madjikphotos

Q: how to find if you are affected by a malware program?

How to find out if you are affected by this new malware virus?

Mac OS X (10.7.3)

Posted on Apr 5, 2012 7:44 PM


Previous Page 2
  • by X423424X, Level 6 (14,237 points), Apr 6, 2012 5:54 PM in response to etresoft

    etresoft wrote:

    Marco g wrote:

    I posted this in another threat, if anybody is interested:

    Another threat? A little Freudian slip there, eh?

    Seems to be a lot of that going around these days. I just accused another user of the exact same thing.

    stevejobsfan0123 wrote:

    I actually heard that the trojan will check for programs like Little Snitch, and delete itself if any of these are found to prevent it from being detected (I think I read that on Cnet). True?

    No. This newer variant installs a launchagent to launch a chunk of code (~/.filename, filename has various names) and is not as sneaky as the other flashback trojans (probably a different group writing this one). It doesn't check for Little Snitch, and Little Snitch will jump all over that code when it attempts to call out. If I recall, that is how it called attention to itself in the first place. Good ol' LS!

  • by Topher Kessler,

    Topher Kessler, Level 6 (9,866 points), Apr 6, 2012 6:39 PM in response to stevejobsfan0123

    Some variants will check for this, but do not rely on this as a means of protection. The latest variants will bypass such checks and continue installing, even though some others will delete themselves. Relying on such action is like trusting a serial thief who says he won't steal from your home because he claims your locks are too big.

  • by MadMacs0,

    MadMacs0, Level 5 (4,801 points), Apr 7, 2012 1:57 AM in response to stevejobsfan0123

    stevejobsfan0123 wrote:

    I actually heard that the trojan will check for programs like Little Snitch, and delete itself if any of these are found to prevent it from being detected (I think I read that on Cnet). True?

    At first they tried to disable Little Snitch, but then they realized that made things too obvious, so now they check for its presence (as well as several A-V products) and abort if found, deleting any evidence they were even there. What they seem to have forgotten to do with the "K" version is check for Little Snitch before the downloader tried to obtain the malware components from the server, alerting the user that something was up. I suspect the next variant will correct that oversight.

  • by Henry-In-FL,

    Henry-In-FL, Level 1 (5 points), Servers Enterprise, Apr 8, 2012 8:55 AM in response to X423424X

    My findings are as follows:

    Nothing on three of the four test lines posted. But one of the four had positive results. I tried to install Clam X AV on this Mini running OS X 10.6.8 but had difficulty (wouldn't download the updates). Could this be why??

    Here is the result:

    BubbaMacMini:~ bubba$ ls -la ~/Library/LaunchAgents
    total 24
    drwx------   5 bubba  staff   170 Sep  5  2011 .
    drwx------+ 41 bubba  staff  1394 Apr  8 11:31 ..
    -rw-r--r--   1 bubba  staff   589 Apr 14  2010 com.adobe.ARM.925793fb327152fd34795896fa1fb9ffa268b2a852256fe56609efa3.plist
    -rw-r--r--   1 bubba  staff   581 Sep  5  2011 com.apple.MobileMeSyncClientAgent.plist
    -rw-r-----   1 bubba  staff   812 Aug 23  2009 com.apple.SafariBookmarksSyncer.plist

  • by etresoft,

    etresoft, Level 7 (29,350 points), Mac OS X, Apr 8, 2012 10:44 AM in response to Henry-In-FL

    There is nothing wrong with having files in that directory. Those look fine. You can always open them with TextWrangler or similar and look for the program that actually gets launched. The trojan will start with a ".".
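    As an added example (not code from the thread or from any of its participants), this Python script does what the post above describes: it opens each plist in a LaunchAgents folder, reads the program the job actually launches, and flags any program path that contains a dot-prefixed component such as ~/.filename. The two plists it scans are constructed samples with made-up names; point scan_dir() at ~/Library/LaunchAgents to check a real account.

```python
"""Added example (not from the thread): read what each LaunchAgents plist launches and flag
dot-prefixed (hidden) program paths such as ~/.filename. Sample plists are constructed."""
import os
import plistlib
import tempfile


def launched_program(plist_bytes: bytes) -> str:
    """Return the executable a launchd job runs: Program, else ProgramArguments[0]."""
    job = plistlib.loads(plist_bytes)
    if "Program" in job:
        return job["Program"]
    return (job.get("ProgramArguments") or [""])[0]


def is_hidden_path(path: str) -> bool:
    """True if any path component starts with '.' ('.' and '..' themselves excluded)."""
    parts = os.path.expanduser(path).split(os.sep)
    return any(p.startswith(".") and p not in (".", "..") for p in parts)


def scan_dir(directory: str) -> list:
    """Return (plist name, launched program, hidden?) for every .plist in directory."""
    results = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            with open(os.path.join(directory, name), "rb") as fh:
                program = launched_program(fh.read())
            results.append((name, program, is_hidden_path(program)))
    return results


def build_sample_dir() -> str:
    """Write two constructed plists to a temp dir (use ~/Library/LaunchAgents for real)."""
    directory = tempfile.mkdtemp()
    samples = {
        # Benign-looking job: launches a binary inside an application bundle.
        "com.example.Updater.plist": {"Label": "com.example.Updater",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/Updater"]},
        # Suspect job: launches a dot-prefixed file in the home folder (constructed name).
        "com.example.suspicious.plist": {"Label": "com.example.suspicious",
            "ProgramArguments": ["~/.example_hidden", "-run"]},
    }
    for name, job in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            plistlib.dump(job, fh)
    return directory


if __name__ == "__main__":
    for name, program, hidden in scan_dir(build_sample_dir()):
        print(f"{name}: launches {program or '(none)'} -> {'SUSPECT' if hidden else 'ok'}")
```

    The check is on the launched program's path, not on the plist filename, so it still applies when the LaunchAgents entries themselves are not hidden.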

  • by MadMacs0,

    MadMacs0, Level 5 (4,801 points), Apr 8, 2012 11:10 AM in response to etresoft

    etresoft wrote:

    There is nothing wrong with having files in that directory. Those look fine. You can always open them with TextWrangler or similar and look for the program that actually gets launched. The trojan will start with a ".".

    Although I agree with your conclusion that those look fine, the LaunchAgents we've found are not hidden and do not start with a ".".

  • by MadMacs0,

    MadMacs0, Level 5 (4,801 points), Apr 8, 2012 11:12 AM in response to Henry-In-FL

    Henry-In-FL wrote:

    I tried to install Clam X AV on this Mini running OS X 10.6.8 but had difficulty (wouldn't download the updates). Could this be why??

    Go to the ClamXav Forum and somebody will help you troubleshoot that. They will need to know what it says in your Update Log.

  • by nerowolfe,

    nerowolfe, Level 6 (13,065 points), Apr 8, 2012 11:35 AM in response to etresoft

    One of my best friends is "Little Snitch" which does exactly what its name implies.

    I use Little Snitch and a recently installed ClamXav (which I never thought I would need) and between them I am reasonably safe. I say "reasonably" because there are very few absolutes in life.

    The best A/V tool is an informed and intelligent user.

    And now we see why Apple has always recommended NEVER to run the computer as an Administrator, UNLESS you are actually administrating.


    Everyone should create a standard user account and use that for 99% of the time.

    Very rarely is the Administrator account needed.

    Again, create and use a Standard User Account, right now.

  • by Topher Kessler,

    Topher Kessler, Level 6 (9,866 points), Apr 8, 2012 12:06 PM in response to nerowolfe

    Another option here is to create a second administrator account and then demote your current one to a standard account. This will save the trouble of having to set up mail accounts and other settings in the new account.

  • by nerowolfe,

    nerowolfe, Level 6 (13,065 points), Apr 8, 2012 12:17 PM in response to Topher Kessler

    An excellent point, Topher.

    I remember when we were laughed at for even suggesting that all users should be using a standard account, many moons ago.

    Well, the rubber has finally hit the road. We were right, they were wrong.
