
Do I have a virus? What is platform.twitter.com I keep getting prompts from..?

Keep getting a prompt asking to verify the certificate for platform.twitter.com, and my Mac has slowed down considerably. Sound like any viruses out there..?

iMac, Mac OS X (10.5.8), 2.1 GHz PowerPC G5, 1.5 GB DDR2 SDRAM, 250 GB HD

Posted on May 1, 2012 10:08 AM

Question marked as Best reply

Posted on May 1, 2012 10:35 AM

Well, check these out...

ClamXav, free virus scanner...
http://www.clamxav.com/

Free Sophos...
http://www.sophos.com/products/enterprise/endpoint/security-and-control/mac/

Little Snitch, stops/alerts outgoing stuff...
http://www.obdev.at/products/littlesnitch/index.html

Free Sophos...
http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx

See if you might have this malware redirecting DNS queries...
http://macmegasite.com/node/3924
http://www.ehow.com/how_2128387_remove-osxrspluga-trojan-horse-mac.html

How to fix...
http://www.macosxhints.com/article.php?story=20071031114140862

Known DNSChanger address ranges. Source: dcwg.org
http://krebsonsecurity.com/2012/03/court-4-more-months-for-dnschanger-infected-pcs/

Get MacScan...
http://www.apple.com/downloads/macosx/networking_security/macscan.html

Disable Java in your browser settings, not JavaScript.
http://support.apple.com/kb/HT5241?viewlocale=en_US
http://support.google.com/chrome/bin/answer.py?hl=en-GB&answer=142064
http://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets

Flashback - Detect and remove the uprising Mac OS X Trojan...
http://www.mac-and-i.net/2012/04/flashback-detect-and-remove-uprising.html

In order to avoid detection, the installer will first look for the presence of some antivirus tools and other utilities that might be present on a power user's system, which according to F-Secure include the following:

/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app

If these tools are found, then the malware deletes itself in an attempt to prevent detection by those who have the means and capability to do so. Many malware programs use this behavior, as was seen in others such as the Tsunami malware bot.
http://reviews.cnet.com/8301-13727_7-57410096-263/how-to-remove-the-flashback-malware-from-os-x/
http://x704.net/bbs/viewtopic.php?f=8&t=5844&p=70660#p70660

The most current Flashback removal instructions are F-Secure's Trojan-Downloader:OSX/Flashback.K.
https://www.securelist.com/en/blog/208193454/Flashfake_Removal_Tool_and_online_checking_site

More bad news...
https://www.securelist.com/en/blog/208193467/SabPub_Mac_OS_X_Backdoor_Java_Exploits_Targeted_Attacks_and_Possible_APT_link
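The three checks this reply points at, put into one script as an added example (it is not the replier's code, not F-Secure's tool, and not from the thread). It tests the configured resolvers against the DNSChanger address ranges that DCWG and the FBI published (the CIDR list embedded below is copied from that publication, not from this thread), looks for DYLD_INSERT_LIBRARIES in the LSEnvironment of Safari and Firefox and in ~/.MacOSX/environment.plist, which is the indicator F-Secure's Flashback.K instructions have you check with `defaults read`, and lists which of the eight tools above are installed. The parsing functions read stdin so they can be exercised on constructed input; `live_check` wires them to `scutil` and `defaults` on the Mac itself. The filename `flashback_check.sh` is assumed.

```shell
#!/bin/bash
# Added example, not from the thread: offline-testable versions of the checks
# the reply links to. (1) resolvers inside the DNSChanger ranges published by
# DCWG/FBI, (2) DYLD_INSERT_LIBRARIES injected through LSEnvironment or
# ~/.MacOSX/environment.plist (the indicator in F-Secure's Flashback.K
# instructions), (3) the tools whose presence makes the installer delete itself.

# DNSChanger rogue resolver ranges (DCWG/FBI list, in CIDR form).
DNSCHANGER_RANGES="85.255.112.0/20 67.210.0.0/20 93.188.160.0/21 77.67.83.0/24 213.109.64.0/20 64.28.176.0/20"

# ip2int A.B.C.D -> unsigned 32-bit value
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_dnschanger_range IP -> exit 0 if IP is inside any rogue range
in_dnschanger_range() {
    local ip cidr base bits mask
    ip="$(ip2int "$1")"
    for cidr in $DNSCHANGER_RANGES; do
        base="$(ip2int "${cidr%/*}")"
        bits=${cidr#*/}
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
        [ $(( ip & mask )) -eq $(( base & mask )) ] && return 0
    done
    return 1
}

# rogue_resolvers < resolv.conf-style lines ("nameserver X"): print each resolver
# that falls in a rogue range; exit 0 if at least one was found, 1 otherwise.
rogue_resolvers() {
    local found=1 key val rest
    while read -r key val rest; do
        [ "$key" = nameserver ] || continue
        if in_dnschanger_range "$val"; then
            echo "ROGUE resolver: $val"
            found=0
        fi
    done
    return $found
}

# has_dyld_insert < `defaults read` output: exit 0 if DYLD_INSERT_LIBRARIES is set
has_dyld_insert() {
    grep -q DYLD_INSERT_LIBRARIES
}

# flashback_deterrents [ROOT]: print which of the tools from the F-Secure list
# exist under ROOT (default: /). Exit 0 if any are present, 1 if none are.
flashback_deterrents() {
    local root=${1:-} hit=1 p
    while IFS= read -r p; do
        if [ -e "$root$p" ]; then
            echo "present: $root$p"
            hit=0
        fi
    done <<'EOF'
/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app
EOF
    return $hit
}

# live_check: run the three checks against this Mac (needs scutil and defaults).
live_check() {
    scutil --dns | awk '/nameserver\[/ { print "nameserver", $3 }' | rogue_resolvers \
        || echo "resolvers are outside the DNSChanger ranges"
    for dom in /Applications/Safari.app/Contents/Info /Applications/Firefox.app/Contents/Info ~/.MacOSX/environment; do
        defaults read "$dom" 2>/dev/null | has_dyld_insert && echo "DYLD_INSERT_LIBRARIES set in $dom"
    done
    flashback_deterrents || echo "none of the tools Flashback checks for are installed"
}

# Only the Mac has scutil/defaults; elsewhere the functions are just defined.
if [ "$(uname)" = Darwin ]; then live_check; fi
```

Run it on the iMac as `bash flashback_check.sh`. A hit from `rogue_resolvers` or `has_dyld_insert` is an actual indicator; an empty `flashback_deterrents` result only means the installer would not have aborted on this machine, not that it ran.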

May 1, 2012 11:07 AM in response to pooper

Further analysis of Flashback by Russian security firm Dr Web, which sounded the alarm about the malware, has revealed how it was controlled.

Its creators seem to have used Twitter as the command-and-control system for the huge number of machines that it infected.

Compromised machines were programmed to regularly search Twitter for messages containing particular strings of letters. These would direct infected machines to visit particular websites to get updates or receive further instructions.

http://www.bbc.co.uk/news/technology-17906830

All social networking sites get hacked and distribute malware from time to time.

May 1, 2012 5:24 PM in response to pooper

pooper wrote:


Keep getting a prompt asking to verify the certificate for platform.twitter.com, and my Mac has slowed down considerably. Sound like any viruses out there..?

Nope, just some sort of a glitch in the Certificate world. If it's the one I'm thinking of it's a JavaScript for a Twitter Button (perhaps on c|net's floating button bar). The Certificate is valid until mid-June and issued by VeriSign. Allowing it just gives you the button on that page. Trusting the certificate seems harmless to me since it's clearly coming from a Twitter domain. Why it's screwed up is a mystery to me in view of the fact that VeriSign invented the system.

May 1, 2012 5:34 PM in response to Klaus1

Klaus1 wrote:


Further analysis of Flashback by Russian security firm Dr Web, which sounded the alarm about the malware, has revealed how it was controlled.

Its creators seem to have used Twitter as the command-and-control system for the huge number of machines that it infected.

Compromised machines were programmed to regularly search Twitter for messages containing particular strings of letters. These would direct infected machines to visit particular websites to get updates or receive further instructions.

http://www.bbc.co.uk/news/technology-17906830

All social networking sites get hacked and distribute malware from time to time.

My understanding of all this is that it is still being used and does not require the hacking of the Twitter site. They just use a normal Twitter message with a unique hashtag for each date to distribute this information.


Intego had a few articles with details:


Flashback Malware: New Variant Changes Twitter Hashtags

May 1, 2012 10:39 PM in response to BDAqua

BDAqua wrote:


You very likely are far more on top of this than I am, but what if this is a new vector?

Obviously, anything is possible, but it's been over a week since I first heard about this. I spent some time this weekend digging into it and everything I see points to yet another screw-up in the Certification system. I also think we would have read something from the commercial A-V folks about it by now if it was new malware.


It's not at all unusual to run across a bad certificate. I probably see a lot more of them than the average user because I tightened up the settings in KeyChain Preferences->Certificates. It's just that what was routinely accepted by users before Flashback "G", I believe, are now being flagged as suspicious.


Again, if this is the one I think it is, I am able to read the text of the Twitter Button JavaScript in my browser without rendering it, but to be on the safe side, issue this Terminal command to download the JavaScript text: curl platform.twitter.com/widgets.js. I'm not fluent in JavaScript so I can't be certain of what it does, but I don't see anything that jumps out at me. I believe this serves to do a couple of things. First, Ghostery considers it to be a tracking script and blocks it out for those who have installed their extension. According to them it appears on 300,000 web sites. But it also inserts a button on the c|net toolbar that floats at the bottom of the page with the Twitter bird followed by "Follow @CNET". Presumably if you click the button and are signed up with Twitter, you will be signed up to follow CNET.


The certificate popup I got was: [screenshot uploaded with the post, not reproduced here]


All that being said, I went to the c|net home page just now and no longer get the certificate pop-up, so perhaps it's been fixed.


If the OP could give us all the URL where he's getting this and if the pop-up looks anything like the above, then maybe we could do more, but right now we all seem to be doing a lot of speculation.
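As an added example (not MadMacs0's command and not part of the thread), the same inspection done from Terminal with OpenSSL rather than by clicking through the browser prompt: `openssl s_client` prints the chain it was handed and the result of verifying it against the local trust store, which is exactly the decision the browser was asking the user to make. `verify_summary` parses the `depth=`, `verify error:` and `Verify return code:` lines that s_client writes (OpenSSL's own output format); the constructed transcripts in the test are not real captures. `check_host` needs network access and defaults to the host from the prompt; the script fetch writes to a file so it is read, not rendered.

```shell
#!/bin/bash
# Added example, not from the thread: inspect the certificate chain a host
# presents and why verification fails, from Terminal instead of a browser prompt.

# verify_summary < `openssl s_client` transcript: print one line per chain
# element (the "depth=N subject" lines), every "verify error:" line, and the
# final "Verify return code:" line. Exit 0 only if that code is "0 (ok)".
verify_summary() {
    local code=1 line prefix="Verify return code: "
    while IFS= read -r line; do
        case $line in
            depth=*)           echo "chain:   $line" ;;
            "verify error:"*)  echo "problem: ${line#verify error:}" ;;
            "$prefix"*)
                echo "result:  $line"
                [ "${line#"$prefix"}" = "0 (ok)" ] && code=0 ;;
        esac
    done
    return $code
}

# check_host [HOST]: connect with SNI, summarize the handshake transcript, and
# save (not run) the widget script the prompt was about.
check_host() {
    local host=${1:-platform.twitter.com}
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>&1 | verify_summary
    # same fetch MadMacs0 did, written to a file so it can be read as text
    curl -sS -o "/tmp/$host-widgets.js" "https://$host/widgets.js" && echo "saved /tmp/$host-widgets.js"
}

# usage: bash cert_check.sh --live [host]   (filename and flag are assumed)
if [ "${1:-}" = --live ]; then check_host "${2:-}"; fi
```

A non-zero verify code with a `num=20` error means the Mac could not build a path from the served chain to a root it trusts, which is the condition that produces a "verify this certificate" prompt; a `0 (ok)` result with the same host means the prompt came from somewhere else (a different host on the page, or a changed chain since).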

May 2, 2012 8:43 AM in response to MadMacs0

MadMacs0 wrote:


Has the problem gone away? If not, what is the URL of the web page where the popup occurs?


This has been showing up sporadically on various sites for a few days, though I haven't seen it in the past 12 hours or so, meaning maybe they got their certificate fixed or something like that. Other questionable certificates show up from time to time; usually I do not click "Continue" but click "Cancel" and things work just fine, since it's usually something to do with an ad.

May 2, 2012 12:23 PM in response to old comm guy

old comm guy wrote:

Other questionable certificates show up from time to time; usually I do not click "Continue" but click "Cancel" and things work just fine, since it's usually something to do with an ad.

That's exactly my experience, except that I normally have ad and track blocking extensions installed for the majority of my browsing, so I don't see those items as much.
