04-05-2012, 11:17 AM

You were too quick for me (or I was too slow)

Was in the process of merging these when you beat me to it.

04-05-2012, 11:20 AM

Quote:

Originally Posted by Razormac

You were too quick for me (or I was too slow)

Was in the process of merging these when you beat me to it.

People don't usually say that I'm too quick before my coffee has managed to work its magic. Haha.

I noticed the following from the F-Secure article:

Quote:

In cases where the user did not input their administrator password, the malware checks if the following path exists in the system:
/Applications/Microsoft Word.app
/Applications/Microsoft Office 2008
/Applications/Microsoft Office 2011
/Applications/Skype.app


If any of these are found, the malware again skips the rest of its routine and proceeds to delete itself, presumably to avoid infecting a system that has an incompatible application installed.

So, if the machine has Microsoft developed software, it deletes itself?

04-05-2012, 11:27 AM

Quote:

Originally Posted by vansmith

People don't usually say that I'm too quick before my coffee has managed to work its magic. Haha.

I noticed the following from the F-Secure article:So, if the machine has Microsoft developed software, it deletes itself?

Interesting . . . what is the next step? If you don't have Microsoft products it uses your credit card info to purchase and install them?

That would REALLY be Malware!!!

04-05-2012, 11:34 AM

I also read that if you use Little Snitch installed it will auto delete itself. Makes sense because it won't be able to run unnoticed if Little Snitch is monitoring.

04-05-2012, 11:36 AM

It would seem that having Office 2011 and Skype on my machine has kept it clean. Yet another benefit of using Office, haha.

The nerd in me is interested to know what it is about Office and Skype that prevents this thing from working. Xcode is also on the list of apps that work to stop it.

Quote:

Originally Posted by Stretch

I also read that if you use Little Snitch installed it will auto delete itself. Makes sense because it won't be able to run unnoticed if Little Snitch is monitoring.

Yep, LS is certainly on that list (and logically so) as are other AV/malware products. Those make sense but the others (Office, Skype and Xcode)...not so much.

04-05-2012, 11:40 AM

'Flashback' trojan estimated to have infected 600K Macs worldwide

Quote:

A trojan horse virus named "Flashback" that surfaced last year is believed to have created a botnet including more than 600,000 infected Macs around the world, with more than half of them in the U.S. alone.

Read more

04-05-2012, 12:24 PM

If you really want to find out if you have been hit is to monitor your outgoing connections to the internet.
Check if there are any processes that are " calling home " .

Use something like LittleSnitch and that will tell you what processes/apps are making an outbound connection. If you see outgoing connections to any of the following , you better be worried.
( I replaced the . by the word DOT )

vxvhwcixcxqxd DOT com
gangstasparadise DOT rr DOT nu.
cuojshtbohnt DOT com
rfffnahfiywyd DOT com

These might change depending on the level of infection and if you already allowed the malware to call home for instructions.

Most important thing is to get your Java up to date and don't just type in your password for no reason.
Only update software via the respective web sites and not via some fancy looking pop-up window.

Cheers ... McBie

04-05-2012, 11:31 PM

mkdir /Applications/ClamXav.app (or whatever)

All good.

04-06-2012, 03:54 AM

How long has this been around for? I got a virus last August, I wonder if it's the same one.

04-06-2012, 04:11 AM

Malware has been around for nearly 9 months .... what we see now is a new variant.
The attack vector changed ... this version exploits a vulnerability in Java.
Vulnerability will be closed by applying the Java update released by Apple a couple of days ago.

Cheers ... McBie

04-06-2012, 04:21 AM

Quote:

Originally Posted by vansmith

It would seem that having Office 2011 and Skype on my machine has kept it clean. Yet another benefit of using Office, haha.

The nerd in me is interested to know what it is about Office and Skype that prevents this thing from working. Xcode is also on the list of apps that work to stop it.

Yep, LS is certainly on that list (and logically so) as are other AV/malware products. Those make sense but the others (Office, Skype and Xcode)...not so much.

Often, the reason for that is that after the malware has installed itself, it would like to stay invisible as long as possible. The functionality of certain apps may get modified/corrupted and thus alerting the user that something is not right ( without knowing what it is ) .... that will eventually expose the presence of malware.

Cheers ... McBie

04-06-2012, 06:26 AM

Phew on 2 counts:

both machines are clean
after 5 years of mac ownership I finally used Terminal - yay

04-06-2012, 07:05 AM

Quote:

Originally Posted by nickyr

after 5 years of mac ownership I finally used Terminal - yay

Exactly mate .... I used terminal yesterday for the first time in 4 years .... never thought I would need it. Now I consider myself a pro with terminal so if anyone has questions ...

Cheers ... McBie

04-06-2012, 09:35 AM

So um, what exactly would be the outcome of being "infected" either by way of inputting the admin password and not? I've read through several articles, and that part is not mentioned. Is the end result one of physical remote take over or just snooping etc etc?

Doug

04-06-2012, 09:38 AM

Also, I only see a reference to Safari with this Trojan. Or does it also pertain to all other browsers?

Doug