04-03-2012, 05:33 AM

Hey guys.

This relates to this apple forum thread. I thought I'd bring it here to see whether anyone at mac-forums had witnessed this happening on their machine yet.

Bit of background, had a Little Snitch alert telling me that : ".rserv wants to connect to cuojshtbohnt.com", after having a windows machine for most of my life I've become half-good at spotting any suspicious behaviour .

This was associated to a random process running, and it was not until I read through the above forum post that I realised I had entered my password into an erroneous Software Update dialog box that had come up on my screen a few days ago. mmm. Not as alert as I thought I was, although I did, to my annoyance now, question the quality of the Icon which was present in the erroneous dialog box.

So, I searched for this process and found the unix executable in my Home folder, called .rserv. Weird. I'm glad I had Little Snitch running as to me, this seems like a virus (please see the thread above). I have relatively little knowledge on viruses but I know there have been a few proof of concepts and I know that OS X isn't immune to viruses, is this the real deal?

I'd appreciate anyone who may know what this is, has seen this happen to them, etc.

Cheers,

Ryan

04-03-2012, 07:18 AM

By definition it is not a virus.

A virus can spread all by itself. This apparently required you to enter a password. Without that the threat cannot deploy a payload. Sounds like Malware, which is just as nasty.

04-03-2012, 08:16 AM

Quote:

Originally Posted by rez

So, I searched for this process and found the unix executable in my Home folder, called .rserv. Weird. I'm glad I had Little Snitch running as to me, this seems like a virus (please see the thread above). I have relatively little knowledge on viruses but I know there have been a few proof of concepts and I know that OS X isn't immune to viruses, is this the real deal?

I'd appreciate anyone who may know what this is, has seen this happen to them, etc.

Cheers,

Ryan

It sounds like you were baited into downloading and installing a trojan. Unfortunately, this attack vector seems to be becoming more common for the Mac.

These kinds of fake dialogs that closely mimic the real ones can be hard to discern from the real ones as the developers can make them look very similar, and in some cases identical. But in general, I would suggest that you be very skeptical any time you get a prompt for your admin password. Be sure you know exactly why you're getting it and what the source of the prompt is.

Having been infected, I would also encourage you to run a reactive scan with ClamXAV or MacScan (the free trial), just to make sure you're completely clean.

04-03-2012, 08:23 AM

Quote:

Originally Posted by MacsWork

By definition it is not a virus.

A virus can spread all by itself. This apparently required you to enter a password. Without that the threat cannot deploy a payload. Sounds like Malware, which is just as nasty.

"Malware" is the general term that defines a category or software designed with a malicious intent. So, regardless of whether we're talking about a virus, adware, spyware, trojans, etc, it's all classified as "malware".

04-03-2012, 08:29 AM

Thank you both for your replies.

Macsworth, that's a valid point! But I think Mac users (at least my circle of friends who own Mac laptops) are taken under by the myth they are invincible on the web because they are running OSX. I think this approach is making these trojans more dangerous.

Cwa - after reading that forum again I took the steps recommended; its not the easiest thread to follow hence why I wanted to see if anyone here had found it, to see if there were any consistencies. I have Clamxav running, scanning my System and Library folders and it didn't pick anything up. According to the thread, the threat is due to a Java exploitation through Safari (which I had started using again as Chrome couldn't handle netflix website). I hadn't downloaded anything since the 31st march through to yesterday.

I think Im clean. Clamxav didn't find anything at the time.

Not really sure what to do now. The payload is on my computer as I gave it my password, but I have no idea what or where it is, or even if it is still on here! Paranoid..

Regards,

Ryan

04-03-2012, 08:36 AM

Quote:

Originally Posted by rez

Macsworth, that's a valid point! But I think Mac users (at least my circle of friends who own Mac laptops) are taken under by the myth they are invincible on the web because they are running OSX. I think this approach is making these trojans more dangerous.

Absolutely - and part of it is the longtime Mac users who perpetuate the myth by getting caught up in semantics. We, as a community often respond to these kinds of concerns by saying "there are no viruses for Macs". And while this is technically true by the narrow definition of what a virus is, it doesn't do anyone any favors as it tiptoes around the fact that there are plenty of other kinds of malware that does impact the Mac.

I think we need to start focusing on solutions instead of semantics and just accept the fact that the term "virus" is used interchangeably with "malware" or "trojan" in common parlance.

Quote:

Cwa - after reading that forum again I took the steps recommended; its not the easiest thread to follow hence why I wanted to see if anyone here had found it, to see if there were any consistencies. I have Clamxav running, scanning my System and Library folders and it didn't pick anything up. According to the thread, the threat is due to a Java exploitation through Safari (which I had started using again as Chrome couldn't handle netflix website). I hadn't downloaded anything since the 31st march through to yesterday.

I think Im clean. Clamxav didn't find anything at the time.

Not really sure what to do now. The payload is on my computer as I gave it my password, but I have no idea what or where it is, or even if it is still on here! Paranoid..

Regards,

Ryan

I'm not sure I fully trust ClamXAV, only because it's a multi-platform anti-virus and I think its DATs aren't necessarily designed to scan for Mac-specific malware.

For this purpose, I recommend MacScan. I like it because it's reactive (i.e. it doesn't introduce any resident scanning engines) and they have a free trial - so you can just uninstall it when you're done.

04-03-2012, 08:41 AM

I will try MacScan now, I'll post the result.

For now, as a preventative measure I have disabled Java in Safari. Really want to get to the bottom of where this originated though, information at the moment is patchy.

Regards,

Ryan

04-03-2012, 08:57 AM

Just for my understanding ..... did you see any windows pop up lately suggesting to update your adobe flash player ?
I know this one is Java related, but looking for the source of the attack vector is not easy.

As a suggestion .... I use FireFox with NoScript to visit web sites I don't trust ... that gives me an indication of how " safe " they are..... it's not bulletproof, only an indication.

Cheers ... McBie

04-03-2012, 09:04 AM

Quote:

Originally Posted by McBie

Just for my understanding ..... did you see any windows pop up lately suggesting to update your adobe flash player ?

No, but I have seen but others who have mentioned the dubious Flash Player update. I'm sure I would have caught it as an update doesn't launch like that unless you download it. I think it must be related or at least the same thing along those lines. It's even been likened to the Flashback trojan, yet as others have pointed out, does not behave in the same way.

Having problems with MacScan as I have my OS on an SSD and the custom scan is unavailable in the Demo...

If anyone else wants to check, for peace of mind, after unhiding files, I found the executable just sat in my Home folder.

Regards,

Ryan

04-03-2012, 09:21 AM

Quote:

Originally Posted by rez

I will try MacScan now, I'll post the result.

For now, as a preventative measure I have disabled Java in Safari. Really want to get to the bottom of where this originated though, information at the moment is patchy.

Regards,

Ryan

Yeah - I'm actually still reading through the thread on the Apple forums. That thread is ugly.

04-03-2012, 09:44 AM

If you get to the last post on that Thread, it suggests that the trojan will delete itself, if it finds Little Snitch, Xcode or Clamxav applications, all of which I have. Yet it still tried to connect to the cuojshtbohnt.com address, making me think this is something else.

Interesting, when running the command: launchctl list com.adobe.reader

"Label" = "com.adobe.reader";
"LimitLoadToSessionType" = "Aqua";
"OnDemand" = true;
"LastExitStatus" = 256;
"TimeOut" = 30;
"StandardOutPath" = "/dev/null";
"StandardErrorPath" = "/dev/null";
"ProgramArguments" = (
"/Volumes/Macintosh HD/Users/ryanhall/.rserv";

Enough evidence to suggest its related to flash player update version? I'm pretty sure I didn't fall for that.

MacScan still in progress.

04-03-2012, 09:56 AM

The reason for asking if it could be related to a flash player update is that I am running the latest flash player for OS X and when googling and searching the web, I get asked to update flash several times a day.
I never update stuff when presented with a pop up, so I didn't bother to study the screen, but I will try to provoke another pop up and play with Firefox and Noscript a little.
Will also ask the guys at the office to do a bit of digging ( if they have time ) as I am not that technical.

Cheers ... McBie

04-03-2012, 12:58 PM

I get the Flash Player update alert occasionally. I always close it, go to Adobe's website and determine for myself if my version is out of date. Small nuisance but worth the precautionary methods. A lot easier than running some dumb AV software that slows my entire machine to a crawl.

04-04-2012, 03:06 AM

I've had this happening to me also. I found that Little Snitch was turned off when I checked after getting a request from Software Update to put my password in, which I rejected. Restarted and reset Little Snitch, and began to get requests for .rserv to connect to cuojshtbohnt.com.

Little Snitch gives you the IP address of the contact, which I did a search on here:

IP Address: 91.233.244.102

The location appears to be in the middle of nowhere in Siberia. The blacklist check has it listed on 70 blacklist sites.

04-04-2012, 03:20 AM

Quote:

Originally Posted by rochford

IP Address: 91.233.244.102[/url]

The location appears to be in the middle of nowhere in Siberia. The blacklist check has it listed on 70 blacklist sites.

So I'd be safe in assuming that this malware isn't something new then, just a variation of something that has been before, if it's been blacklisted?

I'm worried that it's still on my machine. It's the annoying thing with OS X, at least with windows you know where you stand ( if you know how to look for malware on a machine). Two scans have given me the all clear.

How is this going to be prevented?