.rserv wants to connect to cuojshtbohnt.com

foodguylargo wrote:

Gotcha. Found it:

...

<key>Label</key><string>com.zeobit.keep</string><key>

Good, so you have found everything we know about. Another exercise would be to use EasyFind or Find Any File to search for any other files that first appeared in that time frame.

And you've shown that you can be infected with an up-to-date Java and no admin password.

I think I can say without going too far out on a limb that this is the same infection we saw yesterday with different file names. I'm sure the downloader is programmed to install whatever files are shipped to it by the server at the time.

I suppose the big mystery is what are they after?

With Flashback it seems to have been a modest income from occassionally redirecting Safari to ad sites, but mostly they were pilfering username/password pairs for mostly financial sites and passing them on to the Mother Ship via Twitter. Haven't heard they they were able to score anything from these yet, but the potential is certainly there. They were able to use Safari to do their dirty work by injecting code into the the application, either on the hard drive where it was easy enough to spot if you knew what you were looking for, or doing the same thing after it was launched into RAM where it was all but impossible to find.

So right now it looks like the only active process is the .rserv / .mkeeper process, but there could well be more and we don't have the slightest idea what those processes do other than try to phone home.

One user has it under observation in a controlled environment and hopefully the A-V vendor blogs will have something for us early next week, but right now I'm out of ideas.

Best advise tonight would be to either restore from TimeMachine to a point prior to 1:00 and if you can't do that follow Linc Davis' recommendations for recovering from Flashback:

I suggest you take the following steps immediately:

1. Back up all data to at least two different devices, if you haven't already done so.

2. Boot from your recovery partition (if running Mac OS X 10.7 or later) or your installation disc (if running an earlier version of the Mac OS), launch Disk Utility, and erase the startup drive. This action will destroy all data on the drive, so you must be sure of your backups.

3. Install the Mac OS.

4. Reboot and go through the initial setup process to create an account. Don’t import anything from your backups at this stage.

5. If running Mac OS X 10.6.x or earlier, run Software Update.

6. Restore the contents of all the top-level subfolders of your home folder except “Library” from the most recent backup. You can also restore the files in the Library folder, but don’t restore any of its subfolders; only the files contained in those folders, and only if they’re visible in the Finder. Don’t restore any hidden files or folders, no matter where they are.

7. If you’re running Mac OS X 10.5.x or earlier, disable Java in Safari’s preferences, and leave it disabled until you upgrade to Mac OS X 10.6.8 or later, including all available updates. The Java web plugin is unsafe to use under older versions of the Mac OS. Note: I’m not referring to JavaScript, which is unrelated to Java, despite the similarity in the names.

8. Change every Internet password you have, starting with banking passwords. Check all financial accounts for unauthorized transactions. Take this step only after you’ve secured your system in the preceding steps, not before.

9. Reinstall your third-party software from fresh downloads or original media, not from backups which may be contaminated. If you use any third-party web browsers under Mac OS X 10.5.x or earlier, disable Java in their preferences, as you did with Safari in step 7.

easthollow wrote:

I found this in ~/Library/LaunchAgents/com.adobe.reader.plist

...

<array><string>/Users/[my username]/.rserv</string>

Yes, that's it, so you must have been infected some time yesterday. If you have a TimeMachine backup you need to determine the exact date/time those two files were installed and restore from before that time.

You should also disconnect that computer from the internet in case it's found a different way to phone home with information about your computer, at least until you can disable the .rserv process. To do that open the Terminal app (found in /Applications/Utilities/), copy and paste the following command after the "$ " prompt and hit return.

launchctl unload -w com.adobe.reader

followed by:

launchctl list com.adobe.reader

which should return "launchctl list returned unknown response" to indicate the process was halted, the LaunchAgent has been removed from the queue and marked as disabled for future log ins. Then you can move them to a safe spot.

Next step is up to you. We have no idea what this thing does nor if those two files are all that was installed. If you can't restore from TimeMachine, then my best advise at the moment is at the end of my post here.

I guarantee that it's backdoor Flashback. You could check file .mkeeper on virustotal.com.

virustotal

The exploit is CVE-2012-0507, which is fixed in Java Update 31. Latest Mac Java is only Update 29.

It means likely all Mac users are vulnerable and the best solution is to disable Java immediately.

http://arstechnica.com/apple/news/2012/04/mac-trojan-exploits-unpatched-java-vul nerability-no-password-needed.ars

Really noobish question below.

Here's the scenario. I upgraded from Snow Leopard to Lion last year. It seems I do not have Java installed on my machine, as when I attempted to update Java from my machine it said I needed to install it. However I noticed in Safari that I still had the box checked to "Enable" Java. I also have Chrome installed, but did not check to see what the Java status there was.

So I'm wondering, does this mean Java can be active in a browser without being installed on a machine? (Alternatively, I could be misunderstanding the message I recevied.).

As relevant to this thread, if I haven't installed Java on my machine, am I still susceptible to this particular Flashback attack?

Thanks for any help.

lytic wrote:

I guarantee that it's backdoor Flashback.

I'll take some of that....

It's definitely Flashback like, but I believe it's a cheap knock-off based on the same Blackhole exploitation kit that came out last week to take advantage of the CVE-1012-0507 Java vulnerability and here's why I think it's different.

The approach to infection is relative simplistic by using easily spotted techniques that are a step way back from what Flashback currently uses.

It does not check for the presence of malware detectors (e.g. Little Snitch) making it far too easy to detect.

It uses a different C&C server (mother ship) than the one long associated with Flashback.

But the bad news is we have little to know information on what it is doing to exploit the user, other than making life miserable for them.

Bottom line would appear to be to disable Java until Apple gets 1.6.0_31 posted for Snow Leopard and above.

condrome wrote:

Here's the scenario. I upgraded from Snow Leopard to Lion last year. It seems I do not have Java installed on my machine, as when I attempted to update Java from my machine it said I needed to install it. However I noticed in Safari that I still had the box checked to "Enable" Java. I also have Chrome installed, but did not check to see what the Java status there was.

Open Java Preferences (found in /Applications/Utilities/) and it will tell you for sure if Java was removed when you installed Lion. I would think so, but not knowing the type of installation you did nor having any personal experience with that upgrade, I can't say for certain.

So I'm wondering, does this mean Java can be active in a browser without being installed on a machine? (Alternatively, I could be misunderstanding the message I recevied.).

I don't see how. Some browsers come with their own plugin to take advantage of Java, which is also available for separate download, but I'm pretty sure they simply hook you into the J2SE installation Apple provides.

As relevant to this thread, if I haven't installed Java on my machine, am I still susceptible to this particular Flashback attack?

I don't see how, at this time, but none of us know what the next variant will bring.

Finally...Instructions for full removal of the Flashback.K variant can be found here: http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml. Those of you that were infected please check to see if you removed everything this outlines.

Not that I trust these instructions any more than I have in the past. Still better to restore from TM backup or follow Linc's instructions, but at least now we know where else to look.

Added: The infection described here could still be different from the ones described in this thread, but there is enough commonality to warrant double-checking.

Message was edited by: MadMacs0

Thanks for your help MacMacs0.

Here is the message I get when I attempt to open up the Java Preferences. To open "Java Preferences", you need a Java runtime. Would you like to install one now?". Taking that to mean I don't have Java on this machine.

You're on Lion. Java is not installed by default on Lion, so you take it correctly.

MadMacs0 wrote:

The approach to infection is relative simplistic by using easily spotted techniques that are a step way back from what Flashback currently uses.

How do you know? It could simply be a bug. After all, we became aware of each of the other strains due to bugs, and nothing else. The truly frightening thing is that, if this thing had been bug-free, we'd still be none the wiser.

But, as I said earlier, what this thing does and how it does it is more important that the name.

Bottom line would appear to be to disable Java until Apple gets 1.6.0_31 posted for Snow Leopard and above.

Don't hold your breath.

fane_j wrote:

MadMacs0 wrote:

The approach to infection is relative simplistic by using easily spotted techniques that are a step way back from what Flashback currently uses.

How do you know? It could simply be a bug. After all, we became aware of each of the other strains due to bugs, and nothing else. The truly frightening thing is that, if this thing had been bug-free, we'd still be none the wiser.

I don't know and hope I never said that, just a suspicion at the time. Now that F-Secure has posted their analysis I feel better about assuming we've got Flashback.K here, but would feel even better about it if somebody confirmed the presence of any of the other files mentioned. It probably is the result of having to integrating the latest Blackhole exploitation kit into their work and not performing some of the checks they were previously making. Changing the C&C server could also be an enhancement they have made.

But, as I said earlier, what this thing does and how it does it is more important that the name.

Absolutely, I just want to know if we have a Flashback clone that does something differently and installs additional files to do that or is this just more of the same.

fane_j wrote:

MadMacs0 wrote:

Bottom line would appear to be to disable Java until Apple gets 1.6.0_31 posted for Snow Leopard and above.

Don't hold your breath.

I read somewhere that it's been out to developers for about a month. I should think they would be able to rush it if they got enough complaints.

MadMacs0 wrote:

It's definitely Flashback like, but I believe it's a cheap knock-off based on the same Blackhole exploitation kit that came out last week to take advantage of the CVE-1012-0507 Java vulnerability and here's why I think it's different.

The approach to infection is relative simplistic by using easily spotted techniques that are a step way back from what Flashback currently uses.

You are right. This sample spread through exploit CVE-1012-0507. We've seen first version since 19.03.2012.

It does not check for the presence of malware detectors (e.g. Little Snitch) making it far too easy to detect.

It does:

/Library/Little Snitch

/Developer/Applications/Xcode.app/Contents/MacOS/Xcode

/Applications/VirusBarrier X6.app

/Applications/iAntiVirus/iAntiVirus.app

/Applications/avast!.app

/Applications/ClamXav.app

/Applications/HTTPScoop.app

/Applications/Packet Peeper.app

It uses a different C&C server (mother ship) than the one long associated with Flashback.

New version of Flashback uses different method for download payload from C&C. It's like fast-flux. Everyone who notice connection to:

vxvhwcixcxqxd.com

cuojshtbohnt.com

rfffnahfiywyd.com

please tell additional dns info.

P.S.

I'm from DrWeb.