You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

"Rosetta" applications suddenly stopped working

I've got a problem with my computer at work. It's running Snow Leopard 10.6.8. I've got a number of older apps, including Quark 6, Epson scanner software, Disc Catalog, etc, that have all been working fine for the last number of years. As of yesterday afternoon, I was still scanning with the Epson software and everything was running fine. When I came in to work this morning and fired up the computer, NONE of my pre-Snow Leopard apps work.


At first, when a few of my apps didn't work, I suspected a font issue, because at the end of the previous day, I was working on a "problem job" that had conflicts with my basic system fonts. But, as the hours passed, I began to realize none of my older apps worked. At that point, I started to suspect a problem with Rosetta.


Hours and hours of searching, both here and across the internet came up with nothing. A few sites gave step by step instructions to drop into terminal to reset bindings, delete preferences, etc. Nothing worked.


Most of the older apps I NEED for our company. Many of those don't have upgrades available, and some are just too expensive to justify.


After almost an entire day of getting nowhere, I decided to set up another "user" called Troubleshooting. Lo-and-behold, all of the apps worked fine. So, that ruled out a problem with the Rosetta interface, and the suspeced Security update in the recent past that was said to cause problems with the whole Rosetta interface.


So, my question is, since only my original Administrator User is not functioning properly, is there possilby a preference .plist file that could be causing the problem? Could there still be a font issue? Is there anything I can do in Terminal to reset to a default?


I wasted an entire day banging my head on the desk trying to wrap my brain around it. Repairing permissions, disc check, etc. did nothing to help the issue.

I COULD get around the problem by logging into my "Troubleshooting" user to use the apps...but that's beside the point. I COULD do that, but I really want to figure out what's going on with my main User workspace.


So, before I need to come into work on Monday and spend another whole day not knowing what to do, can anyone offer any ideas?


Thanks in advance.


Brad

PowerMac, Mac OS X (10.6.8)

Posted on Mar 23, 2012 6:37 PM

Reply
128 replies

Mar 29, 2012 2:56 PM in response to MadMacs0

MadMacs0 wrote:


One of the other users found out by double-clicking one of the files and having a quarantine warning pop-up (which is the first confirmation that quarantine even works with this variant), but that's not the safest method.


The file that you are referring to was called .FlashEXEShell.tmp and located in ~/Library/Application Suport/ this file is 404KB in size, and I suspect contains the code for doing the majority of the trojans dirty work.


This file was referenced from within the .libgmalloc.dylib which in turn was referenced from the environment.plist.


I didn't risk opening .FlashEXEShell.tmp by double clicking it, but I <ctrl> clicked it and used the "Open With" command to open it with TextEdit - this resulted in the warning pop up that shows what downloaded it and when it was downloaded :


User uploaded file

Its a pity it doesn't list where it was downloaded from - does anyone know where this information comes from?

Mar 29, 2012 5:03 PM in response to Brian Stroud

A few comments.


(1)

Brian Stroud wrote:


does anyone know where this information comes from?

I suspect it comes from the com.apple.quarantine extended attribute. It may be read with


$ xattr -p com.apple.quarantine path_to_file


Interpreting the result, though… that's another matter.


(2)


Regarding spreading through e-mail—that's unlikely. The Trojan Horse relies on two methods. First, it's ye olde social engineering trick, pretending to be a Flash installer, or Software Update, or something like that. As such, this is not possible in Mail. An app containing this code could be mailed as an attachment, but the user would have to jump through one or two hoops to execute it—it can't be no more than a pop-up asking for authentication (as it can in a web browser).


Second, it's using the Java vulnerability, which doesn't require user interaction. Mail doesn't do Java, so that's out.


(3)


Regarding getting rid of it. In a previous conversation with MadMacs0, a couple of weeks or so ago, I expressed my unease at the reliance on file names and paths to control this thing. I warned that there were other ways than environment.plist to load shared libraries, and, sure enough, its author(s) were using other ways.


So, yes, you can disable it with environment.plist, and get rid of the shared libraries, and go through all Info.plists and get rid of any shared library referenced by LSEnvironment keys. But how do you know that was all? How do you know there's no shared code library left behind in some convenient nook or cranny; and, that next week, or the week after that, they won't figure a way of getting back in (there are a dozen or so still unpatched vulnerabilities in Java), and, this time, instead of getting the payload from a remote server, it'll just look for something left behind by the previous infection? These guys are a little too clever for comfort; call me paranoid if you like, but I think that the only safe way of getting rid of it is a clean slate.

Mar 29, 2012 7:05 PM in response to Brian Stroud

Brian Stroud wrote:


MadMacs0 wrote:


One of the other users found out by double-clicking one of the files and having a quarantine warning pop-up (which is the first confirmation that quarantine even works with this variant), but that's not the safest method.


The file that you are referring to was called .FlashEXEShell.tmp and located in ~/Library/Application Suport/ this file is 404KB in size, and I suspect contains the code for doing the majority of the trojans dirty work.


This file was referenced from within the .libgmalloc.dylib which in turn was referenced from the environment.plist.


I didn't risk opening .FlashEXEShell.tmp by double clicking it, but I <ctrl> clicked it and used the "Open With" command to open it with TextEdit - this resulted in the warning pop up that shows what downloaded it and when it was downloaded...

Thanks for refreshing my memory. I would normally have gone back to check, but this thread has grown so large and my time has been short today, so I failed to do that.


For anybody reading this, it's important to note that the file names are randomly assigned so don't waste your time looking for those specific names. If it's a hidden file, it's certainly suspicious. True, some of these directories do have legitamate hidden files in them, but most do not. The extensions should be the same for the same Trojan variant, but the rest of the file name will most probably be different for every user. So far we've seen hidden files with extensions of ".so", ".xls", ".png" and ".tmp" IIRC.

Its a pity it doesn't list where it was downloaded from - does anyone know where this information comes from?

I think we know where they come from. The server's IP address has been well documented by the A-V vendors blogs for quite some time. It distributes the Trojan components, records vital statistics about every infected machine, receives Tweets from all infected machines periodically, provides command and control of each infected machine and probably is capable of updating the Trojan to provide bug fixes and additional capability.


Let us know if your xattr check reveals any additional info.

Mar 30, 2012 10:00 AM in response to MadMacs0

Quick question....(I've kind of lost track in my own thread) 😉


Not knowing where these beasties install all of their files on the system, is it generally "assumed" that most of the files are installed within the user's home folder? At the start of the thread, we were talking about how a new user didn't have any of the symptoms the infected user had.


It was also said the Safari is definitely infected. So, if a person were to uninstall Safari, download a new version and deactivate, if not entirely delete the original user account, would a system tend to be safe to use?

Brad

Mar 30, 2012 11:10 AM in response to NuLynx

Remember that the DYLD_INSERT_LIBRARIES defined by environment.plist defined /Users/Shared/.libgmalloc.dylib so that's already a file outside your home directory, i.e., in /Users/Shared. And if code is injected into Safari, that's Safari counts as two. And it was said no one is 100% sure where or if other code may be inserted into your system. So until or if (remember it's a moving target with each new strain of the trojan) it can be determined what files are inserted and where the best that can be recommended is the "shotgun" approach and replace everything.

Mar 30, 2012 11:40 AM in response to NuLynx

In addition to what X4 says, not a solution, but, for now, if you keep that computer off line, which seems its usual posture, nothing will be able to get out and back to the bad guys. But doesn't mean they don't already have some stuff from when it was connected. Only you can know if there was or is anything senstive or worth worrying about.

Mar 30, 2012 12:18 PM in response to X423424X

X423424X wrote:


if code is injected into Safari, that's Safari counts as two. And it was said no one is 100% sure where or if other code may be inserted into your system. So until or if (remember it's a moving target with each new strain of the trojan) it can be determined what files are inserted and where the best that can be recommended is the "shotgun" approach and replace everything.

According to F-Secure, a Flashback.I Type 1 infection puts 2 files into /Applications/Safari.app/Contents/Resources/ and adds a line to /Applications/Safari.app/Contents/Info.plist.


a Type 2 infection adds a total of three files to ~/Library/Application Support/, /Users/Shared/ and ~/.MacOSX/. It only injects code into applications after they are launched into RAM.


Of course there is no guarantee that this is the "I" variant and in previous versions there have been additional files produced during operation, such as logs that are probably harmless, just taking up space.


In any case, your point is well taken.

Mar 30, 2012 10:18 PM in response to NuLynx

Brad,


A quick question if you haven't done anything to that infected Mac yet. Can you double check on what version of Java that machine is running, either by entering "java -version" without quotes in Terminal or opening Java Preferences (found in /Applications/Utilities/)? It will say J2SE 6.0 and version 1.6.0_xx.... If xx is 29 then it's up-to-date and I don't understand how it could have been infected.

Apr 2, 2012 8:11 AM in response to MadMacs0

From F-Secure news, April 2, 2012


----------------

A new Flashback variant (Mac malware) has been spotted exploiting CVE-2012-0507 (a Java vulnerability). We've been anticipating something like this for a while now.

..

Oracle released an update that patched this vulnerability back in February… for Windows.


But — Apple hasn't released the update for OS X (yet).


It appears that the Flashback gang is keeping up with the latest in exploit kit development. Last week, Brian Krebs reported that the CVE-2012-0507 exploit has been incorporated into the latest version of the Blackhole exploit kit. And that's not all. Though it is unconfirmed, there are rumors of yet another available exploit for an "as-yet unpatched critical flaw in Java" on sale.


So if you haven't already disabled your Java client, please do so before this thing really become an outbreak. Check out our previous post for instructions on how to disable Java on your Mac.

--------------------

Apr 2, 2012 3:29 PM in response to jsd2

Thanks, jsd2. That clears up a few things.

Oracle released an update that patched this vulnerability back in February… for Windows.


But — Apple hasn't released the update for OS X (yet).

Hm. Business as usual for Apple. I guess all the bright ones have moved to iOS. (Btw, my Fujitsu Lifebook, despite of its being still under XP, has been safe from this for weeks.)

"Rosetta" applications suddenly stopped working

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.