
Question about Flashback.K Trojan

On this instructional post:


http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml


The initial instructions are:


  1. Run the following command in Terminal:
     ls -lA ~/Library/LaunchAgents/
  2. Take note of the filename. Proceed only when you have one file. Otherwise contact our customer care.


I ran the indicated command and encountered this output:


Node00:~ mdyson$ ls -lA ~/Library/LaunchAgents/
total 64
-rw-r--r--  1 mdyson staff 697 Nov 15 10:19 com.adobe.AAM.Updater-1.0.plist
-rw-r--r--  1 mdyson staff 574 Dec  1 17:51 com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist
-rw-r--r--  1 mdyson staff 618 Nov 14 17:54 com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.1A4046BE-D44F-4F2D-B3C7-FD38ED0EF401.plist
-rw-r--r--  1 mdyson staff 889 Nov 14 17:25 com.apple.CSConfigDotMacCert-mdyson@me.com-SharedServices.Agent.plist
-rw-r--r--  1 mdyson staff 425 Dec 22 13:36 com.apple.FolderActions.enabled.plist
-rw-r--r--  1 mdyson staff 517 Dec 22 13:36 com.apple.FolderActions.folders.plist
-rw-r--r--@ 1 mdyson staff 803 Jan  7 13:43 com.google.keystone.agent.plist
-rw-r--r--@ 1 mdyson staff 543 Jan 30 10:58 ws.agile.1PasswordAgent.plist
Node00:~ mdyson$


In item 2, based on multiple results, my apparent next step would be to contact "our customer care" but I am not an F-Secure customer and instructions as to exactly whom and how I am to contact them are lacking. For various reasons I did have Java installed and enabled in Safari.


Based on the above output should I even be worried?


Thanks in advance!

MacBook Pro 17, Mac OS X (10.7), Mac Mini Server; Time Capsule

Posted on Apr 3, 2012 7:16 AM

Question marked as Best reply

Posted on Apr 3, 2012 8:19 AM

You're running Lion, by default java is not installed in Lion. Did you install java?


if you're not sure open a terminal and enter


java -version


If Java is installed you'll get a version number; if it is not installed you'll be asked if you want to install it. Don't.


If it is not installed you don't need to worry about this trojan. If it is installed, post back.

17 replies

Apr 3, 2012 10:15 AM in response to Spinland

The F-Secure post isn't that clear; what I did was run the defaults check on each of the four files in my LaunchAgents dir, like so:



MBP:~$ defaults read ~/Library/LaunchAgents/com.apple.SafariBookmarksSyncer.plist ProgramArguments
(
    "/Applications/Safari.app/Contents/SafariSyncClient.app/Contents/MacOS/SafariSyncClient",
    "--sync",
    "com.apple.Safari",
    "--entitynames",
    "com.apple.bookmarks.Bookmark,com.apple.bookmarks.Folder"
)

The F-Secure post advises looking in the initial path of each LaunchAgents file's ProgramArguments for a leading dot ('.'), indicating that it's pointing to some malware hidden in that directory. But further on in the document it advises running these shell commands:


SHELL COMMAND: defaults read /Applications/Safari.app/Contents/Info LSEnvironment
2012-04-03 12:57:55.786 defaults[13101:707] The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist

SHELL COMMAND: defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
2012-04-03 12:58:11.147 defaults[13102:707] The domain/default pair of (/Users/gburke/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist

If you get those "do not exist" errors then you're probably in the clear. At least, that's what I inferred from reading that F-secure doc.
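The three checks discussed in this thread (a LaunchAgent plist whose ProgramArguments points at a dot-file, an LSEnvironment key in Safari's Info.plist, and DYLD_INSERT_LIBRARIES in ~/.MacOSX/environment) can be run together with one script. This is an added example, not code from the thread or from F-Secure's write-up. It goes slightly beyond the write-up by flagging a hidden path component in any ProgramArguments entry rather than only the first one; the ~/.rserv path used in the comments is an assumption for illustration, and the sample inputs in the usage note are constructed, not captured from an infected machine.

```shell
#!/bin/sh
# Added example: run the Flashback indicator checks from the F-Secure
# write-up in one pass. `defaults` only exists on macOS, so the live
# checks are skipped elsewhere; the parsing function can still be
# exercised with constructed `defaults read` output.

# Inspect one ProgramArguments value as printed by `defaults read`.
# Flashback planted its binary as a hidden dot-file (e.g. ~/.rserv, an
# assumed name) and pointed a LaunchAgent plist at it, so any quoted
# argument containing a hidden path component ("/." followed by a
# normal name; "/.." is not counted) is flagged.
# Returns 0 if suspicious, 1 otherwise.
hidden_path_in_args() {
    printf '%s\n' "$1" | grep -Eq '"[^"]*/\.[^"/.][^"]*"'
}

# `defaults read` exits 0 and prints the value when the key exists; for a
# missing key it prints "does not exist" on stderr and exits non-zero.
plist_key_present() {
    defaults read "$1" "$2" >/dev/null 2>&1
}

# Walk a LaunchAgents directory and flag any agent whose ProgramArguments
# references a hidden file. Having many plists here is normal (updaters,
# sync agents, 1Password); only the program path matters.
check_launch_agents() {
    dir="${1:-$HOME/Library/LaunchAgents}"
    found=0
    for plist in "$dir"/*.plist; do
        [ -f "$plist" ] || continue
        args=$(defaults read "$plist" ProgramArguments 2>/dev/null) || continue
        if hidden_path_in_args "$args"; then
            echo "SUSPICIOUS: $plist"
            printf '%s\n' "$args"
            found=1
        else
            echo "ok: $plist"
        fi
    done
    return $found
}

# The two library-injection checks: a Safari-specific LSEnvironment entry
# and a user-wide DYLD_INSERT_LIBRARIES. Both keys are absent on a clean
# system, so their mere presence is the indicator.
check_injection_hooks() {
    found=0
    if plist_key_present /Applications/Safari.app/Contents/Info LSEnvironment; then
        echo "SUSPICIOUS: Safari's Info.plist has an LSEnvironment key:"
        defaults read /Applications/Safari.app/Contents/Info LSEnvironment
        found=1
    else
        echo "ok: no LSEnvironment in Safari's Info.plist"
    fi
    if plist_key_present "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES; then
        echo "SUSPICIOUS: DYLD_INSERT_LIBRARIES set in ~/.MacOSX/environment:"
        defaults read "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES
        found=1
    else
        echo "ok: no DYLD_INSERT_LIBRARIES in ~/.MacOSX/environment"
    fi
    return $found
}

if command -v defaults >/dev/null 2>&1; then
    check_launch_agents && agents_ok=1 || agents_ok=0
    check_injection_hooks && hooks_ok=1 || hooks_ok=0
    if [ "$agents_ok$hooks_ok" = 11 ]; then
        echo "no Flashback indicators found"
    fi
fi
```

Run it as `sh flashback_check.sh` on the Mac in question; an `ok:` line per plist plus the two `ok:` injection lines is the clean result the post above describes. A `SUSPICIOUS:` line is only an indicator: confirm by looking at the referenced file before deleting anything, since removing a legitimate agent does more harm than leaving it alone.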

Apr 3, 2012 10:48 AM in response to Spinland

Just because one anti-virus company claims there is some malware in existence doesn't mean it is actually true. They are in the business to sell fear and software. Even if we assume this exploit actually does exist, your chances of getting it are infinitesimally small. If you turn Java off in your web browser, then your chances are zero. If you haven't even installed Java at all, then less than zero.


Those instructions are just bogus. All they want you to do is call them so they can sell you more fear and software. It is perfectly normal to have any number of files in that directory.


At this point, there is a greater risk of damaging your system by incorrectly removing legitimate software and getting ripped off than there is of getting any virus.


Just turn off Java - that is all you need to do. And pass the word.

Apr 3, 2012 2:33 PM in response to etresoft

etresoft wrote:


Just because one anti-virus company claims there is some malware in existence doesn't mean it is actually true. They are in the business to sell fear and software. Even if we assume this exploit actually does exist, your chances of getting it are infinitesimally small.

Tell that to all the folks we struggled with this weekend who were smart enough to have installed Little Snitch, which in this case prevented the installation phase: .rserv wants to connect to cuojshtbohnt.com. How many folks who don't use Little Snitch are now infected?


In any case, Apple has released the version 31, so if you haven't taken other steps, launch Software Update now.

Apr 3, 2012 9:00 PM in response to HACKINT0SH

It's been relatively quiet here in the Lion forum, presumably because most Lion users don't have Java installed. However Java is installed by default in Snow Leopard, and also Snow Leopard has a "canary in a coal mine" early warning system that is not available in Lion - the presence of PPC apps which don't run after a "drive-by" Flashback infection. The result has been a flurry of activity in the Snow Leopard forum. These very recent Snow Leopard threads involved an operational problem directly shown to be caused by a Flashback variant, with no role played by anti-viral software:


Application began unexpectedly quitting


Unexpectedly quit problem


"Rosetta" applications suddenly stopped working


Skype won't open


Freehand not opening - Rosetta installed?


Office 2004 unexpectedly quits


Please Help! Finder is displaying strange codes such as N80 and N201

Apr 3, 2012 9:09 PM in response to jsd2

jsd2 wrote:


Snow Leopard has a "canary in a coal mine" early warning system that is not available in Lion - the presence of PPC apps which don't run after a "drive-by" Flashback infection.

Which only happens with a "Type 2" infection. If you are foolish enough to give up your admin password to a phoney Software Update dialog, then that warning system doesn't work as only Safari gets infected, as far as anybody knows. I don't recall seeing any Type 1 infections yet, so I don't know what the tell-tale signs are there.
