-
Feb 8, 2014 6:56 AM in response to Krirkfah, by thomas_r.:
Okay, things are definitely not looking good. You have a hidden folder in your home folder containing a suspicious app. It's the executable portion of that app that was identified as malicious. I wish I knew where it came from or how it got there!
Unfortunately, this malware is known to be able to download and install other components, such as a keylogger. Further, this is a newer variant than the one that I'm familiar with, so it very well may include some kind of backdoor that allows the hackers behind it to make custom modifications to your machine remotely. At this point, I truly wouldn't recommend anything less than erasing the hard drive completely and reinstalling everything from scratch:
How to reinstall Mac OS X from scratch
It is always possible that this is a false positive. I would think this is unlikely, since the app in question is inside an invisible folder named ".Install" - this is a very common malware trick. I personally would not take the risk.
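The indicator thomas_r. describes (an app bundle or executable sitting inside a dot-prefixed, invisible folder such as ".Install" in the home folder) can be checked for with a short scan. This Python is an added example, not code from the thread or from Dr.Web or XProtect; the directory layout, the bundle name "Updater.app" and the benign decoys are constructed for the demo.

```python
import os
import stat
import tempfile


def find_hidden_executables(root):
    """Return .app bundles and executable regular files that live inside a
    hidden (dot-prefixed) directory anywhere below root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        parts = [] if rel == "." else rel.split(os.sep)
        in_hidden = any(p.startswith(".") for p in parts)
        # An .app bundle inside a hidden directory is reported as a whole
        # and not descended into, so its binary is not double-counted.
        for d in list(dirnames):
            if in_hidden and d.endswith(".app"):
                findings.append(os.path.join(dirpath, d))
                dirnames.remove(d)
        if not in_hidden:
            continue
        for f in filenames:
            path = os.path.join(dirpath, f)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            # Regular file with any execute bit set (symlinks are skipped).
            if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                findings.append(path)
    return sorted(findings)


def build_demo():
    """Constructed sample home folder: one hidden '.Install' folder holding an
    app bundle (the pattern from the thread), plus two benign decoys."""
    root = tempfile.mkdtemp()
    macos = os.path.join(root, ".Install", "Updater.app", "Contents", "MacOS")
    os.makedirs(macos)
    bad = os.path.join(macos, "Updater")
    with open(bad, "w") as fh:
        fh.write("#!/bin/sh\n")  # placeholder stand-in for a Mach-O binary
    os.chmod(bad, 0o755)
    os.makedirs(os.path.join(root, "bin"))  # visible folder: executables are fine here
    ok = os.path.join(root, "bin", "tool")
    open(ok, "w").close()
    os.chmod(ok, 0o755)
    os.makedirs(os.path.join(root, ".config"))  # hidden, but only non-executable data
    open(os.path.join(root, ".config", "settings"), "w").close()
    return root


if __name__ == "__main__":
    for hit in find_hidden_executables(build_demo()):
        print("suspicious:", hit)
```

On a real home folder, expect benign hits from dot-directories such as package manager caches, so review the output rather than treating every hit as malware.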
-
Feb 10, 2014 3:42 AM in response to Krirkfah, by lytic:
Hi, I am a malware analyst at Dr.Web. Full disk is our innovative cure method: "fill the disk and the malware stops working!" Just joking. Sorry, but the problem with the full disk is probably our fault. Anyway, you should ask the developers on the forum: http://forum.drweb.com/index.php?showforum=51
-
Feb 10, 2014 5:25 AM in response to lytic, by thomas_r.:
"Hi, I am a malware analyst at Dr.Web."
Can you provide any additional comments regarding the malware? I'm not familiar with this variant of Wirenet, so I don't know how it got installed or whether it actually contains a backdoor that would allow for additional installs or system modifications.
-
Feb 11, 2014 9:41 AM in response to thomas_r., by lytic:
There is a similar file on torrents, "MS Office 2011 Volume license.rar", size about 107KB.
-
Feb 13, 2014 1:03 AM in response to thomas_r., by Krirkfah:
Thank you for your comments. I fixed it by shutting down my Mac. After I had turned it on again, the "Other" space was recovered. When I scanned for malware with Dr.Web, it didn't find any malware and my Mac is normal. Consequently, I think OS X Mavericks lagged in reading the space.
-
Feb 15, 2014 1:25 AM in response to Linc Davis, by nikdgr:
I was recently reviewing your comments. I was told my MacBook Pro was compromised by a colleague, using brute force to enter a backdoor allowing rootkit access and administration rights. I believe if I use the Time Machine backup files I will end up having these rights reinstated when uploading the backup.
But first, I would like your opinion concerning the following information collected, and what course of action I should proceed with for removing and securing, in the event there is substantial information in the MacBook Pro log following my comments.
Thank you for any support
Boot Mode: Normal
USB
Hub (SMSC)
Hub (SMSC)
System diagnostics
Preview 2014-01-28-003447 hang
SecurityAgent 2014-01-30-141803 crash
SecurityAgent 2014-01-30-141811 crash
SecurityAgent 2014-01-30-141949 crash
SecurityAgent 2014-01-30-142226 crash
SecurityAgent 2014-01-30-142411 crash
SecurityAgent 2014-01-30-142519 crash
User diagnostics
cider 2014-01-26-234202 crash
Extrinsic system jobs
com.microsoft.office.licensing.helper
launchd items
/Library/LaunchDaemons/com.microsoft.office.licensing.helper.plist
(com.microsoft.office.licensing.helper)
Library/LaunchAgents/com.apple.FolderActions.enabled.plist
(com.apple.FolderActions.enabled)
Library/LaunchAgents/com.apple.FolderActions.folders.plist
(com.apple.FolderActions.folders)
Extrinsic loadable bundles
/System/Library/Extensions/HuaweiDataCardDriver.kext
(com.huawei.driver.HuaweiDataCardDriver)
/Library/Internet Plug-Ins/Flash Player.plugin
(com.macromedia.Flash Player.plugin)
/Library/Internet Plug-Ins/SharePointBrowserPlugin.plugin
(com.microsoft.sharepoint.browserplugin)
/Library/Internet Plug-Ins/SharePointWebKitPlugin.webplugin
(com.microsoft.sharepoint.webkitplugin)
/Library/PreferencePanes/Flash Player.prefPane
(com.adobe.flashplayerpreferences)
/Library/Spotlight/LogicPro.mdimporter
(No bundle ID)
Unsigned shared libraries
/usr/lib/bkLib.dylib
/usr/lib/lib6200Lib.dylib
/usr/lib/lib6246Lib.dylib
/usr/lib/lib6270Lib.dylib
/usr/lib/lib7225lib.dylib
/usr/lib/lib8200Alib.dylib
/usr/lib/lib8200lib.dylib
/usr/lib/lib8220lib.dylib
/usr/lib/libAgent.dylib
/usr/lib/libcurl.zte.dylib
/usr/lib/libIceraDownloadLib.dylib
/usr/lib/libmd5.dylib
/usr/lib/libTinyXml.dylib
Restricted user files: 317
Font problems: 40
Elapsed time (s): 213
-
Feb 15, 2014 2:47 AM in response to nikdgr, by MadMacs0:
nikdgr wrote:
"I was told my MacBook Pro was compromised by a colleague, using brute force to enter a backdoor allowing rootkit access and administration rights."
Linc will probably be along shortly (although he doesn't always respond to "me too" requests), but I for one would like to know a lot more about how this was accomplished.
By brute force do you mean someone had physical access to your computer and installed this backdoor? That's normally the only way that sort of thing can happen unless your software is way out-of-date or something new is lurking about. And I'm assuming you meant "root" access, since rootkits are malware attacks. It would be helpful if your colleague could provide specific details on how this was accomplished and any malware found on your computer.
It also sounds like a law or two was broken here and you should be contacting appropriate authorities to both find the perpetrator and determine what information has been compromised, before you attempt anything such as restoration from backup.
-
Feb 15, 2014 4:09 AM in response to nikdgr, by thomas_r.:
"I was told my MacBook Pro was compromised by a colleague"
I would strongly recommend you start your own topic, since it's very unlikely that the Wirenet malware is involved in your case.
One thing I will say here, though, is that if a colleague has had physical access to your machine, and if you have good reason to believe that this colleague has done something malicious to your computer, there is only one reasonable solution: erase the hard drive and reinstall everything from scratch. There is no reliable method for detecting and removing whatever your colleague might have done, especially since it may not have involved any kind of malware at all, but just reconfiguration of built-in system components or already installed third-party software.
-
Mar 29, 2014 6:54 AM in response to Krirkfah, by thomas_r.:
I don't know how, or if, you resolved this situation, but I just thought you deserved to know that you should be protected from this malware in the future. Apple updated XProtect yesterday, and now it blocks the samples of Wirenet.2 that I submitted to them on Thursday.