jo823

Q: Dr Web Flashback Virus checker accurate?

Does anyone have any info about how accurate the Flashback checker from Dr Web is? http://public.dev.drweb.com/april

When I enter my Hardware UUID into the tool I get the following response:

probably infected by Backdoor.Flashback.39 !

Timestamp of the first access: 2012-04-03 21:27:19
Timestamp of the last access: 2012-04-06 17:48:52

However, when I follow the instructions from the F-Secure website to locate and remove the virus (http://community.f-secure.com/t5/Protection/Flashback-Mac-OS-X-Remover/m-p/10887#M2223) using Terminal, I get the files "do not exist" responses.

 

I haven't experienced any issues with my computer but figured I'd check to be certain, and now I'm not sure how to proceed.

MacBook Pro, Mac OS X (10.6.8)

Posted on Apr 7, 2012 10:14 AM

  • by etresoft, Level 7 (29,380 points), Apr 11, 2012 6:47 PM in response to jo823

    jo823 wrote:

    I did download Little Snitch, but was wondering if anyone felt the need to run an Anti-Virus program on their Macs as well? I didn't get one initially because everyone at the Apple Store said it wasn't necessary, but this latest experience has me second-guessing myself. Any recommendations?

    I don't even run anti-virus on Windows.

    This is the first actual malware that I can remember on MacOS X in 12 years. All of the other ones required the user be tricked into installing them. The actual security hole was in Java from 5 years before MacOS X. The actual infection is pitifully easy to remove. Apple has already removed Java from the default installation of the operating system and is taking additional steps to make it more secure in the future. I don't think there is anything to worry about.

  • by MadMacs0, Level 5 (4,801 points), Apr 11, 2012 6:52 PM in response to jsd2

    jsd2 wrote:

    F-Secure just released a free Flashback detection and removal tool:

    http://www.f-secure.com/weblog/archives/00002346.html

    Yes, I've taken a really quick look at the script they supposedly use, which can be accessed here. They clearly seem to know more about this than any of the other vendors we've read, so it's promising. It is a pretty simple script which seems to check first for Library components involved with different variants and, if found, tells you "Possible infected file: ${ldpath} . If this is malware, please remove manually."

    It checks for:

    /Applications/Safari.app/Contents/Info/ for LSEnvironment

    ${HOME}/.MacOSX/environment for DYLD_INSERT_LIBRARIES

    Deletes whatever it finds, unsets the dylib in launchctl and that's that.

  • by MadMacs0, Level 5 (4,801 points), Apr 11, 2012 6:56 PM in response to etresoft

    etresoft wrote:

    Apple has already removed Java from the default installation of the operating system and is taking additional steps to make it more secure in the future. I don't think there is anything to worry about.

    I think I agree, except for Intel Macs still running 10.6.7 and below, which are still at risk. Disabling Java in browsers seems to be "good enough" for now, but then we'll all have to watch for the next Java exploit or some new path.

  • by X423424X, Level 6 (14,237 points), Apr 11, 2012 7:14 PM in response to MadMacs0

    MadMacs0 wrote:

    jsd2 wrote:

    F-Secure just released a free Flashback detection and removal tool:

    http://www.f-secure.com/weblog/archives/00002346.html

    Yes, I've taken a really quick look at the script they supposedly use, which can be accessed here. They clearly seem to know more about this than any of the other vendors we've read, so it's promising. It is a pretty simple script which seems to check first for Library components involved with different variants and, if found, tells you "Possible infected file: ${ldpath} . If this is malware, please remove manually."

    It checks for:

    /Applications/Safari.app/Contents/Info/ for LSEnvironment

    ${HOME}/.MacOSX/environment for DYLD_INSERT_LIBRARIES

    Deletes whatever it finds, unsets the dylib in launchctl and that's that.

    I looked at this too and this is the first one I've seen that I can recommend (and will be pointing to in future posts). I want to add that in addition to the checks noted above it also checks the ~/Library/LaunchAgents.

  • by MadMacs0, Level 5 (4,801 points), Apr 11, 2012 7:35 PM in response to X423424X

    X423424X wrote:

    I want to add that in addition to the checks noted above it also checks the ~/Library/LaunchAgents.

    Great! I don't see that in the shell script, but perhaps it was added in the app or it's in an AppleScript that I've just been told exists. That worried me too, as it's been the primary element overlooked by most all the tools initially.

  • by jsd2, Level 5 (6,215 points), Apr 11, 2012 7:46 PM in response to MadMacs0

    The app bundle that can be downloaded contains two scripts, and the first is apparently a newer version of the one at the github site.

    FlashbackRemoval.app/Contents/Resources/RemoveFlashback.sh

    FlashbackRemoval.app/Contents/Resources/Scripts/main.scpt

  • by MadMacs0, Level 5 (4,801 points), Apr 11, 2012 7:51 PM in response to MadMacs0

    Following up my own observation: yes, the shell script has been enhanced to include launchagents as well as Firefox. They also added an optional mode where they move probably infected files to quarantine, then zip them, suitable for uploading to sample sites.
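    The posts above describe what the F-Secure shell script inspects: the Safari (and later Firefox) bundle's Info.plist for an LSEnvironment key, ~/.MacOSX/environment.plist for DYLD_INSERT_LIBRARIES, and ~/Library/LaunchAgents. The following is an added, report-only check of those same locations, written for this thread and not taken from F-Secure's tool. It assumes the Safari file is Contents/Info.plist (the post abbreviates the path), mirrors the Safari check for Firefox because the thread gives no more detail, and only lists launch agents for manual review because the thread does not say what the tool matches inside them. Root and home directories are parameters so the check can be run against a mounted or staged copy rather than the live system.

```shell
#!/bin/sh
# Added example: report-only check of the Flashback persistence locations
# discussed in this thread. Not F-Secure's script. It never deletes or moves
# anything; quarantine and removal are left to the operator.

# Print a plist as text. On macOS, plutil converts binary plists to XML;
# elsewhere (or if plutil cannot parse the file) the raw file is passed through.
plist_text() {
    if command -v plutil >/dev/null 2>&1; then
        plutil -convert xml1 -o - "$1" 2>/dev/null || cat "$1"
    else
        cat "$1"
    fi
}

# True when FILE exists and its text contains KEY.
plist_has_key() {
    [ -f "$1" ] && plist_text "$1" | grep -q "$2"
}

# check_flashback_indicators ROOT HOME_DIR
# Prints FINDING/INFO lines and a final "RESULT: N finding(s)" line.
check_flashback_indicators() {
    root=${1%/}      # strip a trailing slash so "/" becomes ""
    home=${2%/}
    findings=0

    # Browser bundles whose Info.plist carries an LSEnvironment dictionary
    # (Safari per the post; Firefox is an assumption based on the follow-up).
    for app in Safari Firefox; do
        info="$root/Applications/$app.app/Contents/Info.plist"
        if plist_has_key "$info" LSEnvironment; then
            echo "FINDING: LSEnvironment key present in $info"
            findings=$((findings + 1))
        fi
    done

    # Per-user environment file that would inject a library into every process.
    envplist="$home/.MacOSX/environment.plist"
    if plist_has_key "$envplist" DYLD_INSERT_LIBRARIES; then
        echo "FINDING: DYLD_INSERT_LIBRARIES set in $envplist"
        findings=$((findings + 1))
    fi

    # Per-user launch agents: legitimate ones exist, so list them for review
    # rather than flagging them.
    agents="$home/Library/LaunchAgents"
    if [ -d "$agents" ]; then
        for f in "$agents"/*.plist; do
            [ -f "$f" ] || continue
            echo "INFO: launch agent $f (review its ProgramArguments)"
        done
    fi

    echo "RESULT: $findings finding(s)"
}

# Usage on the live system:  sh check_flashback.sh --scan
if [ "${1:-}" = "--scan" ]; then
    check_flashback_indicators / "$HOME"
fi
```

    Pointing the function at a staged tree (for example a copy of a suspect user's home directory) lets you verify what the check reports before trusting it on a live machine; a clean tree yields "RESULT: 0 finding(s)" with only INFO lines for whatever launch agents are present.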

  • by MadMacs0, Level 5 (4,801 points), Apr 11, 2012 7:56 PM in response to jsd2

    jsd2 wrote:

    The app bundle that can be downloaded contains two scripts, and the first is apparently a newer version of the one at the github site.

    FlashbackRemoval.app/Contents/Resources/RemoveFlashback.sh

    FlashbackRemoval.app/Contents/Resources/Scripts/main.scpt

    Yes, I'm caught up now.

    The AppleScript:

    -- Step 1: Get acceptance of EULA
    -- Step 2: Scan-only run of the shell script
    -- Step 3: Ask if user really wants to remove if something was found

    Otherwise give the all clear.

  • by X423424X, Level 6 (14,237 points), Apr 11, 2012 8:20 PM in response to MadMacs0

    If it is true what you said about not having the launchagent check when you first downloaded the app, then my only complaint about this is I wish they would version the app (e.g., 1.0, 1.1, etc.) so we could immediately know they have a newer version. Silent updates are inconvenient to track.

    I just checked the Flashback Removal Tool page again and noticed there's a button for comments. So I made a request for them to add a version number (it appears to be waiting for "moderator approval").

  • by MadMacs0, Level 5 (4,801 points), Apr 11, 2012 8:44 PM in response to X423424X

    X423424X wrote:

    If it is true what you said about not having the launchagent check when you first downloaded the app, then my only complaint about this is I wish they would version the app (e.g., 1.0, 1.1, etc.) so we could immediately know they have a newer version. Silent updates are inconvenient to track.

    It wasn't F-Secure that had the incomplete shell script; it was the author's postings to github five days ago that were out of date. After I took the time to download and disassemble the app, I figured out that what I previously looked at was out of date. But I do concur about versioning. Weiss has been doing that with his tool, which just went from 1.0.2 to 2.0. Several others are not doing that.

  • by X423424X, Level 6 (14,237 points), Apr 11, 2012 8:53 PM in response to MadMacs0

    Ahh, that explains the confusion. I was wondering why you were pointing at the github site. They are all marked as 5 days old there.

  • by WZZZ, Level 6 (13,112 points), Apr 12, 2012 6:01 AM in response to X423424X

    I'm posting this in this thread since it seems to be one where all the major players might see it.

    I've been trying to help someone in the Leopard forum who says that he had clear signs of the presence of the Trojan and then it inexplicably disappeared. He's run the F-Secure test and X4's commands and he comes up clean. I've recommended he get Little Snitch to see if anything's trying to connect.

    I don't quite know what to recommend now. He could do a laborious reinstall and that might be the safest way to go, but it might be unnecessary. Did this thing delete itself?

    Anyway, here's the thread. Please have a look and see what you think.

    https://discussions.apple.com/thread/3869018?tstart=0

  • by MadMacs0, Level 5 (4,801 points), Apr 12, 2012 8:50 AM in response to WZZZ

    WZZZ wrote:

    I've been trying to help someone in the Leopard forum who says that he had clear signs of the presence of the Trojan and then it inexplicably disappeared.

    Yes, I saw this last night and remembered the case, as I believe there have only been two Leopard infections discussed in the forum. I even tracked down the previous discussion https://discussions.apple.com/thread/3846648 back on April 1 to see if I could spot anything. One guess is that he went to one of the links we gave him at the time and did something to delete the DYLD_INSERT_LIBRARIES evidence and perhaps more, but forgot what he had done way back then. The only other possibility I can come up with is that the backdoor attempted an update and terminated the infection for whatever reason. At the time we thought it was the "I" variant, as we were just discovering "K" (F-Secure had not even published the "K" information) and we don't know the date of infection. As far as I can tell the F-Secure test would have picked up signs of either, including the LaunchAgent that triggers the bot transponder in "K". If it somehow missed that then Little Snitch should tell him. I didn't know what to tell him, either.

  • by WZZZ, Level 6 (13,112 points), Apr 12, 2012 8:58 AM in response to MadMacs0

    Thanks. I didn't realize he was the author of that earlier thread also. I guess it's a crap shoot.

  • by X423424X, Level 6 (14,237 points), Apr 12, 2012 11:46 AM in response to WZZZ

    There is nothing more I can add to what MadMacs0 said. I don't think I was tracking the Leopard forums at the time the OP posted.
