16 Replies Latest reply: Mar 14, 2012 12:39 AM by Dchan86
Dchan86 Level 1 Level 1 (0 points)

Yesterday I was trying to find an old news article by using a search engine. I clicked a website from the returned list which had the information highlighted that I was looking for. Seconds after visiting the website, the address changed and I was brought to another website which made Safari stop responding, so I used force quit. Moments later, I began noticing other applications were not functioning properly. I went to check my disk permissions and several had been changed. I repaired them, and it states they are "repaired" but after running the verify again it reports that the same permissions which were just repaired have been altered. When using a guest account, everything works fine, but I'm worried something serious has been done to my administrator account. I want to reformat, but I am currently working in Japan and I foolishly left my Snow Leopard disc back in the U.S. If anyone has any suggestions or insight into what may be the problem, it would be greatly appreciated. Thank you.


MacBook Pro (13-inch Mid 2010), Mac OS X (10.6.8)
  • MadisonP Level 5 Level 5 (4,735 points)

    Greetings,

     

    There are a variety of permissions errors that will not be fixed by Disk Utility as they are considered "normal". If that's what you are seeing then don't be alarmed: http://support.apple.com/kb/TS1448

     

    Force quitting doesn't make the computer happy, although it can be necessary at times.

    SafeBoot your computer and then restart again to take yourself out of SafeBoot (this will repair the drive and dump some caches for you): http://support.apple.com/kb/HT1455

     

    If things are still acting strangely, please describe exactly what programs are not working and how they are not working.

     

    Hope that helps.

  • X423424X Level 6 Level 6 (14,215 points)

    What you are describing (failing browser and other instabilities) may (repeat may) be the "Flashback" trojan. In Terminal, copy and paste the following line and hit return:

     

    defaults read ~/.MacOSX/environment

     

    Post the results.  If you see a line that specifies DYLD_INSERT_LIBRARIES then you probably do have the trojan.

     

    Some recent articles on this are as follows. But this trojan is changing now almost weekly, so this info is already slightly out of date; at least it will give you some orientation:

     

    Beware the Morphing Flashback Malware

     

    Intego finds new, insidious strain of Mac Flashback Trojan horse

     

    Here's a Google search on Flashback within just these Apple discussions. Sample some of the more recent ones.

     

    Note, while there are a bunch of files installed with this trojan (as mentioned in those two articles I linked to above), it is believed (hoped) that all of it is dependent on that .MacOSX/environment file in your home directory. That is why you saw a stable system when you logged into another account. The initial fix would be to remove that file. But don't do anything yet. Post whether that defaults command shows anything other than a "does not exist" error message.

     

    Intego (makers of VirusBarrier) are the ones closely tracking this trojan. See their blog for the current info on Flashback and its various strains.

  • fane_j Level 4 Level 4 (3,660 points)

    Both MadisonP and X423424X are correct.

     

    If the repair permissions procedure has completed successfully, you may ignore those messages, which will be repeated each time and do not indicate any problem.

     

    The issues you noticed with Safari and possibly other apps are not related to permissions. You may have been infected by this latest Trojan Horse. I rather doubt it, but there is a possibility. Unfortunately, X423424X was wrong on one point -- it appears that the latest mutation no longer requires that specific file.

     

    Copy the script below in a new document in AppleScript Editor and run it. It will place the results on the clipboard; paste them in your reply. They should show if you do have this malware or not.

     

    --script begins
    property theItems : {"defaults read ~/.MacOSX/environment", "ls -al /Applications/Safari.app/Contents/Resources/*COAA*", "java -version"}

    on run
        set myClip to ""
        repeat with i in theItems
            try
                do shell script i
                set myClip to myClip & result & return & return
            on error errText
                set myClip to myClip & i & " -- " & errText & return & return
                set myClip to result
            end try
        end repeat
        set the clipboard to myClip
    end run
    --script ends

     

    (If you're not afraid of Terminal, you can run the commands listed above in the theItems property yourself.)

  • X423424X Level 6 Level 6 (14,215 points)

    I can't keep up with these strains without a "program".

  • MadMacs0 Level 5 Level 5 (4,660 points)

    fane_j wrote:

     

    Unfortunately, X423424X was wrong on one point -- it appears that the latest mutation no longer requires that specific file.

    And I did verify with Intego that no other files associated with the "G" version are installed. I suppose that doesn't preclude files such as the log from being produced later on, but they are minor players in any case.

    "defaults read ~/.MacOSX/environment", "ls -al /Applications/Safari.app/Contents/Resources/*COAA*"

    The one issue I have with that is that Intego speculates "these file names may change" which I'm sure you will recall from the "G" version.

     

    Have you confirmed the "N" infection with any user? I found one more infected with "G" tonight, but that's it.

  • X423424X Level 6 Level 6 (14,215 points)

    I'm glad someone is tracking this crap. So with the target moving apparently on a weekly basis, I wish I knew the proper generic wording for a response when this subject comes up in a thread. In other words, what do we tell these people without panicking them too much?

     

    What's been happening so far is on a thread-by-thread basis. A reply is made about Flashback and what to do about it (apparently somewhat out of date in this thread by me) and then a bunch of follow-ups are posted in the thread about what to do "today" for that user to try to fix the problem. And then we go through this all over again when another thread implies the same problem.

     

    It would be great if we could refer to some central place where the current info is documented. The Intego blog IMO is not the place for most users.

  • Carolyn Samit Level 10 Level 10 (100,370 points)

    Seconds after visiting the website, the address changed and I was brought to another website which made safari stop responding,

     

    Hi

     

    Your ISP is redirecting your browser.

     

    Use OpenDNS for better speed and more security; it's free, and no more redirects.

     

    Open System Preferences then select the Network tab. Click the Advanced tab then click the DNS tab.

     

    Click +

     

    Enter these addresses exactly as you see them here.

     

    208.67.222.222

     

    Click +

     

    208.67.220.220

     

    Then click OK and restart your Mac.

     

    More about OpenDNS here > Topic: Manually provided DNS server addresses are higher priority than DHCP's

     

    This issue is unrelated to disk permissions.

     

    When you click Repair Permissions and it's done, you should see: Permissions Repair Complete (or Permissions verification complete). That's good. These aren't "errors" you are seeing, just messages by developers, and they have nothing to do with the browser issues you are experiencing.

     

     

    other applications were not functioning properly.

     

    How much free space on the startup disk? 

     

    Right or control click the MacintoshHD icon. Click Get Info. In the Get Info window you will see Capacity and Available. Make sure there's a minimum of 15% free disk space.

     

    You can do a live verification of the startup disk but if it needs repairing, you will need your install disc.

     

    Launch Disk Utility located in /Applications/Utilities

     

    Select the startup disk on the left then select the First Aid tab.

     

    Click: Verify Disk (not Verify Disk Permissions)

     

    If Disk Utility reports problems, when you have access to your install disc, follow the instructions for Using Disk Utility to verify or repair disks.

     


  • fane_j Level 4 Level 4 (3,660 points)

    MadMacs0 wrote:

     

    The one issue I have with that is that Intego speculates "these file names may change" which I'm sure you will recall from the "G" version.

    Yes, but what's the alternative? For lack of something better, we can use a list of files for diagnosis -- even one match confirms it; but for the cure, that's a completely different matter. Unless the malware is well understood and not evolving any more, reliance on a list of files is dangerous, because even one miss may be one miss too many.

    Have you confirmed the "N" infection with any user? I found one more infected with "G" tonight, but that's it.

    No, but I haven't been tracking this thing as closely as you have.

  • MadMacs0 Level 5 Level 5 (4,660 points)

    fane_j wrote:

     

    MadMacs0 wrote:

     

    The one issue I have with that is that Intego speculates "these file names may change" which I'm sure you will recall from the "G" version.

    Yes, but what's the alternative? For lack of something better, we can use a list of files for diagnosis -- even one match confirms it; but for the cure, that's a completely different matter. Unless the malware is well understood and not evolving any more, reliance on a list of files is dangerous, because even one miss may be one miss too many.

    Certainly agree with that. I have been searching for an alternative since the article came out. Since there are no normally hidden files in that directory, I thought looking for anything hidden there would be a clue, but I can't find a command that shows me only the hidden files in /Applications/Safari.app/Contents/Resources/. I keep getting more than I ask for.

    Have you confirmed the "N" infection with any user? I found one more infected with "G" tonight, but that's it.

    No, but I haven't been tracking this thing as closely as you have.

    Actually, I don't feel that I am tracking this one at all. Could be that Intego made the whole thing up (doubtful) or that nobody has been infected as they have all turned Java off (slim chance of that). But I think the worst case is that the bad guys solved all the problems with the symptoms (alphanumeric menus, crashing Safari/Skype, etc.) and we have folks out there with no clue their IDs have been compromised. Guess we'll find out in a week or so when money starts disappearing.

     

    One last comment on your script. When I run it, it fails to give me the results of the "java -version" command. When I use the Terminal command:

     

         defaults read ~/.MacOSX/environment | ls -al /Applications/Safari.app/Contents/Resources/*COAA* | java -version

     

    that works fine. Can't figure out why, but I'm just a hack when it comes to AppleScript.

  • fane_j Level 4 Level 4 (3,660 points)

    MadMacs0 wrote:

     

    One last comment on your script. When I run it, it fails to give me the results of the "java -version" command.

    My mistake. Many thanks for pointing it out.

     

    Java's output needs to be re-directed to be caught by AppleScript.

     

    java -version

     

    will work in Terminal but not in an AS script, while

     

    java -version 2>&1

     

    will work in the script, though not in Terminal.

     

    So the correct script is:

     

    --script begins
    -- Each item is one shell command; its output (or its error text) is appended to the clipboard.
    -- "java -version" prints to stderr, so 2>&1 is needed for do shell script to capture it.
    property theItems : {"defaults read ~/.MacOSX/environment", "ls -al /Applications/Safari.app/Contents/Resources/*COAA*", "java -version 2>&1"}

    on run
        set myClip to ""
        repeat with i in theItems
            try
                do shell script i
                set myClip to myClip & result & return & return
            on error errText
                -- a failing command (e.g. "does not exist") is recorded with the command that produced it
                set myClip to myClip & i & " -- " & errText & return & return
                set myClip to result
            end try
        end repeat
        set the clipboard to myClip
    end run
    --script ends

     

    To run the commands in Terminal, do:

     

    defaults read ~/.MacOSX/environment;ls -al /Applications/Safari.app/Contents/Resources/*COAA*;java -version

     

    The reason I didn't use this in the script is to make it easier to add new commands -- just add each one as a new item in the theItems list.

    I can't find a command that shows me only the hidden files in /Applications/Safari.app/Contents/Resources/

    Either of

     

    ls -a /Applications/Safari.app/Contents/Resources/ | grep "^\."

    find /Applications/Safari.app/Contents/Resources/ -name "\.*" -depth 1

     

    should work.
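    The same three checks from fane_j's script (the DYLD_INSERT_LIBRARIES key in ~/.MacOSX/environment.plist, hidden files in Safari's Resources folder, and the Java version) as plain shell functions. This is an added example, not code from this thread or from Apple or Intego. It takes a file path and a directory path as arguments instead of reading the live system, so the same logic can be run over copies pulled from a suspect Mac; the plist, the directory contents and the /Users/Shared/.libgmalloc.dylib value in the demo are constructed for the demo, and the plist is parsed directly as XML rather than through `defaults`, which only exists on OS X.

```sh
#!/bin/sh
# Added example (not from the thread). Defender-side checks mirroring the
# three diagnostics discussed above, written to run against a file and a
# directory path so they also work on copies taken off a suspect machine.

# Inspect an environment.plist (the file behind `defaults read ~/.MacOSX/environment`).
# Returns 1 and prints the injected library path when DYLD_INSERT_LIBRARIES is set,
# 0 when the file is absent or has no such key.
check_env_plist() {
    plist="$1"
    if [ ! -f "$plist" ]; then
        echo "clean: $plist does not exist"
        return 0
    fi
    # Flatten the XML so a key/string pair split over lines still matches.
    injected=$(tr -d '\n\t' < "$plist" |
        sed -n 's#.*<key>DYLD_INSERT_LIBRARIES</key> *<string>\([^<]*\)</string>.*#\1#p')
    if [ -n "$injected" ]; then
        echo "SUSPECT: DYLD_INSERT_LIBRARIES=$injected (from $plist)"
        return 1
    fi
    echo "clean: no DYLD_INSERT_LIBRARIES in $plist"
    return 0
}

# Print only the dot-files directly inside a directory (MadMacs0's question:
# Safari.app/Contents/Resources normally contains none).
list_hidden() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.*' | sort
}

# Same, as a bare integer (tr strips the padding BSD wc adds).
count_hidden() {
    list_hidden "$1" | wc -l | tr -d ' '
}

# First line of `java -version`, captured the way the corrected script does:
# Java writes its banner to stderr, so 2>&1 is required to read it from stdout.
java_version_line() {
    if command -v java >/dev/null 2>&1; then
        java -version 2>&1 | head -n 1
    else
        echo "java not installed"
    fi
}

# Build a constructed sample: a Resources folder with one ordinary file and
# one hidden file, plus an environment.plist carrying the key seen in this thread.
# Prints the temp directory; caller removes it.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/Resources"
    touch "$d/Resources/Localizable.strings"   # ordinary resource
    touch "$d/Resources/.hidden_payload"       # constructed hidden file
    cat > "$d/environment.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/Shared/.libgmalloc.dylib</string>
</dict>
</plist>
EOF
    echo "$d"
}

# --- demo ---
demo_dir=$(make_demo)
check_env_plist "$demo_dir/environment.plist" || true   # expected: SUSPECT
check_env_plist "$demo_dir/missing.plist"               # expected: clean, does not exist
echo "hidden files in Resources: $(count_hidden "$demo_dir/Resources")"
list_hidden "$demo_dir/Resources"
java_version_line
rm -rf "$demo_dir"
```

    On a live Mac, point check_env_plist at "$HOME/.MacOSX/environment.plist" and list_hidden at /Applications/Safari.app/Contents/Resources; a non-empty listing or a non-zero return from check_env_plist is the signal to stop and post the output before deleting anything, as the thread advises.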

  • Dchan86 Level 1 Level 1 (0 points)

    Thank you everyone for the suggestions. I was away at a wedding this weekend, sorry I couldn't reply sooner. After reading all the suggestions, I was slightly overwhelmed as to what to do first. I ran the final posted script and here are the results.

     

    tell current application

              do shell script "defaults read ~/.MacOSX/environment"

                        --> "{

        \"DYLD_INSERT_LIBRARIES\" = \"/Users/Shared/.libgmalloc.dylib\";

    }"

              do shell script "ls -al /Applications/Safari.app/Contents/Resources/*COAA*"

                        --> error "ls: /Applications/Safari.app/Contents/Resources/*COAA*: No such file or directory" number 1

              do shell script "java -version 2>&1"

                        --> "java version \"1.6.0_29\"

    Java(TM) SE Runtime Environment (build 1.6.0_29-b11-402-10M3527)

    Java HotSpot(TM) 64-Bit Server VM (build 20.4-b02-402, mixed mode)"

    end tell

    tell application "AppleScript Editor"

      set the clipboard to "{

        \"DYLD_INSERT_LIBRARIES\" = \"/Users/Shared/.libgmalloc.dylib\";

    }

     

    ls -al /Applications/Safari.app/Contents/Resources/*COAA* -- ls: /Applications/Safari.app/Contents/Resources/*COAA*: No such file or directory

     

    java version \"1.6.0_29\"

    Java(TM) SE Runtime Environment (build 1.6.0_29-b11-402-10M3527)

    Java HotSpot(TM) 64-Bit Server VM (build 20.4-b02-402, mixed mode)

     

    "

    end tell

     

    Should I do anything else? After reading all the other posts I feel like I have the trojan everyone is mentioning. If so, what actions should I take to protect my information in the meantime, while I work toward removing and repairing the problem?

  • MadMacs0 Level 5 Level 5 (4,660 points)

    Dchan86 wrote:

     

    ...I ran the final posted script and here are the results.

     

    tell current application

              do shell script "defaults read ~/.MacOSX/environment"

                        --> "{

        \"DYLD_INSERT_LIBRARIES\" = \"/Users/Shared/.libgmalloc.dylib\";

    }"

    This indicates that you have been infected by the OSX/Flashback.G Trojan described here. Since the last part of the test indicates that your Java installation is up-to-date, you must have approved the fake certificate pictured in the article.

     

    ...what actions should I take to protect my information in the meantime, while I work toward removing and repairing the problem?

    Disconnect your computer from the internet, but that's similar to closing the door after the horse has escaped. Stop using network applications that require using a username/password for access (e.g. browsers & Skype).

     

    Since we do not have complete information about everything this Trojan is capable of and the location of everything it installs, the advice of most of us has been to make sure you have all your data files backed up and, using your installation disks, format your hard drive, install a clean, fully updated OS X and all applications from source, then restore only your data files from backup.

     

    Another choice, if you have a Time Machine backup, would be to determine when you were infected and restore your hard drive to the condition it was in just prior to the infection.

     

    Lastly, you can choose to take a chance and remove the files we know about, which should remove all the obvious problems you have discovered but may not completely disable all of the Trojan's functions. Do not undertake this without guidance, as there is a good chance of locking yourself out of your account if you don't remove all the files in order.

     

    No matter which choice you make you will need to change some passwords as the Trojan has almost certainly already harvested some of your username/password pairs and used Twitter to send them to the bad guys.

     

    Let us know how we can be of further help.

  • Dchan86 Level 1 Level 1 (0 points)

    Thank you again for all the help. I may have made a serious mistake though. I was trying to remove the infected files mentioned in the blogs and discussions, and now when I access my admin account... no icons appear. I can still access my guest account and use everything normally. Is there a way for me to back up my files from the guest account? Mainly I want to back up my music and photos, since I don't have an external backup of many.

     

    As for reformatting and reinstalling Snow Leopard, I'm currently in Japan without my OS DVD. I have AppleCare though, and I live near an Apple Store.

  • janetfrommountainview Level 1 Level 1 (0 points)

    Disregard.
