chadonline

Q: .rserv wants to connect to cuojshtbohnt.com

I have the message:

.rserv wants to connect to cuojshtbohnt.com

What is .rserv? I googled it and couldn't locate anything legitimate.

Thanks

MacBook Pro, Mac OS X (10.6.8)

Posted on Mar 31, 2012 3:18 PM


Page 8 of 16
  • by lytic, Level 1 (5 points), Apr 3, 2012 4:54 AM in response to MadMacs0

        MadMacs0 wrote:

        It's definitely Flashback-like, but I believe it's a cheap knock-off based on the same Blackhole exploitation kit that came out last week to take advantage of the CVE-2012-0507 Java vulnerability, and here's why I think it's different.

        The approach to infection is relatively simplistic, using easily spotted techniques that are a step way back from what Flashback currently uses.

    You are right. This sample spreads through the CVE-2012-0507 exploit. We've seen the first version since 19.03.2012.

        It does not check for the presence of malware detectors (e.g. Little Snitch), making it far too easy to detect.

    It does:

    /Library/Little Snitch
    /Developer/Applications/Xcode.app/Contents/MacOS/Xcode
    /Applications/VirusBarrier X6.app
    /Applications/iAntiVirus/iAntiVirus.app
    /Applications/avast!.app
    /Applications/ClamXav.app
    /Applications/HTTPScoop.app
    /Applications/Packet Peeper.app

        It uses a different C&C server (mother ship) than the one long associated with Flashback.

    The new version of Flashback uses a different method for downloading the payload from the C&C. It's like fast-flux. Everyone who notices a connection to:

    vxvhwcixcxqxd.com
    cuojshtbohnt.com
    rfffnahfiywyd.com

    please tell us any additional DNS info.

    P.S.
    I'm from DrWeb.

  • by paddlesource, Level 1 (0 points), Apr 3, 2012 10:05 AM in response to lytic

    I just got a Little Snitch notice re: .rserv trying to connect to cuojshtbohnt.com. Here is the file that was installed in my home directory:

    -rwxrwxrwx@ 1 scott  staff   59848 Mar 30 13:01 .rserv

    And, I do recall getting one the other day with something trying to connect to gangstasparadise.rr.nu. Looking at my Firefox history, it appears that I was sent there while visiting the D-Link website at the exact time that .rserv was created (Mar 30 13:01). History shows these 3 entries at that time:

    http://www.dlink.com/products/?pid=71
    http://www4.firstmn-army.com/?8800f2x=XK2ZlKNnsJicmN%2Fnqptfh%2Bbh5XVoYWiblayZm9ispJE%3D
    http://gangstasparadise.rr.nu/13f/?said=5826&ref=http://www.dlink.com/products/?pid=71

    Hopefully this is helpful in troubleshooting.

  • by TopperHarley, Level 1 (0 points), Apr 3, 2012 11:55 AM in response to lytic

    On my girlfriend's Mac, LS said that ...

    ".flserv" wants to connect to vxvhwcixcxqxd.com

    .flserv is located in her home folder "/Volumes/Data/Username/.flserv"

    What kind of trojan is it and how can I remove it?

    I tried the following guide: https://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_c.shtml

    But there is nothing to find in the plist files, and all the other files we could not find.

  • by MadMacs0, Level 5 (4,801 points), Apr 3, 2012 12:08 PM in response to TopperHarley

        TopperHarley wrote:

        On my girlfriend's Mac, LS said that ...

        ".flserv" wants to connect to vxvhwcixcxqxd.com

        .flserv is located in her home folder "/Volumes/Data/Username/.flserv"

        What kind of trojan is it and how can I remove it?

    Sounds like the "K" version. There are two types.

    http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

    Message was edited by: MadMacs0 to remove references to the "I" type.

  • by TopperHarley, Level 1 (0 points), Apr 3, 2012 12:55 PM in response to MadMacs0

    Can the Sophos Anti-Virus detect and remove that virus?

  • by WZZZ, Level 6 (13,112 points), Mac OS X, Apr 3, 2012 1:07 PM in response to TopperHarley

    Nothing definitive yet, but have a look here. I wouldn't rely on Sophos scrubbing it out completely, even if it gets listed in their definitions. This thing keeps changing; I don't know if I'd trust any AV with the ranch.

    http://openforum.sophos.com/t5/Sophos-Anti-Virus-for-Mac-Home/Flashback/m-p/5707

  • by MadMacs0, Level 5 (4,801 points), Apr 3, 2012 1:18 PM in response to lytic

        lytic wrote:

            MadMacs0 wrote:

            It's definitely Flashback-like, but I believe it's a cheap knock-off based on the same Blackhole exploitation kit that came out last week to take advantage of the CVE-2012-0507 Java vulnerability, and here's why I think it's different.

            The approach to infection is relatively simplistic, using easily spotted techniques that are a step way back from what Flashback currently uses.

        You are right. This sample spreads through the CVE-2012-0507 exploit. We've seen the first version since 19.03.2012.

    Thanks for getting back to us on this. Appreciate all the details. Had I known you had a sample, my conjectures would have been somewhat different, as I did not at the time, but do have access to one now.

    Wow, 19 March, that's a long time to stay under the radar. Perhaps it took them a while to proliferate it to poisoned web sites.

            It does not check for the presence of malware detectors (e.g. Little Snitch), making it far too easy to detect.

        It does:

        /Library/Little Snitch
        /Developer/Applications/Xcode.app/Contents/MacOS/Xcode
        /Applications/VirusBarrier X6.app
        /Applications/iAntiVirus/iAntiVirus.app
        /Applications/avast!.app
        /Applications/ClamXav.app
        /Applications/HTTPScoop.app
        /Applications/Packet Peeper.app

    What I didn't consider was the presence of the updater process first, which is what prompts the LS alerts, so the checks must be made after the updater does its thing and before the actual Trojan installation begins. Guess the malware developer didn't think of that either.

        The new version of Flashback uses a different method for downloading the payload from the C&C. It's like fast-flux. Everyone who notices a connection to:

        vxvhwcixcxqxd.com
        cuojshtbohnt.com
        rfffnahfiywyd.com

        please tell us any additional DNS info.

    After reading the F-Secure writeups, I now realize that.

    I'll have to do some checking on additional DNS info, as I thought I saw one other, but can't be certain.

        P.S.
        I'm from DrWeb.

    I do uncompensated Tech Support for the ClamXav Forum and am somewhat out of my league here as a result of getting caught up in the chase for MacDefender some time ago. I wish more folks like you were around to help so I could do more of my day and hobby jobs.

    Message was edited by: MadMacs0 due to premature posting.

  • by MadMacs0, Level 5 (4,801 points), Apr 3, 2012 1:26 PM in response to TopperHarley

        TopperHarley wrote:

        Can the Sophos Anti-Virus detect and remove that virus?

    Since you asked me, I'll respond by echoing what WZZZ said. They may be able to detect parts of it right now, but all the A-V folks have cautioned that they probably cannot remove all of it. At this moment, only F-Secure seems to have an approach to it. Most all of us here recommend against using A-V software to clean up this form of malware and suggest what I posted before from Linc Davis.

  • by MadMacs0, Level 5 (4,801 points), Apr 3, 2012 1:29 PM in response to paddlesource

        paddlesource wrote:

        I just got a Little Snitch notice re: .rserv trying to connect to cuojshtbohnt.com. Here is the file that was installed in my home directory:

        -rwxrwxrwx@ 1 scott  staff   59848 Mar 30 13:01 .rserv

        And, I do recall getting one the other day with something trying to connect to gangstasparadise.rr.nu. Looking at my Firefox history, it appears that I was sent there while visiting the D-Link website at the exact time that .rserv was created (Mar 30 13:01)....

        Hopefully this is helpful in troubleshooting.

    Thanks for posting. I assume you know what you have to do next.

  • by TopperHarley, Level 1 (0 points), Apr 3, 2012 1:29 PM in response to MadMacs0

    Ok, I tried the removal, but I don't find the requested files.

    In the first step with

    ls -lA ~/Library/LaunchAgents/

    I only get:

    -rw-rw-r--  1 Katscha  staff  697  9 Aug  2010 com.adobe.AAM.Updater-1.0.plist
    -rw-r--r--  1 Katscha  staff  601 10 Aug  2010 com.adobe.ARM.930da3ce175de4e82bd3cdf1dd8571f74bd3b6a7236bc94bfc00f6e9.plist
    -rw-r--r--@ 1 Katscha  staff  495 30 Mär 14:03 com.adobe.flp.plist
    -rw-r--r--@ 1 Katscha  staff  809 30 Jul  2011 com.google.keystone.agent.plist

    And the following step

    defaults read ~/Library/LaunchAgents/%filename_obtained_in_step2% ProgramArguments

    then ends in

    Katscha$ defaults read ~/Library/LaunchAgents/com.adobe.AAM.Updater-1.0.plist
    2012-04-03 22:31:47.490 defaults[4931:903]
    Domain /Volumes/Data/Katja/Library/LaunchAgents/com.adobe.AAM.Updater-1.0.plist does not exist

    I don't think that the .plist files are from the virus.

  • by MadMacs0, Level 5 (4,801 points), Apr 3, 2012 1:53 PM in response to TopperHarley

        TopperHarley wrote:

        Ok, I tried the removal, but I don't find the requested files.

        In the first step with

        ls -lA ~/Library/LaunchAgents/

        I only get:

        -rw-rw-r--  1 Katscha  staff  697  9 Aug  2010 com.adobe.AAM.Updater-1.0.plist
        -rw-r--r--  1 Katscha  staff  601 10 Aug  2010 com.adobe.ARM.930da3ce175de4e82bd3cdf1dd8571f74bd3b6a7236bc94bfc00f6e9.plist
        -rw-r--r--@ 1 Katscha  staff  495 30 Mär 14:03 com.adobe.flp.plist
        -rw-r--r--@ 1 Katscha  staff  809 30 Jul  2011 com.google.keystone.agent.plist

        I don't think that the .plist files are from the virus.

    Based on the dates, I would bet on "com.adobe.flp.plist" making the date/time of infection 20 Mar 14:30 local.

  • by MadMacs0, Level 5 (4,801 points), Apr 3, 2012 2:00 PM in response to chadonline

    Apple sent the following announcement "APPLE-SA-2012-04-03-1 Java for OS X 2012-001 and Java for Mac OS X 10.6 Update 7"

    APPLE-SA-2012-04-03-1 Java for OS X 2012-001 and Java for Mac OS X 10.6 Update 7

    Java for OS X 2012-001 and Java for Mac OS X 10.6 Update 7 is now available and addresses the following:

    Java
    Available for:  Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3, OS X Lion Server v10.7.3
    Impact:  Multiple vulnerabilities in Java 1.6.0_29
    Description:  Multiple vulnerabilities exist in Java 1.6.0_29, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_31. Further information is available via the Java website at http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html
    CVE-ID
    CVE-2011-3563
    CVE-2011-5035
    CVE-2012-0497
    CVE-2012-0498
    CVE-2012-0499
    CVE-2012-0500
    CVE-2012-0501
    CVE-2012-0502
    CVE-2012-0503
    CVE-2012-0505
    CVE-2012-0506
    CVE-2012-0507

    Java for OS X 2012-001 and Java for Mac OS X 10.6 Update 7 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/

    For Mac OS X v10.6 systems
    The download file is named: JavaForMacOSX10.6.dmg
    Its SHA-1 digest is: f76807153bc0ca253e4a466a2a8c0abf1e180667

    For OS X Lion systems
    The download file is named: JavaForOSX.dmg
    Its SHA-1 digest is: 176ac1f8e79b4245301e84b616de5105ccd13e16

    Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222

    This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/


  • by TopperHarley, Level 1 (0 points), Apr 3, 2012 2:16 PM in response to MadMacs0

        MadMacs0 wrote:

            TopperHarley wrote:

            Ok, I tried the removal, but I don't find the requested files.

            In the first step with

            ls -lA ~/Library/LaunchAgents/

            I only get:

            -rw-rw-r--  1 Katscha  staff  697  9 Aug  2010 com.adobe.AAM.Updater-1.0.plist
            -rw-r--r--  1 Katscha  staff  601 10 Aug  2010 com.adobe.ARM.930da3ce175de4e82bd3cdf1dd8571f74bd3b6a7236bc94bfc00f6e9.plist
            -rw-r--r--@ 1 Katscha  staff  495 30 Mär 14:03 com.adobe.flp.plist
            -rw-r--r--@ 1 Katscha  staff  809 30 Jul  2011 com.google.keystone.agent.plist

            I don't think that the .plist files are from the virus.

        Based on the dates, I would bet on "com.adobe.flp.plist" making the date/time of infection 20 Mar 14:30 local.

    But why do I get a "... does not exist"?

    Katscha$ defaults read ~/Library/LaunchAgents/com.adobe.flp.plist ProgramArguments
    2012-04-03 23:15:12.170 defaults[4964:903]
    The domain/default pair of (/Volumes/Data/Katja/Library/LaunchAgents/com.adobe.flp.plist, ProgramArguments) does not exist

  • by MadMacs0, Level 5 (4,801 points), Apr 3, 2012 2:44 PM in response to TopperHarley

        TopperHarley wrote:

        But why do I get a "... does not exist"?

        Katscha$ defaults read ~/Library/LaunchAgents/com.adobe.flp.plist ProgramArguments
        2012-04-03 23:15:12.170 defaults[4964:903]
        The domain/default pair of (/Volumes/Data/Katja/Library/LaunchAgents/com.adobe.flp.plist, ProgramArguments) does not exist

    Not sure, try it without "ProgramArguments".

  • by fane_j, Level 4 (3,677 points), Apr 3, 2012 3:34 PM in response to TopperHarley

        TopperHarley wrote:

        Katscha$ defaults read ~/Library/LaunchAgents/com.adobe.AAM.Updater-1.0.plist

    The syntax is wrong. When using defaults to read an arbitrary .plist file, omit the file name extension (.plist). It should read

    $ defaults read ~/Library/LaunchAgents/com.adobe.AAM.Updater-1.0

    (Incidentally, I believe this is a legitimate launch agent file, used by Acrobat.)
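As an added example (not posted by anyone in this thread), the LaunchAgent triage the thread walks through, done portably with Python's plistlib instead of `defaults read`, so the `.plist`-extension gotcha fane_j describes does not arise. The plist contents, label and user path below are constructed for illustration; the only thing taken from the thread is the pattern of an innocuous-looking agent launching a hidden executable such as .rserv straight from the home folder.

```python
import os
import plistlib
from typing import Dict, List

# Constructed sample LaunchAgent plists (not captured from a real system).
# The first mimics the suspect "com.adobe.flp.plist" from the thread's listing:
# an Adobe-sounding label that actually launches a hidden dotfile in $HOME.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.adobe.flp</string>
  <key>ProgramArguments</key><array><string>/Users/katja/.rserv</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# The second mimics a benign updater agent: the binary lives inside an app bundle.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Users/katja/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent</string>
    <string>-runMode</string><string>ifneeded</string>
  </array>
</dict></plist>"""


def program_path(plist_bytes: bytes) -> str:
    """Executable a launchd job runs: 'Program' wins, else ProgramArguments[0]."""
    job = plistlib.loads(plist_bytes)
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""


def suspicion_reasons(path: str, home: str) -> List[str]:
    """Heuristics drawn from the thread: dot-prefixed name, or run straight from $HOME."""
    reasons = []
    if os.path.basename(path).startswith("."):
        reasons.append("hidden (dot-prefixed) executable")
    if os.path.dirname(path) == home.rstrip("/"):
        reasons.append("executable sits directly in the home directory")
    return reasons


def triage(agents: Dict[str, bytes], home: str) -> Dict[str, List[str]]:
    """Map each agent file name to its reasons for suspicion (empty list = nothing flagged)."""
    return {name: suspicion_reasons(program_path(data), home) for name, data in agents.items()}


if __name__ == "__main__":
    sample = {"com.adobe.flp.plist": SUSPECT_PLIST, "com.google.keystone.agent.plist": BENIGN_PLIST}
    for name, reasons in triage(sample, "/Users/katja").items():
        print(name, "->", reasons or "nothing flagged")
```

On a real machine you would feed `triage()` the bytes of each file listed by `ls -lA ~/Library/LaunchAgents/` and the account's actual home path (which, as in the thread, may live on another volume such as /Volumes/Data/...).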
