I have a trojan on my mac. The trojan downloads illegal content until my hard drive is full. How do I remove the trojan?

"That's the PID file. All it would contain is a process number."

Yes, we've been discussing it off-line with a colleague, but it's the next logical step to try and identify the parent process that's using the script. Problem is that I sense that it's shut down due to the HD being full or user activity.

The only other approach I can think of at this point would be to check the date the "update" file was created and see if the installer log for that date would tell us what else was installed and the name of the installer package file.

the next logical step to try and identify the parent process that's using the script.

We know what the parent process is: cron. The role of the PID file is to serialize execution. The payload is in "bash," or in something called by it.

Linc Davis wrote:

We know what the parent process is: cron.

You knew and I guessed that's what "*/5 * * * * /Library/Updates/update" meant, so thanks for confirming it.

Topher Kessler wrote:

...but if you want to limit your uses to the Mac App Store, then go ahead and install iAntivirus from the store, which has a couple of decent drawbacks over Sophos and others, primarily because Apple's policies for apps in the store limit their abilies, not only in keeping updated in a timely manner but also in the scope of what they can do for the user.

Since Apple does strictly limit the capabilities of apps downloaded from the Mac App Store, users needing more powerful, full-featured apps are often advised to download them only from "well-known" or "trusted" developers.

That's fine, but in practice it often isn't easy to determine if a developer is very well-known or trustworthy, or even if the download has arrived intact & free of any malicious tampering.

To help with that, Apple developed GateKeeper, a new feature of 10.7.5 & Mountain Lion. That gives users several options, one of which is to allow applications downloaded from both MAS & "identified developers" to open & run. (This is the default setting in Mountain Lion.)

It isn't foolproof -- "identified developers" are basically just those that have obtained an Apple developer ID -- but supporting Gatekeeper is a pretty good indication that the developer is legitimate, & maybe just as importantly that the developer is actively maintaining the app to keep it compatible with the latest versions of OS X. Another benefit is that Gatekeeper detects tampering in developer ID-signed apps.

BTW, in case anyone is wondering, Sophos supports Gatekeeper. The company has also released an updated version of its Mac app specifically for Mountain Lion, so if you decide to install it, make sure you download the right version for the OS you are running.

'bash' has been known to be used as the name for an EnergyMech app.

BitDefender is giving me a malware warning on that page, so apparently the site is blacklisted.

Thanks, quite interesting read! 🙂

I haven't heard anything back from contacts at several anti-virus companies yet, though of course it was the weekend. So I'm no wiser as to whether this is actually malware or is just something weird being done by legit software.

According to Linc, the "payload" is in the file named "bash." If you could, go to the /Library/Updates folder and look for that file. Assuming you find it there, please upload it to VirusTotal. Then post a link to the analysis page that you are directed to.

Do you have any idea how it was installed?

Please post the output of this shell command:

{ ls -ARn /L*/Up*; echo; syslog -k Message CSeq Translation -o -k Sender bash; } | open -f -a TextEdit

It looks like the malware was installed on August 4, if that helps you. Time permitting, please post the output of this:

cd /L*/Up*; strings -8 .sy[as]tem bash l | open -f -a TextEdit

Also, is the Java web plugin installed, and if so, for which websites is it enabled in the Security tab of Safari's preference dialog?