.null want to connect to krymbrjasnof.com-another Flashback variant

Question

.null want to connect to krymbrjasnof.com-another Flashback variant

Little Snitch blocked the connection attempt above this morning.

I checked my home folder and sure enough, there is a .null executable that was evidently installed there on March 27. There is also a a corresponding .plist for .null.

It would appear that because I did not allow the connection that the actual malware payload was never delivered as none of the command line checks recommended by users on these boards shows any sign of infection.

I have copied, zipped and quarantined the executable and .plist file if anyone can point me in the direction of someone who would be interested in checking out this variant.

MacBook Pro, Mac OS X (10.6.8)

Posted on Apr 6, 2012 1:10 AM

Reply

Answer 1

igosha

Level 1

0 points

Apr 6, 2012 3:27 AM in response to William Buckingham

Dear William, This domain is not a real C&C but a sinkhole. The name is generated by the current Flashback variant.

Reply

Answer 2

Apr 6, 2012 3:52 AM in response to William Buckingham

It's a long read now, but follow the links for more info and I think a couple of contributors give links to AV evalution sites you can send the quarantined files to.

Reply

Answer 3

igosha

Level 1

0 points

Apr 6, 2012 5:55 AM in response to William Buckingham

William, can you please send the quarantined files to igosha@kaspersky.com in a password-protected ZIP archive? Thank you!

Reply

Answer 4

gllorin

Level 1

0 points

Apr 6, 2012 9:49 AM in response to William Buckingham

I've received the same notification as well. Can you tell me where to go to find the executable and .plist files? I'm new to all this, and don't know where to start to locate these files.

Reply

Answer 5

Apr 6, 2012 10:35 AM in response to William Buckingham

The executable file was named .null and was at the root level of my home folder.

Open Terminal and type the following after the prompt:

cd ~ (that's a tilde, and then type Return)

Then type:

ls -a (and then type Return)

To view the contents of your home folder. You should see a file called .null in the file list there.

To remove the .null executable file type the following:

rm .null

To remove the .plist file, type the following:

cd ~/Library/LaunchAgents

Then type ls (and then type return)

You should see of list of your own LaunchAgent preference (.plist) files

There should be one there called null.plist

Type the following to first unload and then remove the null.plist file:

launchctl unload null.plist (and then type return)

Then type:

rm null.plist (and then type return)

This should remove the offending files from your system.

Reply

Answer 6

Ed204

Level 1

0 points

Apr 6, 2012 11:11 AM in response to William Buckingham

This is not a new variant.

Your Mac connected to a server run by Kaspersky Labs, which was set up specifically to detect connections from infected hosts.

See this post for details and note the domain name:

http://www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed

Reply

Answer 7

X423424X

Level 6

14,265 points

Apr 6, 2012 1:38 PM in response to William Buckingham

You did the correct thing deleting the launchagent and code file. This is a variant of a new trojan that apparently started to appear around last week. The name various; .null and .resrv are just two.

While deleting the launchagent (don't forget to logout and back in) and code file is the main part of this what is unknown is what that code file is doing. Obviously it is trying to connect to a server somewhere. But what else is specifically unknown. So there is still the potential for other crap to be floating around your system.

Reply