
Please Help! Finder is displaying strange codes such as N80 and N201

I think I may have this Java Trojan virus that many have been talking about; its most common symptom is that it makes my Finder display folder names as N80, N81, etc., in place of titles such as 'Open Finder' and 'Empty Trash'.


Here are some screen caps of the problem.




I have tried a few things, such as Repair Disk Permissions, restarting, and logging off, but with no success.


Any suggestions or ideas would be greatly appreciated, as I am concerned this might be the Java Trojan virus, and I wish to restore my Mac to what it was before.


I have Mac OS X 10.6.6.


Thanks! Lucy

MacBook, Mac OS X (10.6.6)

Posted on Mar 2, 2012 12:23 AM

40 replies

Mar 3, 2012 1:42 AM in response to X423424X

An infected user said he was looking at a soup recipe there when he was infected. I took a look at the page, but it's clean now (he was infected on the 22nd). So I took a look at Safe Browsing, and it said that the vegweb site had been serving up malware, including 477 Trojans, so I think the chances are good he got it there. The site must be easy to hack, so they pick some popular pages and put their Java Downloader applet there, bring their server up for a few hours to serve the rest of the Trojan, then see what happens. They are probably subscribed to read this, as we speak.

Mar 3, 2012 1:48 AM in response to MadMacs0

Ok, I'll bite. How could going to a web page create, say, the environments.plist, or any of the other files for that matter? Could you click on a recipe and some Java(Script) code download and save the files in the requisite places? I've been assuming that the trojan was inserted when a fake installer was downloaded and run, like the fake Adobe plugin installer.

Mar 3, 2012 9:07 AM in response to X423424X

X423424X wrote:


FWIW, I am an advocate of using LS. It is one of my "must haves" for my systems. But having said that, if this trojan, when embedded in a browser, calls home via the browser, say using port 80, then of course LS won't detect it unless you block the port. And you can't really do that since then you couldn't use the browser.


Far from the best, since it wouldn't prevent the connection, but you could see if the browser/port 80 or anything else was connecting somewhere strange by looking at the LS Network Monitor.

Mar 3, 2012 10:04 AM in response to WZZZ

Little Snitch does not have to allow all traffic on port 80 - or any other port.

Go to the LS Rules and remove any references to allowing all traffic on port 80.


Most of your sites will then prompt a LS dialogue; choose the most restrictive settings - e.g. "exywisey.com and port 80".


If that trojan throws up a dialogue you can deny it and make a note of the address it was trying to access.

Mar 3, 2012 11:25 AM in response to WZZZ

WZZZ wrote:


Of course, completely hypothetical.

I'd call it more speculative than hypothetical. F-Secure pointed out that in previous versions of Flashback, code was injected into Safari, and Iomega has said

Flashback.G injects code into web browsers and other applications that access a network...


and later

This malware patches web browsers and network applications essentially to search for user names and passwords. It looks for a number of domains – websites such as Google, Yahoo!, CNN; bank websites; PayPal; and many others. Presumably, the people behind this malware are looking for both user names and passwords that they can immediately exploit – such as for a bank website – as well as others that may be reused on different sites.

So it's not a big leap to guess that the same code then uses port 80 and Twitter to send the results to the mother ship.


I don't think I've mentioned it in this thread yet, but another infected user with backward engineering talents has said that the code is no longer injected into the application on the hard drive, but rather waits until it is launched into RAM, making it more difficult to detect and analyze.

Mar 3, 2012 11:32 AM in response to X423424X

X423424X wrote:


Ok, I'll bite. How could going to a web page create, say, the environments.plist, or any of the other files for that matter? Could you click on a recipe and some Java(Script) code download and save the files in the requisite places?

Iomega has told me that it is not necessary to click on any javascript or other link. The simple act of opening the page in your browser will apparently run the "Downloader" applet if you have Java enabled in the browser. That, in turn, accesses the server where the rest of the code is downloaded, installed in appropriate places, etc. and then the original applet self-destructs.
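The posts above ask how a drive-by could plant a file such as environments.plist and describe code being injected into Safari at launch rather than patched on disk. The script below is an added example, not something posted in this thread: it scans an XML plist for a DYLD_INSERT_LIBRARIES entry, which is the launch-time injection mechanism I am assuming here (the public Flashback clean-up instructions of the time checked ~/.MacOSX/environment.plist and the LSEnvironment key in Safari's Info.plist for exactly that key). The two sample plists, their paths and the library names inside them are constructed for the demonstration and are not real Flashback indicators.

```shell
#!/bin/sh
# Added example (not from the thread): look for a DYLD_INSERT_LIBRARIES entry in an
# XML plist, as the Flashback clean-up checks did for ~/.MacOSX/environment.plist
# and for the LSEnvironment dictionary in Safari's Info.plist.
# The sample plists below are constructed; the .dylib names in them are made up.

# Print each library path that DYLD_INSERT_LIBRARIES would inject, one per line.
# Exit status 0 = an entry was found (worth investigating), 1 = none found.
find_dyld_insert() {
    plist="$1"
    [ -r "$plist" ] || return 1
    # Flatten the XML so the <key>/<string> pair sits on one line, then pull out the
    # string value and split the colon-separated list of libraries.
    tr -d '\n\r\t' < "$plist" \
      | sed 's/> */>/g; s/ *</</g' \
      | grep -o '<key>DYLD_INSERT_LIBRARIES</key><string>[^<]*</string>' \
      | sed 's#.*<string>\(.*\)</string>#\1#' \
      | tr ':' '\n' \
      | grep .
}

# Report a verdict for each plist given as an argument.
# Exit status 0 = every file clean, 1 = at least one file carries an injection entry.
# A developer can set DYLD_INSERT_LIBRARIES on purpose, so treat a hit as a lead,
# not proof, and look at what the named library actually is.
check_plists() {
    hit=0
    for f in "$@"; do
        if libs=$(find_dyld_insert "$f"); then
            echo "SUSPICIOUS: $f injects:"
            echo "$libs" | sed 's/^/    /'
            hit=1
        else
            echo "ok: $f has no DYLD_INSERT_LIBRARIES entry"
        fi
    done
    return $hit
}

# Write two constructed samples into DIR: a clean environment.plist and one with a
# DYLD_INSERT_LIBRARIES entry naming two made-up libraries.
write_samples() {
    dir="$1"
    cat > "$dir/clean.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>JAVA_HOME</key>
    <string>/Library/Java/Home</string>
</dict>
</plist>
EOF
    cat > "$dir/infected.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/Shared/.sample_inject.dylib:/tmp/.second.dylib</string>
</dict>
</plist>
EOF
}

# Stand-alone run against the constructed samples. On a real Mac you would pass
# "$HOME/.MacOSX/environment.plist" and /Applications/Safari.app/Contents/Info.plist
# to check_plists instead.
d=$(mktemp -d)
write_samples "$d"
check_plists "$d/clean.plist" "$d/infected.plist" \
  || echo "at least one file carries an injection entry (exit status $?)"
rm -rf "$d"
```

The check only answers the narrow question of whether something is being pushed into every dynamically linked process at launch; a library that was patched into the application bundle itself, as the earlier variants did, needs the bundle's code signature verified instead.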
