William Buckingham

Q: .null wants to connect to krymbrjasnof.com - another Flashback variant

Little Snitch blocked the connection attempt above this morning.


I checked my home folder and sure enough, there is a .null executable that was evidently installed there on March 27. There is also a corresponding .plist for .null.


It would appear that because I did not allow the connection, the actual malware payload was never delivered, as none of the command line checks recommended by users on these boards shows any sign of infection.


I have copied, zipped and quarantined the executable and .plist file if anyone can point me in the direction of someone who would be interested in checking out this variant.

MacBook Pro, Mac OS X (10.6.8)

Posted on Apr 6, 2012 1:10 AM


  • by igosha, Level 1 (0 points), Apr 6, 2012 3:27 AM in response to William Buckingham

    Dear William, this domain is not a real C&C but a sinkhole. The name is generated by the current Flashback variant.

  • by noondaywitch, Level 6 (8,147 points), Apr 6, 2012 3:52 AM in response to William Buckingham

    It's a long read now, but follow the links for more info, and I think a couple of contributors give links to AV evaluation sites you can send the quarantined files to.

  • by igosha, Level 1 (0 points), Apr 6, 2012 5:55 AM in response to William Buckingham

    William, can you please send the quarantined files to igosha@kaspersky.com in a password-protected ZIP archive? Thank you!

  • by gllorin, Level 1 (0 points), Apr 6, 2012 9:49 AM in response to William Buckingham

    I've received the same notification as well. Can you tell me where to go to find the executable and .plist files? I'm new to all this, and don't know where to start to locate these files.

  • by William Buckingham, Level 1 (0 points), Apr 6, 2012 10:35 AM in response to William Buckingham

    The executable file was named .null and was at the root level of my home folder.

    Open Terminal and type the following after the prompt:

    cd ~ (that's a tilde, and then type Return)

    Then type:

    ls -a (and then type Return)

    to view the contents of your home folder. You should see a file called .null in the file list there.

    To remove the .null executable file, type the following:

    rm .null

    To remove the .plist file, type the following:

    cd ~/Library/LaunchAgents

    Then type ls (and then type Return)

    You should see a list of your own LaunchAgent preference (.plist) files.

    There should be one there called null.plist

    Type the following to first unload and then remove the null.plist file:

    launchctl unload null.plist (and then type Return)

    Then type:

    rm null.plist (and then type Return)

    This should remove the offending files from your system.
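The manual check above (a hidden executable at the top of the home folder plus a LaunchAgent plist that loads it) can be done read-only before anything is deleted. The script below is an added example, not code from this thread or from any of its posters; it assumes the layout the thread describes (~/.null or ~/.resrv and ~/Library/LaunchAgents/*.plist) and only reports pairs, leaving the unload/rm steps to the operator.

```shell
#!/bin/sh
# Added example, not code from the thread. Read-only inventory of the layout the thread
# describes: a hidden executable at the top of the home folder (.null, .resrv, ...) and a
# LaunchAgent plist under ~/Library/LaunchAgents that references it.

# Print hidden regular files directly under $1 that have the executable bit set.
list_hidden_executables() {
    for f in "$1"/.[!.]*; do
        [ -f "$f" ] && [ -x "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Print the plists under $1/Library/LaunchAgents whose contents mention $2 (e.g. ".null").
# On macOS the plist may be stored in binary form, so it is converted with plutil when
# that tool is available; otherwise (or if conversion fails) the file is read as-is.
launch_agents_referencing() {
    dir="$1/Library/LaunchAgents"
    [ -d "$dir" ] || return 0
    for p in "$dir"/*.plist; do
        [ -f "$p" ] || continue
        if command -v plutil >/dev/null 2>&1; then
            text=$(plutil -convert xml1 -o - "$p" 2>/dev/null) || text=$(cat "$p")
        else
            text=$(cat "$p")
        fi
        case "$text" in
            *"$2"*) printf '%s\n' "$p" ;;
        esac
    done
}

# Print one line per hidden-executable / LaunchAgent pair found under home folder $1.
# Nothing is deleted: the thread's cleanup (launchctl unload the plist, rm the plist and
# the executable, then log out and back in) is left to the operator after review.
report() {
    list_hidden_executables "$1" | while IFS= read -r exe; do
        launch_agents_referencing "$1" "$(basename "$exe")" | while IFS= read -r plist; do
            printf 'hidden executable %s is loaded by %s\n' "$exe" "$plist"
        done
    done
}

# Usage: report "$HOME"
```

A plist that starts a hidden executable is not proof of infection on its own (some legitimate tools use dot-files too), so each reported pair still needs a look at the plist's ProgramArguments before removal.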

  • by Ed204, Level 1 (0 points), Apr 6, 2012 11:11 AM in response to William Buckingham

    This is not a new variant.

    Your Mac connected to a server run by Kaspersky Labs, which was set up specifically to detect connections from infected hosts.

    See this post for details and note the domain name:

    http://www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed

  • by X423424X, Level 6 (14,237 points), Apr 6, 2012 1:38 PM in response to William Buckingham

    You did the correct thing deleting the launchagent and code file. This is a variant of a new trojan that apparently started to appear around last week. The name varies; .null and .resrv are just two.

    While deleting the launchagent (don't forget to logout and back in) and code file is the main part of this, what is unknown is what that code file is doing. Obviously it is trying to connect to a server somewhere. But what else is specifically unknown. So there is still the potential for other crap to be floating around your system.