
Thread: .rserv virus?

  1. #1 (rez)
    Member Since: Dec 13, 2011
    Location: Nottingham, U.K
    Posts: 25
    Specs: Late 2009 Macbook 2.26GHZ 4GB RAM 250GB HDD 64GB SSD
    .rserv virus?
    Hey guys.

    This relates to this apple forum thread. I thought I'd bring it here to see whether anyone at mac-forums had witnessed this happening on their machine yet.

    Bit of background: had a Little Snitch alert telling me that: ".rserv wants to connect to cuojshtbohnt.com". After having a Windows machine for most of my life, I've become half-good at spotting any suspicious behaviour.

    This was associated with a random process running, and it was not until I read through the above forum post that I realised I had entered my password into an erroneous Software Update dialog box that had come up on my screen a few days ago. mmm. Not as alert as I thought I was, although I did, to my annoyance now, question the quality of the icon which was present in the erroneous dialog box.

    So, I searched for this process and found the unix executable in my Home folder, called .rserv. Weird. I'm glad I had Little Snitch running as to me, this seems like a virus (please see the thread above). I have relatively little knowledge on viruses but I know there have been a few proof of concepts and I know that OS X isn't immune to viruses, is this the real deal?

    I'd appreciate anyone who may know what this is, has seen this happen to them, etc.

    Cheers,

    Ryan

  2. #2 (MacsWork)
    Member Since: May 22, 2005
    Location: Closer than you think.
    Posts: 2,159
    Specs: Performa 6116 2GBSCSI 8MB OS 7.5.3
    By definition it is not a virus.

    A virus can spread all by itself. This apparently required you to enter a password. Without that the threat cannot deploy a payload. Sounds like Malware, which is just as nasty.

  3. #3 (cwa107)
    Member Since: Dec 20, 2006
    Location: Lake Mary, Florida
    Posts: 26,758
    Specs: 15" MBP, Core i7/2GHz, 8GB RAM, 480GB Crucial M500 SSD
    Quote Originally Posted by rez:

    So, I searched for this process and found the unix executable in my Home folder, called .rserv. Weird. I'm glad I had Little Snitch running as to me, this seems like a virus (please see the thread above). I have relatively little knowledge on viruses but I know there have been a few proof of concepts and I know that OS X isn't immune to viruses, is this the real deal?

    I'd appreciate anyone who may know what this is, has seen this happen to them, etc.

    Cheers,

    Ryan
    It sounds like you were baited into downloading and installing a trojan. Unfortunately, this attack vector seems to be becoming more common for the Mac.

    These kinds of fake dialogs that closely mimic the real ones can be hard to discern from the real ones as the developers can make them look very similar, and in some cases identical. But in general, I would suggest that you be very skeptical any time you get a prompt for your admin password. Be sure you know exactly why you're getting it and what the source of the prompt is.

    Having been infected, I would also encourage you to run a reactive scan with ClamXAV or MacScan (the free trial), just to make sure you're completely clean.
    Liquid and computers don't mix. It might seem simple, but we see an incredible amount of people post here about spills. Keep drinks and other liquids away from your expensive electronics!

    https://youtu.be/KHZ8ek-6ccc

  4. #4 (cwa107)
    Member Since: Dec 20, 2006
    Location: Lake Mary, Florida
    Posts: 26,758
    Specs: 15" MBP, Core i7/2GHz, 8GB RAM, 480GB Crucial M500 SSD
    Quote Originally Posted by MacsWork:
    By definition it is not a virus.

    A virus can spread all by itself. This apparently required you to enter a password. Without that the threat cannot deploy a payload. Sounds like Malware, which is just as nasty.
    "Malware" is the general term that defines a category of software designed with malicious intent. So, regardless of whether we're talking about a virus, adware, spyware, trojans, etc., it's all classified as "malware".

  5. #5 (rez)
    Member Since: Dec 13, 2011
    Location: Nottingham, U.K
    Posts: 25
    Specs: Late 2009 Macbook 2.26GHZ 4GB RAM 250GB HDD 64GB SSD
    Thank you both for your replies.

    Macsworth, that's a valid point! But I think Mac users (at least my circle of friends who own Mac laptops) are taken under by the myth they are invincible on the web because they are running OSX. I think this approach is making these trojans more dangerous.

    Cwa - after reading that forum again I took the steps recommended; it's not the easiest thread to follow, hence why I wanted to see if anyone here had found it, to see if there were any consistencies. I have ClamXav running, scanning my System and Library folders, and it didn't pick anything up. According to the thread, the threat is due to a Java exploitation through Safari (which I had started using again as Chrome couldn't handle the Netflix website). I hadn't downloaded anything since the 31st March through to yesterday.

    I think I'm clean. ClamXav didn't find anything at the time.

    Not really sure what to do now. The payload is on my computer as I gave it my password, but I have no idea what or where it is, or even if it is still on here! Paranoid..

    Regards,

    Ryan

  6. #6 (cwa107)
    Member Since: Dec 20, 2006
    Location: Lake Mary, Florida
    Posts: 26,758
    Specs: 15" MBP, Core i7/2GHz, 8GB RAM, 480GB Crucial M500 SSD
    Quote Originally Posted by rez:
    Macsworth, that's a valid point! But I think Mac users (at least my circle of friends who own Mac laptops) are taken under by the myth they are invincible on the web because they are running OSX. I think this approach is making these trojans more dangerous.
    Absolutely - and part of it is the longtime Mac users who perpetuate the myth by getting caught up in semantics. We, as a community, often respond to these kinds of concerns by saying "there are no viruses for Macs". And while this is technically true by the narrow definition of what a virus is, it doesn't do anyone any favors, as it tiptoes around the fact that there are plenty of other kinds of malware that do impact the Mac.

    I think we need to start focusing on solutions instead of semantics and just accept the fact that the term "virus" is used interchangeably with "malware" or "trojan" in common parlance.


    Cwa - after reading that forum again I took the steps recommended; it's not the easiest thread to follow, hence why I wanted to see if anyone here had found it, to see if there were any consistencies. I have ClamXav running, scanning my System and Library folders, and it didn't pick anything up. According to the thread, the threat is due to a Java exploitation through Safari (which I had started using again as Chrome couldn't handle the Netflix website). I hadn't downloaded anything since the 31st March through to yesterday.

    I think I'm clean. ClamXav didn't find anything at the time.

    Not really sure what to do now. The payload is on my computer as I gave it my password, but I have no idea what or where it is, or even if it is still on here! Paranoid..

    Regards,

    Ryan
    I'm not sure I fully trust ClamXAV, only because it's a multi-platform anti-virus and I think its DATs aren't necessarily designed to scan for Mac-specific malware.

    For this purpose, I recommend MacScan. I like it because it's reactive (i.e. it doesn't introduce any resident scanning engines) and they have a free trial - so you can just uninstall it when you're done.

  7. #7 (rez)
    Member Since: Dec 13, 2011
    Location: Nottingham, U.K
    Posts: 25
    Specs: Late 2009 Macbook 2.26GHZ 4GB RAM 250GB HDD 64GB SSD
    I will try MacScan now, I'll post the result.

    For now, as a preventative measure I have disabled Java in Safari. Really want to get to the bottom of where this originated though, information at the moment is patchy.

    Regards,

    Ryan

  8. #8 (McBie)
    Member Since: Apr 26, 2008
    Location: Belgium
    Posts: 2,675
    Specs: 2013 MBA 13" - OS X 10.10.5
    Just for my understanding ..... did you see any windows pop up lately suggesting to update your Adobe Flash Player?
    I know this one is Java related, but looking for the source of the attack vector is not easy.

    As a suggestion .... I use Firefox with NoScript to visit web sites I don't trust ... that gives me an indication of how "safe" they are ..... it's not bulletproof, only an indication.

    Cheers ... McBie
    A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns and tequila.
    The bitterness of poor quality remains long after the sweetness of low price is forgotten.

  9. #9 (rez)
    Member Since: Dec 13, 2011
    Location: Nottingham, U.K
    Posts: 25
    Specs: Late 2009 Macbook 2.26GHZ 4GB RAM 250GB HDD 64GB SSD
    Quote Originally Posted by McBie:
    Just for my understanding ..... did you see any windows pop up lately suggesting to update your adobe flash player ?
    No, but I have seen others who have mentioned the dubious Flash Player update. I'm sure I would have caught it, as an update doesn't launch like that unless you download it. I think it must be related, or at least the same thing along those lines. It's even been likened to the Flashback trojan, yet as others have pointed out, it does not behave in the same way.

    Having problems with MacScan as I have my OS on an SSD and the custom scan is unavailable in the Demo...

    If anyone else wants to check, for peace of mind, after unhiding files, I found the executable just sat in my Home folder.

    Regards,

    Ryan

  10. #10 (cwa107)
    Member Since: Dec 20, 2006
    Location: Lake Mary, Florida
    Posts: 26,758
    Specs: 15" MBP, Core i7/2GHz, 8GB RAM, 480GB Crucial M500 SSD
    Quote Originally Posted by rez:
    I will try MacScan now, I'll post the result.

    For now, as a preventative measure I have disabled Java in Safari. Really want to get to the bottom of where this originated though, information at the moment is patchy.

    Regards,

    Ryan
    Yeah - I'm actually still reading through the thread on the Apple forums. That thread is ugly.

  11. #11 (rez)
    Member Since: Dec 13, 2011
    Location: Nottingham, U.K
    Posts: 25
    Specs: Late 2009 Macbook 2.26GHZ 4GB RAM 250GB HDD 64GB SSD
    If you get to the last post on that thread, it suggests that the trojan will delete itself if it finds the Little Snitch, Xcode or ClamXav applications, all of which I have. Yet it still tried to connect to the cuojshtbohnt.com address, making me think this is something else.

    Interesting, when running the command: launchctl list com.adobe.reader

    "Label" = "com.adobe.reader";
    "LimitLoadToSessionType" = "Aqua";
    "OnDemand" = true;
    "LastExitStatus" = 256;
    "TimeOut" = 30;
    "StandardOutPath" = "/dev/null";
    "StandardErrorPath" = "/dev/null";
    "ProgramArguments" = (
    "/Volumes/Macintosh HD/Users/ryanhall/.rserv";

    Enough evidence to suggest it's related to the Flash Player update version? I'm pretty sure I didn't fall for that.

    MacScan still in progress.
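    The tell in the launchctl output above is that a job labelled com.adobe.reader actually runs a hidden dotfile out of the home folder, with its output sent to /dev/null. The following is an added example, not code from the thread or from any tool mentioned in it, that triages a launchd job definition (the .plist under ~/Library/LaunchAgents or /Library/LaunchAgents, which is where launchctl reads these fields from) for that pattern. The embedded plist is constructed to mirror the keys shown in the post, with "someuser" as a placeholder account name; the heuristics (hidden executable, home-folder path, vendor-looking label whose binary is outside vendor install paths, discarded output) are my own and are indicators to review, not proof of infection.

```python
"""Triage launchd job plists for the persistence pattern seen in the thread:
a vendor-looking Label whose ProgramArguments point at a hidden executable
in a user's home folder. Added example; not code from the forum."""
import os
import plistlib
import re
from typing import Dict, List, Optional

# Constructed sample mirroring the keys in the launchctl listing from the
# thread. "someuser" is a placeholder, not the poster's account name.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.adobe.reader</string>
  <key>LimitLoadToSessionType</key><string>Aqua</string>
  <key>OnDemand</key><true/>
  <key>StandardOutPath</key><string>/dev/null</string>
  <key>StandardErrorPath</key><string>/dev/null</string>
  <key>ProgramArguments</key>
  <array><string>/Volumes/Macintosh HD/Users/someuser/.rserv</string></array>
</dict>
</plist>
"""

# Where a legitimately installed vendor agent's binary normally lives.
VENDOR_DIRS = ("/Applications/", "/Library/", "/System/", "/usr/")
# Matches a path inside a user home, with or without a /Volumes/<disk> prefix.
HOME_RE = re.compile(r"^(?:/Volumes/[^/]+)?/Users/[^/]+/")


def program_path(job: dict) -> Optional[str]:
    """Return the executable a launchd job runs (Program, else ProgramArguments[0])."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def triage_job(job: dict) -> List[str]:
    """Return human-readable findings for one parsed launchd job dictionary."""
    findings: List[str] = []
    path = program_path(job)
    label = job.get("Label", "")
    if path is None:
        return ["no Program/ProgramArguments: nothing to run"]
    base = os.path.basename(path)
    if base.startswith("."):
        findings.append(f"hidden executable: {base}")
    if HOME_RE.match(path):
        findings.append("executable lives in a user home folder")
    # A reverse-DNS label such as com.adobe.* claims a vendor; a real vendor
    # agent's binary sits under /Applications or /Library, not in $HOME.
    if re.match(r"^(com|org|net)\.[a-z0-9-]+\.", label) and not path.startswith(VENDOR_DIRS):
        findings.append(f"label {label!r} claims a vendor but binary is outside vendor paths")
    if job.get("StandardOutPath") == "/dev/null" and job.get("StandardErrorPath") == "/dev/null":
        findings.append("stdout and stderr discarded (quiet job)")
    return findings


def triage_plist(data: bytes) -> List[str]:
    """Parse a plist (XML or binary) and triage it."""
    return triage_job(plistlib.loads(data))


def scan_launch_dirs(home: str = os.path.expanduser("~")) -> Dict[str, List[str]]:
    """Walk the usual LaunchAgents/LaunchDaemons folders; map plist path -> findings."""
    dirs = [os.path.join(home, "Library/LaunchAgents"),
            "/Library/LaunchAgents", "/Library/LaunchDaemons"]
    results: Dict[str, List[str]] = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            full = os.path.join(d, name)
            try:
                with open(full, "rb") as fh:
                    findings = triage_plist(fh.read())
            except (plistlib.InvalidFileException, OSError, ValueError) as exc:
                findings = [f"unreadable: {exc}"]
            if findings:
                results[full] = findings
    return results


if __name__ == "__main__":
    for line in triage_plist(SAMPLE_PLIST):
        print("sample:", line)
    for plist_path, lines in scan_launch_dirs().items():
        print(plist_path)
        for line in lines:
            print("   ", line)
```

    Run on a Mac it lists every job that trips a heuristic; on the constructed sample it reports all four indicators. A job that only trips the "quiet job" check is common and benign on its own, which is why the findings are returned as a list for a person to weigh rather than a single verdict.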

  12. #12 (McBie)
    Member Since: Apr 26, 2008
    Location: Belgium
    Posts: 2,675
    Specs: 2013 MBA 13" - OS X 10.10.5
    The reason for asking if it could be related to a Flash Player update is that I am running the latest Flash Player for OS X, and when googling and searching the web I get asked to update Flash several times a day.
    I never update stuff when presented with a pop-up, so I didn't bother to study the screen, but I will try to provoke another pop-up and play with Firefox and NoScript a little.
    Will also ask the guys at the office to do a bit of digging (if they have time), as I am not that technical.

    Cheers ... McBie

  13. #13 (MYmacROX)
    Member Since: Mar 17, 2009
    Posts: 3,626
    Specs: 2008 15" MBP Yosemite, 2012 21.5" iMac Yosemite
    I get the Flash Player update alert occasionally. I always close it, go to Adobe's website and determine for myself if my version is out of date. Small nuisance but worth the precautionary methods. A lot easier than running some dumb AV software that slows my entire machine to a crawl.
    64GB iPhone 6, 64GB iPad Air 2.

    Reminder: Please include your Mac's specs. This will make it much easier for the other members to assist you.

  14. #14 (rochford)
    Member Since: Apr 04, 2012
    Posts: 2
    Little Snitch gives IP address of .rserv request
    I've had this happening to me also. I found that Little Snitch was turned off when I checked, after getting a request from Software Update to put my password in, which I rejected. Restarted and reset Little Snitch, and began to get requests for .rserv to connect to cuojshtbohnt.com.

    Little Snitch gives you the IP address of the contact, which I did a search on here:

    IP Address: 91.233.244.102

    The location appears to be in the middle of nowhere in Siberia. The blacklist check has it listed on 70 blacklist sites.

  15. #15 (rez)
    Member Since: Dec 13, 2011
    Location: Nottingham, U.K
    Posts: 25
    Specs: Late 2009 Macbook 2.26GHZ 4GB RAM 250GB HDD 64GB SSD
    Quote Originally Posted by rochford:
    IP Address: 91.233.244.102

    The location appears to be in the middle of nowhere in Siberia. The blacklist check has it listed on 70 blacklist sites.
    So I'd be safe in assuming that this malware isn't something new then, just a variation of something that has been seen before, if it's been blacklisted?

    I'm worried that it's still on my machine. It's the annoying thing with OS X; at least with Windows you know where you stand (if you know how to look for malware on a machine). Two scans have given me the all clear.

    How is this going to be prevented?
