Mac-Forums: Apple Rumors and Reports

Flashback trojan reportedly controls half a million Macs and counting


RavingMac
Member Since: Jan 07, 2008
Location: In Denial
Posts: 7,613
Mac Specs: 4GB Mac Mini 2012, 13" MBA, 15" MacBook Pro OSX 10.7, 32 GB iPhone 3GS, iPad2 64gb 3G

You were too quick for me (or I was too slow)

Was in the process of merging these when you beat me to it.

I've always wanted to be smart, handsome and modest. But, I guess I'll have to be satisfied with two out of three . . .
vansmith
Member Since: Oct 19, 2008
Location: Toronto
Posts: 17,817
Mac Specs: 2012 13" MBP (2.5 i5, 8GB)

Quote:
Originally Posted by Razormac
You were too quick for me (or I was too slow)

Was in the process of merging these when you beat me to it.
People don't usually say that I'm too quick before my coffee has managed to work its magic. Haha.

I noticed the following from the F-Secure article:
Quote:
In cases where the user did not input their administrator password, the malware checks if the following path exists in the system:
/Applications/Microsoft Word.app
/Applications/Microsoft Office 2008
/Applications/Microsoft Office 2011
/Applications/Skype.app


If any of these are found, the malware again skips the rest of its routine and proceeds to delete itself, presumably to avoid infecting a system that has an incompatible application installed.
So, if the machine has Microsoft developed software, it deletes itself?

Important Links: Community Guidelines : Use the reputation system if you've been helped.
M-F Blog :: Write for the blog
Writing a Quality Post
RavingMac
Member Since: Jan 07, 2008
Location: In Denial
Posts: 7,613
Mac Specs: 4GB Mac Mini 2012, 13" MBA, 15" MacBook Pro OSX 10.7, 32 GB iPhone 3GS, iPad2 64gb 3G

Quote:
Originally Posted by vansmith
People don't usually say that I'm too quick before my coffee has managed to work its magic. Haha.

I noticed the following from the F-Secure article:
So, if the machine has Microsoft developed software, it deletes itself?
Interesting . . . what is the next step? If you don't have Microsoft products it uses your credit card info to purchase and install them?

That would REALLY be Malware!!!

I've always wanted to be smart, handsome and modest. But, I guess I'll have to be satisfied with two out of three . . .
Stretch
Member Since: Jan 13, 2007
Location: Central New York
Posts: 4,779
Mac Specs: 15in i7 MacBook Pro, 8GB RAM, 120GB SSD, 500GB HD

I also read that if you have Little Snitch installed it will auto-delete itself. Makes sense because it won't be able to run unnoticed if Little Snitch is monitoring.

Blog and Photo Gallery: http://philolin.me/

Currently running OS X 10.10
vansmith
Member Since: Oct 19, 2008
Location: Toronto
Posts: 17,817
Mac Specs: 2012 13" MBP (2.5 i5, 8GB)

It would seem that having Office 2011 and Skype on my machine has kept it clean. Yet another benefit of using Office, haha.

The nerd in me is interested to know what it is about Office and Skype that prevents this thing from working. Xcode is also on the list of apps that work to stop it.

Quote:
Originally Posted by Stretch
I also read that if you have Little Snitch installed it will auto-delete itself. Makes sense because it won't be able to run unnoticed if Little Snitch is monitoring.
Yep, LS is certainly on that list (and logically so) as are other AV/malware products. Those make sense but the others (Office, Skype and Xcode)...not so much.

Important Links: Community Guidelines : Use the reputation system if you've been helped.
M-F Blog :: Write for the blog
Writing a Quality Post
OneMoreThing...
Member Since: Mar 30, 2005
Posts: 2,560

'Flashback' trojan estimated to have infected 600K Macs worldwide

Quote:
A trojan horse virus named "Flashback" that surfaced last year is believed to have created a botnet including more than 600,000 infected Macs around the world, with more than half of them in the U.S. alone.


Read more

Mac-Forums: On Twitter | On Facebook | On Flickr
McBie
Member Since: Apr 26, 2008
Location: Belgium
Posts: 2,290
Mac Specs: 2013 MBA 13" - 10.9.3 & iPad - iOS 5.1

If you really want to find out if you have been hit, monitor your outgoing connections to the internet.
Check if there are any processes that are "calling home".

Use something like LittleSnitch and that will tell you what processes/apps are making an outbound connection. If you see outgoing connections to any of the following, you better be worried.
(I replaced the . with the word DOT)

vxvhwcixcxqxd DOT com
gangstasparadise DOT rr DOT nu
cuojshtbohnt DOT com
rfffnahfiywyd DOT com

These might change depending on the level of infection and if you already allowed the malware to call home for instructions.

Most important thing is to get your Java up to date and don't just type in your password for no reason.
Only update software via the respective web sites and not via some fancy looking pop-up window.

Cheers ... McBie

A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns and tequila.
The problem is not the problem. The problem is your attitude towards the problem. You understand ?
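The check McBie describes, as an added example that is not code from the thread or from any of the posters: a POSIX shell script that scans outbound-connection log lines for the four domains listed in his post (DOT expanded back to a dot). The log layout it reads (timestamp, process, destination host, one per line) and every line in SAMPLE_LOG are constructed for the demo, not real captures; the function names are my own. Matching is anchored at a label boundary, so a look-alike name that merely contains an indicator is not flagged, and it is case-insensitive so a mixed-case or trailing-dot FQDN form still matches.

```shell
#!/bin/sh
# Added example, not code from the thread: scan outbound-connection log lines for the
# four "call home" domains McBie listed (DOT expanded back to a dot). The log format
# below (timestamp, process, destination host) and every line in SAMPLE_LOG are
# constructed for this demo; they are not captures from a real infection.

FLASHBACK_DOMAINS="vxvhwcixcxqxd.com
gangstasparadise.rr.nu
cuojshtbohnt.com
rfffnahfiywyd.com"

# Constructed sample log. Line 5 is a deliberate near miss (the indicator is only a
# suffix of a longer label) and line 6 is a subdomain of an indicator.
SAMPLE_LOG='2012-04-05T10:01:02 Safari www.apple.com
2012-04-05T10:01:05 java vxvhwcixcxqxd.com
2012-04-05T10:02:11 Mail imap.example.net
2012-04-05T10:03:40 java GANGSTASPARADISE.rr.nu.
2012-04-05T10:04:01 curl notcuojshtbohnt.com
2012-04-05T10:05:17 java cdn.rfffnahfiywyd.com'

# is_flashback_host HOST -> status 0 if HOST equals, or is a subdomain of, an indicator.
# Lower-cases the host and drops a trailing dot so FQDN and mixed-case forms still match;
# the case patterns are anchored so "notcuojshtbohnt.com" is not a hit.
is_flashback_host() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    for d in $FLASHBACK_DOMAINS; do
        case "$host" in
            "$d"|*."$d") return 0 ;;
        esac
    done
    return 1
}

# flag_connections reads log lines on stdin and prints "process host" for each hit.
# The timestamp field is read but not used; "rest" absorbs any trailing columns.
flag_connections() {
    while read -r ts proc host rest; do
        if [ -n "$host" ] && is_flashback_host "$host"; then
            printf '%s %s\n' "$proc" "$host"
        fi
    done
}

# count_hits -> number of flagged lines in the constructed sample (3).
count_hits() {
    printf '%s\n' "$SAMPLE_LOG" | flag_connections | wc -l | tr -d ' '
}

# Usage: printf '%s\n' "$SAMPLE_LOG" | flag_connections
```

Feed it a host list exported from Little Snitch (or any per-process connection log in the same three-column shape) instead of SAMPLE_LOG. McBie's caveat carries over: the domains may differ by variant and by how far the infection has progressed, so an empty result is evidence, not proof, that nothing is calling home.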
XJ-linux
Member Since: Jul 02, 2007
Location: Going Galt...
Posts: 3,353
Mac Specs: MacBookAir5,2:10.9.4-MacMini3,1:10.9.4-iPhone6,1:7.1.2

mkdir /Applications/ClamXav.app (or whatever)

All good.

"Those who don't understand Unix are condemned to reinvent it, poorly." Henry Spencer
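The skip condition quoted from the F-Secure article earlier in the thread, and the decoy directory XJ-linux creates to trigger it, as an added shell example (not code from the thread, from F-Secure or from any poster): it reports which of the four listed paths exist under a root directory, so you can tell whether a given Mac falls into the "malware deletes itself" case. The paths are the ones quoted above; the ROOT parameter and the function names are my own, and ROOT exists only so the check can be rehearsed in a scratch directory. A decoy only helps while a variant keeps this check, which the thread itself notes changes from version to version.

```shell
#!/bin/sh
# Added example, not code from the thread: list which of the application paths that
# F-Secure says Flashback checks before giving up (quoted earlier in this thread)
# exist under a root directory. The write-up says the malware deletes itself when any
# of them exists, which is the effect XJ-linux's "mkdir" decoy relies on. ROOT is
# empty by default, so the paths are checked on the live system; pass a scratch
# directory to rehearse without touching /Applications.

FLASHBACK_SKIP_PATHS='/Applications/Microsoft Word.app
/Applications/Microsoft Office 2008
/Applications/Microsoft Office 2011
/Applications/Skype.app'

# flashback_skip_paths_present [ROOT] -> prints each listed path that exists under ROOT.
# The paths contain spaces, so they are read one per line rather than word-split.
flashback_skip_paths_present() {
    root=${1:-}
    printf '%s\n' "$FLASHBACK_SKIP_PATHS" | while IFS= read -r p; do
        if [ -e "$root$p" ]; then
            printf '%s\n' "$p"
        fi
    done
    return 0
}

# would_be_skipped [ROOT] -> status 0 if at least one path exists, i.e. according to
# the quoted write-up this variant would abort its install on that machine.
would_be_skipped() {
    [ -n "$(flashback_skip_paths_present "$1")" ]
}

# Usage on the live system:
#   flashback_skip_paths_present
#   would_be_skipped && echo "at least one skip path present"
```

Run it with no argument on the machine in question; an empty listing means none of the quoted paths are there and the decoy trick from the post is the only thing standing between that machine and the install routine (on this variant). The point of the ROOT parameter is that you can create the paths in a temporary directory and confirm the logic before trusting it.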
aoifeee
Member Since: Aug 05, 2011
Posts: 118

How long has this been around for? I got a virus last August, I wonder if it's the same one.
McBie
Member Since: Apr 26, 2008
Location: Belgium
Posts: 2,290
Mac Specs: 2013 MBA 13" - 10.9.3 & iPad - iOS 5.1

Malware has been around for nearly 9 months .... what we see now is a new variant.
The attack vector changed ... this version exploits a vulnerability in Java.
Vulnerability will be closed by applying the Java update released by Apple a couple of days ago.

Cheers ... McBie

A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns and tequila.
The problem is not the problem. The problem is your attitude towards the problem. You understand ?
McBie
Member Since: Apr 26, 2008
Location: Belgium
Posts: 2,290
Mac Specs: 2013 MBA 13" - 10.9.3 & iPad - iOS 5.1

Quote:
Originally Posted by vansmith
It would seem that having Office 2011 and Skype on my machine has kept it clean. Yet another benefit of using Office, haha.

The nerd in me is interested to know what it is about Office and Skype that prevents this thing from working. Xcode is also on the list of apps that work to stop it.

Yep, LS is certainly on that list (and logically so) as are other AV/malware products. Those make sense but the others (Office, Skype and Xcode)...not so much.
Often, the reason for that is that after the malware has installed itself, it would like to stay invisible as long as possible. The functionality of certain apps may get modified/corrupted and thus alert the user that something is not right (without knowing what it is) .... that will eventually expose the presence of malware.

Cheers ... McBie

A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns and tequila.
The problem is not the problem. The problem is your attitude towards the problem. You understand ?
nickyr
Member Since: Nov 01, 2007
Location: Swansea - South Wales
Posts: 449
Mac Specs: late 2012 IMac 27", mid 2010 Macbook, OSX 10.9.4, iPhone 5, iPad 3, iOS 8, Apple TV 3, iPod Classic

Phew on 2 counts:

both machines are clean
after 5 years of mac ownership I finally used Terminal - yay

what have the Romans ever done for us?

McBie
Member Since: Apr 26, 2008
Location: Belgium
Posts: 2,290
Mac Specs: 2013 MBA 13" - 10.9.3 & iPad - iOS 5.1

Quote:
Originally Posted by nickyr

after 5 years of mac ownership I finally used Terminal - yay
Exactly mate .... I used terminal yesterday for the first time in 4 years .... never thought I would need it. Now I consider myself a pro with terminal so if anyone has questions ...

Cheers ... McBie

A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns and tequila.
The problem is not the problem. The problem is your attitude towards the problem. You understand ?
Doug b
Member Since: Jun 22, 2008
Location: Forest Hills, NYC
Posts: 3,344
Mac Specs: 15-inch Early 2008; Processor 2.4 GHz Intel Core 2 Duo; Memory 4 GB 667 MHz DDR2 SDRAM; 10.7.5

So um, what exactly would be the outcome of being "infected", either by way of inputting the admin password or not? I've read through several articles, and that part is not mentioned. Is the end result one of physical remote takeover or just snooping etc etc?

Doug
Doug b
Member Since: Jun 22, 2008
Location: Forest Hills, NYC
Posts: 3,344
Mac Specs: 15-inch Early 2008; Processor 2.4 GHz Intel Core 2 Duo; Memory 4 GB 667 MHz DDR2 SDRAM; 10.7.5

Also, I only see a reference to Safari with this Trojan. Or does it also pertain to all other browsers?

Doug
Powered by vBulletin
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.