.rserv wants to connect to cuojshtbohnt.com

lytic wrote:

Submit your Mac UUID to this Express-check form.

Doctor Web will check if there was a connection from your computer to the botnet control server.

First I wanted to pass on my thanks for providing this service to the Mac Community. It should prove to be very useful. But I do want to also make some observations concerning feedback I'm getting on this site. Sorry to do so in such a public manner, but I don't know any other way of communicating with you.

I've had a couple of users get back to me saying that you did not find them in your database therefore they were clean and going about business as usual. If I understand the methodology you used correctly then your database may contain as little as 5% of the 600,000 you estimated were infected at the time. If that is correct I think you need to add emphasis on the site that users who are not identified in your database need to take further steps to check, such as downloading Dr.Mac Light.

Next, some of are paranoid about entering identity information on any site for any reason. Nowhere on the web site is there a link to your priavcy policy explaining to us what you will do with this information. Not a complete solution, but much better than nothing.

Also, it doesn't comfort us to find that the url given is not https: (i.e. using SSL) so our UUID is being broadcast to over the internet in the clear. I'm not aware of any way that such information can be exploited (other than what's currently going on with Flashback), nvertheless it's still identity information and sooner or later somebody will figure it out.

And when I attempt to force SSL I get this:

So if you can persuade the powers that be to update the site you'll turn a good service into a great one, IMHO.

What about those users who are identified in the database but don't have any malware?

chadonline wrote:

When I started this thread, I didn't know it would get this much attention. Could you please summarize where we are and what would users like me need to do?

Wow, what does that say about this forum? A week and fourteen pages and we still haven't answered the OP's question?

I'm afraid you may have opened the floodgates here as there were about as many suggestions thrown out as there are participants now, except that many have been refined based on what we all learned.

Not sure why you picked me. I don't recall what suggestions I may have made. I did summarize almost all the solutions I could find in some forum today, so I could repeat all that for you. I could also rumage through all 200+ entries and write up a summary for you or just rumage through all fourteen pages to see what you have done already, but it's Easter and my taxes are due and I think my time is worth more than yours right now, so how about at least telling us what it is you need. All I remember you asking was what was ".rserv"?

etresoft wrote:

What about those users who are identified in the database but don't have any malware?

You evidently know something I don't. I think that would be a question for Dr. Web, wouldn't it?

MadMacs0 wrote:

etresoft wrote:

What about those users who are identified in the database but don't have any malware?

You evidently know something I don't. I think that would be a question for Dr. Web, wouldn't it?

https://discussions.apple.com/thread/3859741

I initially got excited thinking someone would be able to test my checker/removal script against the real thing. I have tested it against a similar trojan I wrote myself, but a real test is always best.

I have little interest in Dr. Web. I am interested in that 5% value. I'm very suspicious of this whole mess.

etresoft wrote:

I have created a user tip and malware checker/removal tool: https://discussions.apple.com/docs/DOC-3271

A very useful script, but it will flag false positives, related to MobileMe, FaceTime, Google Chrome Update, and others. The default button will be "Keep", but that may be a little too subtle for some users. You may wish to add a note to that effect. Or perhaps, instead of offering an option to delete those executables, saving a list to a file or to clipboard.

chadonline wrote:

When I started this thread, I didn't know it would get this much attention. Could you please summarize where we are and what would users like me need to do?

thank you!

If you're looking for something that briefly -- I don't know of any one article that covers this in great depth -- sums up what is known overall about this attack, and bear in mind it may be changing as we speak:

http://community.f-secure.com/t5/Protection/Flashback-Mac-OS-X-Remover/m-p/10887 #M2223

For possibly more complete information on detection, see also my post (courtesy of X423424X) in this thread

https://discussions.apple.com/thread/3859741?start=0&tstart=0

If you need more, there are hundreds of topics all over the place about this.

fane_j wrote:

etresoft wrote:

I have created a user tip and malware checker/removal tool: https://discussions.apple.com/docs/DOC-3271

A very useful script, but it will flag false positives, related to MobileMe, FaceTime, Google Chrome Update, and others. The default button will be "Keep", but that may be a little too subtle for some users.

Absolutely. If the first character of the executable is ".", which means it is trying to hide, then the default button switches to "Delete".

You may wish to add a note to that effect. Or perhaps, instead of offering an option to delete those executables, saving a list to a file or to clipboard.

Unfortunately, due to the nature of the problem and my desire to keep everything transparent (downloading mystery programs to fix other myster programs) I had to write the program in Applescript. Some professional software engineers have difficulty with Applescript. I can barely get it to do anything. I can't even get it to tell me if a file exists. I find Applescript far more dificult than C++ or Perl.

Anyone with more experise in Applescript is more than welcome to improve it. It's not that I don't want to improve it, I just don't have the ability or time.

etresoft wrote:

I can't even get it to tell me if a file exists.

This should evaluate to true if <~/.MacOSX/environment.plist> exists.

--script begins

path tohome folderfromuser domainastext

exists (result & ".MacOSX:environment.plist") as alias

--script ends

etresoft wrote:

I have little interest in Dr. Web. I am interested in that 5% value. I'm very suspicious of this whole mess.

I've re-thought that 5% figure, even though I have not heard back from lytic, I think I misunderstood what was being said. If each infected Mac only contacts one of the 50-60 servers then capturing only three gives me a worst case of 5%. But in reading the articles from Dr. Web and Kaspersky, they seem to be saying that each Mac picks a rotational or perhaps random server each time it sends something out, in which case the three servers would only see 5% of the contacts, but ultimately close to 100% of the bots (assuming some get disabled before they get to one of the three). So maybe their database does contain almost 100% of all the infected machines that were out there since they started collecting, apparently on April 3.

MadMacs0 wrote:

maybe their database does contain almost 100% of all the infected machines that were out there since they started collecting, apparently on April 3.

Perhaps even more than 100% 🙂

Here is what a reputable anti-virus company says about the situation: http://www.symantec.com/security_response/writeup.jsp?docid=2011-093016-1216-99

etresoft wrote:

Here is what a reputable anti-virus company says about the situation: http://www.symantec.com/security_response/writeup.jsp?docid=2011-093016-1216-99

Not sure why you find Symantec any more reputable, but I'll accept it as a data point. Be interesting to know if they have changed any of the numbers since September.

The problem with all this is that most of the experts and almost all of the resources necessary to address this subject work for either an A-V vendor or the Government and the latter isn't talking until they make an arrest. I follow SANS pretty closely as they seem to have some degree of expertise and independence, but since they sell training there is still an opportunity for them to market through exaggeration.

Use program free program Easyfind Version 4.8.2 (4.8.2) will find and delete.

dhnyprod wrote:

Use program free program Easyfind Version 4.8.2 (4.8.2) will find and delete.

Sorry, but I don't know what entry of mine you are responding to. That's where the quote thing comes in handy.

Certainly Easyfind and Find Any File are capable of doing that if you know what you are looking for, but the problem is there are too many possibilities these days.