.rserv virus?

rez


Joined
Dec 13, 2011
Messages
25
Reaction score
0
Points
1
Location
Nottingham, U.K
Your Mac's Specs
Late 2009 Macbook 2.26GHZ 4GB RAM 250GB HDD 64GB SSD
Hey guys.

This relates to this apple forum thread. I thought I'd bring it here to see whether anyone at mac-forums had witnessed this happening on their machine yet.

Bit of background: I had a Little Snitch alert telling me that ".rserv wants to connect to cuojshtbohnt.com". After having a Windows machine for most of my life I've become half-good at spotting any suspicious behaviour.

This was associated with a random process running, and it was not until I read through the above forum post that I realised I had entered my password into an erroneous Software Update dialog box that had come up on my screen a few days ago. mmm. Not as alert as I thought I was, although I did, to my annoyance now, question the quality of the icon which was present in the erroneous dialog box.

So, I searched for this process and found the unix executable in my Home folder, called .rserv. Weird. I'm glad I had Little Snitch running as to me, this seems like a virus (please see the thread above). I have relatively little knowledge on viruses but I know there have been a few proof of concepts and I know that OS X isn't immune to viruses, is this the real deal?

I'd appreciate anyone who may know what this is, has seen this happen to them, etc.

Cheers,

Ryan
 
Joined
May 22, 2005
Messages
2,159
Reaction score
67
Points
48
Location
Closer than you think.
Your Mac's Specs
Performa 6116 2GBSCSI 8MB OS 7.5.3
By definition it is not a virus.

A virus can spread all by itself. This apparently required you to enter a password. Without that the threat cannot deploy a payload. Sounds like malware, which is just as nasty.
 

cwa107


Retired Staff
Joined
Dec 20, 2006
Messages
27,042
Reaction score
812
Points
113
Location
Lake Mary, Florida
Your Mac's Specs
14" MacBook Pro M1 Pro, 16GB RAM, 1TB SSD
So, I searched for this process and found the unix executable in my Home folder, called .rserv. Weird. I'm glad I had Little Snitch running as to me, this seems like a virus (please see the thread above). I have relatively little knowledge on viruses but I know there have been a few proof of concepts and I know that OS X isn't immune to viruses, is this the real deal?

I'd appreciate anyone who may know what this is, has seen this happen to them, etc.

Cheers,

Ryan

It sounds like you were baited into downloading and installing a trojan. Unfortunately, this attack vector seems to be becoming more common for the Mac.

These kinds of fake dialogs that closely mimic the real ones can be hard to discern from the real ones as the developers can make them look very similar, and in some cases identical. But in general, I would suggest that you be very skeptical any time you get a prompt for your admin password. Be sure you know exactly why you're getting it and what the source of the prompt is.

Having been infected, I would also encourage you to run a reactive scan with ClamXAV or MacScan (the free trial), just to make sure you're completely clean.
 

cwa107


Retired Staff
Joined
Dec 20, 2006
Messages
27,042
Reaction score
812
Points
113
Location
Lake Mary, Florida
Your Mac's Specs
14" MacBook Pro M1 Pro, 16GB RAM, 1TB SSD
By definition it is not a virus.

A virus can spread all by itself. This apparently required you to enter a password. Without that the threat cannot deploy a payload. Sounds like malware, which is just as nasty.

"Malware" is the general term that defines a category of software designed with a malicious intent. So, regardless of whether we're talking about a virus, adware, spyware, trojans, etc., it's all classified as "malware".
 
OP
R

rez


Joined
Dec 13, 2011
Messages
25
Reaction score
0
Points
1
Location
Nottingham, U.K
Your Mac's Specs
Late 2009 Macbook 2.26GHZ 4GB RAM 250GB HDD 64GB SSD
Thank you both for your replies.

Macsworth, that's a valid point! But I think Mac users (at least my circle of friends who own Mac laptops) are taken in by the myth that they are invincible on the web because they are running OS X. I think this attitude is making these trojans more dangerous.

Cwa - after reading that forum again I took the steps recommended; it's not the easiest thread to follow, hence why I wanted to see if anyone here had found it, to see if there were any consistencies. I have ClamXAV running, scanning my System and Library folders, and it didn't pick anything up. According to the thread, the threat is due to a Java exploitation through Safari (which I had started using again as Chrome couldn't handle the Netflix website). I hadn't downloaded anything from the 31st March through to yesterday.

I think I'm clean. ClamXAV didn't find anything at the time.

Not really sure what to do now. The payload is on my computer as I gave it my password, but I have no idea what or where it is, or even if it is still on here! Paranoid..

Regards,

Ryan
 

cwa107


Retired Staff
Joined
Dec 20, 2006
Messages
27,042
Reaction score
812
Points
113
Location
Lake Mary, Florida
Your Mac's Specs
14" MacBook Pro M1 Pro, 16GB RAM, 1TB SSD
Macsworth, that's a valid point! But I think Mac users (at least my circle of friends who own Mac laptops) are taken in by the myth that they are invincible on the web because they are running OS X. I think this attitude is making these trojans more dangerous.

Absolutely - and part of it is the longtime Mac users who perpetuate the myth by getting caught up in semantics. We, as a community, often respond to these kinds of concerns by saying "there are no viruses for Macs". And while this is technically true by the narrow definition of what a virus is, it doesn't do anyone any favors, as it tiptoes around the fact that there are plenty of other kinds of malware that do impact the Mac.

I think we need to start focusing on solutions instead of semantics and just accept the fact that the term "virus" is used interchangeably with "malware" or "trojan" in common parlance.


Cwa - after reading that forum again I took the steps recommended; it's not the easiest thread to follow, hence why I wanted to see if anyone here had found it, to see if there were any consistencies. I have ClamXAV running, scanning my System and Library folders, and it didn't pick anything up. According to the thread, the threat is due to a Java exploitation through Safari (which I had started using again as Chrome couldn't handle the Netflix website). I hadn't downloaded anything from the 31st March through to yesterday.

I think I'm clean. ClamXAV didn't find anything at the time.

Not really sure what to do now. The payload is on my computer as I gave it my password, but I have no idea what or where it is, or even if it is still on here! Paranoid..

Regards,

Ryan

I'm not sure I fully trust ClamXAV, only because it's a multi-platform anti-virus and I think its DATs aren't necessarily designed to scan for Mac-specific malware.

For this purpose, I recommend MacScan. I like it because it's reactive (i.e. it doesn't introduce any resident scanning engines) and they have a free trial - so you can just uninstall it when you're done.
 
OP
R

rez


Joined
Dec 13, 2011
Messages
25
Reaction score
0
Points
1
Location
Nottingham, U.K
Your Mac's Specs
Late 2009 Macbook 2.26GHZ 4GB RAM 250GB HDD 64GB SSD
I will try MacScan now, I'll post the result.

For now, as a preventative measure I have disabled Java in Safari. Really want to get to the bottom of where this originated though, information at the moment is patchy.

Regards,

Ryan
 
Joined
Apr 26, 2008
Messages
2,963
Reaction score
120
Points
63
Location
Belgium
Your Mac's Specs
iPad Pro 12.9 latest iOS
Just for my understanding... did you see any windows pop up lately suggesting that you update your Adobe Flash Player?
I know this one is Java related, but looking for the source of the attack vector is not easy.

As a suggestion... I use Firefox with NoScript to visit web sites I don't trust... that gives me an indication of how "safe" they are... it's not bulletproof, only an indication.

Cheers ... McBie
 
OP
R

rez


Joined
Dec 13, 2011
Messages
25
Reaction score
0
Points
1
Location
Nottingham, U.K
Your Mac's Specs
Late 2009 Macbook 2.26GHZ 4GB RAM 250GB HDD 64GB SSD
Just for my understanding... did you see any windows pop up lately suggesting that you update your Adobe Flash Player?

No, but I have seen others who have mentioned the dubious Flash Player update. I'm sure I would have caught it, as an update doesn't launch like that unless you download it. I think it must be related, or at least the same thing along those lines. It's even been likened to the Flashback trojan, yet as others have pointed out, it does not behave in the same way.

Having problems with MacScan as I have my OS on an SSD and the custom scan is unavailable in the Demo...

If anyone else wants to check, for peace of mind, after unhiding files, I found the executable just sat in my Home folder.

Regards,

Ryan
 

cwa107


Retired Staff
Joined
Dec 20, 2006
Messages
27,042
Reaction score
812
Points
113
Location
Lake Mary, Florida
Your Mac's Specs
14" MacBook Pro M1 Pro, 16GB RAM, 1TB SSD
I will try MacScan now, I'll post the result.

For now, as a preventative measure I have disabled Java in Safari. Really want to get to the bottom of where this originated though, information at the moment is patchy.

Regards,

Ryan

Yeah - I'm actually still reading through the thread on the Apple forums. That thread is ugly.
 
OP
R

rez


Joined
Dec 13, 2011
Messages
25
Reaction score
0
Points
1
Location
Nottingham, U.K
Your Mac's Specs
Late 2009 Macbook 2.26GHZ 4GB RAM 250GB HDD 64GB SSD
If you get to the last post on that thread, it suggests that the trojan will delete itself if it finds the Little Snitch, Xcode or ClamXAV applications, all of which I have. Yet it still tried to connect to the cuojshtbohnt.com address, making me think this is something else.

Interesting, when running the command: launchctl list com.adobe.reader

"Label" = "com.adobe.reader";
"LimitLoadToSessionType" = "Aqua";
"OnDemand" = true;
"LastExitStatus" = 256;
"TimeOut" = 30;
"StandardOutPath" = "/dev/null";
"StandardErrorPath" = "/dev/null";
"ProgramArguments" = (
"/Volumes/Macintosh HD/Users/ryanhall/.rserv";

Enough evidence to suggest it's related to the Flash Player update version? I'm pretty sure I didn't fall for that.

MacScan still in progress.
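A defender's check for the pattern in that launchctl output, written as an added example (not code from this thread or from any tool named in it): it parses a launch item plist and flags a label that claims a vendor while actually running a hidden file out of a home folder. The two plists are constructed samples, and the heuristics are my own rather than Apple's.

```python
import plistlib
from pathlib import PurePosixPath

# Constructed sample modelled on the launchctl output quoted in the thread:
# a vendor-looking label whose program is a hidden file in a home folder.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.adobe.reader</string>
  <key>LimitLoadToSessionType</key><string>Aqua</string>
  <key>OnDemand</key><true/>
  <key>StandardOutPath</key><string>/dev/null</string>
  <key>StandardErrorPath</key><string>/dev/null</string>
  <key>ProgramArguments</key>
  <array><string>/Volumes/Macintosh HD/Users/ryanhall/.rserv</string></array>
</dict></plist>"""

# Constructed benign sample: label and program path agree, binary is in an app bundle.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sync</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example Sync.app/Contents/MacOS/sync</string></array>
</dict></plist>"""


def program_path(item):
    """Executable a launch item runs: ProgramArguments[0], else the Program key."""
    args = item.get("ProgramArguments")
    return args[0] if args else item.get("Program")


def audit_launch_item(raw):
    """Return the reasons a launch item plist looks suspicious (empty = nothing flagged)."""
    item = plistlib.loads(raw)
    prog = program_path(item)
    if prog is None:
        return ["no Program or ProgramArguments key"]
    reasons = []
    if PurePosixPath(prog).name.startswith("."):
        reasons.append("program is a hidden dot-file: " + prog)
    if "/Users/" in prog and ".app/" not in prog:
        reasons.append("program is a bare binary in a home folder, not an app bundle")
    # Reverse-DNS labels name a vendor (com.adobe.reader -> adobe); a genuine
    # vendor item normally runs a binary from a path that mentions that vendor.
    parts = item.get("Label", "").split(".")
    if len(parts) >= 3 and parts[1].lower() not in prog.lower():
        reasons.append("label " + item["Label"] + " does not match program path")
    if item.get("StandardOutPath") == item.get("StandardErrorPath") == "/dev/null":
        reasons.append("stdout and stderr both discarded to /dev/null")
    return reasons
```

On a live machine the same function can be run over every file in ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons, which is where launchctl loads such items from.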
 
Joined
Apr 26, 2008
Messages
2,963
Reaction score
120
Points
63
Location
Belgium
Your Mac's Specs
iPad Pro 12.9 latest iOS
The reason for asking if it could be related to a Flash Player update is that I am running the latest Flash Player for OS X, and when googling and searching the web I get asked to update Flash several times a day.
I never update stuff when presented with a pop-up, so I didn't bother to study the screen, but I will try to provoke another pop-up and play with Firefox and NoScript a little.
Will also ask the guys at the office to do a bit of digging (if they have time), as I am not that technical.

Cheers ... McBie
 
Joined
Mar 17, 2009
Messages
3,626
Reaction score
111
Points
63
Your Mac's Specs
2018 15" MBP, 2019 11" iPad Pro, iPhone 11 Pro
I get the Flash Player update alert occasionally. I always close it, go to Adobe's website and determine for myself if my version is out of date. Small nuisance but worth the precautionary methods. A lot easier than running some dumb AV software that slows my entire machine to a crawl.
 
Joined
Apr 4, 2012
Messages
2
Reaction score
0
Points
1
Little Snitch gives IP address of .rserv request

I've had this happening to me also. I found that Little Snitch was turned off when I checked after getting a request from Software Update to put my password in, which I rejected. Restarted and reset Little Snitch, and began to get requests for .rserv to connect to cuojshtbohnt.com.

Little Snitch gives you the IP address of the contact, which I did a search on here:

IP Address: 91.233.244.102

The location appears to be in the middle of nowhere in Siberia. The blacklist check has it listed on 70 blacklist sites.
 
OP
R

rez


Joined
Dec 13, 2011
Messages
25
Reaction score
0
Points
1
Location
Nottingham, U.K
Your Mac's Specs
Late 2009 Macbook 2.26GHZ 4GB RAM 250GB HDD 64GB SSD
IP Address: 91.233.244.102

The location appears to be in the middle of nowhere in Siberia. The blacklist check has it listed on 70 blacklist sites.

So I'd be safe in assuming that this malware isn't something new then, just a variation of something that has been before, if it's been blacklisted?

I'm worried that it's still on my machine. It's the annoying thing with OS X; at least with Windows you know where you stand (if you know how to look for malware on a machine). Two scans have given me the all clear.

How is this going to be prevented?
 
Joined
Apr 4, 2012
Messages
2
Reaction score
0
Points
1
Activity Monitor located .rserv in the top level of my user folder, but a search for invisible files including system files came up with 0.
 

OP
R

rez


Joined
Dec 13, 2011
Messages
25
Reaction score
0
Points
1
Location
Nottingham, U.K
Your Mac's Specs
Late 2009 Macbook 2.26GHZ 4GB RAM 250GB HDD 64GB SSD
Thanks for that cwa, luckily I was able to run through those instructions the day I noticed the infection.

Looks like I was lucky to have Little Snitch running to notice the attempt! I would recommend that others use those instructions just to make sure their machines are all clear.

Looks like the myth has officially been busted! At least to those who believed they were invincible behind OS X!

I've heard Mountain Lion will be impenetrable to everything once again though... ha.

Cheers,

Ryan
 