29 Replies. Latest reply: Apr 12, 2012 7:13 AM by benzdoc
stellamaris5 Level 1 (95 points)

Is it true that there was a Trojan detected and that the Java update yesterday was to patch the hole?

So it begins.....

  • sig Level 8 (35,780 points)

    No.

  • benzdoc Level 1 (0 points)

    yes

  • dominic23 Level 7 (33,810 points)

    Apple does not say anything about any Trojan.

    This is just a Java security update from Apple.

    For more info:

    http://www.macworld.com/article/1166195/apple_releases_java_security_updates.html

    Anything about a Trojan could be speculation.

    Best.

  • thomas_r. Level 7 (30,460 points)

    There is malware (called Flashback) that has been actively taking advantage of Java vulnerabilities on Macs, installing as a drive-by download with no user interaction required when visiting a malicious web site.  Apple's latest Java update patches these vulnerabilities, though it's still possible for that malware to use social exploits to trick you into installing it.  You would do best to turn off Java in your web browser...  you probably won't miss it at all.

    See:

    http://www.reedcorner.net/news.php?tag=flashback

    (Note that my pages contain links to other pages that promote my services, and this should not be taken as an endorsement of my services by Apple.)

  • benzdoc Level 1 (0 points)

    You're kidding, right?

  • arlene220 Level 1 (0 points)

    Are you serious?

  • arlene220 Level 1 (0 points)

    I am running the latest software; the link you gave is old!

  • thomas_r. Level 7 (30,460 points)

    Are you serious?

    Absolutely.

    BTW, I have consolidated all my Flashback coverage into a summary: About the Flashback malware.

    (Note that my pages contain links to other pages that promote my services, and this should not be taken as an endorsement of my services by Apple.)

  • arlene220 Level 1 (0 points)

    The link is very old!!!!

    Thomas A Reed wrote:

    Are you serious?

    Absolutely.

    BTW, I have consolidated all my Flashback coverage into a summary: About the Flashback malware.

    (Note that my pages contain links to other pages that promote my services, and this should not be taken as an endorsement of my services by Apple.)

  • X423424X Level 6 (14,215 points)

    Thomas A Reed wrote:

    BTW, I have consolidated all my Flashback coverage into a summary: About the Flashback malware.

    Maybe you can answer a question for me.  Why is it every one of the public flashback checkers and articles, including yours, seem to be ignoring one of the more recent strains of (flashback?) trojan that was found in these forums a few weeks ago?  Specifically I am referring to the variant that installs a user launchagent that launches a dot file in the user's directory (~/.filename, where filename is any number of names).

    The only place I see this even addressed outside of these forums is F-Secure's Trojan-Downloader:OSX/Flashback.K article (steps 16, 17, 18).  I always include it in my set of basic trojan checking commands which I have been posting in these forums (for example, see this post).

  • petermac87 Level 5 (6,550 points)

    Thomas A Reed wrote:

    BTW, I have consolidated all my Flashback coverage into a summary: About the Flashback malware.

    (Note that my pages contain links to other pages that promote my services, and this should not be taken as an endorsement of my services by Apple.)

    Thomas, thanks for a very condensed yet in-depth look at this Trojan. This is the all-in-one info I have been looking for. Seems to be all clear here, and Java now off.

    Thank You

    Pete

  • thomas_r. Level 7 (30,460 points)

    The link is very old!!!!

    What link is very old?  The page at the link in the post you just replied to is dated April 7, 2012.

  • thomas_r. Level 7 (30,460 points)

    Why is it every one of the public flashback checkers and articles, including yours, seem to be ignoring one of the more recent strains of (flashback?) trojan that was found in these forums a few weeks ago?  Specifically I am referring to the variant that installs a user launchagent that launches a dot file in the user's directory (~/.filename, where filename is any number of names).

    I haven't actually seen any documentation of such a variant beyond the fairly vague information on F-Secure's page, which does not describe exactly what the contents of the file placed in LaunchAgents are.  However, it is obvious from reading posts from infected folks on forums like these that the instructions - no matter what they may be - are inadequate.  As are the numerous detection and removal tools based on those instructions.  As that has become more clear, I have significantly modified my instructions, and have been considering pulling them altogether.

    More and more, it's looking like anti-virus software is the best way to detect an infection.  As for removal, that's similarly difficult for novice users.  I would have to say that if you can't find and remove the pieces on your own, without needing to rely on instructions, you shouldn't be trying.  Either erase the hard drive and reinstall everything from scratch, or get a tech guru who really knows what he/she is doing to take care of the removal for you.  Any other recommendation, at this point, is starting to look irresponsible.

  • X423424X Level 6 (14,215 points)

    I haven't actually seen any documentation of such a variant beyond the fairly vague information on F-Secure's page, which does not describe exactly what the contents of the file placed in LaunchAgents are.

    I think the following is the primary thread where this variant first appeared in these forums:

    .rserv wants to connect to cuojshtbohnt.com

    And if you look at page 3 of that (still growing) thread you will see a typical example of the launchagent.

    However, it is obvious from reading posts from infected folks on forums like these that the instructions - no matter what they may be - are inadequate.

    I think they are adequate to find the top-level insertions of the current trojans.  Not find every piece of code that may have been injected.

    If there's a variant out there that adds some control, injects its payload, and removes the control code, other than, for example, injecting code into browsers, then I haven't heard about it yet.

    As are the numerous detection and removal tools based on those instructions.

    I agree with that.

    As that has become more clear, I have significantly modified my instructions, and have been considering pulling them altogether.

    Which was my whole point of making you aware of this variant.

    More and more, it's looking like anti-virus software is the best way to detect an infection.

    To each his own.  Let's agree to disagree.

    As for removal, that's similarly difficult for novice users.  I would have to say that if you can't find and remove the pieces on your own, without needing to rely on instructions, you shouldn't be trying.  Either erase the hard drive and reinstall everything from scratch, or get a tech guru who really knows what he/she is doing to take care of the removal for you.  Any other recommendation, at this point, is starting to look irresponsible.

    There's a longish applescript floating around currently that attempts full detection and removal.  I just don't have the link handy at the moment.
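A defender-side check for the persistence pattern X423424X describes earlier in the thread (a user LaunchAgent whose program is a hidden file directly under the home directory, ~/.filename) and for the "top-level insertions" the last two posts discuss. This is an added example, not a script from the thread, from F-Secure, or from any of the checkers it mentions; it assumes XML plists with one `<string>` per line (convert binary ones with `plutil -convert xml1` first), a home path without regex metacharacters, and all sample file names and paths are constructed.

```shell
# Added example, not from the thread. Flags user LaunchAgents whose program
# is a hidden file directly under the home directory (~/.name), the pattern
# described above. Assumes XML plists with one <string> per line (convert
# binary plists with `plutil -convert xml1` first) and a home path without
# regex metacharacters. All file names and paths below are constructed.

# Print every <string> value in a plist, one per line.
plist_strings() {
    sed -n 's/.*<string>\([^<]*\)<\/string>.*/\1/p' "$1"
}

# Exit 0 if any string in plist $1 is "<home>/.name" or "~/.name", where
# home is $2; anything in a subdirectory (e.g. ~/.config/x) does not match.
agent_is_suspicious() {
    plist_strings "$1" | grep -Eq "^($2|~)/\.[^/]+$"
}

# Walk a LaunchAgents directory ($1) for home directory $2 and print
# "<plist><TAB><offending path>" for each hit; silent when nothing matches.
scan_launch_agents() {
    for f in "$1"/*.plist; do
        [ -f "$f" ] || continue
        if agent_is_suspicious "$f" "$2"; then
            printf '%s\t%s\n' "$f" \
                "$(plist_strings "$f" | grep -E "^($2|~)/\.[^/]+$" | head -n 1)"
        fi
    done
}

# Constructed sample LaunchAgents: one benign, one mimicking the variant.
# Prints the temporary directory that holds them.
make_sample_agents() {
    d=$(mktemp -d)
    cat > "$d/com.example.benign.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.benign</string>
  <key>ProgramArguments</key><array><string>/usr/bin/true</string></array>
</dict></plist>
EOF
    cat > "$d/com.example.hidden.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.hidden</string>
  <key>ProgramArguments</key><array><string>/Users/alice/.constructed_sample</string></array>
</dict></plist>
EOF
    echo "$d"
}

# Stand-alone run over the samples (real use: scan_launch_agents ~/Library/LaunchAgents "$HOME").
scan_launch_agents "$(make_sample_agents)" /Users/alice
```

A hit only says the agent points at a hidden file in the home directory, which is exactly the top-level insertion the thread talks about; as Thomas notes, it says nothing about code injected elsewhere.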
