.rserv virus?


rez

Member Since: Dec 13, 2011
Location: Nottingham, U.K
Posts: 25
Mac Specs: Late 2009 Macbook 2.26GHZ 4GB RAM 250GB HDD 64GB SSD

Hey guys.

This relates to this apple forum thread. I thought I'd bring it here to see whether anyone at mac-forums had witnessed this happening on their machine yet.

Bit of background, had a Little Snitch alert telling me that ".rserv wants to connect to cuojshtbohnt.com". After having a Windows machine for most of my life I've become half-good at spotting any suspicious behaviour.

This was associated with a random process running, and it was not until I read through the above forum post that I realised I had entered my password into an erroneous Software Update dialog box that had come up on my screen a few days ago. mmm. Not as alert as I thought I was, although I did, to my annoyance now, question the quality of the icon which was present in the erroneous dialog box.

So, I searched for this process and found the unix executable in my Home folder, called .rserv. Weird. I'm glad I had Little Snitch running as to me, this seems like a virus (please see the thread above). I have relatively little knowledge on viruses but I know there have been a few proof of concepts and I know that OS X isn't immune to viruses, is this the real deal?

I'd appreciate anyone who may know what this is, has seen this happen to them, etc.

Cheers,

Ryan
MacsWork

Member Since: May 22, 2005
Location: Closer than you think.
Posts: 2,150
Mac Specs: Performa 6116 2GBSCSI 8MB OS 7.5.3

By definition it is not a virus.

A virus can spread all by itself. This apparently required you to enter a password. Without that the threat cannot deploy a payload. Sounds like Malware, which is just as nasty.
cwa107

Member Since: Dec 20, 2006
Location: Middletown, Pennsylvania
Posts: 26,632
Mac Specs: 15" MBP, Core i7/2GHz, 8GB RAM, 480GB Crucial M500 SSD

Quote: Originally Posted by rez

So, I searched for this process and found the unix executable in my Home folder, called .rserv. Weird. I'm glad I had Little Snitch running as to me, this seems like a virus (please see the thread above). I have relatively little knowledge on viruses but I know there have been a few proof of concepts and I know that OS X isn't immune to viruses, is this the real deal?

I'd appreciate anyone who may know what this is, has seen this happen to them, etc.

Cheers,

Ryan
It sounds like you were baited into downloading and installing a trojan. Unfortunately, this attack vector seems to be becoming more common for the Mac.

These kinds of fake dialogs that closely mimic the real ones can be hard to discern from the real ones as the developers can make them look very similar, and in some cases identical. But in general, I would suggest that you be very skeptical any time you get a prompt for your admin password. Be sure you know exactly why you're getting it and what the source of the prompt is.

Having been infected, I would also encourage you to run a reactive scan with ClamXAV or MacScan (the free trial), just to make sure you're completely clean.

Liquid and computers don't mix. It might seem simple, but we see an incredible amount of people post here about spills. Keep drinks and other liquids away from your expensive electronics!
cwa107

Member Since: Dec 20, 2006
Location: Middletown, Pennsylvania
Posts: 26,632
Mac Specs: 15" MBP, Core i7/2GHz, 8GB RAM, 480GB Crucial M500 SSD

Quote: Originally Posted by MacsWork
By definition it is not a virus.

A virus can spread all by itself. This apparently required you to enter a password. Without that the threat cannot deploy a payload. Sounds like Malware, which is just as nasty.
"Malware" is the general term that defines a category of software designed with malicious intent. So, regardless of whether we're talking about a virus, adware, spyware, trojans, etc., it's all classified as "malware".

rez

Member Since: Dec 13, 2011
Location: Nottingham, U.K
Posts: 25
Mac Specs: Late 2009 Macbook 2.26GHZ 4GB RAM 250GB HDD 64GB SSD

Thank you both for your replies.

MacsWork, that's a valid point! But I think Mac users (at least my circle of friends who own Mac laptops) are taken in by the myth that they are invincible on the web because they are running OS X. I think this approach is making these trojans more dangerous.

Cwa - after reading that forum again I took the steps recommended; it's not the easiest thread to follow, hence why I wanted to see if anyone here had found it, to see if there were any consistencies. I have ClamXAV running, scanning my System and Library folders, and it didn't pick anything up. According to the thread, the threat is due to a Java exploit through Safari (which I had started using again as Chrome couldn't handle the Netflix website). I hadn't downloaded anything from the 31st March through to yesterday.

I think I'm clean. ClamXAV didn't find anything at the time.

Not really sure what to do now. The payload is on my computer as I gave it my password, but I have no idea what or where it is, or even if it is still on here! Paranoid..

Regards,

Ryan
cwa107

Member Since: Dec 20, 2006
Location: Middletown, Pennsylvania
Posts: 26,632
Mac Specs: 15" MBP, Core i7/2GHz, 8GB RAM, 480GB Crucial M500 SSD

Quote: Originally Posted by rez
MacsWork, that's a valid point! But I think Mac users (at least my circle of friends who own Mac laptops) are taken in by the myth that they are invincible on the web because they are running OS X. I think this approach is making these trojans more dangerous.
Absolutely - and part of it is the longtime Mac users who perpetuate the myth by getting caught up in semantics. We, as a community often respond to these kinds of concerns by saying "there are no viruses for Macs". And while this is technically true by the narrow definition of what a virus is, it doesn't do anyone any favors as it tiptoes around the fact that there are plenty of other kinds of malware that does impact the Mac.

I think we need to start focusing on solutions instead of semantics and just accept the fact that the term "virus" is used interchangeably with "malware" or "trojan" in common parlance.


Quote:
Cwa - after reading that forum again I took the steps recommended; it's not the easiest thread to follow, hence why I wanted to see if anyone here had found it, to see if there were any consistencies. I have ClamXAV running, scanning my System and Library folders, and it didn't pick anything up. According to the thread, the threat is due to a Java exploit through Safari (which I had started using again as Chrome couldn't handle the Netflix website). I hadn't downloaded anything from the 31st March through to yesterday.

I think I'm clean. ClamXAV didn't find anything at the time.

Not really sure what to do now. The payload is on my computer as I gave it my password, but I have no idea what or where it is, or even if it is still on here! Paranoid..

Regards,

Ryan
I'm not sure I fully trust ClamXAV, only because it's a multi-platform anti-virus and I think its DATs aren't necessarily designed to scan for Mac-specific malware.

For this purpose, I recommend MacScan. I like it because it's reactive (i.e. it doesn't introduce any resident scanning engines) and they have a free trial - so you can just uninstall it when you're done.

rez

Member Since: Dec 13, 2011
Location: Nottingham, U.K
Posts: 25
Mac Specs: Late 2009 Macbook 2.26GHZ 4GB RAM 250GB HDD 64GB SSD

I will try MacScan now, I'll post the result.

For now, as a preventative measure I have disabled Java in Safari. Really want to get to the bottom of where this originated though, information at the moment is patchy.

Regards,

Ryan
McBie

Member Since: Apr 26, 2008
Location: Belgium
Posts: 2,541
Mac Specs: 2013 MBA 13" - OS X 10.10.1

Just for my understanding ..... did you see any windows pop up lately suggesting to update your Adobe Flash Player?
I know this one is Java related, but looking for the source of the attack vector is not easy.

As a suggestion .... I use Firefox with NoScript to visit web sites I don't trust ... that gives me an indication of how "safe" they are ..... it's not bulletproof, only an indication.

Cheers ... McBie

A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns and tequila.
The problem is not the problem. The problem is your attitude towards the problem. You understand ?
rez

Member Since: Dec 13, 2011
Location: Nottingham, U.K
Posts: 25
Mac Specs: Late 2009 Macbook 2.26GHZ 4GB RAM 250GB HDD 64GB SSD

Quote: Originally Posted by McBie
Just for my understanding ..... did you see any windows pop up lately suggesting to update your Adobe Flash Player?
No, but I have seen others who have mentioned the dubious Flash Player update. I'm sure I would have caught it, as an update doesn't launch like that unless you download it. I think it must be related or at least the same thing along those lines. It's even been likened to the Flashback trojan, yet as others have pointed out, it does not behave in the same way.

Having problems with MacScan as I have my OS on an SSD and the custom scan is unavailable in the Demo...

If anyone else wants to check, for peace of mind, after unhiding files, I found the executable just sat in my Home folder.

Regards,

Ryan
cwa107

Member Since: Dec 20, 2006
Location: Middletown, Pennsylvania
Posts: 26,632
Mac Specs: 15" MBP, Core i7/2GHz, 8GB RAM, 480GB Crucial M500 SSD

Quote: Originally Posted by rez
I will try MacScan now, I'll post the result.

For now, as a preventative measure I have disabled Java in Safari. Really want to get to the bottom of where this originated though, information at the moment is patchy.

Regards,

Ryan
Yeah - I'm actually still reading through the thread on the Apple forums. That thread is ugly.

rez

Member Since: Dec 13, 2011
Location: Nottingham, U.K
Posts: 25
Mac Specs: Late 2009 Macbook 2.26GHZ 4GB RAM 250GB HDD 64GB SSD

If you get to the last post on that thread, it suggests that the trojan will delete itself if it finds the Little Snitch, Xcode or ClamXAV applications, all of which I have. Yet it still tried to connect to the cuojshtbohnt.com address, making me think this is something else.

Interesting, when running the command: launchctl list com.adobe.reader

"Label" = "com.adobe.reader";
"LimitLoadToSessionType" = "Aqua";
"OnDemand" = true;
"LastExitStatus" = 256;
"TimeOut" = 30;
"StandardOutPath" = "/dev/null";
"StandardErrorPath" = "/dev/null";
"ProgramArguments" = (
"/Volumes/Macintosh HD/Users/ryanhall/.rserv";

Enough evidence to suggest it's related to the Flash Player update version? I'm pretty sure I didn't fall for that.

MacScan still in progress.
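The launchctl listing in the post above shows the pattern a defender can check for without any third-party tool: a vendor-style label (com.adobe.reader) whose ProgramArguments point at a hidden dot-file in a user's home folder, with stdout and stderr both discarded to /dev/null. The Python script below is an added example, not code from this thread or from Little Snitch, ClamXAV or MacScan; it parses launchd agent plists (the same keys the listing prints) and flags those three indicators, and it goes a little beyond the single case here by auditing a whole directory such as ~/Library/LaunchAgents. The sample plists are constructed, the /Users/example path is a placeholder rather than the poster's path, and the vendor prefixes and trusted install roots are assumptions chosen for the example.

```python
"""Audit launchd agent property lists for the indicators seen in this thread.

Added example, not code from the thread or from any tool it mentions.
Three indicators are checked for each plist:
  1. a vendor-looking Label (com.adobe.*, com.apple.*, ...) whose program
     lives outside the usual install roots (/Applications, /Library, ...);
  2. a program that is a hidden dot-file or dot-directory inside a home folder;
  3. StandardOutPath and StandardErrorPath both pointing at /dev/null.
"""
import plistlib
import sys
from pathlib import Path, PurePosixPath
from xml.parsers.expat import ExpatError

# Assumed lists for the example: label prefixes that look like vendors, and
# directories where vendor-supplied agents are normally installed.
VENDOR_PREFIXES = ("com.apple.", "com.adobe.", "com.microsoft.", "com.google.")
TRUSTED_ROOTS = ("/Applications/", "/Library/", "/System/", "/usr/")

# Constructed sample mirroring the launchctl output quoted in the thread.
# The user path is a placeholder, not the poster's real path.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.adobe.reader</string>
  <key>LimitLoadToSessionType</key><string>Aqua</string>
  <key>OnDemand</key><true/>
  <key>StandardOutPath</key><string>/dev/null</string>
  <key>StandardErrorPath</key><string>/dev/null</string>
  <key>ProgramArguments</key>
  <array><string>/Volumes/Macintosh HD/Users/example/.rserv</string></array>
</dict></plist>
"""

# Constructed benign agent for comparison: non-vendor label, program inside
# an installed application bundle, log output kept on disk.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>StandardOutPath</key><string>/tmp/updater.log</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string>
         <string>--check</string></array>
</dict></plist>
"""


def normalize_path(path):
    """Strip a leading /Volumes/<volume> so boot-volume paths compare equal to
    their canonical form: /Volumes/Macintosh HD/Users/x -> /Users/x."""
    parts = PurePosixPath(path).parts
    if len(parts) >= 3 and parts[:2] == ("/", "Volumes"):
        return str(PurePosixPath("/", *parts[3:]))
    return str(PurePosixPath(path))


def program_path(plist):
    """Return the executable launchd would run, or None if the plist has none."""
    args = plist.get("ProgramArguments")
    if args:
        return normalize_path(args[0])
    prog = plist.get("Program")
    return normalize_path(prog) if prog else None


def is_hidden_home_file(path):
    """True when the path is under /Users/<name>/ and any component below the
    home directory itself starts with a dot (hidden file or hidden directory)."""
    parts = PurePosixPath(normalize_path(path)).parts
    if len(parts) < 4 or parts[1] != "Users":
        return False
    return any(component.startswith(".") for component in parts[3:])


def audit_agent(plist_bytes):
    """Return a list of human-readable findings for one agent plist (empty if clean)."""
    plist = plistlib.loads(plist_bytes)
    label = plist.get("Label", "")
    prog = program_path(plist)
    if prog is None:
        return ["no Program or ProgramArguments key"]
    findings = []
    if label.startswith(VENDOR_PREFIXES) and not prog.startswith(TRUSTED_ROOTS):
        findings.append(f"vendor-style label {label!r} runs {prog!r} outside vendor install paths")
    if is_hidden_home_file(prog):
        findings.append(f"program is a hidden file in a home folder: {prog!r}")
    if plist.get("StandardOutPath") == "/dev/null" and plist.get("StandardErrorPath") == "/dev/null":
        findings.append("stdout and stderr both discarded to /dev/null")
    return findings


def audit_directory(directory):
    """Audit every *.plist in a directory (e.g. ~/Library/LaunchAgents) and
    return {filename: findings} for the files that have at least one finding."""
    report = {}
    for plist_file in sorted(Path(directory).glob("*.plist")):
        try:
            findings = audit_agent(plist_file.read_bytes())
        except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
            findings = [f"unparseable plist: {exc}"]
        if findings:
            report[plist_file.name] = findings
    return report


if __name__ == "__main__":
    # With a directory argument, audit real agents; otherwise show the samples.
    if len(sys.argv) > 1:
        for name, findings in audit_directory(sys.argv[1]).items():
            print(name)
            for finding in findings:
                print("  -", finding)
    else:
        for name, data in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
            print(name, "->", audit_agent(data) or "no findings")
```

Run it with no arguments to see the constructed samples scored, or point it at a LaunchAgents or LaunchDaemons folder to audit real plists. Any finding is a prompt to look closer, not a verdict: a legitimate agent can discard its output, so the three indicators together are what makes the quoted listing stand out.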
McBie

Member Since: Apr 26, 2008
Location: Belgium
Posts: 2,541
Mac Specs: 2013 MBA 13" - OS X 10.10.1

The reason for asking if it could be related to a Flash Player update is that I am running the latest Flash Player for OS X and when googling and searching the web, I get asked to update Flash several times a day.
I never update stuff when presented with a pop-up, so I didn't bother to study the screen, but I will try to provoke another pop-up and play with Firefox and NoScript a little.
Will also ask the guys at the office to do a bit of digging (if they have time) as I am not that technical.

Cheers ... McBie

MYmacROX

Member Since: Mar 17, 2009
Posts: 3,635
Mac Specs: 2008 15" MBP ML, 2012 21.5" iMac ML

I get the Flash Player update alert occasionally. I always close it, go to Adobe's website and determine for myself if my version is out of date. Small nuisance but worth the precautionary methods. A lot easier than running some dumb AV software that slows my entire machine to a crawl.

16GB iPhone 5, 64GB Wi-Fi only iPad 1st Gen.

Reminder: Please include your Mac's specs. This will make it much easier for the other members to assist you.
rochford

Member Since: Apr 04, 2012
Posts: 2

I've had this happening to me also. I found that Little Snitch was turned off when I checked after getting a request from Software Update to put my password in, which I rejected. Restarted and reset Little Snitch, and began to get requests for .rserv to connect to cuojshtbohnt.com.

Little Snitch gives you the IP address of the contact, which I did a search on here:

IP Address: 91.233.244.102

The location appears to be in the middle of nowhere in Siberia. The blacklist check has it listed on 70 blacklist sites.
rez

Member Since: Dec 13, 2011
Location: Nottingham, U.K
Posts: 25
Mac Specs: Late 2009 Macbook 2.26GHZ 4GB RAM 250GB HDD 64GB SSD

Quote: Originally Posted by rochford
IP Address: 91.233.244.102

The location appears to be in the middle of nowhere in Siberia. The blacklist check has it listed on 70 blacklist sites.
So I'd be safe in assuming that this malware isn't something new then, just a variation of something that has been before, if it's been blacklisted?

I'm worried that it's still on my machine. It's the annoying thing with OS X; at least with Windows you know where you stand (if you know how to look for malware on a machine). Two scans have given me the all clear.

How is this going to be prevented?