
Dr Web Flashback Virus checker accurate?

16368 Views 100 Replies Latest reply: Apr 22, 2012 12:44 AM by Ramón Tech RSS
jo823 Level 1 Level 1 (0 points)
Apr 7, 2012 10:14 AM

Does anyone have any info about how accurate the Flashback checker from Dr Web is? http://public.dev.drweb.com/april

 

When I enter my Hardware UUID into the tool I get the following response:

 

probably infected by Backdoor.Flashback.39 !

 

Timestamp of the first access: 2012-04-03 21:27:19
Timestamp of the last access: 2012-04-06 17:48:52

 

However when I follow the instructions from the F-Secure website to locate and remove the virus (http://community.f-secure.com/t5/Protection/Flashback-Mac-OS-X-Remover/m-p/10887#M2223) using Terminal, I get the files "do not exist" responses.

 

I haven't experienced any issues with my computer but figured I'd check to be certain, and now I'm not sure how to proceed.

MacBook Pro, Mac OS X (10.6.8)
  • rccharles Level 5 Level 5 (5,150 points)
    Apr 7, 2012 12:00 PM (in response to jo823)

    General advice:

     

    Security overview by klaus1

    https://discussions.apple.com/docs/DOC-2472

     

    Security update.

    http://support.apple.com/kb/HT1222

     

    Here is a post about the flash malware.

    https://discussions.apple.com/thread/3857036?tstart=0

     

    Robert

  • WZZZ Level 6 Level 6 (11,875 points)
    Apr 7, 2012 11:56 AM (in response to jo823)

    Dr. Web might be more up to date.

  • ds store Level 7 Level 7 (30,305 points)
    Apr 7, 2012 1:04 PM (in response to jo823)

    Copy and paste the required info into Dr. Web and try again.

     

    There are checks one can perform to see

     

    1: If any of their machines have been seen on the Flashback botnet

     

    http://public.dev.drweb.com/april/

     

     

    2: Terminal commands to see if their machine is infected (use copy and paste, then press enter)

     

    https://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

     

     

    3: Preventative methods to avoid becoming infected.

     

    Update Java via Software Update.

     

    Disable Java in all your web browsers' preferences (notice Java is not JavaScript)

     

     

    Check your status of all browser plug-ins

     

    https://www.mozilla.org/en-US/plugincheck/

     

     

    Firefox + NoScript add-on + Temp Allow All Button on Firefox's toolbar to turn on scripts only on sites you trust.

     

     

    Learn how to make bootable clones, this way a complete erase can occur and a reverse clone done.

     

    https://discussions.apple.com/community/notebooks/macbook_pro?view=documents

     

     

    4: Resources if one is infected

     

    Data Recovery, wiping entire machine, reinstalling OS X, returning clean files, etc.

     

    https://discussions.apple.com/community/notebooks/macbook_pro?view=documents

  • WZZZ Level 6 Level 6 (11,875 points)
    Apr 7, 2012 2:33 PM (in response to jo823)

    Try running these commands courtesy of X423424X. The formatting here is breaking one of the lines. Be sure to copy/paste it in.

    Here's what I am suggesting as a rudimentary test for some of the known strains of the flashback trojans.  Open a terminal window and copy/paste each of the following lines hitting return after each one and note the results:

     

    defaults read ~/.MacOSX/environment

     

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

     

    ls -la ~/Library/LaunchAgents

     

    grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* | grep -v "/Users/$USER/\.Trash"

     

    For the two defaults commands, if you get anything other than a "does not exist" error message post the results since you are almost certainly infected.

     

    The third command, ls, just lists the contents of your LaunchAgents, if any.  That's additional info to be used in conjunction with the last grep command.  If the grep shows any results then that too may indicate infection and again post its results.

    And these two as well.

     

    defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

     

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

  • rccharles Level 5 Level 5 (5,150 points)
    Apr 7, 2012 3:32 PM (in response to WZZZ)

    You sure you do not want these commands in quotes?

     

    defaults read "/Applications/Safari.app/Contents/Info LSEnvironment"

     

     

    defaults read "/Applications/Firefox.app/Contents/Info LSEnvironment"

     

    defaults read "/Applications/Safari.app/Contents/Info LSEnvironment"

     

    looks like there is a space after the Info.

     

    Robert

  • etresoft Level 7 Level 7 (23,895 points)
    Apr 7, 2012 3:37 PM (in response to jo823)

    jo823 wrote:

     

    Does anyone have any info about how accurate the Flashback checker from Dr Web is? http://public.dev.drweb.com/april

     

    When I enter my Hardware UUID into the tool I get the following response:

     

    probably infected by Backdoor.Flashback.39 !

     

    Timestamp of the first access: 2012-04-03 21:27:19
    Timestamp of the last access: 2012-04-06 17:48:52

     

    However when I follow the instructions from the F-Secure website to locate and remove the virus (http://community.f-secure.com/t5/Protection/Flashback-Mac-OS-X-Remover/m-p/10887#M2223) using Terminal, I get the files "do not exist" responses.

     

    I haven't experienced any issues with my computer but figured I'd check to be certain, and now I'm not sure how to proceed.

    I have created a user tip and malware checker/removal tool: https://discussions.apple.com/docs/DOC-3271

     

    I would love to find out what the results are if you run this program. If it returns clean, perhaps there is something fishy in Russia.

  • etresoft Level 7 Level 7 (23,895 points)
    Apr 7, 2012 4:01 PM (in response to jo823)

    jo823 wrote:

     

    Thanks etresoft, I was able to download your malware checker tool and it responded "You don't seem to have any malware problems".  Think I'm ok?

    I think you're fine, but my skepticism of the Dr. Web story has made me unpopular in certain circles.

     

    I have asked the hosts to remove your posts with your name in them. If you really have disproved the Dr. Web story, you might not be very popular either.

     

    I have saved a copy of this thread and can provide a sanitized copy of the logs if anyone wants to see.

     

    Enjoy! And thanks for the update!

  • BDAqua Level 10 Level 10 (114,705 points)
    Apr 7, 2012 5:12 PM (in response to etresoft)

    I'm wondering since Dr Web is using the UUID, that it's just not a case that there's a duplicate UUID out there that is infected... I seem to remember, (not very well), some duplicate UUID problem from a couple of years back?

  • MadMacs0 Level 4 Level 4 (3,320 points)
    Apr 7, 2012 9:04 PM (in response to ds store)

    ds store wrote:

     

    2: Terminal commands to see if their machine is infected (use copy and paste, then press enter)

     

    https://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

    Latest is https://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

  • MadMacs0 Level 4 Level 4 (3,320 points)
    Apr 7, 2012 10:31 PM (in response to jo823)

    jo823 wrote:

     

    When I enter my Hardware UUID into the tool I get the following response:

     

    probably infected by Backdoor.Flashback.39 !

     

    Timestamp of the first access: 2012-04-03 21:27:19
    Timestamp of the last access: 2012-04-06 17:48:52

    Sorry I'm late to the party, but I have way too much going on right now for this...

     

    My first observation is that this is very recent. As I recall everything we were watching last weekend was installed something like March 23 to March 28. Perhaps we are dealing with an as yet unnamed variant.

     

    Next, from what I understand about this database, all it knows is that something with an identifier that includes an encrypted identifier that includes a UUID is trying to contact one of three Command & Control servers. It has no idea whether or not that Mac has any other files installed, just that one or more steps in the installation process has taken place. That's why they say "probably infected." We've been told that if the process finds certain software installed on that Mac it will abort the process and destroy itself, but I suppose something could go wrong with the destruction leaving the communications module active.

     

    Last weekend we were alerted to the situation by users who had Little Snitch installed and practically nobody that didn't have it complained. If this is new, I'm sure they have found a way to eliminate the Little Snitch canary again.

     

    Perhaps some details have been deleted, but there's a lot I don't know about your situation. Do you have Little Snitch installed? Do you recall seeing any dialogs requesting your admin password, certificate approval, anything unusual around the date and time (although I'm not sure I know what time zone Dr. Web is using) they first heard something purportedly from your Mac? If so, do you remember whether you approved or dismissed that dialog?

     

    I've scanned through all the tests that were run and they all seemed to have focused on removing a full infection. You've told us that you have Office 2008 installed, so a Type 2 infection probably could not have happened. I think we can rule out a Type 1 infection from the "K" variant, so again it may be a new one or it aborted and left something behind. I've tried to check all the commands and probably overlooked it, but did anybody check for a hidden executable in the home folder (I doubt that I remember them all from last week but we had .rserv, .mkeeper, .jupdate and I'm sure several others)? I know there were some checks for LaunchAgents, but can't be sure they would have revealed one installed around that date.

     

    And yes, I can't dismiss the possibility that Dr. Web is wrong or that duplicate UUIDs exist. Just thought it might be worth looking a little harder at this since it's apparently our first effort at a Dr. Web positive and possibly something new that we won't read about until the bloggers get back to work after their Easter weekend.
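The checks WZZZ lists (the two defaults reads, the LaunchAgents listing and the grep for hidden home-folder paths) and the hidden-executable check MadMacs0 asks about, collected into one script. This is an added example written for this thread, not a tool posted by anyone in it: it reads the plists as XML text with grep so it can run on any POSIX system against a clone or copied volume as well as on the Mac itself (binary plists would need `plutil -convert xml1` first; on the live machine the `defaults read` commands above remain the authoritative form). The `DYLD_INSERT_LIBRARIES` key is the known Flashback entry in environment.plist; the sample tree built by `make_sample_tree` is constructed for demonstration only and contains no real malware.

```shell
#!/bin/sh
# Added example (not from the thread): the thread's Terminal checks as a
# file-based triage function. Assumes XML plists; binary plists need
# `plutil -convert xml1 <file>` first.
#
# Usage: flashback_triage <volume root> <short user name>
#   flashback_triage / "$USER"            # on the Mac itself
#   flashback_triage /Volumes/Clone jo823 # against a bootable clone
# Prints one "HIT ..." line per indicator and returns the number of hits.
flashback_triage() {
    root="$1"; user="$2"; hits=0
    home="$root/Users/$user"

    # 1. ~/.MacOSX/environment.plist injecting a library (the thread's
    #    "defaults read ~/.MacOSX/environment")
    if [ -f "$home/.MacOSX/environment.plist" ] &&
       grep -q 'DYLD_INSERT_LIBRARIES' "$home/.MacOSX/environment.plist"; then
        echo "HIT environment.plist sets DYLD_INSERT_LIBRARIES"
        hits=$((hits + 1))
    fi

    # 2. LSEnvironment key in a browser's Info.plist (the thread's
    #    "defaults read /Applications/<app>.app/Contents/Info LSEnvironment")
    for app in Safari Firefox; do
        plist="$root/Applications/$app.app/Contents/Info.plist"
        if [ -f "$plist" ] && grep -q '<key>LSEnvironment</key>' "$plist"; then
            echo "HIT $app Info.plist contains LSEnvironment"
            hits=$((hits + 1))
        fi
    done

    # 3. LaunchAgents that reference a dotfile in the home folder, ignoring
    #    the Trash (the thread's grep | grep -v pair)
    if [ -d "$home/Library/LaunchAgents" ]; then
        for agent in "$home/Library/LaunchAgents"/*; do
            [ -f "$agent" ] || continue
            if grep "/Users/$user/\." "$agent" | grep -qv "/Users/$user/\.Trash"; then
                echo "HIT LaunchAgent $(basename "$agent") references a hidden home-folder path"
                hits=$((hits + 1))
            fi
        done
    fi

    # 4. Hidden executables directly in the home folder, the payload location
    #    MadMacs0 asks about (.rserv, .mkeeper, .jupdate were seen earlier).
    #    Word-splitting on find output is acceptable here: home-folder dotfile
    #    names with spaces are not expected.
    if [ -d "$home" ]; then
        for hidden in $(find "$home" -maxdepth 1 -name '.*' -type f -perm -100 2>/dev/null); do
            echo "HIT hidden executable $hidden"
            hits=$((hits + 1))
        done
    fi

    return "$hits"
}

# Constructed sample tree for demonstration and testing only. It imitates the
# layout the checks look at (one hit for each of checks 1, 2 and 3, one hidden
# executable for check 4, plus a Trash-only agent that must NOT count).
make_sample_tree() {
    root="$1"; user="$2"; home="$root/Users/$user"
    mkdir -p "$home/.MacOSX" "$home/Library/LaunchAgents" \
             "$root/Applications/Safari.app/Contents" "$root/Applications/Firefox.app/Contents"
    printf '<plist><dict><key>DYLD_INSERT_LIBRARIES</key><string>/Users/%s/.example.so</string></dict></plist>\n' \
        "$user" > "$home/.MacOSX/environment.plist"
    printf '<plist><dict><key>LSEnvironment</key><dict/></dict></plist>\n' \
        > "$root/Applications/Safari.app/Contents/Info.plist"
    printf '<plist><dict><key>CFBundleName</key><string>Firefox</string></dict></plist>\n' \
        > "$root/Applications/Firefox.app/Contents/Info.plist"
    printf '<plist><dict><key>ProgramArguments</key><array><string>/Users/%s/.example_agent</string></array></dict></plist>\n' \
        "$user" > "$home/Library/LaunchAgents/com.example.agent.plist"
    printf '<plist><dict><key>ProgramArguments</key><array><string>/Users/%s/.Trash/old</string></array></dict></plist>\n' \
        "$user" > "$home/Library/LaunchAgents/com.example.trash.plist"
    : > "$home/.example_agent" && chmod u+x "$home/.example_agent"
}
```

Run it against the sample tree (`d=$(mktemp -d); make_sample_tree "$d" jo; flashback_triage "$d" jo`) and it reports four hits; the Trash-only agent is correctly ignored, which is the reason for the second grep in the thread's pipeline. A zero return on a real volume means only that none of these four known indicators is present, which is the same limited assurance the thread's commands give.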
