
Dr Web Flashback Virus checker accurate?

Does anyone have any info about how accurate the Flashback checker from Dr Web is? http://public.dev.drweb.com/april


When I enter my Hardware UUID into the tool I get the following response:


probably infected by Backdoor.Flashback.39 !


Timestamp of the first access: 2012-04-03 21:27:19
Timestamp of the last access: 2012-04-06 17:48:52


However, when I follow the instructions from the F-Secure website to locate and remove the virus (http://community.f-secure.com/t5/Protection/Flashback-Mac-OS-X-Remover/m-p/10887#M2223) using Terminal, I get the files "do not exist" responses.


I haven't experienced any issues with my computer but figured I'd check to be certain, and now I'm not sure how to proceed.

MacBook Pro, Mac OS X (10.6.8)

Posted on Apr 7, 2012 10:14 AM

100 replies

Apr 11, 2012 6:52 PM in response to jsd2

jsd2 wrote:


F-Secure just released a free Flashback detection and removal tool:

http://www.f-secure.com/weblog/archives/00002346.html

Yes, I've taken a really quick look at the script they supposedly use which can be accessed here. They clearly seem to know more about this than any of the other vendors we've read, so it's promising. It is a pretty simple script which seems to check first for Library components involved with different variants and if found tells you "Possible infected file: ${ldpath} . If this is malware, please remove manually."


It checks for:

/Applications/Safari.app/Contents/Info/ for LSEnvironment

${HOME}/.MacOSX/environment for DYLD_INSERT_LIBRARIES

Deletes whatever it finds, unsets the dylib in launchctl and that's that.

Apr 11, 2012 6:56 PM in response to etresoft

etresoft wrote:


Apple has already removed Java from the default installation of the operating system and is taking additional steps to make it more secure in the future. I don't think there is anything to worry about.

I think I agree except for Intel Macs still running 10.6.7 and below, which are still at risk. Disabling Java in browsers seems to be "good-enough" for now, but then we'll all have to watch for the next Java exploit or some new path.

Apr 11, 2012 7:14 PM in response to MadMacs0

MadMacs0 wrote:


jsd2 wrote:


F-Secure just released a free Flashback detection and removal tool:

http://www.f-secure.com/weblog/archives/00002346.html

Yes, I've taken a really quick look at the script they supposedly use which can be accessed here. They clearly seem to know more about this than any of the other vendors we've read, so it's promising. It is a pretty simple script which seems to check first for Library components involved with different variants and if found tells you "Possible infected file: ${ldpath} . If this is malware, please remove manually."


It checks for:

/Applications/Safari.app/Contents/Info/ for LSEnvironment

${HOME}/.MacOSX/environment for DYLD_INSERT_LIBRARIES

Deletes whatever it finds, unsets the dylib in launchctl and that's that.


I looked at this too and this is the first one I've seen that I can recommend (and will be pointing to in future posts). I want to add that in addition to the checks noted above it also checks the ~/Library/LaunchAgents.
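As an added example that is not part of this thread or of F-Secure's tool, here is a report-only POSIX shell check over the three locations the posts above describe: the LSEnvironment key in Safari's Info.plist, DYLD_INSERT_LIBRARIES in ~/.MacOSX/environment.plist, and ~/Library/LaunchAgents. Root and home directory are parameters, the fixture tree is constructed so the script runs offline, and the hidden-path heuristic for LaunchAgents plus the XML-plist assumption are mine, not the tool's.

```shell
#!/bin/sh
# Added example, not F-Secure's own script: report-only check of the three
# locations the posts above say the tool inspects. Root and home directory
# are parameters so the same function runs against "/" and "$HOME" on a Mac
# or against the constructed fixture built below.
# Assumption: plists are XML, not binary (on a Mac run `plutil -convert xml1` first).

check_flashback_indicators() {
    root="$1"; home="$2"; hits=0
    safari="$root/Applications/Safari.app/Contents/Info.plist"
    envplist="$home/.MacOSX/environment.plist"
    # 1. LSEnvironment in Safari's Info.plist: library injected into Safari only.
    if [ -f "$safari" ] && grep -q '<key>LSEnvironment</key>' "$safari"; then
        echo "Possible infected file: $safari (LSEnvironment present)"; hits=$((hits+1))
    fi
    # 2. DYLD_INSERT_LIBRARIES in the login environment: injected into every app.
    if [ -f "$envplist" ] && grep -q '<key>DYLD_INSERT_LIBRARIES</key>' "$envplist"; then
        echo "Possible infected file: $envplist (DYLD_INSERT_LIBRARIES present)"; hits=$((hits+1))
    fi
    # 3. LaunchAgents whose program sits in a hidden directory. Assumed heuristic
    #    for the "K" variant's agent, not the tool's real rule; review hits by hand.
    for agent in "$home"/Library/LaunchAgents/*.plist; do
        [ -f "$agent" ] || continue
        if grep -q '<string>[^<]*/\.[^<]*</string>' "$agent"; then
            echo "Suspicious LaunchAgent: $agent (program under a hidden path)"; hits=$((hits+1))
        fi
    done
    echo "$hits indicator(s) found"
    [ "$hits" -eq 0 ]   # exit status 0 = clean, 1 = something to review (nothing is deleted)
}

make_fixture() {
    # Constructed sample tree standing in for an affected Mac; contains no real malware.
    root="$1"; home="$root/Users/demo"
    mkdir -p "$root/Applications/Safari.app/Contents" "$home/.MacOSX" "$home/Library/LaunchAgents"
    printf '<plist><dict><key>LSEnvironment</key><dict><key>DYLD_INSERT_LIBRARIES</key>\n<string>/Applications/Safari.app/Contents/Resources/.fixture.so</string></dict></dict></plist>\n' \
        > "$root/Applications/Safari.app/Contents/Info.plist"
    printf '<plist><dict><key>DYLD_INSERT_LIBRARIES</key><string>%s/.fixture.so</string></dict></plist>\n' \
        "$home" > "$home/.MacOSX/environment.plist"
    printf '<plist><dict><key>Label</key><string>com.example.fixture</string><key>ProgramArguments</key>\n<array><string>%s/.fixture/agent</string></array></dict></plist>\n' \
        "$home" > "$home/Library/LaunchAgents/com.example.fixture.plist"
    echo "$home"
}

# Stand-alone run: the fixture should report 3 indicators, an empty tree none.
tmp=$(mktemp -d); fixhome=$(make_fixture "$tmp")
check_flashback_indicators "$tmp" "$fixhome" || echo "-> review needed"
check_flashback_indicators "$tmp/empty" "$tmp/empty/Users/none" && echo "-> clean"
rm -rf "$tmp"
```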

Apr 11, 2012 7:35 PM in response to X423424X

X423424X wrote:


I want to add that in addition to the checks noted above it also checks the ~/Library/LaunchAgents.

Great! I don't see that in the shell script, but perhaps it was added in the app or it's in an AppleScript that I've just been told exists. That worried me too, as it's been the primary element overlooked by most all the tools initially.

Apr 11, 2012 7:56 PM in response to jsd2

jsd2 wrote:


The app bundle that can be downloaded contains two scripts, and the first is apparently a newer version of the one at the github site.


FlashbackRemoval.app/Contents/Resources/RemoveFlashback.sh

FlashbackRemoval.app/Contents/Resources/Scripts/main.scpt

Yes, I'm caught up now.


The AppleScript:


-- Step 1: Get acceptance of EULA

-- Step 2: Scan only run of the shell script

-- Step 3: Ask if user really wants to remove if something was found


Otherwise give the all clear.

Apr 11, 2012 8:20 PM in response to MadMacs0

If it is true what you said about not having the launchagent check when you first downloaded the app then my only complaint about this is I wish they would version the app (e.g., 1.0, 1.1, etc.) so we could immediately know they have a newer version. Silent updates are inconvenient to track.


I just checked the Flashback Removal Tool page again and noticed there's a button for comments. So I made a request for them to add a version number (it appears to be waiting for "moderator approval").

Apr 11, 2012 8:44 PM in response to X423424X

X423424X wrote:


If it is true what you said about not having the launchagent check when you first downloaded the app then my only complaint about this is I wish they would version the app (e.g., 1.0, 1.1, etc.) so we could immediately know they have a newer version. Silent updates are inconvenient to track.

It wasn't F-Secure that had the incomplete shell script, it was the author's postings to GitHub five days ago that were out of date. After I took the time to download and disassemble the app, I figured out that what I previously looked at was out-of-date. But I do concur about versioning. Weiss has been doing that with his tool, which just went from 1.0.2 to 2.0. Several others are not doing that.

Apr 12, 2012 6:01 AM in response to X423424X

I'm posting this in this thread since it seems to be one where all the major players might see it.


I've been trying to help someone in the Leopard forum who says that he had clear signs of the presence of the Trojan and then it inexplicably disappeared. He's run the F-Secure test and X4's commands and he comes up clean. I've recommended he get Little Snitch to see if anything's trying to connect.


I don't quite know what to recommend now. He could do a laborious reinstall and that might be the safest way to go, but it might be unnecessary. Did this thing delete itself?


Anyway, here's the thread. Please have a look and see what you think.


https://discussions.apple.com/thread/3869018?tstart=0

Apr 12, 2012 8:50 AM in response to WZZZ

WZZZ wrote:


I've been trying to help someone in the Leopard forum who says that he had clear signs of the presence of the Trojan and then it inexplicably disappeared.

Yes, I saw this last night and remembered the case as I believe there have only been two Leopard infections discussed in the forum. Even tracked down the previous discussion https://discussions.apple.com/thread/3846648 back on April 1 to see if I could spot anything. One guess is that he went to one of the links we gave him at the time and did something to delete the DYLD_INSERT_LIBRARIES evidence and perhaps more, but forgot what he had done way back then. The only other possibility I can come up with is that the backdoor attempted an update and terminated the infection for whatever reason. At the time we thought it was the "I" variant as we were just discovering "K" (F-Secure had not even published the "K" information) and we don't know the date of infection. As far as I can tell the F-Secure test would have picked up signs of either, including the LaunchAgent that triggers the bot transponder in "K". If it somehow missed that then Little Snitch should tell him. I didn't know what to tell him, either.

Apr 12, 2012 1:16 PM in response to etresoft

etresoft wrote:


jo823 wrote:


I did download Little Snitch, but was wondering if anyone felt the need to run an Anti-Virus program on their Macs as well? I didn't get one initially because everyone at the Apple Store said it wasn't necessary, but this latest experience has me second-guessing myself. Any recommendations?

I don't even run anti virus on Windows 🙂


This is the first actual malware that I can remember on MacOS X in 12 years. All of the other ones required the user be tricked into installing them. The actual security hole was in Java from 5 years before MacOS X. The actual infection is pitifully easy to remove. Apple has already removed Java from the default installation of the operating system and is taking additional steps to make it more secure in the future. I don't think there is anything to worry about.



ALWAYS RUN ANTI-VIRUS!!!!!!!!


A malware attack such as this has even greater odds of success on Mac OS X than it does on a Windows system. The Mac OS X system itself is not less secure or prone to infection than Windows per se, but the Mac culture is conditioned to believe the OS is virtually invulnerable. Fewer users have any security software installed to protect their Mac OS X systems, and Mac OS X users are more likely to click links and open files without thinking twice.

It doesn’t help anything that Apple perpetuates the myth of invulnerability. It takes time to develop a patch, but as soon as Apple was aware that the threat existed, it should have proactively communicated to Mac OS X users to make them aware. In fact, it should have provided users with instructions to disable Java and mitigate the threat pending a patch to resolve the issue. The fact that it didn’t is probably a contributing factor to why the Flashback botnet is as large as it is.



It has affected the LARGEST percentage of users of any virus in history. Obviously Windows having 95% share would mean more PCs can be hit by a virus, but percentage-wise, no Windows OS has ever been hit this hard.


So I would say yes, be worried, don't allow etresoft to trick you into the exact mentality which allowed this virus to breed so heavily in the first place.
