems that the malware writers feel it is best to avoid Macs where the malware might be detected, and focus on the many that aren’t protected.

    Flashback.G injects code into web browsers and other applications that access a network, and in many cases causes them to crash. It installs itself in an invisible file in the /Users/Shared folder, and this file can bear many names, but with a .so extension. Here are some examples of users posting logs on forums about certain applications crashing. In each case, a file in /Users/Shared is present:

     

    http://community.skype.com/t5/Mac/cant-open-skype-on-my-macbook/td-p/506175
    /Users/Shared/.PCImageEditor.so

     

    https://discussions.apple.com/thread/3755322?start=0&tstart=0
    /Users/Shared/.AllXilisoftVideo.so

     

    https://discussions.apple.com/thread/3748919?start=0&tstart=0
    /Users/Shared/.memalloc.so

     

    http://community.skype.com/t5/Mac/Skype-quits-unexpectedly-on-start-up-yep-another-one/td-p/508077
    /Users/Shared/.DocumentConverterdocPrint.so

     

    http://community.skype.com/t5/Mac/Skype-crashing-as-soon-as-I-try-to-open-it/m-p/492045

    https://discussions.apple.com/thread/3727882?start=0&tstart=0
    /Users/Shared/.InternetHistoryKiller.so

     

    There is also a file created at:

    /Users/Shared/.svcdmp

     

    and a plist file, used to patch applications, at:

    ~/.MACOSX/environment.plist

     

    And logs are stored at:

    ~/Library/Logs/vmLog

     

    What this malware does

    This malware patches web browsers and network applications essentially to search for user names and passwords. It looks for a number of domains – websites such as Google, Yahoo!, CNN; bank websites; PayPal; and many others. Presumably, the people behind this malware are looking for both user names and passwords that they can immediately exploit – such as for a bank website – as well as others that may be reused on different sites. (Hint: don’t use the same password for all websites!)

    One of the clues that a Mac is infected is that certain applications will crash. This is notably the case for web browsers, such as Safari, or other network programs, such as Skype. This is because the injected code interferes with the program making it unstable.

    This malware also has an automatic update module that checks a number of websites for new versions.

    Means of protection

    Most of the cases of infection we are seeing are on Macs running OS X 10.6 Snow Leopard. As we reported in our previous post, OS X Lion does not come with Java pre-installed, but Snow Leopard does. It is therefore essential that anyone running OS X 10.6 update Java immediately. To do this, run Software Update, from the Apple menu; if you do not have the latest version of Java, an update will be available.

    Nevertheless, many Macs are getting infected by the social engineering trick of the bogus certificate purporting to be signed by Apple, as shown in our screenshot above. If you see this, don’t trust it, and cancel the process.

    Intego VirusBarrier X6 detects Flashback.G and all other variants of this Trojan horse. In this case, the mere presence of VirusBarrier X6 causes the malware’s installer to abort, so even if users do not have VirusBarrier X6′s real-time scanner active, the Trojan will look elsewhere.

    This malware is particularly insidious, as users don’t download anything or double-click any file to launch an installer. Be careful if you see the screenshot above, and check to see if you need to update Java.

    If you are infected by this malware, look for a Java applet in ~/Library/Caches and send it to sample@virusbarrier.com before deleting it. We’d like to see as many samples as possible.

    Update: It is important to note that this version of the Flashback Trojan horse does not present an installer, as previous versions did. If a user visits a web page, and their Java is not up to date, the installation will occur without their intervention. If their Java is up to date, they will only see the certificate alert that we show above: they will never be asked for a password, and won’t have to launch any other software to allow the installation to take place.

    While we’re still calling this the Flashback Trojan horse, because the actual malware code is similar to the first version of Flashback, its actions are different. In this case, the initial code that is installed on a Mac then downloads more code from a remote server, and deletes the original. What we see here is an exploit, which installs a downloader, which then downloads a backdoor, which in turn injects code into applications.

     

    {From blog Virus Barrier X}

  • by Paul Graveson,

    Paul Graveson Paul Graveson Feb 28, 2012 4:18 AM in response to MadMacs0
    Level 1 (10 points)
    Feb 28, 2012 4:18 AM in response to MadMacs0

    "There should be a cache file in ~/Library/Caches/Java/cache/6.0/ which contains the applet, but it must be like hunting a needle in a hay stack."

     

    Actually, not much there. Sixty-odd numbered folders, but only three files in them, all with creation/modification/LastOpened dates of 3rd April 2011, and a single file "lastAccessed" with same date.

     

    The file in Shared appears to be ".AllSoundRecorder.so"

     

    My browser history file only goes back a week, I'm afraid.

  • by Philip Barrier,

    Philip Barrier Philip Barrier Feb 29, 2012 10:08 AM in response to Paul Graveson
    Level 1 (0 points)
    Feb 29, 2012 10:08 AM in response to Paul Graveson

    @Paul Graveson

     

    Open your Console Application and search for the string java

     

    other strings:

    AppletX

    msf

     

    You have been infected with a hidden Java exploit used by the OSX/FlashBack malware.

     

    If you want some help, contact the VirusBarrier researchers at Intego, who discovered the threat.

    sample@virusbarrier.com

  • by Paul Graveson,

    Paul Graveson Paul Graveson Mar 4, 2012 3:54 AM in response to Paul Graveson
    Level 1 (10 points)
    Mar 4, 2012 3:54 AM in response to Paul Graveson

    For anyone who's facing the same situation - whatever you do, don't just delete the .so file in the Shared folder. I tried it, as did someone else I was talking to about this issue in another forum - in both cases, the computer became completely unresponsive and non-bootable within a few minutes. Seems the Trojan has some way of making itself essential, so if you kill it it brings you down with it.

     

    Luckily, I had already cloned the (corrupted) drive, so could then restore. Still needed to fix the problem though. The way that worked for me was to go to a Time Machine backup that predated the Trojan. The crucial date seems to have been 18th Feb or soon afterwards. Sure enough, that .so file is present in my TM for all backups from 19th Feb onwards, not before. (Use Onyx to make invisible files visible in Finder, and they show up in your TM backups too - which is nice).

     

    So I restored the 17th Feb system complete. Then straightaway I did full software updates, and then went back to my most recent TM backups (the ones with corrupt Finder) and selectively restored my fully up to date Documents folder, Desktop, Mail and Mail Downloads (in Library), etc. Just don't restore your Shared folder, or your whole User/Library folder (since that might contain suspect or damaged files from the Trojan).

     

    So far that's worked perfectly for me. All programs work, everything back to normal. I've left invisible files as visible for now, and keep checking back on the Shared folder for any sign of a new .so file, and keep checking the menus in Finder for any sign of the options turning to numbers. All good so far. Also installed Little Snitch to watch for anything trying to 'contact the mother ship', and turned off Java in Safari.

     

    Cross fingers!

     

    Message was edited by: Paul Graveson. Clarified sequence of restore.

  • by Danish26,

    Danish26 Danish26 Mar 4, 2012 3:38 PM in response to noellle
    Level 1 (0 points)
    Mar 4, 2012 3:38 PM in response to noellle

    Hi all, I've recently discovered this bit of nastiness on my MacBook. I tried deleting the files mentioned earlier, perhaps a bit hastily, and I missed two. I hadn't read far enough into this thread to know after I logged out I wouldn't be able to log back in, and now when I do try, I just get a blank screen. Do I have any chance of fixing this?? I have a time capsule and another user account that I can access.

    Any help would be much appreciated

  • by Paul Graveson,

    Paul Graveson Paul Graveson Mar 4, 2012 3:50 PM in response to Danish26
    Level 1 (10 points)
    Mar 4, 2012 3:50 PM in response to Danish26

    Do what I did - installer disc, Utilities menu > Disk Utility to wipe the drive, then Utilities menu > Install from a Time Machine archive (something like that - it's the bottom option anyway). Choose a backup from before the contamination (17th Feb should be okay). Bingo - working and uncorrupted file. Then do full software updates, and then use TM from a more recent archive to restore individual folders and documents of things you have changed since 17th Feb - just be careful with this step to not restore things that are contaminated. Things outside of User/library and Shared seem to be okay.

  • by Danish26,

    Danish26 Danish26 Mar 4, 2012 4:12 PM in response to noellle
    Level 1 (0 points)
    Mar 4, 2012 4:12 PM in response to noellle

    Thanks very much, I'll let you know how it goes

  • by MadMacs0,

    MadMacs0 MadMacs0 Mar 4, 2012 5:25 PM in response to Danish26
    Level 5 (4,801 points)
    Mar 4, 2012 5:25 PM in response to Danish26

    Do I have any chance of fixing this?? I have a time capsule and another user account that I can access.

    Another user with an early version of Flashback was able to use his other admin account to remove it. It's a bit tricker, but I can probably walk you through it if you are still able.

     

    The other thing that might work is if you reboot into "Safe Mode" (hold the Shift key immediately after your Mac starts up) and also hold the shift key down when you log into that account. Can't guarantee that it doesn't load the environment.plist, but it could make things easier.

  • by Danish26,

    Danish26 Danish26 Mar 4, 2012 6:33 PM in response to MadMacs0
    Level 1 (0 points)
    Mar 4, 2012 6:33 PM in response to MadMacs0

    Would that be holding the shift key to log into the infected account?

  • by MadMacs0,

    MadMacs0 MadMacs0 Mar 4, 2012 6:38 PM in response to Danish26
    Level 5 (4,801 points)
    Mar 4, 2012 6:38 PM in response to Danish26

    Danish26 wrote:

     

    Would that be holding the shift key to log into the infected account?

    Yes, that seems to stop a few more things from happening, such as any open windows will be closed and any login items won't launch. I'm just not certain it will keep the troublesome environment file from loading.

  • by Danish26,

    Danish26 Danish26 Mar 4, 2012 6:45 PM in response to MadMacs0
    Level 1 (0 points)
    Mar 4, 2012 6:45 PM in response to MadMacs0

    Then theoretically I could delete the troublesome files?
