227 Replies. Latest reply: Apr 12, 2012 8:53 PM by MadMacs0
  • fane_j Level 4 Level 4 (3,660 points)

    X423424X wrote:

     

    Why use the id "com.adobe.Reader" if it wasn't associated with Adobe Reader?

    It isn't, it's "com.adobe.reader". The identifier can be any unique string.

  • bgw1 Level 1 Level 1 (0 points)

    That does not ring a bell.  For now, I'll just delete the .rserv file.  It never got through Little Snitch (thank you, Little Snitch). Not sure what would have happened if it had connected.  And Find Any File found it right away. 

     

    Thanks, everyone, for your help!

  • fane_j Level 4 Level 4 (3,660 points)

    bgw1 wrote:

     

    There is no Adobe .plist file at the locations you asked about. […]

     

    Did you see my earlier post that I found the .rsvr file, it's 59.9K […]

    If the file you found is named ".rsvr", not ".rserv", then, as I believe X423424X said, it could be a different matter. It also could be the same malware, but not necessarily implemented in the same way. We do know that, with this threat, file names vary.

     

    Likewise with the plist. If it's there, the plist itself may be named something else. trungson showed how to look for it with grep. If the malware file is ".rsvr", then it's

     

    $ grep -r 'rsvr' ~/Library/LaunchAgents/

     

    (where $ is your prompt).

  • X423424X Level 6 Level 6 (14,205 points)

    fane_j wrote:

     

    The plist has nothing to do with Adobe Reader. The Label key is a unique identifier, required by launchd to keep track of agents. But it can be any string. If launchd's database is case-sensitive, and the Adobe Reader identifier is, as I suspect, com.adobe.Reader, then it's enough.

     

     

    The CFBundleIdentifier for Adobe Reader is indeed com.adobe.Reader.

     

    As to how it  was installed… My bet would still be CVE-2011-3544.

     

    Yes, but who installed it?  I can't believe it is an Apple security update.  But since I use 10.6.5 and don't have any security updates beyond that I don't know for sure (10.6.5 because the App Store started in 10.6.6 -- another process that calls home without my permission, don't know when, don't know what it sends, possibly can bypass LS during boot time, back to Apple, my same paranoiac philosophy).

  • bgw1 Level 1 Level 1 (0 points)

    No, it's one file, .rserv.  The other one was a typo once when referring to it.

     

    I ran the grep command and DID get the adobe reader .plist results.  There is the reference to .rserv buried right in the middle of it!

     

     

    Eirs-MacBook:~ EirUser$ grep -r 'rserv' ~/Library/LaunchAgents/

     

    /Users/EirUser/Library/LaunchAgents/com.adobe.reader.plist:<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>Label</key><string>com.adobe.reader</string><key>ProgramArguments</key><array><string>/Users/EirUser/.rserv</string></array><key>RunAtLoad</key><true/><key>StartInterval</key><integer>4212</integer><key>StandardErrorPath</key><string>/dev/null</string><key>StandardOutPath</key><string>/dev/null</string></dict></plist>

    Eirs-MacBook:~ EirUser$
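    An added example, not posted by anyone in this thread, that turns the indicators discussed above (a vendor-style Label, a hidden dotfile in the home folder as the program, output sent to /dev/null, RunAtLoad plus StartInterval) into a small triage script for LaunchAgent plists. The two embedded plists are constructed samples: the first mirrors the one bgw1 posted with the username replaced, the second is a hypothetical benign agent for contrast.

```python
import plistlib
import re
from pathlib import Path

# Constructed sample: the LaunchAgent posted above, username replaced by a placeholder.
MALICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.adobe.reader</string>
<key>ProgramArguments</key><array><string>/Users/someuser/.rserv</string></array>
<key>RunAtLoad</key><true/>
<key>StartInterval</key><integer>4212</integer>
<key>StandardErrorPath</key><string>/dev/null</string>
<key>StandardOutPath</key><string>/dev/null</string>
</dict></plist>"""

# Constructed benign sample (hypothetical vendor agent) for contrast.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array>
<string>/Applications/Example.app/Contents/MacOS/updater</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

# A program that is a dotfile sitting directly in a user's home directory.
HIDDEN_IN_HOME = re.compile(r"^/Users/[^/]+/\.[^/]+$")


def check_launch_agent(data: bytes) -> list:
    """Return the reasons a LaunchAgent plist looks suspicious (empty list if none)."""
    d = plistlib.loads(data)
    args = d.get("ProgramArguments") or []
    program = args[0] if args else d.get("Program", "")
    label = d.get("Label", "")
    reasons = []
    if HIDDEN_IN_HOME.match(program):
        reasons.append("program is a hidden dotfile in a home directory: " + program)
    if d.get("StandardOutPath") == "/dev/null" and d.get("StandardErrorPath") == "/dev/null":
        reasons.append("discards both stdout and stderr")
    if d.get("RunAtLoad") and "StartInterval" in d:
        reasons.append("runs at login and every %s seconds" % d["StartInterval"])
    if label.startswith("com.") and program.startswith("/Users/"):
        reasons.append("vendor-style label %r but program lives under /Users" % label)
    return reasons


def scan_directory(directory: Path) -> dict:
    """Map each *.plist in a directory (e.g. ~/Library/LaunchAgents) to its findings."""
    return {str(p): check_launch_agent(p.read_bytes()) for p in directory.glob("*.plist")}
```

Run `scan_directory(Path.home() / "Library" / "LaunchAgents")` to apply the same checks to a real machine; an empty list for a file means none of the indicators fired, not that the file is clean.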

  • X423424X Level 6 Level 6 (14,205 points)

    You said you didn't have that launchagent!  That's what set off the wild goose chase.

  • bgw1 Level 1 Level 1 (0 points)

    My apologies.  The request was for these three, and they only exist in the top level Library.  My answer was for these:

     

      /Library/LaunchAgents

      /Library/LaunchDaemons

      /Library/StartupItems

     

    In addition, I was a little blind-sided because Adobe Reader is not on my machine so I wasn't really looking for that file.

     

    Anyway, after you asked me to grep for .rserv, I did find the Adobe Reader .plist file.  I had to go into Onyx to turn on hidden files in order to browse the Users/Library and look for the arrival date of the file in Time Machine.

     

    The file showed up on Friday, March 30 according to Time Machine.  It was not on the machine before that.

  • fane_j Level 4 Level 4 (3,660 points)

    X423424X wrote:

     

    who installed it?

    A Java applet would be my guess. As it's in the user's home directory, no special permissions or authentication would be required.

     

    Talking of Java. Everyone, would you check your version

     

    $ java -version

     

    The latest SL should be

     

    java version "1.6.0_29"

     

    in which this vulnerability was supposed to have been fixed.

     

    Also, could you check the Java (not JavaScript, which is a different beast) settings in all your browsers?

     

    In Safari, it's Safari > Preferences > Security > Web Content > Enable Java

  • trungson Level 1 Level 1 (0 points)

    I found some additional details from "Applications/Utilities/Console" under "All Messages", around the time the file was created. It does look like it's with Java (CVE-2011-3544) as suggested.

     

    3/31/12 4:36:28 PM firefox[189] Process manager already initialized -- can't fully enable headless mode.

    3/31/12 4:36:40 PM Firewall[77] java is listening from ::ffff:0.0.0.0:0 proto=6

    3/31/12 4:38:27 PM com.apple.launchd.peruser.501[105] (com.adobe.reader[3712]) Exited with exit code: 1

     

    I have Mac 10.6.8, Java is from Apple 1.6.0_29 (don't think I can upgrade to 1.7 since it's Apple's Java). I just disabled Java in the browsers (Firefox, Chrome, Safari) but still don't know where I got infected from and if it accessed/downloaded anything and how to really fix this.

  • X423424X Level 6 Level 6 (14,205 points)

    bgw1 wrote:

     

    My apologies.  The request was for these three, and they only exist in the top level Library.  My answer was for these:

     

    The link I pointed (here's that link again) at in my above post explicitly said right at the beginning:

     

    In ~/Library/LaunchAgents/, there is only Little Snitch and Splashtop.

     

    At any rate trash the thing and be done with it.  Or leave it in or block or not block with Little Snitch.  Your decision.

     

    Personally, I would trash it.

  • bgw1 Level 1 Level 1 (0 points)

    Seems to be the right version.

     

    Eirs-MacBook:~ EirUser$ java -version

    java version "1.6.0_29"

    Java(TM) SE Runtime Environment (build 1.6.0_29-b11-402-11D50b)

    Java HotSpot(TM) 64-Bit Server VM (build 20.4-b02-402, mixed mode)

    Eirs-MacBook:~ EirUser$

     

    It is enabled in Safari Preferences.

     

    What about Chrome?

  • bgw1 Level 1 Level 1 (0 points)

    FWIW,  I used FindAnyFile application to find and delete .rserv.  I also deleted the com.adobe.reader.plist.

     

    As for how to prevent another infection, I don't know the answer to that, but I will definitely keep Little Snitch running to prevent it from calling home.

  • bgw1 Level 1 Level 1 (0 points)

    Thanks everyone for your help.

  • fane_j Level 4 Level 4 (3,660 points)

    trungson wrote:

     

    I found some additional details from "Applications/Utilities/Console" under "All Messages", around the time the file was created. […]

     

    I have Mac 10.6.8, Java is from Apple 1.6.0_29 […]

    Good work, but bad news. CVE-2011-3544 was supposed to have been fixed after update 27, so either it hasn't been really fixed, or they use another vulnerability. IMHO, that's serious stuff, and I'm considering whether or not I should remove Java altogether.

    bgw1 wrote:

     

    It is enabled in Safari Preferences.

     

    What about Chrome?

    Disable it in Safari right away. I don't know about Chrome, but check this

     

    <http://www.maclife.com/article/howtos/how_disable_java_your_mac_web_browser>

  • trungson Level 1 Level 1 (0 points)

    I agree that it is a bit worrisome since it might be a new variant. The hexdump plaintext for .rserv is here:

     

    http://pastebin.com/TVkbfYSn
