.rserv wants to connect to cuojshtbohnt.com
I have the message:
.rserv wants to connect to cuojshtbohnt.com
what is .rserv? I googled it and couldn't locate anything legitimate.
thanks
MacBook Pro, Mac OS X (10.6.8)
I have the same thing happening. Isn't it odd that it's on the same day? Google it now and every entry is from today, within the last 2 hours.
😮
I'll do a text level search of the whole drive and report back if I find something.
GL
/Library/LaunchAgents
Only Little Snitch and Splashtop are here
/Library/LaunchDaemons
M-Audio DAC
Little Snitch
Splashtop
HDAPM
All the above are old-dated
/Library/StartupItems
Only my M-Audio USB DAC is here
Thanks for your help on this in general...
I ran the "defaults read ~/.MacOSX/environment" command in Terminal and got a "does not exist".
Looking around on Google it seems like similar behavior to the Flashback trojan as well as the rr.nu domains.
bgw1 I have no idea where your .rserv is being launched. Unless we actually are dealing with a trojan here I would have expected yours to come from the same Adobe Reader LaunchAgent as the OP.
fane_j wrote:
There's another possibility. It just occurred to me to look at the date. I hope we haven't been taken in by a hoax.
I'm really going to be pi$$ed off wasting all this time if this is a April Fools joke.
Is this the correct environment command in Terminal? I am running Lion.
defaults read ~/.MacOSX/environment
Eirs-MacBook:~ EirUser$ defaults read ~/.MacOSX/environment
2012-04-01 01:06:10.966 defaults[1677:707]
Domain /Users/EirUser/.MacOSX/environment does not exist
Eirs-MacBook:~ EirUser$
sthej wrote:
Thanks for your help on this in general...
I ran the "defaults read ~/.MacOSX/environment" command in Terminal and got a "does not exist".
Looking around on Google it seems like similar behavior to the Flashback trojan as well as the rr.nu domains.
Well you seemed to satisfy yours but I would download Adobe Reader from the Adobe Site. I am still curious how that LaunchAgent got in there in the first place.
I'm sure the mere mention of the word "trojan" is going to attract certain interested readers to this thread. So just in case, to make it easier for them, here's that adobe reader LaunchAgents plist in a more readable (i.e., formatted) form:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.adobe.reader</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/trungson/.rserv</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>4212</integer>
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
    <key>StandardOutPath</key>
    <string>/dev/null</string>
</dict>
</plist>
Why would a launchd plist in a user's LaunchAgents have to specify RunAtLoad (it would run at login anyhow) and a StartInterval (or is this why RunAtLoad is needed)?
trungson wrote:
/Users/trungson/Library/LaunchAgents/com.adobe.reader.plist:
(I'll assume this is on the level.)
The syntax is valid; also, it has nothing to do with Adobe Reader. (The latter's identifier is probably "com.adobe.Reader", and there would be no need for it to implement anything as a launch agent.)
This plist implements a launch agent. It tells launchd to run </Users/trungson/.rserv> every 4212 seconds, discarding any output and error. The process is not kept alive—launchd runs it, it does whatever it was designed to do, then terminates, and launchd runs it again some 70 mins later. (Which explains why ps didn't list it.) If I were to speculate (without any evidence), I'd say it's trying to connect to the mothership to download the actual payload.
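The indicators pulled out of the plist above and in the post that first formatted it (a dot-prefixed binary in a user's home directory, a vendor-looking Label that does not match the program path, stdout/stderr sent to /dev/null, and a StartInterval beacon) can be checked mechanically across every agent on a machine. The script below is an added example written for this page, not code from the thread or from any of the posters. It embeds the com.adobe.reader.plist exactly as posted so it runs offline, plus a constructed benign agent for a hypothetical vendor (com.example.updater) for contrast; the heuristics and their names are the editor's and are not a signature for any particular piece of malware.

```python
"""Triage launchd agent/daemon plists for the indicators discussed in the thread.

Added example, not from the thread. Heuristic names and thresholds are the
editor's choice; a hit is a reason to look, not proof of infection.
"""
import plistlib
from pathlib import Path, PurePosixPath

# The com.adobe.reader.plist posted in the thread, embedded so the script runs offline.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key><string>com.adobe.reader</string>
<key>ProgramArguments</key><array><string>/Users/trungson/.rserv</string></array>
<key>RunAtLoad</key><true/>
<key>StartInterval</key><integer>4212</integer>
<key>StandardErrorPath</key><string>/dev/null</string>
<key>StandardOutPath</key><string>/dev/null</string>
</dict>
</plist>
"""

# Constructed benign agent for a hypothetical vendor, used only for contrast.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key>
<array><string>/Applications/Example.app/Contents/MacOS/Updater</string><string>--check</string></array>
<key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Locations where a legitimately installed agent's executable normally lives.
TRUSTED_ROOTS = ("/Applications/", "/Library/", "/System/", "/usr/", "/bin/", "/sbin/")


def program_path(job):
    """Executable launchd will run: Program takes precedence over ProgramArguments[0]."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""


def label_vendor(label):
    """Vendor component of a reverse-DNS Label ('com.adobe.reader' -> 'adobe')."""
    parts = label.lower().split(".")
    if len(parts) >= 2 and parts[0] in {"com", "org", "net", "io", "co"}:
        return parts[1]
    return parts[0]


def triage(plist_bytes):
    """Return the list of indicator names that fire for one launchd plist."""
    job = plistlib.loads(plist_bytes)          # handles XML and binary plists
    path = program_path(job)
    findings = []
    # Executable hidden behind a dot-prefixed path component (e.g. ~/.rserv).
    if any(part.startswith(".") for part in PurePosixPath(path).parts):
        findings.append("hidden_dotfile")
    # Executable outside the places an installer would normally put it.
    if not path.startswith(TRUSTED_ROOTS):
        findings.append("outside_trusted_roots")
    # Both output streams deliberately discarded.
    if job.get("StandardOutPath") == "/dev/null" and job.get("StandardErrorPath") == "/dev/null":
        findings.append("output_discarded")
    # Periodic re-execution: the beacon pattern described in the thread.
    if "StartInterval" in job or "StartCalendarInterval" in job:
        findings.append("periodic_execution")
    # Label claims a vendor that does not appear anywhere in the program path.
    vendor = label_vendor(job.get("Label", ""))
    if vendor and vendor not in path.lower():
        findings.append("label_path_mismatch")
    return findings


def scan_directory(directory):
    """Map every *.plist in a directory to its findings; [] means nothing flagged."""
    results = {}
    for plist_file in sorted(Path(directory).glob("*.plist")):
        try:
            results[str(plist_file)] = triage(plist_file.read_bytes())
        except (plistlib.InvalidFileException, ValueError) as exc:
            results[str(plist_file)] = ["unparseable: %s" % exc]
    return results


if __name__ == "__main__":
    import sys
    dirs = sys.argv[1:]
    if not dirs:
        print("thread sample :", triage(SAMPLE_PLIST))
        print("benign sample :", triage(BENIGN_PLIST))
    for d in dirs:
        for plist_path, found in scan_directory(d).items():
            print(plist_path, found or "clean")
```

Run it with no arguments to see the two embedded samples scored, or point it at the directories the thread walks through (`python3 triage.py ~/Library/LaunchAgents /Library/LaunchAgents /Library/LaunchDaemons`). Note that a Label/path mismatch on its own is weak evidence, since the Label can legitimately be any unique string, as the thread points out; the posted plist is suspicious because all five indicators fire together.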
It's just these kinds of things that are why I consider Little Snitch a "must have" on my systems. The last thing I want is something, anything, sent back to Adobe, no matter what.
The syntax is valid; also, it has nothing to do with Adobe Reader. (The latter's identifier is probably "com.adobe.Reader", and there would be no need for it to implement anything as a launch agent.)
Why use the id "com.adobe.Reader" if it wasn't associated with Adobe Reader? I do know the current AR doesn't install this.
I don't have Adobe Reader, but I do have Acrobat Professional 8. There is no Adobe .plist file at the locations you asked about.
Did you see my earlier post that I found the .rsvr file, it's 59.9K and it was downloaded by PluginProcess.app on March 30, 2012 (part of the WebKit2 framework)? I could try to zip it and email it to you if you want it.
bgw1 wrote:
Did you see my earlier post that I found the .rsvr file, it's 59.9K and it was downloaded by PluginProcess.app on March 30, 2012 (part of the WebKit2 framework)? I could try to zip it and email it to you if you want it.
I guess I missed that. I don't know what PluginProcess.app is. So long as you found it, ok.
X423424X wrote:
here's that adobe reader LaunchAgents plist in a more readable (i.e., formatted) form:
That's useful. Just a couple of comments.
The plist has nothing to do with Adobe Reader. The Label key is a unique identifier, required by launchd to keep track of agents. But it can be any string. If launchd's database is case-sensitive, and the Adobe Reader identifier is, as I suspect, com.adobe.Reader, then it's enough.
RunAtLoad key is optional key "used to control whether your job is launched once at the time the job is loaded". (It's in the launchd.plist manpage.)
As to how it was installed… My bet would still be CVE-2011-3544.
It's been quiet for the last hour. I think it hit Little Snitch about 5 times. I'm interested in resolving this for the community if it's a new threat otherwise I'm just wondering how to quarantine it or positively delete it.
bgw1 wrote:
it was downloaded by PluginProcess.app on March 30, 2012
PluginProcess lives here
</System/Library/PrivateFrameworks/WebKit2.framework/PluginProcess.app>
So this was in all likelihood downloaded by Safari (possibly also Chrome?). You should make a list of all sites visited on that date. Any Wordpress blogs among them?
X423424X wrote:
Why use the id "com.adobe.Reader" if it wasn't associated with Adobe Reader?
It isn't, it's "com.adobe.reader". The identifier can be any unique string.