
Trojan in Java

Is it true that there was a Trojan detected and that the Java update yesterday was to patch the hole?


So it begins.....

Posted on Apr 5, 2012 5:26 AM

29 replies

Apr 5, 2012 1:22 PM in response to stellamaris5

There is malware (called Flashback) that has been actively taking advantage of Java vulnerabilities on Macs, installing as a drive-by download with no user interaction required when visiting a malicious web site. Apple's latest Java update patches these vulnerabilities, though it's still possible for that malware to use social exploits to trick you into installing it. You would do best to turn off Java in your web browser... you probably won't miss it at all.


See:


http://www.reedcorner.net/news.php?tag=flashback


(Note that my pages contain links to other pages that promote my services, and this should not be taken as an endorsement of my services by Apple.)

Apr 10, 2012 3:03 PM in response to thomas_r.

The link is very old!!!!

Thomas A Reed wrote:


Are you serious?


Absolutely.


BTW, I have consolidated all my Flashback coverage into a summary: About the Flashback malware.


(Note that my pages contain links to other pages that promote my services, and this should not be taken as an endorsement of my services by Apple.)


Apr 10, 2012 3:19 PM in response to thomas_r.

Thomas A Reed wrote:


BTW, I have consolidated all my Flashback coverage into a summary: About the Flashback malware.


Maybe you can answer a question for me. Why is it that every one of the public Flashback checkers and articles, including yours, seems to be ignoring one of the more recent strains of (Flashback?) trojan that was found in these forums a few weeks ago? Specifically, I am referring to the variant that installs a user LaunchAgent that launches a dot file in the user's directory (~/.filename, where filename is any number of names).


The only place I see this even addressed outside of these forums is F-Secure's Trojan-Downloader:OSX/Flashback.K article (steps 16, 17, 18). I always include it in my set of basic trojan checking commands which I have been posting in these forums (for example, see this post).

Apr 10, 2012 3:21 PM in response to thomas_r.

Thomas A Reed wrote:


BTW, I have consolidated all my Flashback coverage into a summary: About the Flashback malware.


(Note that my pages contain links to other pages that promote my services, and this should not be taken as an endorsement of my services by Apple.)

Thomas, thanks for a very condensed yet in-depth look at this Trojan. This is the all-in-one info I have been looking for. Seems to be all clear here, and Java is now off.


Thank You


Pete

Apr 10, 2012 4:12 PM in response to X423424X

Why is it that every one of the public Flashback checkers and articles, including yours, seems to be ignoring one of the more recent strains of (Flashback?) trojan that was found in these forums a few weeks ago? Specifically, I am referring to the variant that installs a user LaunchAgent that launches a dot file in the user's directory (~/.filename, where filename is any number of names).


I haven't actually seen any documentation of such a variant beyond the fairly vague information on F-Secure's page, which does not describe exactly what the contents of the file placed in LaunchAgents are. However, it is obvious from reading posts from infected folks on forums like these that the instructions - no matter what they may be - are inadequate. As are the numerous detection and removal tools based on those instructions. As that has become more clear, I have significantly modified my instructions, and have been considering pulling them altogether.


More and more, it's looking like anti-virus software is the best way to detect an infection. As for removal, that's similarly difficult for novice users. I would have to say that if you can't find and remove the pieces on your own, without needing to rely on instructions, you shouldn't be trying. Either erase the hard drive and reinstall everything from scratch, or get a tech guru who really knows what he/she is doing to take care of the removal for you. Any other recommendation, at this point, is starting to look irresponsible.

Apr 10, 2012 4:31 PM in response to thomas_r.

I haven't actually seen any documentation of such a variant beyond the fairly vague information on F-Secure's page, which does not describe exactly what the contents of the file placed in LaunchAgents are.


I think the following is the primary thread where this variant first appeared in these forums:


.rserv wants to connect to cuojshtbohnt.com


And if you look at page 3 of that (still growing) thread you will see a typical example of the launchagent.


However, it is obvious from reading posts from infected folks on forums like these that the instructions - no matter what they may be - are inadequate.


I think they are adequate to find the top-level insertions of the current trojans. Not find every piece of code that may have been injected.


If there's a variant out there that adds some control, injects its payload, and removes the control code, other than, for example, injecting code into browsers, then I haven't heard about it yet.


As are the numerous detection and removal tools based on those instructions.


I agree with that.



As that has become more clear, I have significantly modified my instructions, and have been considering pulling them altogether.


Which was my whole point of making you aware of this variant.


More and more, it's looking like anti-virus software is the best way to detect an infection.


To each his own. Let's agree to disagree.


As for removal, that's similarly difficult for novice users. I would have to say that if you can't find and remove the pieces on your own, without needing to rely on instructions, you shouldn't be trying. Either erase the hard drive and reinstall everything from scratch, or get a tech guru who really knows what he/she is doing to take care of the removal for you. Any other recommendation, at this point, is starting to look irresponsible.


There's a longish AppleScript floating around currently that attempts full detection and removal. I just don't have the link handy at the moment.
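
One way to script the specific check X423424X describes in the posts above (a per-user LaunchAgent in ~/Library/LaunchAgents whose program is a dot file sitting directly in the home directory, such as the .rserv mentioned in the linked thread), as an added example. This is not code from the thread, from F-Secure, or from the AppleScript mentioned; it is a stand-alone Python script that parses each plist with the standard library and reports the ones matching that pattern. The sample plists it writes into a temporary fake home, and the label com.java.update, are constructed for the demo and are not indicators from any real sample.

```python
"""Flag per-user LaunchAgents that start a hidden file in the home directory.

Added example, not from the thread. It looks for the pattern described in
the posts above: a plist in ~/Library/LaunchAgents whose Program or first
ProgramArguments entry is a dotfile directly under the user's home
(e.g. /Users/name/.rserv). The demo plists below are constructed data.
"""
import os
import plistlib
import tempfile
from pathlib import Path


def program_paths(agent: dict) -> list:
    """Every path launchd could execute for this job: Program and ProgramArguments[0]."""
    paths = []
    prog = agent.get("Program")
    if isinstance(prog, str):
        paths.append(prog)
    args = agent.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        paths.append(args[0])
    return paths


def is_hidden_home_file(path: str, home: str) -> bool:
    """True when path is a dotfile sitting directly in the user's home.

    launchd does not expand '~', so a real plist carries an absolute path, but a
    literal '~/.name' is also accepted in case one is hand-written.
    """
    expanded = os.path.join(home, path[2:]) if path.startswith("~/") else path
    parent, name = os.path.split(os.path.normpath(expanded))
    return (parent == os.path.normpath(home)
            and name.startswith(".")
            and name not in (".", ".."))


def scan_launch_agents(agents_dir: str, home: str) -> list:
    """Return (plist_path, offending_program) for each suspicious agent.

    Unreadable or malformed plists are reported with program None rather than
    skipped: something in this directory that launchd cannot parse is itself
    worth a look, and an absent finding is not proof the machine is clean.
    """
    findings = []
    for entry in sorted(Path(agents_dir).glob("*.plist")):
        try:
            with open(entry, "rb") as fh:
                agent = plistlib.load(fh)
        except Exception:
            findings.append((str(entry), None))
            continue
        if not isinstance(agent, dict):
            findings.append((str(entry), None))
            continue
        for prog in program_paths(agent):
            if is_hidden_home_file(prog, home):
                findings.append((str(entry), prog))
    return findings


def build_demo_tree(base: str) -> tuple:
    """Write a fake home with one benign, one suspicious and one broken agent (constructed)."""
    home = os.path.join(base, "Users", "demo")
    agents = os.path.join(home, "Library", "LaunchAgents")
    os.makedirs(agents)
    benign = {"Label": "com.example.sync",
              "ProgramArguments": ["/usr/bin/true"], "RunAtLoad": True}
    suspicious = {"Label": "com.java.update",  # made-up label
                  "ProgramArguments": [home + "/.rserv"], "RunAtLoad": True}
    with open(os.path.join(agents, "com.example.sync.plist"), "wb") as fh:
        plistlib.dump(benign, fh)
    with open(os.path.join(agents, "com.java.update.plist"), "wb") as fh:
        plistlib.dump(suspicious, fh)
    with open(os.path.join(agents, "broken.plist"), "wb") as fh:
        fh.write(b"not a plist")
    return home, agents


def run_demo() -> list:
    """Build the fake home, scan it, and return findings relative to the temp root."""
    with tempfile.TemporaryDirectory() as tmp:
        home, agents = build_demo_tree(tmp)
        return [(os.path.relpath(p, tmp), os.path.relpath(prog, tmp) if prog else None)
                for p, prog in scan_launch_agents(agents, home)]


if __name__ == "__main__":
    for plist_path, prog in run_demo():
        print(f"{plist_path}: {prog or 'unparseable plist'}")
```

On a real Mac the call is scan_launch_agents(os.path.expanduser("~/Library/LaunchAgents"), os.path.expanduser("~")); the same function can be pointed at /Library/LaunchAgents and /Library/LaunchDaemons. A hit only tells you to look at that plist and the file it starts (and to run launchctl list for the label); it does not identify the strain, and a clean result says nothing about code injected into browsers or other places the thread discusses.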
