.rserv wants to connect to cuojshtbohnt.com
I have the message:
.rserv wants to connect to cuojshtbohnt.com
what is .rserv? I googled it and couldn't locate anything legitimate.
thanks
MacBook Pro, Mac OS X (10.6.8)
I have the same thing happening. Isn't it odd that it's on the same day? Google it now and every entry is from today, within the last 2 hours.
😮
I'll do a text level search of the whole drive and report back if I find something.
GL
MadMacs0 wrote:
Was this on a fully patched OS X (and what version, BTW) or did it use Java exploit CVE-2011-3544 to install the Type 2 infection? I've asked F-Secure about this, but they have not gotten back to me.
When I described the F-Secure-described "Type 2" behavior that I was able to evoke from this threat, I referred to a mostly-patched 10.6.8v1.1 machine. Java there was 1.6.0_29. The only missing patches were the most recent Safari and iTunes updates.
foodguylargo wrote:
ditto.
I found this thread after a google search for .mkeeper turned up nothing and searched the cuojshtbohnt.com domain.
what should I do? I am not very mac smart but have little snitch!
Sorry, this thread has pretty much wound down and concerns a process called ".rserv". Are you reporting a new process called ".mkeeper" also attempting to contact cuojshtbohnt.com? Is this new process located somewhere in your home folder? (It's invisible, so you may not be able to see it in the Finder). Need a few more details or maybe it's time for a new thread as this one is fairly disorganized.
correct. .mkeeper that is invisible in my home folder is trying to contact that same domain. It just started a few hours ago. I keep denying, obviously, but want to know what it is and how to fix it!
I am the second person in this thread to mention .mkeeper
MWMWMW wrote:
MadMacs0 wrote:
Was this on a fully patched OS X (and what version, BTW) or did it use Java exploit CVE-2011-3544 to install the Type 2 infection? I've asked F-Secure about this, but they have not gotten back to me.
When I described the F-Secure-described "Type 2" behavior that I was able to evoke from this threat, I referred to a mostly-patched 10.6.8v1.1 machine. Java there was 1.6.0_29. The only missing patches were the most recent Safari and iTunes updates.
That's what I thought you were saying. So you were able to infect that machine by simply visiting the web page and canceling the Software Upgrade dialog requesting your admin password. That certainly sounds like the behavior demonstrated by a "V-word" malware. Don't want to panic anybody yet, but that sounds pretty serious. I think most of us have thought the only way infection could be accomplished was with out-of-date Java or social engineering.
I did some more digging in my situation.
.mkeeper file was installed at 1:00pm
Right at 1:00 I visited sourceforge and downloaded/installed "paintbrush"
There is no question that I got this from either sourceforge or the paintbrush download.
Hope this can maybe shed some light on the .rserv issue too.... seeing as they're trying to go to the same odd domain.
foodguylargo wrote:
correct. .mkeeper that is invisible in my home folder is trying to contact that same domain.
My assumption would be that it's the same thing; just the process name is different, which is not entirely surprising. See also this thread.
<Entered password, concerned about hacking>
MadMacs0 wrote:
Sorry, this thread has pretty much wound down and concerns a process called ".rserv". Are you reporting a new process called ".mkeeper" also attempting to contact cuojshtbohnt.com?
I don't think we should be too strict on process and file names. What it does and how it does it is more important; as we've seen previously, the actual names can be more or less random. Any executable, especially an invisible one, in one's Home directory that one doesn't know about and didn't put there must be highly suspect.
Thanks for the reply.
That thread mentions software update boxes and admin passwords, etc.
I did not do that.
I run software update often (anal about it) and always keep things up to date.
I have not had to enter my admin password in at least a week and would never do it after not specifically doing something that I know would require it.
Wrapping up a loose end here, I did join the party a few hours late yesterday, but have never been able to locate a "cuojshtbohnt.com" using any network utility I have, and whois.com says I can own it for less than $10US. That could be just a test for Little Snitch.
"gangstaparadise.rr.nu" is a different story. It comes back to 67.208.74.71 and Google has several references to rr.nu domains as being malware distributors. None of my whois checks tell me anything about the site or even rr.nu. In any case, this IP address is not the C&C server that has been associated with all of the Flashback Trojans, as near as I can tell. It could have easily moved, of course, but it could also mean this is a Flashback clone as fane_j and others have theorized.
The domain listed: cuojshtbohnt.com is bunk, but under "more info" on LS
it says: IP Address: 204.232.137.207
Which has an open proxy (google search) and other issues.
foodguylargo wrote:
Right at 1:00 I visited sourceforge and downloaded/installed "paintbrush"
There is no question that I got this from either sourceforge or the paintbrush download.
The Flashback model we've been dealing with over the last month or so involves a drive-by rendering of a Java applet which installs a Trojan Downloader in a temp directory, then downloads and installs the components using either one of two Java exploits that were patched by Apple in Nov 2011 or social engineering (the request for admin password you saw). The version from mid-March or so installed two different types of Trojan, depending on whether or not it had an admin password.
At least one other Trojan started using this same model, but it apparently came from China and was targeted on Tibet.
I looked around the sourceforge download site (since I'm on a PPC Mac with Java off) and don't see any signs of poisoning, but I probably don't know what I'm looking for since it's never been described. I also downloaded Paintbrush, which comes as a zipped application with no installer and will poke around inside, but probably not try to run it.
In the meanwhile, take a look in your ~/Library/LaunchAgents/ directory (folder) and see if you can find the .plist responsible for launching and maintaining the .mkeeper process. A text editor or QuickLook should be all you need for that.
Then open up Java Preferences (found in /Applications/Utilities/) and tell us what version of Java you have. Since you are posting to the Snow Leopard forum I'm guessing it should be J2SE 6.0 version 1.6.0_29... if it's up-to-date.
I found this in ~/Library/LaunchAgents/com.adobe.reader.plist
Note the reference to the .rserv file.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.adobe.reader</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/[my username]/.rserv</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>4212</integer>
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
    <key>StandardOutPath</key>
    <string>/dev/null</string>
</dict>
</plist>
Nothing in my /LaunchAgents/ that is out of place. Only 4 items there, 2 are littlesnitch and 2 are other programs I've had on here quite a while. They also have no mention of .mkeeper in them.
Java is 1.6.0_29
I moved the .mkeeper file and renamed it.
foodguylargo wrote:
There is no question that I got this from either sourceforge or the paintbrush download.
I shouldn't be quite so positive. It may have been earlier. Check messages in Console as here
<https://discussions.apple.com/thread/3844172?answerId=18010355022#18010355022>
Try filtering for the string 'mkeeper', and then check immediately previous and succeeding messages.
Nothing in my /LaunchAgents
Look in <~/Library/LaunchAgents/>. If you don't find it, get EasyFind and search contents of plist files for the string "mkeeper".
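The checks suggested in the two posts above (look through ~/Library/LaunchAgents for the .plist that launches the hidden process, and search plist contents for the string) can be automated. This is an added example, not code from anyone in this thread; the sample plists are constructed after the ones posted here, and the username EXAMPLEUSER is a placeholder.

```python
import plistlib
from pathlib import Path

# Constructed sample plists modelled on the LaunchAgents posted in this thread.
# The username is a placeholder; the second agent is a benign control case.
SAMPLE_PLISTS = {
    "com.zeobit.keep.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>Label</key><string>com.zeobit.keep</string>
<key>ProgramArguments</key><array><string>/Users/EXAMPLEUSER/.mkeeper</string></array>
<key>RunAtLoad</key><true/>
<key>StartInterval</key><integer>4212</integer>
<key>StandardErrorPath</key><string>/dev/null</string>
<key>StandardOutPath</key><string>/dev/null</string>
</dict></plist>""",
    "com.example.benign.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.benign</string>
<key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/helper</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>""",
}


def find_hidden_home_agents(plists, home="/Users/EXAMPLEUSER"):
    """Return (filename, Label, path) for every agent whose program is a
    dotfile (hidden executable) located under the given home directory."""
    findings = []
    for name, data in plists.items():
        try:
            d = plistlib.loads(data)
        except Exception:
            continue  # unparsable file: not a valid LaunchAgent anyway
        # launchd accepts either a Program string or a ProgramArguments array
        args = list(d.get("ProgramArguments") or [])
        if isinstance(d.get("Program"), str):
            args.insert(0, d["Program"])
        for p in args:
            if isinstance(p, str) and p.startswith(home + "/") and Path(p).name.startswith("."):
                findings.append((name, d.get("Label"), p))
                break
    return findings


def scan_launch_agents(directory=None):
    """Apply the same check to the real ~/Library/LaunchAgents of this user."""
    directory = Path(directory or Path.home() / "Library" / "LaunchAgents")
    plists = {f.name: f.read_bytes() for f in directory.glob("*.plist")}
    return find_hidden_home_agents(plists, str(Path.home()))
```

Running scan_launch_agents() on a clean machine returns an empty list; any hit names the plist to inspect and the hidden path it launches.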
foodguylargo, you are looking at the wrong LaunchAgents. It's ~/Library/LaunchAgents, i.e., the one in your home directory, not the system /Library directory on the boot volume.
Gotcha. Found it:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.zeobit.keep</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/foodguy/.mkeeper</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>4212</integer>
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
    <key>StandardOutPath</key>
    <string>/dev/null</string>
</dict>
</plist>
Zeobit... Checked their website (MacKeeper) I don't have any of those products, nor have I ever installed any (manually).
This plist was also created at 1:00pm today, the exact time I went to sourceforge/paintbrush (Firefox history). That is the only thing I was doing around then. I both went to the site (from a google search) and installed it at exactly 1pm, so I don't know which it was.
The console has no mention of .mkeeper other than:
4/1/12 9:57:38.807 PM com.apple.launchd.peruser.501: (com.zeobit.keep[161]) posix_spawn("/Users/foodguy/.mkeeper", ...): No such file or directory
(I moved and renamed it)