.rserv wants to connect to cuojshtbohnt.com
I have the message:
.rserv wants to connect to cuojshtbohnt.com
what is .rserv? I googled it and couldn't locate anything legitimate.
thanks
MacBook Pro, Mac OS X (10.6.8)
I have the same thing happening. Isn't it odd that it's on the same day? Google it now and every entry is from today, within the last 2 hours.
😮
I'll do a text level search of the whole drive and report back if I find something.
GL
I just got a Little Snitch notice re: .rserv trying to connect to cuojshtbohnt.com. Here is the file that was installed in my home directory:
-rwxrwxrwx@ 1 scott staff 59848 Mar 30 13:01 .rserv
And, I do recall getting one the other day with something trying to connect to gangstasparadise.rr.nu. Looking at my firefox history, it appears that I was sent there while visiting the D-Link website at the exact time that .rserv was created (Mar 30 13:01). History shows these 3 entries at that time:
http://www.dlink.com/products/?pid=71
http://www4.firstmn-army.com/?8800f2x=XK2ZlKNnsJicmN%2Fnqptfh%2Bbh5XVoYWiblayZm9 ispJE%3D
http://gangstasparadise.rr.nu/13f/?said=5826&ref=http://www.dlink.com/products/? pid=71
Hopefully this is helpful in troubleshooting.
On my girlfriend's Mac, LS said that ...
".flserv" wants to connect to vxvhwcixcxqxd.com
.flserv is located in her home folder "/Volumes/Data/Username/.flserv"
What kind of trojan is it and how can I remove it?
I tried the following guide: https://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_c.shtml
But there is nothing to find in the plist files, and we could not find any of the other files.
TopperHarley wrote:
On my girlfriend's Mac, LS said that ...
".flserv" wants to connect to vxvhwcixcxqxd.com
.flserv is located in her home folder "/Volumes/Data/Username/.flserv"
What kind of trojan is it and how can I remove it?
Sounds like the "K" version. There are two types.
http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml
Message was edited by: MadMacs0 to remove references to the "I" type.
Can the Sophos Anti-Virus detect and remove that virus?
Nothing definitive yet, but have a look here. I wouldn't rely on Sophos scrubbing it out completely, even if it gets listed in their definitions. This thing keeps changing; I don't know if I'd trust any AV with the ranch.
http://openforum.sophos.com/t5/Sophos-Anti-Virus-for-Mac-Home/Flashback/m-p/5707
lytic wrote:
MadMacs0 wrote:
It's definitely Flashback-like, but I believe it's a cheap knock-off based on the same Blackhole exploitation kit that came out last week to take advantage of the CVE-2012-0507 Java vulnerability, and here's why I think it's different.
The approach to infection is relatively simplistic, using easily spotted techniques that are a step way back from what Flashback currently uses.
You are right. This sample spread through the CVE-2012-0507 exploit. We've seen the first version since 19.03.2012.
Thanks for getting back to us on this. Appreciate all the details. Had I known you had a sample, my conjectures would have been somewhat different as I did not at the time, but do have access to one now.
Wow, 19 March, that's a long time to stay under the radar. Perhaps it took them a while to proliferate it to poisoned web sites.
It does not check for the presence of malware detectors (e.g. Little Snitch) making it far too easy to detect.
It does:
/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app
What I didn't consider was the presence of the updater process first, which is what prompts the LS alerts, so the checks must be made after the updater does its thing and before the actual Trojan installation begins. Guess the malware developer didn't think of that either.
The new version of Flashback uses a different method for downloading the payload from the C&C. It's like fast-flux. Everyone who notices a connection to:
vxvhwcixcxqxd.com
cuojshtbohnt.com
rfffnahfiywyd.com
please share additional DNS info.
After reading the F-Secure writeups, I now realize that.
I'll have to do some checking on additional dns info as I thought I saw one other, but can't be certain.
P.S.
I'm from DrWeb.
I do uncompensated Tech Support for the ClamXav Forum and am somewhat out of my league here as a result of getting caught up in the chase for MacDefender some time ago. I wish more folks like you were around to help so I could do more of my day and hobby jobs.
Message was edited by: MadMacs0 due to premature posting.
TopperHarley wrote:
Can the Sophos Anti-Virus detect and remove that virus?
Since you asked me I'll respond by echoing what WZZZ said. They may be able to detect parts of it right now, but all the A-V folks have cautioned that they probably cannot remove all of it. At this moment, only F-Secure seems to have an approach to it. Almost all of us here recommend against using A-V software to clean up this form of malware and suggest what I posted before from Linc Davis.
paddlesource wrote:
I just got a Little Snitch notice re: .rserv trying to connect to cuojshtbohnt.com. Here is the file that was installed in my home directory:
-rwxrwxrwx@ 1 scott staff 59848 Mar 30 13:01 .rserv
And, I do recall getting one the other day with something trying to connect to gangstasparadise.rr.nu. Looking at my firefox history, it appears that I was sent there while visiting the D-Link website at the exact time that .rserv was created (Mar 30 13:01)....
Hopefully this is helpful in troubleshooting.
Thanks for posting. I assume you know what you have to do next.
Ok, I tried the removal but I don't find the requested files.
In the first step with
ls -lA ~/Library/LaunchAgents/
I only get:
-rw-rw-r-- 1 Katscha staff 697 9 Aug 2010 com.adobe.AAM.Updater-1.0.plist
-rw-r--r-- 1 Katscha staff 601 10 Aug 2010 com.adobe.ARM.930da3ce175de4e82bd3cdf1dd8571f74bd3b6a7236bc94bfc00f6e9.plist
-rw-r--r--@ 1 Katscha staff 495 30 Mär 14:03 com.adobe.flp.plist
-rw-r--r--@ 1 Katscha staff 809 30 Jul 2011 com.google.keystone.agent.plist
And the following step
defaults read ~/Library/LaunchAgents/%filename_obtained_in_step2% ProgramArguments
ends then in
Katscha$ defaults read ~/Library/LaunchAgents/com.adobe.AAM.Updater-1.0.plist
2012-04-03 22:31:47.490 defaults[4931:903]
Domain /Volumes/Data/Katja/Library/LaunchAgents/com.adobe.AAM.Updater-1.0.plist does not exist
I don't think that the .plist files are from the Virus.
TopperHarley wrote:
Ok, I tried the removal but I don't find the requested files.
In the first step with
ls -lA ~/Library/LaunchAgents/
I only get:
-rw-rw-r-- 1 Katscha staff 697 9 Aug 2010 com.adobe.AAM.Updater-1.0.plist
-rw-r--r-- 1 Katscha staff 601 10 Aug 2010 com.adobe.ARM.930da3ce175de4e82bd3cdf1dd8571f74bd3b6a7236bc94bfc00f6e9.plist
-rw-r--r--@ 1 Katscha staff 495 30 Mär 14:03 com.adobe.flp.plist
-rw-r--r--@ 1 Katscha staff 809 30 Jul 2011 com.google.keystone.agent.plist
I don't think that the .plist files are from the Virus.
Based on the dates, I would bet on "com.adobe.flp.plist" making the date/time of infection 20 Mar 14:30 local.
Apple sent the following announcement "APPLE-SA-2012-04-03-1 Java for OS X 2012-001 and Java for Mac OS X 10.6 Update 7"
APPLE-SA-2012-04-03-1 Java for OS X 2012-001 and
Java for Mac OS X 10.6 Update 7
Java for OS X 2012-001 and Java for Mac OS X 10.6 Update 7 is now
available and addresses the following:
Java
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.3, OS X Lion Server v10.7.3
Impact: Multiple vulnerabilities in Java 1.6.0_29
Description: Multiple vulnerabilities exist in Java 1.6.0_29, the
most serious of which may allow an untrusted Java applet to execute
arbitrary code outside the Java sandbox. Visiting a web page
containing a maliciously crafted untrusted Java applet may lead to
arbitrary code execution with the privileges of the current user.
These issues are addressed by updating to Java version 1.6.0_31.
Further information is available via the Java website at http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html
CVE-ID
CVE-2011-3563
CVE-2011-5035
CVE-2012-0497
CVE-2012-0498
CVE-2012-0499
CVE-2012-0500
CVE-2012-0501
CVE-2012-0502
CVE-2012-0503
CVE-2012-0505
CVE-2012-0506
CVE-2012-0507
Java for OS X 2012-001 and Java for Mac OS X 10.6 Update 7
may be obtained from the Software Update pane in System Preferences,
or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
For Mac OS X v10.6 systems
The download file is named: JavaForMacOSX10.6.dmg
Its SHA-1 digest is: f76807153bc0ca253e4a466a2a8c0abf1e180667
For OS X Lion systems
The download file is named: JavaForOSX.dmg
Its SHA-1 digest is: 176ac1f8e79b4245301e84b616de5105ccd13e16
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
MadMacs0 wrote:
TopperHarley wrote:
Ok, I tried the removal but I don't find the requested files.
In the first step with
ls -lA ~/Library/LaunchAgents/
I only get:
-rw-rw-r-- 1 Katscha staff 697 9 Aug 2010 com.adobe.AAM.Updater-1.0.plist
-rw-r--r-- 1 Katscha staff 601 10 Aug 2010 com.adobe.ARM.930da3ce175de4e82bd3cdf1dd8571f74bd3b6a7236bc94bfc00f6e9.plist
-rw-r--r--@ 1 Katscha staff 495 30 Mär 14:03 com.adobe.flp.plist
-rw-r--r--@ 1 Katscha staff 809 30 Jul 2011 com.google.keystone.agent.plist
I don't think that the .plist files are from the Virus.
Based on the dates, I would bet on "com.adobe.flp.plist" making the date/time of infection 20 Mar 14:30 local.
But why do I get a "... does not exist"?
Katscha$ defaults read ~/Library/LaunchAgents/com.adobe.flp.plist ProgramArguments
2012-04-03 23:15:12.170 defaults[4964:903]
The domain/default pair of (/Volumes/Data/Katja/Library/LaunchAgents/com.adobe.flp.plist, ProgramArguments) does not exist
TopperHarley wrote:
But why do I get a "... does not exist"?
Katscha$ defaults read ~/Library/LaunchAgents/com.adobe.flp.plist ProgramArguments
2012-04-03 23:15:12.170 defaults[4964:903]
The domain/default pair of (/Volumes/Data/Katja/Library/LaunchAgents/com.adobe.flp.plist, ProgramArguments) does not exist
Not sure, try it without "ProgramArguments"
TopperHarley wrote:
Katscha$ defaults read ~/Library/LaunchAgents/com.adobe.AAM.Updater-1.0.plist
The syntax is wrong. When using defaults to read an arbitrary .plist file, omit the file name extension (.plist). It should read
$ defaults read ~/Library/LaunchAgents/com.adobe.AAM.Updater-1.0
(Incidentally, I believe this is a legitimate launch agent file, used by Acrobat.)
fane_j wrote:
The syntax is wrong. When using defaults to read an arbitrary .plist file, omit the file name extension (.plist). It should read
Ah yes, of course.
Try
defaults read ~/Library/LaunchAgents/com.adobe.flp ProgramArguments
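The LaunchAgents check walked through in the posts above (list the agent plists, then read each one's ProgramArguments to see what it launches) as one script, added here as an example and not from the thread or any of its posters; it parses the plists offline with Python's plistlib instead of calling `defaults`, flags any agent whose program is a hidden dotfile like the `.flserv` and `.rserv` files reported above, and the two sample plists are constructed (their paths are assumed, not the real Adobe or Google agents):

```python
import plistlib
import posixpath
from pathlib import Path

# Constructed samples (assumed content, not the real Adobe/Google agents):
# the first mimics the thread's "com.adobe.flp.plist" launching a hidden
# ".flserv" binary from the user's home folder, the second a normal updater.
SUSPECT_PLIST = plistlib.dumps({
    "Label": "com.adobe.flp",
    "ProgramArguments": ["/Volumes/Data/Username/.flserv"],
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.google.keystone.agent",
    "ProgramArguments": ["/Library/Google/GoogleSoftwareUpdate/Agent", "-runMode", "ifneeded"],
})


def program_path(plist_bytes):
    """Executable a launchd plist starts: Program, else ProgramArguments[0]."""
    data = plistlib.loads(plist_bytes)
    if data.get("Program"):
        return data["Program"]
    args = data.get("ProgramArguments") or []
    return args[0] if args else None


def is_hidden_dotfile(path):
    """True when the launched program is a dotfile (hidden from Finder and plain ls)."""
    return bool(path) and posixpath.basename(path).startswith(".")


def triage(plists):
    """Map each agent's Label to (program path, suspicious flag)."""
    report = {}
    for raw in plists:
        label = plistlib.loads(raw).get("Label", "<no label>")
        path = program_path(raw)
        report[label] = (path, is_hidden_dotfile(path))
    return report


def scan_dir(directory):
    """Triage every .plist in a directory, e.g. ~/Library/LaunchAgents on a Mac."""
    files = sorted(Path(directory).expanduser().glob("*.plist"))
    return triage([f.read_bytes() for f in files])


if __name__ == "__main__":
    for label, (path, bad) in triage([SUSPECT_PLIST, BENIGN_PLIST]).items():
        print(("SUSPECT " if bad else "ok      ") + f"{label} -> {path}")
```

Run `scan_dir("~/Library/LaunchAgents")` on the affected Mac to get the same report for the real agents; a flagged entry tells you which plist to inspect, and its program path is the hidden file to look at.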