
Malware reappearing in apple.safari.com cache.db

I recently got caught in a "onbeforeunload" trap that ended up with multiple windows loading. I tried to force quit Safari, but when it was all over I had a fake Google page producing fake "blackhat" results.


I was quite surprised because I am new to Mac, having just purchased a MacBook Pro. Everyone told me how secure they were and that there was no wild malware that could infect it. With some research I was able to find a cookie 66.223.50.126 in the Safari cache.


Using SQLite I discovered the cookie in cache.db is http://66.223.50.126/ph_md5.txt


The contents are:


39da1df7fb9fd5c9347b85eec4c730cb ./unstable/aph/ph_sign.slf
da813c755e0fa52e86b8844894179c71 ./unstable/aph/ph_white.txt
38092109754b7942c6a688b46ef77f13 ./unstable/aph/ph_trackers.slf
98b3894929fc051c963030db66babc4f ./unstable/aph/ph_trackers_assoc.txt


Later I was able to find the cookie in cache.db is http://66.223.50.126/ph_self.slf and there is the code for the Google page forgery.


Not sure what the next steps are or how badly this machine is compromised. It seemed like everything is set up to attack a Windows machine, but whatever I do the 66.223.50.126 cookie comes back.


Please let me know what steps I can take to fix the problem or, if necessary, completely rebuild and prevent this from happening again.


Let me know if you want the code or any other files to see what I am talking about.


Thanks

MacBook Pro, Mac OS X (10.7.2)

Posted on Jan 25, 2012 3:07 PM

34 replies

Jan 25, 2012 3:56 PM in response to MAC ATTACKED

As Linc says, the machine isn't compromised. You saw a web site that would have either tried to get personal information from you or convince you to install something (perhaps to "cure" the "virus" that it had "detected"). It may have put some cookies on your computer, but cookies are not and cannot be malware.


For more information, see my Mac Malware Guide:


http://www.reedcorner.net/guides/macvirus


(Note that my pages contain links to other pages that promote my services, and this should not be taken as an endorsement of my services by Apple.)

Jan 25, 2012 4:48 PM in response to Linc Davis

I have tried the most obvious next steps, but the cookie and its contents keep coming back, even without surfing any sites. With Safari open, eventually the cookie reappears. It must be hiding somewhere on my system or worse. I am not familiar enough with OS X to understand where it might be.


This looks a lot like MAL/PHISH, and I have the source code if anyone might be able to help.

Jan 25, 2012 5:07 PM in response to Paul Cuciti

The problem started when I tried to close an advertisement for 888Poker. A dialogue box appeared asking me if I wanted to leave the page or cancel. I tried to avoid signaling a user event by Force Quitting Safari. When I reopened Safari it was slow loading. The Google search box would not work. I went to google.ca and the page had a different banner than usual. Also, the results didn't automatically change as you added new keywords.


Since then everything seems to work OK except this persistent cookie with all of the content that goes with it.




Here is some of what I found inside the cookie:


/********************************************************************************************
********************************** Legit rules ********************************************
********************************************************************************************/

rule RULE_LONG_SIZE
{
condition: exec(H_LONG_SIZE);
actions: mark("LEGIT", 0);
metadata: priority = 10;
}

rule RULE_COSOI
{
condition: match("\.|%2e", HTML::Url, REGEX_INSENSITIVE);
actions: none;
metadata: none;
}

metarule RULE_COSOIUS
{
condition: RULE_COSOI == false;
actions: mark("LEGIT", 0);
metadata: priority = 1000;
}

rule RULE_URL_WITH_HTTPS
{
condition: match("^https://", HTML::Url, REGEX_INSENSITIVE);
actions: mark("LEGIT", 0);
metadata: priority = 5000;
}

rule RULE_LEGIT_HTTPS_ALN
{
condition: exec(H_PROTOCOL_IS_HTTPS);
actions: mark("LEGIT", 0);
metadata: priority = 5000;
}

rule RULE_VIEW_SOURCE_LEGIT_ALN
{
condition: match("^view-source:", HTML::Url, REGEX_INSENSITIVE);
actions: mark("LEGIT", 0);
metadata: priority = 5000;
}

rule RULE_URL_IS_HTTP
{
condition: exec(H_PROTOCOL_IS_HTTP);
actions: none;
metadata: none;
}

/* URLs temporarily marked legit, until the release in which we can see the names of the Fuzzy and Summary signatures that fired */
rule WHITE_LIST_TEMPORAR_ALN
{
condition: match("^zarahome\.com/|^scarlet\.be/|^res://ieframe\.dll/|^mybookface\.net/|^about:blank|^icsdelivery\.com/|^fuckbookhacked\.com|^posta\.amis\.net/|^spartoo\.co\.uk/|^whatsup\.ca/|^127\.0\.0\.1(:[0-9]{0,4})?/|^localhost/phpmyadmin|^javascript:|^vodacommessaging\.co\.za|^hyves\.nl|^sunrise\.ch", HTML::Url, REGEX);
actions: mark("LEGIT", 0);
metadata: priority = 9000;
}

/* LEGIT rule added for important sites, to guard against the case where the WhiteList fails (is not initialized) */
rule WHITE_LIST_IMPORTANT_SITES_ALN
{
condition: match("^((login\.)?facebook\.com|twitter\.com|(offer\.|my\.)?ebay\.de|((edit|login)\.)?yahoo\.com|caf\.fr|chase\.com|bankofamerica\.com|(ib\.)?absa\.co\.za|schwab\.com|google\.com)/", HTML::Url, REGEX_INSENSITIVE);
actions: mark("LEGIT", 0);
metadata: priority = 9000;
}

rule RULE_BITDEFENDER_IP_LEGIT_ALN
{
condition: match("^91.199.104.43/", HTML::Url, REGEX);
actions: mark("LEGIT", 0);
metadata: priority = 5000;
}

/********************************************************************************************
********************************** Forgery rules ******************************************
********************************************************************************************/

rule RULE_FORGERY_INPUT
{
condition: match("<input.{1,250}type=[\"' ]?password[\"' ]", HTML::Body, REGEX_INSENSITIVE, RAW);
actions: mark("FORGERY", 1000);
metadata: priority = 500;
}

/*rule RULE_FORGERY_PASS_ALL
{
condition: match("a", HTML::Body, REGEX_INSENSITIVE, RAW);
actions: mark("FORGERY", 1000);
metadata: priority = 500;
}
*/

rule RULE_FORGERY_BANK1
{
condition: match("BRD|BCR|Raiffeisen|Digipass|Money Manager|Bank of America|Digital Banking|PayPal|eBay|NationalCity|Intesa|HSBC|Bancorp Inc|Bancpost|Volksbank|Millennium|Online[ -]Banking|PIN:|Credit Europe Bank|Internal Revenue Service|Kennwort|Amazon|revenue|as_team|seb bank", HTML::Body, REGEX_INSENSITIVE, DECODED);
actions: mark("FORGERY", 1000);
metadata: priority = 500;
}

rule RULE_FORGERY_BANK2

There are hundreds of lines like this...
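As an added illustration (not from the post, and not the vendor's own engine): a small Python evaluator for the rule format quoted above, useful for reading such a file and seeing which verdict a given URL and page body would receive. It assumes that the highest priority wins (the quoted file shows priorities but not the resolution logic), models only match()/mark()/priority, skips exec() conditions and metarules, and uses a constructed three-rule excerpt as input.

```python
import re
# Constructed excerpt in the rule format quoted in the post above (not the poster's full file).
SAMPLE_RULES = r'''
rule RULE_URL_WITH_HTTPS
{
condition: match("^https://", HTML::Url, REGEX_INSENSITIVE);
actions: mark("LEGIT", 0);
metadata: priority = 5000;
}
rule RULE_FORGERY_INPUT
{
condition: match("<input.{1,250}type=[\"' ]?password[\"' ]", HTML::Body, REGEX_INSENSITIVE, RAW);
actions: mark("FORGERY", 1000);
metadata: priority = 500;
}
rule RULE_FORGERY_BANK1
{
condition: match("Bank of America|PayPal|Online[ -]Banking", HTML::Body, REGEX_INSENSITIVE, DECODED);
actions: mark("FORGERY", 1000);
metadata: priority = 500;
}
'''
# Grammar handled: match("<regex>", HTML::<Url|Body>, <flags>); mark("<label>", n) | none;
# priority = n | none. exec() conditions and metarules are not modelled and are skipped.
RULE_RE = re.compile(
    r'rule\s+(\w+)\s*\{\s*condition:\s*match\("((?:[^"\\]|\\.)*)",\s*HTML::(\w+)\s*,\s*([\w ,]+)\);'
    r'\s*actions:\s*(mark\("(\w+)",\s*(\d+)\)|none);\s*metadata:\s*(?:priority\s*=\s*(\d+)|none);\s*\}',
    re.S)

def parse_rules(text):
    rules = []
    for m in RULE_RE.finditer(text):
        name, pattern, target, flags, _act, label, _weight, prio = m.groups()
        flag = re.I if "REGEX_INSENSITIVE" in flags else 0   # RAW/DECODED are not distinguished here
        rules.append({"name": name, "target": target.lower(), "label": label,
                      "regex": re.compile(pattern, flag), "priority": int(prio or 0)})
    return rules

RULES = parse_rules(SAMPLE_RULES)

def classify(url, body, rules=None):
    # Return (label, rule_name) for the matching rule with the highest priority, or ("UNKNOWN", None).
    # Assumption: highest priority wins, so a LEGIT rule at 5000 overrides a FORGERY rule at 500;
    # the real engine's resolution logic is not shown in the post.
    page = {"url": url, "body": body}
    hits = [r for r in (rules or RULES) if r["label"] and r["regex"].search(page[r["target"]])]
    if not hits:
        return ("UNKNOWN", None)
    best = max(hits, key=lambda r: r["priority"])   # ties: first rule in file order
    return (best["label"], best["name"])
```

Under this reading the HTTPS rule at priority 5000 outranks both forgery rules at 500, so a password form on any https page is marked LEGIT; that ordering is the first thing a reviewer of such a ruleset would want to check.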

Jan 26, 2012 7:19 PM in response to Linc Davis

Isn't that wonderful that Safari would allow a malicious cookie just waiting to spam all of my contacts if I were ever to set up a mail client on my MacBook Pro. It is so persistent it even survived a fresh install of Lion. I'm not sure what you Apple folks call a virus, but in the PC world this qualifies.


Anyone want to buy a MacBook Pro? 6 weeks old with 3 years Crapple Care plan. I'm done.

Jan 27, 2012 3:52 AM in response to MAC ATTACKED

Isn't that wonderful that Safari would allow a malicious cookie just waiting to spam all of my contacts if I were ever to set up a mail client on my MacBook Pro.


I'm not sure where you get the idea that a cookie is capable of actually doing anything. They are not. An evercookie seems awfully malicious, but in the end, it's simply a cookie, and that means it's just data stored on your machine, not code that can be executed. An evercookie cannot do anything, and the sites that set the evercookie cannot do anything outside the little sandbox they're allowed to work inside on your computer.


This is absolutely NOT malware, no matter what OS you happen to be using.


It is so persistent it even survived a fresh install of Lion.


Not possible. Not by the proper definition of "fresh install." You must have imported data from the old system that included the cookie, or revisited the site that set that cookie.


Anyone want to buy a MacBook Pro? 6 weeks old with 3 years Crapple Care plan. I'm done.


Seriously? That is just about the dumbest thing I've heard anyone say in a long time. You're going to sell your Mac because you got a cookie?! Yeah, because the Mac is the only system in the world that allows cookies, and there's no way to prevent your Mac from accepting cookies! Enjoy getting back to a nice malware-free existence with Windows.

Jan 27, 2012 4:07 AM in response to thomas_r.

Technically correct, but practically it's a little more worrying than



Thomas A Reed wrote:


it's simply a cookie, and that means it's just data stored on your machine, not code that can be executed.


First of all, the evercookie contains some kind of active script that monitors the existence of multiple copies and can recreate them. That's how it works.


Secondly, cookies can be malign in the sense that although they may be "only" storing data, they can be exploited and used to compromise your security. In particular, they are necessary for the use of web bugs, which may or may not present a security risk, depending on what you're doing and what sites you're visiting.


Also have a look at wikipedia's general page about cookies and security here:


http://en.wikipedia.org/wiki/HTTP_cookie


While I accept the technical definition that evercookies may not be viruses or malware, I would not for that reason accept them as harmless.

Jan 27, 2012 5:07 AM in response to softwater

First of all, the evercookie contains some kind of active script that monitors the existence of multiple copies and can recreate them. That's how it works.


No, that is not possible unless something has changed enormously and for the worse recently. Cookies are just data, not code. A web site cannot install code that runs independently on your computer.


As I understand the evercookie, the data is stored in a variety of places. Then, when you revisit the site that set that cookie, a script recreates any of that data that has been deleted, using copies in other locations. If you were never to revisit the site, you'd never see any of that happen.


Secondly, cookies can be malign in the sense that although they may be "only" storing data, they can be exploited and used to compromise your security


Cookies present more of a privacy concern than a security concern. I personally am not interested in worrying that some site might track what pages I have visited and when. I'm not even worried about an ad banner on multiple sites logging that I have visited those sites, though I recognize that as something that some people won't like. A cookie can't identify me personally without my assistance, and can't do anything to access the data from other sites' cookies or from elsewhere on my machine. IMO, cookies are unreasonably vilified by people who do not fully understand how they work.

Jan 27, 2012 5:26 AM in response to thomas_r.

Thomas A Reed wrote:



As I understand the evercookie, the data is stored in a variety of places. Then, when you revisit the site that set that cookie, a script recreates any of that data that has been deleted, using copies in other locations. If you were never to revisit the site, you'd never see any of that happen.



You're overlooking the fact that some cookies work across multiple sites and domains owned, operated or managed by the same people/group/organisation, and you may not even know that they belong to each other.



Thomas A Reed wrote:


Cookies present more of a privacy concern than a security concern. I personally am not interested in worrying that some site might track what pages I have visited and when.


Then it is you who does not understand the dangers of cookies. Tracking your behaviour across multiple sites can reveal a lot about you, just as can trawling through someone's refuse. You might not think you're giving anything away, but patterns of behaviour over time eventually lead to everything being known about you and are the main technique of identity theft.


Your blasé attitude might be fine for you, but it's not something I'd recommend as a general policy.


From: Webopedia

Cookies normally do not compromise security, but there is a growing trend of malicious cookies. These types of cookies can be used to store and track your activity online. Cookies that watch your online activity are called malicious or tracking cookies. These are the bad cookies to watch for, because they track you and your surfing habits, over time, to build a profile of your interests.
