
Possible new version of Flashback trojan

Dear all,


today I experienced some problems just like the people in these two threads:


https://discussions.apple.com/thread/3355170?tstart=0

https://discussions.apple.com/thread/3350734?answerId=16280207022#16280207022


Among others, my Finder sidebar suddenly said SD5, SD6, SD7 instead of "Devices", "Shared" etc., and Skype crashed when trying to start it.

Examining Skype's crash report revealed the following line:


0x154c000 - 0x1574ff3 +.AiseesoftFLVConverter.so ??? (???) <23EEF509-128B-B224-D44D-313574EE83D3> /Users/Shared/.AiseesoftFLVConverter.so


which happened to bear a resemblance to the file <user>/.MacOSX/environment.plist, the content of which was:


<dict>
<key>DYLD_INSERT_LIBRARIES</key>
<string>/Users/Shared/.AiseesoftFLVConverter.so</string>
</dict>


While I've renamed the two files, and my system has returned to normal behaviour, I'm not entirely sure I've deleted every part of the trojan. As for the files that are mentioned in the links above, I've moved and renamed the environment.plist file, but I wasn't able to find any of the other files mentioned:


  1. .MacOSX/environment.plist
  2. Library/LaunchAgents/com.apple.SystemUI.plist
  3. Library/Preferences/perflib
  4. Library/Preferences/Preferences.dylib
  5. Library/Logs/swlog

I'll be happy to provide any further information/trojan files if someone thinks there's something they can do with it.

One problem remains, as can be seen in the following screen shot. My <user>/Library/Preferences/ directory seems to have been altered or tampered with in some way. Is there any chance there is still an active and malicious part of the trojan on my computer?



All help is appreciated! Thanks in advance

MacBook Pro, Mac OS X (10.6.8)

Posted on Feb 20, 2012 4:47 PM

23 replies

Feb 20, 2012 11:21 PM in response to X423424X

X423424X wrote:


can you post the download link from where you got it?

Don't post it here, that will just bring the heat to delete it.


Go to http://mailinator.com/, establish a mailbox of your choice (e.g. malware@mailinator.com), post the url there then come back here and tell us what the mailbox is called. That will keep curious folks from accidentally infecting themselves.


The information provided is much appreciated. This is the first reference I've seen to these files. You said there were two files. I assume one was /Users/Shared/.AiseesoftFLVConverter.so. Did you post the contents of that file above, or was that just what you read was in /.MacOSX/environment.plist? If it's different from that, please post.


What was the path to, name of and contents of the second file?

is there any chance there is still an active and malicious part of the trojan on my computer?

I would guess most certainly, but can't give you many clues. If you didn't have to use your admin password for this installation, then it must be in your home folder somewhere and probably the Library, but they have used several different places in the past and used file names that don't give you much of a clue as to what they contain. About the only thing they might have in common is the date/time. You could use something like Find Any File or EasyFind to search for all files with the same date/time as the two you found.


Also, is your OS completely up-to-date? Specifically, what Java are you using? The Terminal app command "java -version" without the quotes and followed by a return should tell you or open the Java Preferences app in your Utilities folder. If it's not J2SE 1.6.0_29 it has not been updated. Use Software Update to do that or download it from http://support.apple.com/kb/DL1360.


If your Java is up to date, did you see anything like the Certificate window shown in the Intego article?


Did you see anything on a web site recently asking you to update Flash Player? We don't really know if this is still being sold as that or something else.
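The two technical points in the thread so far, the DYLD_INSERT_LIBRARIES entry in ~/.MacOSX/environment.plist that makes dyld load the hidden .so into every process of the login session, and MadMacs0's suggestion to pivot on the date of the known files to find the rest of the dropped components, can be turned into a small triage script. This is an added example, not code from the thread or from Apple; the "hidden name or /Users/Shared" heuristic is an assumption of mine, and the sample home directory it builds is constructed to mirror the paths named in the thread.

```python
import os
import plistlib
import tempfile
from datetime import datetime

def injected_libraries(plist_path):
    """Libraries that DYLD_INSERT_LIBRARIES in a ~/.MacOSX/environment.plist would
    force dyld to load into every process of the login session ([] if unset/absent)."""
    if not os.path.isfile(plist_path):
        return []
    with open(plist_path, "rb") as fh:
        env = plistlib.load(fh)
    return [p for p in env.get("DYLD_INSERT_LIBRARIES", "").split(":") if p]

def suspicious_libraries(libs):
    """Heuristic (my assumption) matching the thread's indicators: a dot-prefixed
    hidden file name, or a library parked in the world-writable /Users/Shared."""
    return [lib for lib in libs
            if os.path.basename(lib).startswith(".") or lib.startswith("/Users/Shared/")]

def files_modified_same_day(root, reference):
    """Files under root whose mtime falls on the same calendar day as reference:
    the date pivot suggested above for locating other dropped components."""
    ref_day = datetime.fromtimestamp(os.stat(reference).st_mtime).date()
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if datetime.fromtimestamp(os.stat(full).st_mtime).date() == ref_day:
                hits.append(full)
    return sorted(hits)

def build_fixture():
    """Constructed sample home directory mirroring the thread's layout (not real
    artifacts); returns (home, path of the environment.plist)."""
    home = tempfile.mkdtemp()
    os.makedirs(os.path.join(home, ".MacOSX"))
    os.makedirs(os.path.join(home, "Library", "Preferences"))
    plist = os.path.join(home, ".MacOSX", "environment.plist")
    with open(plist, "wb") as fh:
        plistlib.dump({"DYLD_INSERT_LIBRARIES": "/Users/Shared/.AiseesoftFLVConverter.so"}, fh)
    open(os.path.join(home, "Library", "Preferences", "perflib"), "w").close()  # dropped same day
    old = os.path.join(home, "Library", "Preferences", "unrelated.plist")
    open(old, "w").close()
    os.utime(old, (0, 0))  # pre-existing file, dated 1970, so it falls outside the pivot day
    return home, plist

if __name__ == "__main__":  # triage the real per-user location on a Mac
    print(suspicious_libraries(injected_libraries(os.path.expanduser("~/.MacOSX/environment.plist"))))
```

On a real machine, point files_modified_same_day at the home directory and the renamed .so or environment.plist to get the candidate list MadMacs0 describes; the 1970-dated fixture file shows how pre-existing files fall outside the pivot day.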

Feb 21, 2012 3:41 AM in response to MadMacs0

Thanks for the replies!

I've been aware of malicious Flash installers and therefore have been very cautious to install Flash from the official Adobe website only. I haven't downloaded any program from non-official websites. Here's my download list in the past couple of days before I discovered the malware:


VLC 2.0 from the official website

Several files from my internal university page (I assume this isn't infected though, mostly zip files containing MATLAB and Maple scripts)


I tried to open the .so file in an editor to see if there was any more information about the malware in there, but when I did, Finder issued the following warning:

[Screenshot of the Finder warning] (renamed the files to "<filename>OLD")


Normally, when you download something, the respective download link is included in the file's info, so naturally I checked it out, but it did not contain a link.

So, I'm afraid I can't provide a link, sorry. Any chance there's a hidden directory of downloaded files somewhere?


To clarify about the files' contents:


~/.MacOSX/environment.plist contained (in the standard plist format which I didn't include):


<dict>
<key>DYLD_INSERT_LIBRARIES</key>
<string>/Users/Shared/.AiseesoftFLVConverter.so</string>
</dict>


/Users/Shared/.AiseesoftFLVConverter.so is a ~420 KB file; I uploaded it to the following link.


Caution! Malware, download at your own risk

http://www.mediafire.com/?e3qlnmhs6y97ia2

Caution! Malware, download at your own risk


I only renamed it to "<filename>OLD" and I haven't tampered with it in any other way. (I also sent it to a friend to help me examine it and he wasn't infected, so I assume just downloading the file should be safe. I added a disclaimer so people don't blindly click on it without knowing what they're getting into. )


Skype crash report from yesterday when the "symptoms" of the virus occurred:

http://pastebin.com/cDYnWq06



java -version returns the following:

java version "1.6.0_29"

Java(TM) SE Runtime Environment (build 1.6.0_29-b11-402-10M3527)

Java HotSpot(TM) 64-Bit Server VM (build 20.4-b02-402, mixed mode)


My Mac OS X was also up to date with the exception of the security update from the beginning of February 2012, but I installed it following the incident.

I am also aware of all kinds of man-in-the-middle attacks using counterfeit certificates, so I'm very cautious when I see pop-ups like that. I'm sure I didn't approve any certificate like shown in the Intego article.

And to clarify once more, I didn't update my Flash using anything other than the official Adobe site, and that must have been quite a bit longer ago than two days.


So according to the file opening dialogue above, the AiseesoftFLVConverter.so file was downloaded on 19/02/2012. According to the Finder's own tools, the only two other files that were created during that day were the folder ".MacOSX" and the file in it, "environment.plist". AiseesoftFLVConverter.so itself was created on 21/01/2012, and no other relevant files were created during that day.


I uninstalled Xcode a couple of months ago to have some space for other data, so I can't do this myself. But if someone who's interested in this stuff could try examining the .so file using otool and see if there's something interesting, that'd be really cool.

Although I'm almost sure I've deactivated the virus, to be safe I'll reformat my drive and put a clean install on it. Is there any further information I can provide at this time?

Is there any way for me to find out where I got the virus? To me there's no obvious answer, as I try to be as safe as possible when browsing the internet, apparently not safe enough though. I'd be glad to help prevent an attack like this from affecting others, so if there's anything I can do, please let me know. Also, is there a team at Apple who work directly on anti-malware whom I can contact and send the files to?

Thanks for the help!

Feb 21, 2012 9:03 AM in response to joblard

Thanks everyone. I installed Little Snitch instantly after discovering it was a trojan.


joblard, you seem to have some insight into this matter, could you provide links to the articles/threads on virustotal.com? I could find neither the applet samples nor an explanation of what the trojan actually does. Also, is there a way to find out where it actually came from, like the website or the actual download link?

Feb 21, 2012 9:37 AM in response to shellmayr

The trojan consists of a code injection targeting launched applications like Safari. It intercepts HTTP requests, on google.com for instance, and sends them back encrypted to the malware group. The trojan has an autoupdate mechanism.


You should look at your Java cache folder to get the original Java applet binary. It must still be there.

~/Library/Caches/Java/cache/6.0


Open all of the folders you'll see, but be careful with the files inside.


May I suggest you scan your Mac with a good AV scanner?


With all the laws in our wonderful world I can't give links to malware.

Feb 21, 2012 11:28 AM in response to joblard

joblard wrote:


With all the laws in our wonderful world I can't give links to malware.

Giving a link to the VirusTotal analysis page isn't the same as linking to malware. We have been posting such links in the Forum for quite some time now. Can you at least give us that so we can judge what AV scanner might work for this one?


I'm not aware of any ability for the average user to download malware from VT in any case.
