7 Replies Latest reply: Apr 6, 2012 1:38 PM by X423424X
William Buckingham Level 1

Little Snitch blocked the connection attempt above this morning.

I checked my home folder and sure enough, there is a .null executable that was evidently installed there on March 27. There is also a corresponding .plist for .null.

It would appear that, because I did not allow the connection, the actual malware payload was never delivered, as none of the command line checks recommended by users on these boards shows any sign of infection.

I have copied, zipped and quarantined the executable and .plist file if anyone can point me in the direction of someone who would be interested in checking out this variant.


MacBook Pro, Mac OS X (10.6.8)
  • igosha Level 1

    Dear William, this domain is not a real C&C but a sinkhole. The name is generated by the current Flashback variant.

  • noondaywitch Level 6

    It's a long read now, but follow the links for more info and I think a couple of contributors give links to AV evaluation sites you can send the quarantined files to.

  • igosha Level 1

    William, can you please send the quarantined files to igosha@kaspersky.com in a password-protected ZIP archive? Thank you!

  • gllorin Level 1

    I've received the same notification as well. Can you tell me where to go to find the executable and .plist files? I'm new to all this, and don't know where to start to locate these files.

  • William Buckingham Level 1

    The executable file was named .null and was at the root level of my home folder.

    Open Terminal and type the following after the prompt:

    cd ~ (that's a tilde, and then type Return)

    Then type:

    ls -a (and then type Return)

    to view the contents of your home folder. You should see a file called .null in the file list there.

    To remove the .null executable file, type the following:

    rm .null

    To remove the .plist file, type the following:

    cd ~/Library/LaunchAgents

    Then type ls (and then type Return)

    You should see a list of your own LaunchAgent preference (.plist) files.

    There should be one there called null.plist.

    Type the following to first unload and then remove the null.plist file:

    launchctl unload null.plist (and then type Return)

    Then type:

    rm null.plist (and then type Return)

    This should remove the offending files from your system.
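The manual check and cleanup walked through above, as an added shell script that is not from the thread or from any of its posters: flashback_scan reports the hidden home-folder files and the null.plist launch agent named in this thread, and additionally flags any agent plist whose program path ends in a dotfile (a heuristic that goes beyond the post, since the file name varies); flashback_remove performs the unload-and-delete steps. The HOME_DIR argument and the function names are my own choices so the script can be exercised against a test directory.

```shell
#!/bin/sh
# Added example, not from the thread: a script version of the manual check
# William describes above. HOME_DIR is a parameter so it can run on a test tree.

# flashback_scan HOME_DIR
# Prints each indicator found, one per line; returns 0 if any, 1 if none.
flashback_scan() {
    _home=$1
    _hits=0
    # Hidden files at the top of the home folder, under the names the thread reports.
    for _name in .null .resrv; do
        if [ -e "$_home/$_name" ]; then
            printf 'hidden file: %s\n' "$_home/$_name"
            _hits=$((_hits + 1))
        fi
    done
    _agents=$_home/Library/LaunchAgents
    if [ -d "$_agents" ]; then
        for _plist in "$_agents"/*.plist; do
            [ -e "$_plist" ] || continue          # glob matched nothing
            if [ "$(basename "$_plist")" = null.plist ]; then
                printf 'launch agent: %s\n' "$_plist"
                _hits=$((_hits + 1))
            # Heuristic for renamed variants: an XML plist whose program path ends in a
            # dotfile. Binary plists need 'plutil -convert xml1' before this grep.
            elif grep -qE '<string>[^<]*/\.[A-Za-z0-9_]+</string>' "$_plist" 2>/dev/null; then
                printf 'launch agent (dotfile program, review by hand): %s\n' "$_plist"
                _hits=$((_hits + 1))
            fi
        done
    fi
    if [ "$_hits" -gt 0 ]; then return 0; else return 1; fi
}

# flashback_remove HOME_DIR
# The post's cleanup steps: unload the agent when launchctl exists on this
# system, then delete null.plist and the hidden files. Heuristic hits are left alone.
flashback_remove() {
    _home=$1
    _plist=$_home/Library/LaunchAgents/null.plist
    if [ -e "$_plist" ]; then
        if command -v launchctl >/dev/null 2>&1; then
            launchctl unload "$_plist" || :       # not currently loaded is fine
        fi
        rm -f "$_plist"
    fi
    for _name in .null .resrv; do
        rm -f "$_home/$_name"
    done
}
```

On a live account the pair is run as `flashback_scan "$HOME" && flashback_remove "$HOME"`, then log out and back in as advised later in the thread; anything flagged by the dotfile heuristic is reported but not touched.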

  • Ed204 Level 1

    This is not a new variant.

    Your Mac connected to a server run by Kaspersky Labs, which was set up specifically to detect connections from infected hosts.

    See this post for details and note the domain name:

    http://www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed

  • X423424X Level 6

    You did the correct thing deleting the launchagent and code file. This is a variant of a new trojan that apparently started to appear around last week. The name varies; .null and .resrv are just two.

    While deleting the launchagent (don't forget to log out and back in) and code file is the main part of this, what is unknown is what that code file is doing. Obviously it is trying to connect to a server somewhere. But what else it does is specifically unknown. So there is still the potential for other crap to be floating around your system.