.rserv wants to connect to cuojshtbohnt.com
I have the message:
.rserv wants to connect to cuojshtbohnt.com
what is .rserv? I googled it and couldn't locate anything legitimate.
thanks
MacBook Pro, Mac OS X (10.6.8)
I have the same thing happening. Isn't it odd that it's on the same day? Google it now and every entry is from today, within the last 2 hours.
😮
I'll do a text level search of the whole drive and report back if I find something.
GL
*Anyone who has seen evidence...
Sorry.
I don't think this has anything to do with Flashback. I don't know if it is a trojan or not, but in my opinion the Flashback creators are a lot more sneaky than the obvious stuff going on here. This is too simple and much easier to spot.
The basis for my conclusion was that I infected a test machine. I was able to observe behavior that followed the pattern of Flashback exactly, with no apparent additions or modifications (right down to attempting to mimic software update to root the system). The standard Flashback manual removal process was successful, from what I have seen so far. I will report further observations if I discover more to report. So far, it would seem that only the initial delivery mechanism has evolved.
fane_j wrote:
Good work, but bad news. CVE-2011-3544 was supposed to have been fixed after update 27, so either it hasn't been really fixed, or they use another vulnerability. IMHO, that's serious stuff, and I'm considering whether or not I should remove Java altogether.
Yes, but if it cannot use either of the two exploits in CVE-2011-3544 it tries social engineering to install. The two examples we have are the un-trusted fake Apple Certificate and the phony software update dialog asking for admin password. That's why I suggested to Linc yesterday that he modify his guidance to have everybody who doesn't require it to disable it, either in the browser or in Java Preferences.
MWMWMW wrote:
The basis for my conclusion was that I infected a test machine. I was able to observe behavior that followed the pattern of Flashback exactly, with no apparent additions or modifications (right down to attempting to mimic software update to root the system). The standard Flashback manual removal process was successful, from what I have seen so far. I will report further observations if I discover more to report. So far, it would seem that only the initial delivery mechanism has evolved.
Although I would agree with you that this appears to be the next evolution of Flashback, the installation pattern is completely different from any we have seen before. In the F-Secure reference you cited, neither of the two types of infection involves a LaunchAgent or an executable at the root level of the home folder. It was either files added to Safari in Type 1 or the old environment.plist and an ".so" dylib file. I'm not understanding how you could have used the removal process specified by F-Secure to have found the two files that have been discussed here.
In any case, nobody has suggested submitting them as samples, so I'll ask that anybody that has anything to please send/upload them to sample@virusbarrier.com and virustotal.com
This was caught by Little Snitch this morning on my system as well, except mine tried to connect to gangstasparadise.rr.nu. File .rserv is in my user folder. Other details per this thread:
$ defaults read ~/.MacOSX/environment
{
PATH = "/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin:/opt/local/bin:/usr/local/git/bin";
}
$ java -version
java version "1.6.0_29"
Java(TM) SE Runtime Environment (build 1.6.0_29-b11-402-11D50)
Java HotSpot(TM) 64-Bit Server VM (build 20.4-b02-402, mixed mode)
Thoughts?
I agree that the LaunchAgent is a fairly unsophisticated and transparent step in the delivery mechanism, but the remaining payload is extremely familiar.
I refused the "software update" authentication prompt, so the "Type 2" environment.plist infection method was used in the only test case I've had a chance to review, and the corresponding removal technique was successful. If I get a chance to reset my test environment and prompt a Type 1 scenario later today, I'll post results.
MadMacs0 wrote:
Although I would agree with you that this appears to be the next evolution of Flashback, the installation pattern is completely different from any we have seen before. In the F-Secure reference you cited, neither of the two types of infection involves a LaunchAgent or an executable at the root level of the home folder. It was either files added to Safari in Type 1 or the old environment.plist and an ".so" dylib file. I'm not understanding how you could have used the removal process specified by F-Secure to have found the two files that have been discussed here.
easthollow wrote:
This was caught by Little Snitch this morning on my system as well, except mine tried to connect to gangstasparadise.rr.nu. File .rserv is in my user folder. Other details per this thread:
$ defaults read ~/.MacOSX/environment
{
PATH = "/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin:/opt/local/bin:/usr/local/git/bin";
}
I've not seen the environment.plist used to provide a path profile before. What is in "/usr/local/git/bin/"?
$ java -version
java version "1.6.0_29"
Java(TM) SE Runtime Environment (build 1.6.0_29-b11-402-11D50)
Java HotSpot(TM) 64-Bit Server VM (build 20.4-b02-402, mixed mode)
Java is up-to-date.
MWMWMW wrote:
I refused the "software update" authentication prompt, so the "Type 2" environment.plist infection method was used in the only test case I've had a chance to review, and the corresponding removal technique was successful.
Was this on a fully patched OS X (and what version, BTW) or did it use Java exploit CVE-2011-3544 to install the Type 2 infection? I've asked F-Secure about this, but they have not gotten back to me.
Emmm... I'm on Lion and just got a tip off from Little Snitch about ".mkeeper" in my user directory trying to connect to the same site. 😟
Is this thing definitely some sort of malware?
I can imagine where I'd have gotten it from.
MadMacs0 wrote:
I've not seen the environment.plist used to provide a path profile before. What is in "/usr/local/git/bin/"?
git is a version control system used by programmers. I installed it myself, so that's nothing of concern.
.rserv is the file of concern. Where did it come from, why is it trying to contact this bizarre site?
Baroncee wrote:
Emmm... I'm on Lion and just got a tip off from Little Snitch about ".mkeeper" in my user directory trying to connect to the same site. 😟
Is this thing definitely some sort of malware?
I can imagine where I'd have gotten it from.
I'd be willing to bet on it as there should be no hidden processes running out of the root level of your home folder. Recent versions are being spread by a Java applet rendered from a web page (recently WordPress blogs) using one of at least three methods of then downloading and installing the Trojan. Appears to be new as of the 30th, so we have not seen much analysis done on it other than what is in this thread.
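The indicator MadMacs0 describes above (a hidden executable sitting at the root level of the home folder, plus the LaunchAgent and environment.plist locations discussed earlier in the thread) can be checked without guessing at file names. The script below is an added example for this thread, not code posted by any participant or by Apple; it assumes only POSIX find and sh, takes the home directory as an argument so it can be run against any path, and reports, rather than removes, what it finds.

```shell
# Added example: enumerate the three persistence locations discussed in this thread.
# Each function takes a home directory as $1 (defaults to $HOME) and prints matches.

# Hidden regular files at the root level of the home folder that carry the owner
# execute bit. Legitimate software does not drop executables there; dotfiles such as
# .bash_profile are not executable and directories such as .ssh are excluded by -type f.
find_hidden_executables() {
  dir="${1:-$HOME}"
  find "$dir" -maxdepth 1 -type f -name '.*' -perm -u+x 2>/dev/null | sort
}

# Per-user LaunchAgents: the mechanism a hidden helper would use to run at every login.
# Review each plist's ProgramArguments by hand; anything pointing into a hidden file
# in the home folder is suspect.
list_user_launch_agents() {
  dir="${1:-$HOME}/Library/LaunchAgents"
  [ -d "$dir" ] || return 0
  find "$dir" -maxdepth 1 -type f -name '*.plist' 2>/dev/null | sort
}

# The legacy ~/.MacOSX/environment.plist used by the "Type 2" infection. Its mere
# presence is worth a look, since few users create it deliberately.
has_environment_plist() {
  [ -f "${1:-$HOME}/.MacOSX/environment.plist" ]
}

# Usage: run the checks against the current user's home folder.
echo "hidden executables at root of home folder:"
find_hidden_executables
echo "user LaunchAgents:"
list_user_launch_agents
if has_environment_plist; then
  echo "~/.MacOSX/environment.plist is present; inspect it with: defaults read ~/.MacOSX/environment"
fi
```

The script only lists; removal should follow a published procedure for the specific variant, and any file found this way is worth uploading to the sample addresses MadMacs0 gives above before it is deleted.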
easthollow wrote:
MadMacs0 wrote:
I've not seen the environment.plist used to provide a path profile before. What is in "/usr/local/git/bin/"?
git is a version control system used by programmers. I installed it myself, so that's nothing of concern.
Thanks.
.rserv is the file of concern. Where did it come from, why is it trying to contact this bizarre site?
It appears to be either a new variant of the Flashback Trojan or a copycat using the same technique to download and infect your computer. Everything known about it now is in this thread unless somebody has run across more details today.
MadMacs0 wrote:
I've not seen the environment.plist used to provide a path profile before.
It looks like this strain doesn't use environment.plist (hardly surprising).
As I've said before, there's more than one person, and perhaps more than one group, behind this. These people have their own boards, where they exchange ideas, code, and techniques. And, as you said yourself, some of them, no doubt, are reading these posts as we speak.
ditto.
I found this thread after a Google search for .mkeeper turned up nothing and I searched for the cuojshtbohnt.com domain.
What should I do? I am not very Mac smart but I have Little Snitch!