
"What to do now if I had the Flashback Trojan?"

I just did a software update (was overdue) that included the java security fix, and was immediately informed that the "OSX.FlashBack.iv" malware was found and removed.



Does anyone happen to know how serious a threat the malware presents, how to assess any potential damage it may have done, and what I might do to minimize any after-the-fact damage?

iMac, Mac OS X (10.6.8), 27", 3.2GHz Core i3-4GB RAM-1TB HDD

Posted on Apr 27, 2012 12:55 AM

22 replies

Apr 27, 2012 4:57 AM in response to Maxwell’s Demon

Maxwell’s Demon wrote:


I'm just concerned about what my exposure has been these past few weeks while the trojan was on my machine, and what I might do at this point to minimize any potential damage I might now be facing.

Intego once seemed to be convinced that it was capturing username/password pairs and passing them on via Twitter, but I'm only aware of two people who claim to have experienced fraudulent credit card activity around the time of infection. With over 600,000 infected you would think there would be more people complaining of such issues.


But, we also know the Trojan is capable of being updated for bigger and better things in the future.

Apr 27, 2012 10:07 PM in response to MadMacs0

OK. So the threat appears to be unknown (or at least no one knows for sure). The question I have boils down to this: What would you (or Carolyn, or X423424X, or MadMacs0) do — your "next steps" — if you had discovered, and then removed, OSX.FlashBack.iv from your Mac, knowing that it had been on your machine for several weeks prior to your finding it?

Apr 27, 2012 11:01 PM in response to Maxwell’s Demon

Maxwell’s Demon wrote:


OK. So the threat appears to be unknown (or at least no one knows for sure). The question I have boils down to this: What would you (or Carolyn, or X423424X, or MadMacs0) do — your "next steps" — if you had discovered, and then removed, OSX.FlashBack.iv from your Mac, knowing that it had been on your machine for several weeks prior to your finding it?

Personally I would keep an eye out for any suspicious activity in regards to my credit card transactions. But I would be pretty sure you will be safe, but if you are worried about any other form of malware, then turn off Enable Java in Safari > Preferences > Security (don't turn off JavaScript though) and perhaps install ClamXav or Sophos for future protection, although hackers are usually a day in front of definition updates anyway.


Also maybe install a program such as Little Snitch which catches any strange ingoing or outgoing connections. Mind you, this is what I MIGHT consider if I had found it on my system.


Good Luck


Pete

Apr 27, 2012 11:44 PM in response to Maxwell’s Demon

Maxwell’s Demon wrote:


What would you do — your "next steps" — if you had discovered, and then removed, OSX.FlashBack.iv from your Mac, knowing that it had been on your machine for several weeks prior to your finding it?

I'm pretty sure I would go to all the sites I could remember signing into that had significant financial data of mine on them and change my passwords. If I used the same password on multiple sites (I don't) I would change all those, as well. I already check all my transactions on a daily basis due to a mysterious Credit Card compromise a few months back, but if I wasn't, I would do that. A site called mint.com (run by Intuit) makes it easy to see everything at once, but in order to do that I have to provide significant information to them.


I would certainly endorse the use of Little Snitch as being worth the time, money and effort to install, set up and maintain. It's not for everyone, but I've used it for years to keep track of what information leaves my computer. During the period when it first alerted users to the existence of the Flashback "N" variant I gained new respect for its capability.

Apr 29, 2012 5:09 PM in response to petermac87

petermac87 wrote:


Personally I would keep an eye out for any suspicious activity in regards to my credit card transactions. But I would be pretty sure you will be safe, but if you are worried about any other form of malware, then turn off Enable Java in Safari > Preferences > Security (don't turn off JavaScript though)



OK...I turned off "Enable Java." I've never thought about it, so I'll be curious what effect operating with Java disabled will have


and perhaps install ClamXav or Sophos for future protection, although hackers are usually a day in front of definition updates anyway.


I have ClamXav, but haven't bothered using it for quite some time — very slow, and seemed like it was kind of unnecessary (at least, until now).

Also maybe install a program such as Little Snitch which catches any strange ingoing or outgoing connections. Mind you, this is what I MIGHT consider if I had found it on my system.


Good Luck


Pete


I do indeed have Little Snitch installed and running. It pops up repeatedly when I retrieve eMail, and I almost reflexively tell it to "allow," inasmuch as I've never noticed anything suspicious. I guess now I'll have to be a little less "reflexive."

Apr 29, 2012 5:30 PM in response to MadMacs0

MadMacs0 wrote:


I'm pretty sure I would go to all the sites I could remember signing into that had significant financial data of mine on them and change my passwords. If I used the same password on multiple sites (I don't) I would change all those, as well. I already check all my transactions on a daily basis due to a mysterious Credit Card compromise a few months back, but if I wasn't, I would do that. A site called mint.com (run by Intuit) makes it easy to see everything at once, but in order to do that I have to provide significant information to them.


I did go to all of my credit card/bank account sites and changed my user names and passwords. And this time, I'll print the info out, but won't do what I've done before (which was to store that info in a spreadsheet that I had saved to my drive).


As far as mint.com or any other third party is concerned (including the online backup-service companies), I simply don't trust them and/or don't have high enough confidence in the security measures they have in place to hand over my personal info.

I would certainly endorse the use of Little Snitch as being worth the time, money and effort to install, set up and maintain. It's not for everyone, but I've used it for years to keep track of what information leaves my computer. During the period when it first alerted users to the existence of the Flashback "N" variant I gained new respect for its capability.


Thinking about Little Snitch again...I think I read somewhere that FlashBack checks out the system it has targeted and doesn't install itself if it detects the presence of Little Snitch. (If true, I don't know how FlashBack got into my system.)

Apr 29, 2012 7:36 PM in response to Maxwell’s Demon


Maxwell’s Demon wrote:


Thinking about Little Snitch again...I think I read somewhere that FlashBack checks out the system it has targeted and doesn't install itself if it detects the presence of Little Snitch. (If true, I don't know how FlashBack got into my system.)


There are at least two dozen variants of Flashback according to Intego. Early versions disabled Little Snitch (LS) and several more recent ones eventually do check for it, but the "K" variant did not check soon enough. As a result, users that had LS active were warned early in the installation process, which was covered by this 16-page thread: ".rserv wants to connect to cuojshtbohnt.com". I can't say for certain that F-Secure's "K" variant is Apple's Flashback.iv, but I believe it is. In that case, it would have installed the first two components, after which LS should have told you of the requested connection. Only if you approved that would it have continued on to install the remaining components to accomplish whatever it strives to do. Unfortunately, Apple's MRT doesn't reveal exactly what it did or even what it is capable of doing, so unless there is a log entry we haven't discovered yet, you'll never know to what extent you were infected.
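The alert MadMacs0 quotes above (".rserv wants to connect to cuojshtbohnt.com") is exactly the kind of outbound-connection prompt a user tends to approve "reflexively", as the original poster admits later in this thread. The following Python script is an added example, not code from the thread, from Apple or from the Little Snitch developers: it triages alert lines in that wording and flags the ones worth a second look before clicking "allow". Only the quoted alert is from the thread; the other sample lines, the process baseline in KNOWN_PROCESSES and the heuristics (unknown process, dot-prefixed hidden process name, raw IP destination, consonant-heavy domain label) are constructed for illustration.

```python
"""Triage outbound-connection alerts in the "<process> wants to connect to <host>"
wording quoted in the thread. Added example; the log format, baseline and
thresholds are constructed for illustration, not taken from any real product."""
import re
import ipaddress

# Constructed sample alerts. The third line is the alert quoted in the thread;
# the other lines are made up to exercise the remaining checks.
SAMPLE_ALERTS = """\
Mail wants to connect to imap.example.net
Safari wants to connect to www.apple.com
.rserv wants to connect to cuojshtbohnt.com
Safari wants to connect to static.example-cdn.net
updater wants to connect to 198.51.100.23
"""

# Hypothetical baseline: processes this user expects to reach the network.
KNOWN_PROCESSES = {"Mail", "Safari", "Software Update"}

# Non-greedy process group so names containing spaces still parse.
ALERT_RE = re.compile(r"^(?P<proc>.+?) wants to connect to (?P<dest>\S+)$")

VOWELS = set("aeiouy")


def parse_alert(line):
    """Return (process, destination) or None for lines in another format."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return m.group("proc"), m.group("dest")


def longest_consonant_run(label):
    """Longest run of consonant letters in a label. Pronounceable words rarely
    exceed three or four; randomly generated labels often do."""
    best = run = 0
    for ch in label.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def registrable_label(host):
    """Label left of the suffix, e.g. 'cuojshtbohnt' for cuojshtbohnt.com.
    Assumes a single-label suffix, which is enough for a triage heuristic."""
    parts = host.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_ip_literal(dest):
    """True when the destination is a bare IPv4/IPv6 address, not a hostname."""
    try:
        ipaddress.ip_address(dest)
        return True
    except ValueError:
        return False


def assess(proc, dest):
    """Return the list of reasons an alert deserves a closer look ([] if none)."""
    reasons = []
    if proc not in KNOWN_PROCESSES:
        reasons.append("process not in baseline")
    if proc.startswith("."):
        reasons.append("hidden (dot-prefixed) process name")
    if is_ip_literal(dest):
        reasons.append("connects to a raw IP address")
    elif longest_consonant_run(registrable_label(dest)) >= 5:
        reasons.append("domain label looks randomly generated")
    return reasons


def triage(text):
    """Parse alert lines and return [(proc, dest, reasons)] for flagged ones."""
    flagged = []
    for line in text.splitlines():
        parsed = parse_alert(line)
        if parsed is None:
            continue
        proc, dest = parsed
        reasons = assess(proc, dest)
        if reasons:
            flagged.append((proc, dest, reasons))
    return flagged


if __name__ == "__main__":
    for proc, dest, reasons in triage(SAMPLE_ALERTS):
        print(f"{proc} -> {dest}: {'; '.join(reasons)}")
```

Run against the constructed sample, the script flags the thread's alert on all three process and domain checks and the made-up "updater" line for an unknown process talking to a raw IP, while the Mail and Safari lines pass. The consonant-run heuristic is deliberately crude; it is a prompt for the user to pause, not a verdict, and a baseline of expected processes is the part that carries the most weight.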

May 3, 2012 6:35 AM in response to MadMacs0

MadMacs0 wrote:

...

...

accomplish whatever it strives to do. Unfortunately, Apple's MRT doesn't reveal exactly what it did or even what it is capable of doing, so unless there is a log entry we haven't discovered yet, you'll never know to what extent you were infected.


Ummm...I just noticed your reference to "MRT." It took me a little while to realize that it's an abbreviation for "Malware Removal Tool." Is "MRT" a standard acronym?


Also, since Java is not, by default, installed in Lion, that suggests that Apple feels that it's both an unnecessary and perhaps undesirable piece of software. If so, why doesn't Apple simply say so, and recommend that SL users (such as myself) uninstall it from their systems? (And if so, where is it located—I can't find it in my apps and utilities folders—and how does one uninstall it?)

May 3, 2012 8:58 AM in response to noondaywitch

noondaywitch wrote:


Uninstalling is too tricky; you can turn it off completely by going to Java Preferences in the Utilities folder, and under the General tab uncheck the boxes for all versions shown.


I've disabled it in Safari. What other apps do I have to be concerned about (which would make "turning it off completely" more advisable)?

May 3, 2012 9:20 AM in response to Maxwell’s Demon

It doesn't need other applications; Java applets can be run directly on the Mac (or PC) if so selected in the preference pane.


Disabling completely avoids anything slipping through unannounced.


There are few websites actually using Java content these days. Unfortunately, of the ones that do, it's usually banking sites! (At least in the US. I'm not aware of any European banks which do this.)

May 3, 2012 10:12 AM in response to Maxwell’s Demon

Maxwell’s Demon wrote:


I've disabled it in Safari. What other apps do I have to be concerned about (which would make "turning it off completely" more advisable)?

If you use any other browser apps, you should disable those, as well. If you turn it off completely any app that requires it will undoubtedly let you know you need to turn it back on.
