
Dr Web Flashback Virus checker accurate?

Does anyone have any info about how accurate the Flashback checker from Dr Web is? http://public.dev.drweb.com/april


When I enter my Hardware UUID into the tool I get the following response:


probably infected by Backdoor.Flashback.39 !


Timestamp of the first access: 2012-04-03 21:27:19
Timestamp of the last access: 2012-04-06 17:48:52


However, when I follow the instructions from the F-Secure website to locate and remove the virus (http://community.f-secure.com/t5/Protection/Flashback-Mac-OS-X-Remover/m-p/10887#M2223) using Terminal, I get the files "do not exist" responses.


I haven't experienced any issues with my computer but figured I'd check to be certain, and now I'm not sure how to proceed.

MacBook Pro, Mac OS X (10.6.8)

Posted on Apr 7, 2012 10:14 AM


Apr 12, 2012 1:59 PM in response to duderRama

duderRama wrote:


ALWAYS RUN ANTI-VIRUS!!!!!!!!

If you don't run IE or Outlook, and stay behind a hardware NAT like a WiFi router, even Windows isn't going to get any viruses.

A malware attack such as this has even greater odds of success on Mac OS X than it does on a Windows system. ....

It has affected the LARGEST percentage of users of any virus in history. Obviously Windows having 95% share would mean more PCs can be hit by a virus, but percentage-wise, no Windows OS has ever been hit this hard.

That is all preposterous. Have you ever actually used a Windows PC? Recent versions of Windows/IE/Outlook are much better, but a few years ago it would not be unusual to see a single PC infected with dozens of different types of viruses. They would be so deeply embedded that if you removed them, the machine wouldn't work.


I guess we can start blaming Microsoft for this problem. Since Microsoft has improved the security of recent versions of Windows, people have obviously forgotten what it used to be like - with viruses, spyware, real botnets, and rootkits. I don't think there was ever a piece of Windows malware that was as easy to find and remove as this one. The Flashback issue doesn't even seem to be as big as MacDefender.

Apr 12, 2012 5:25 PM in response to fane_j

I see your point, but I am inclined to believe the reports around what the malware is being used for e.g. Schouwenberg says that for now, the hijacked Macs are being used for click fraud, creating Web traffic from the infected machines to boost revenue from pay-per-click and pay-per-impression advertisements. He says there’s no evidence yet that they’re being used for credit card fraud. But like any Trojan, the malware functions as a backdoor on the user’s computer, and can allow new software updates to be downloaded. “They could easily update what they’re doing in the future,” Schouwenberg says.


from


http://www.forbes.com/sites/andygreenberg/2012/04/06/researchers-confirm-flashback-trojan-infects-600000-macs-being-used-for-clickfraud/

Apr 12, 2012 6:26 PM in response to billynicol

billynicol wrote:


I see your point, but I am inclined to believe the reports around what the malware is being used for

I tend to agree, although Intego has been quite convinced from their analysis that privacy information is being collected:

2/23/12

Flashback Mac Trojan Horse Infection Increasing with New Variant


> What this malware does
>
> This malware patches web browsers and network applications essentially to
> search for user names and passwords. It looks for a number of domains –
> websites such as Google, Yahoo!, CNN; bank websites; PayPal; and many
> others. Presumably, the people behind this malware are looking for both user
> names and passwords that they can immediately exploit – such as for a bank
> website – as well as others that may be reused on different sites. (Hint:
> don't use the same password for all websites!)
> ...
> This malware also has an automatic update module that checks a number of
> websites for new versions.

There are numerous examples here in the forum of users being redirected to ad sites and it's clear that has been going on for some time.


On the other hand, I have not heard from a single infected user in this forum that they were hacked or suffered any type of identity theft since being infected. The only report I've even heard of was during Shawn King's interview with Rich Mogull discussing the Flashback Trojan, during which Rich said that a user reported fraudulent credit card activity shortly after he was infected. I don't think we can conclude much from one such occurrence. So, unless this thing can be tied to what's going on with the iTunes store, it's either very small scale, Intego is wrong, or that's the next shoe to drop.

Apr 21, 2012 11:14 PM in response to Ramón Tech

Ramón Tech wrote:


Does anyone know what the original file location for where the backdoor.flashback.39 is stored?

The original file is a Java applet that is rendered by your browser and exists only in RAM. There should be a copy of it in ~/Library/Caches/Java/cache/6.0/.


The first file is an updater component. It is dropped in the users home folder. The filename will always start with a ".".

A launch point is then created for the updater component in the ~/Library/LaunchAgents folder.

Locations for the rest of the components depend on whether the user provides an admin password or not.

Apr 21, 2012 11:45 PM in response to MadMacs0

I did not see any file created or modified after February 23rd 2012 besides .bash_history in my home directory, but in the LaunchAgents folder I only found one file that is a list to a program I don't know about; the file was "com.akamai.single-user-client.plist".


I am running Mac OS X Lion Server so I assume that is where that file came from, but it is not com.apple... so I don't know where that file came from just that it was created on January 21st 2012 and modified/last opened on March 21st 2012.

Apr 22, 2012 12:35 AM in response to Ramón Tech

I guess the first question I have is why do you think you might be infected?

Ramón Tech wrote:


I did not see any file created or modified after February 23rd 2012 besides .bash_history in my home directory, but in the LaunchAgents folder I only found one file that is a list to a program I don't know about; the file was "com.akamai.single-user-client.plist".


I am running Mac OS X Lion Server so I assume that is where that file came from, but it is not com.apple... so I don't know where that file came from just that it was created on January 21st 2012 and modified/last opened on March 21st 2012.

January is too early for this variant. Although Dr. Web claims they started seeing it in mid-March, about the earliest we saw was perhaps March 27 or 28.


I found this reference to "com.akamai.single-user-client.plist": Akamai NetSession Interface, which sounds like it might be something an OS X Server might use. I know that Apple has used Akamai services for file distribution in the past, so chances are it's legit. Use QuickLook to take a look inside by highlighting the file and hitting the space bar. Here's an example of a partial malware LaunchAgent:

    <key>ProgramArguments</key>
    <array>
        <string>~/.skypeup</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>4212</integer>
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
    <key>StandardOutPath</key>
    <string>/dev/null</string>

Note the reference to ".skypeup"
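The two posts above from MadMacs0 describe where the Flashback updater lands (a dotfile dropped in the user's home folder, started from a plist in ~/Library/LaunchAgents) and show a partial malicious LaunchAgent whose ProgramArguments points at ~/.skypeup. The following is an added example, written for this thread and not code from any poster or vendor, that parses LaunchAgent plists with Python's standard plistlib and flags exactly that pattern: a program path naming a hidden file directly under a user's home directory, plus the weaker sign that both stdout and stderr are sent to /dev/null. The two sample plists are constructed for illustration; their labels, the benign helper path and the scan_launch_agents helper are assumptions, not anything the thread or the malware is known to use.

```python
"""Flag LaunchAgent plists that launch a hidden dotfile in the home folder.

Added example for the forum thread above; the indicator (ProgramArguments
pointing at something like ~/.skypeup) is the one quoted by MadMacs0.
"""
import glob
import os
import plistlib

# Constructed sample modelled on the partial LaunchAgent quoted in the thread.
# The Label value is invented; the rest mirrors the quoted keys.
MALICIOUS_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.constructed-updater</string>
    <key>ProgramArguments</key>
    <array>
        <string>~/.skypeup</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>4212</integer>
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
    <key>StandardOutPath</key>
    <string>/dev/null</string>
</dict>
</plist>
"""

# Constructed benign sample: an ordinary agent launching a signed app helper
# (hypothetical path) from /Applications, nothing hidden in the home folder.
BENIGN_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.benign-helper</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Applications/Example.app/Contents/MacOS/helper</string>
        <string>--background</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
"""


def launches_hidden_home_file(arg):
    """True when `arg` names a dotfile sitting directly in a user's home folder,
    e.g. "~/.skypeup" or "/Users/alice/.skypeup". Dotfiles deeper down, such as
    ~/.config/foo, are not flagged: the thread's indicator is a dotfile in $HOME itself."""
    if arg.startswith("~/"):
        rest = arg[2:]
    elif arg.startswith("/Users/"):
        parts = arg.split("/", 3)      # ['', 'Users', '<name>', '<rest>']
        if len(parts) < 4:
            return False
        rest = parts[3]
    else:
        return False
    return rest.startswith(".") and "/" not in rest


def assess_agent(plist_bytes):
    """Parse one LaunchAgent plist and return (label, program, flags).

    `flags` is a list of human-readable findings; an empty list means nothing
    in this plist matched the indicators. Malformed input is reported, not raised."""
    try:
        agent = plistlib.loads(plist_bytes)
    except Exception:
        return (None, None, ["unparseable plist"])
    if not isinstance(agent, dict):
        return (None, None, ["top-level object is not a dict"])

    args = agent.get("ProgramArguments") or []
    program = agent.get("Program") or (args[0] if args else None)
    flags = []
    if program is None:
        flags.append("no Program or ProgramArguments")
    elif launches_hidden_home_file(program):
        flags.append("launches hidden dotfile in home folder")   # strong indicator
    # Weaker sign, on its own common in legitimate agents too: output discarded.
    if agent.get("StandardOutPath") == "/dev/null" and agent.get("StandardErrorPath") == "/dev/null":
        flags.append("stdout and stderr discarded")
    return (agent.get("Label"), program, flags)


def scan_launch_agents(directory=os.path.expanduser("~/Library/LaunchAgents")):
    """Assess every *.plist in `directory`; return {filename: (label, program, flags)}
    for the ones that raised at least one flag."""
    findings = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.plist"))):
        with open(path, "rb") as fh:
            result = assess_agent(fh.read())
        if result[2]:
            findings[os.path.basename(path)] = result
    return findings


if __name__ == "__main__":
    for name, sample in (("constructed malicious", MALICIOUS_SAMPLE), ("constructed benign", BENIGN_SAMPLE)):
        print(name, assess_agent(sample))
    for fname, (label, program, flags) in scan_launch_agents().items():
        print(fname, label, program, "; ".join(flags))
```

Run it on a Mac and it also walks the real ~/Library/LaunchAgents; a legitimate agent such as the Akamai one discussed above should produce no flags, because its program lives under /Applications or /Library rather than as a dotfile in the home folder. A hit on the strong indicator is worth treating exactly as MadMacs0 does: open the plist and look at what the ProgramArguments entry actually names.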
