Thanks for the replies!
I've been aware of malicious Flash installers and therefore have been very cautious to install Flash from the official Adobe website only. I haven't downloaded any program from non-official websites. Here's my download list in the past couple of days before I discovered the malware:
VLC 2.0 from the official website
Several files from my internal university page (I assume this isn't infected though, mostly zip files containing MATLAB and Maple scripts)
I tried to open the .so file in an editor to see if there was any more information about the malware in there, but when I did, Finder issued the following warning:
(renamed the files to "<filename>OLD")
Normally, when you download something, the respective download link is included in the file's info, so naturally I checked it out, but it did not contain a link.
So, I'm afraid I can't provide a link, sorry. Any chance there's a hidden directory of downloaded files somewhere?
To clarify about the files' contents:
~/.MacOSX/environment.plist contained (in the standard plist format which I didn't include):
<dict>
<key>DYLD_INSERT_LIBRARIES</key>
<string>/Users/Shared/.AiseesoftFLVConverter.so</string>
</dict>
/Users/Shared/.AiseesoftFLVConverter.so is a ~420 KB file; I uploaded it to the following link.
Caution! Malware, download at your own risk
http://www.mediafire.com/?e3qlnmhs6y97ia2
Caution! Malware, download at your own risk
I only renamed it to "<filename>OLD" and I haven't tampered with it in any other way. (I also sent it to a friend to help me examine it and he wasn't infected, so I assume just downloading the file should be safe. I added a disclaimer so people don't blindly click on it without knowing what they're getting into.)
Skype crash report from yesterday, when the "symptoms" of the virus occurred:
http://pastebin.com/cDYnWq06
java -version returns the following:
java version "1.6.0_29"
Java(TM) SE Runtime Environment (build 1.6.0_29-b11-402-10M3527)
Java HotSpot(TM) 64-Bit Server VM (build 20.4-b02-402, mixed mode)
My Mac OS X was also up to date with the exception of the security update from the beginning of February 2012, but I installed it following the incident.
I am also aware of all kinds of man-in-the-middle attacks using counterfeit certificates, so I'm very cautious when I see pop-ups like that. I'm sure I didn't approve any certificate like shown in the Intego article.
And to clarify once more: I didn't update my Flash using anything other than the official Adobe site, and that must have been quite a bit longer ago than two days.
So according to the file opening dialogue above, the AiseesoftFLVConverter.so file was downloaded on 19/02/2012. According to the Finder's own tools, the only two other files that were created during that day were the folder ".MacOSX" and the file in it, "environment.plist". AiseesoftFLVConverter.so itself was created on 21/01/2012, and no other relevant files were created during that day.
I uninstalled Xcode a couple of months ago to have some space for other data, so I can't do this myself. But if someone who's interested in this stuff could try examining the .so file using otool and see if there's something interesting, that'd be really cool.
Although I'm almost sure I've deactivated the virus, I'll reformat my drive to be safe and put a clean install on it. Is there any further information I can provide at this time?
Is there any way for me to find out where I got the virus? To me there's no obvious answer, as I try to be as safe as possible when browsing the internet; apparently not safe enough, though. I'd be glad to help prevent an attack like this from affecting others, so if there's anything I can do, please let me know. Also, is there a team at Apple that works directly on anti-malware whom I can contact and send the files to?
Thanks for the help!
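The persistence mechanism described in the post above (a DYLD_INSERT_LIBRARIES entry in ~/.MacOSX/environment.plist pointing at a hidden file under /Users/Shared) is easy to check for with a small script. The following is an added example, not something posted by the author or shipped by Apple: it pulls the injected library paths out of a plist with grep/sed only (so it also runs on a Linux box holding a copy of the plist; on a Mac `plutil -p` would do the parsing), splits the colon-separated list that DYLD_INSERT_LIBRARIES accepts, flags any entry that is a dot-file (hidden) component, and reports whether the file is still on disk. The sample plist it writes is constructed to mirror the structure quoted in the post; the second library path in it is made up for the colon-split case. It assumes the key and its string value sit on consecutive lines, as in the quoted plist.

```shell
#!/bin/sh
# Added example: scan an environment.plist for DYLD_INSERT_LIBRARIES entries.
# Not the original poster's code; uses only grep, sed and tr so it runs anywhere.

# Print every library path listed under DYLD_INSERT_LIBRARIES, one per line.
# Assumes the <string> value is on the line after the <key> (as in the post).
# DYLD_INSERT_LIBRARIES is a colon-separated list, so split on ':' as well.
dyld_insert_paths() {
    plist="$1"
    [ -f "$plist" ] || return 0
    grep -A1 '<key>DYLD_INSERT_LIBRARIES</key>' "$plist" \
        | sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p' \
        | tr ':' '\n'
}

# Return 0 (true) when any path component starts with a dot, i.e. the library
# is deliberately hidden from Finder and plain `ls`, as in the post.
suspicious_path() {
    case "$1" in
        */.*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Human-readable report: one line per injected library, with a SUSPICIOUS tag
# for hidden files and whether the file still exists on this machine.
scan_environment_plist() {
    plist="$1"
    if [ ! -f "$plist" ]; then
        echo "no environment.plist at $plist"
        return 0
    fi
    dyld_insert_paths "$plist" | while IFS= read -r p; do
        if suspicious_path "$p"; then tag="SUSPICIOUS"; else tag="injected"; fi
        if [ -e "$p" ]; then state="present"; else state="missing"; fi
        echo "$tag: $p ($state)"
    done
    return 0
}

# Constructed sample plist with the same structure as the one quoted in the
# post; the /tmp/libharmless.dylib entry is invented to exercise colon splitting.
make_sample_plist() {
    dir="$1"
    mkdir -p "$dir/.MacOSX"
    cat > "$dir/.MacOSX/environment.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>DYLD_INSERT_LIBRARIES</key>
<string>/Users/Shared/.AiseesoftFLVConverter.so:/tmp/libharmless.dylib</string>
</dict>
</plist>
EOF
    echo "$dir/.MacOSX/environment.plist"
}

# Usage: run with no arguments to scan your own ~/.MacOSX/environment.plist,
# or pass the path of a plist copied from another machine.
if [ $# -gt 0 ]; then
    scan_environment_plist "$1"
else
    scan_environment_plist "$HOME/.MacOSX/environment.plist"
fi
```

Run it as `sh scan_env_plist.sh` on the suspect account, or `sh scan_env_plist.sh /path/to/environment.plist` against a copy. A clean machine normally has no ~/.MacOSX/environment.plist at all, so any DYLD_INSERT_LIBRARIES entry there deserves a look, and a hidden dot-file in a world-writable location such as /Users/Shared is the pattern to treat as hostile until proven otherwise.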