New Mac malware epidemic


  • This topic is locked
26 replies to this topic

#1 RV

RV

    Major Contributor

  • Validated Members
  • 8272 posts
  • SKP#:50964

Posted 06 April 2012 - 02:36 PM

Important information for those who would use it. Please don't shoot the messenger if you use Apple, or gloat here if you use another system. Ed Bott is one of my respected tech writers and he lays it out objectively. Much good info in the article.

Excerpts:
"The nightmare scenario for Mac owners is here. At least 600,000 Macs worldwide have been infected, silently, by the Flashback Trojan, with no user interaction required. Here's why this is just the beginning of a long-term problem.

If you think 600,000 users isn't a lot, let's put it in perspective. According to the latest statistics from Net Market Share, there are roughly 13 Windows PCs for every Mac in the world. So an equivalent infection rate in the Windows population would translate to 7.8 million Windows PCs.

Older Macs are especially vulnerable. According to the latest Net Market Share data, 17% of Macs worldwide are running Leopard (OS X 10.5) and Tiger (OS X 10.4), older versions of OS X that are no longer officially supported. The Java update that blocks this exploit is available for Leopard, but at least one Leopard user I spoke with says it hasn't been offered to his Mac via Apple Software Update."

Much more information in the article here: http://www.zdnet.com...726?tag=nl.e539

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998

When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius


#2 Barbaraok

Barbaraok

    Major Contributor

  • Validated Members
  • 7251 posts
  • SKP#:90761

Posted 06 April 2012 - 02:58 PM

Derek,
This is still about the same problem that has been discussed in at least two different threads, not anything new.
Barb

Barb & Dave O'Keeffe
Full-timing with our cat Shadow (16 yrs old)
2002 Alpine 36 MDDS (Figment II), 2004 Subaru Forester toad (Mischief)
Blog: http://www.barbanddave.net
SPK# 90761 FMCA #F337834


#3 RV

RV

    Major Contributor

  • Validated Members
  • 8272 posts
  • SKP#:50964

Posted 06 April 2012 - 03:51 PM

The new is the perspective and the scope, and the most vulnerable systems. This one has been developing quietly as opposed to the bang that the Mac defender attacks made back then. So those infected won't know without reading about it and checking. As long as all do the checks and update their Java if available on this one that is about all that can be done for now. This is a developing story however on the prevention and other issues and I will post any new developments as they come to light. This is not about the OS choice, or keeping quiet about it, nor about the people out there that got infected. It is about the criminals and always has been. ;)



#4 Roll Me Away

Roll Me Away

    Full Member

  • Validated Members
  • 51 posts
  • SKP#:106230

Posted 06 April 2012 - 04:35 PM

The new is the perspective and the scope, and the most vulnerable systems. This one has been developing quietly as opposed to the bang that the Mac defender attacks made back then. So those infected won't know without reading about it and checking. As long as all do the checks and update their Java if available on this one that is about all that can be done for now. This is a developing story however on the prevention and other issues and I will post any new developments as they come to light. This is not about the OS choice, or keeping quiet about it, nor about the people out there that got infected. It is about the criminals and always has been. ;)


Derek, thank you for alerting us to the Mac attack. I use PCs for my business but have a Macbook Pro w/SnowLeopard for my writing. It isn't used much lately but I took it out and updated from the Apple site. Don't know how to get the Java updated, but clicked on what they offered. ZD net is helpful, but most helpful is finding your expertise on this forum. I guess we will have to get Eset antivirus software for the Mac now! I think the criminals are outrunning us.
Question: is it possible to have Internet service that they can't crack into? Keep alerting and sharing your knowledge, as it is most appreciated.
Roll Me Away

#5 RV

RV

    Major Contributor

  • Validated Members
  • 8272 posts
  • SKP#:50964

Posted 06 April 2012 - 04:47 PM

YW bud. I just like to write about what I see or pass it along. There are some real heavyweights here that are way above my pay-grade in expertise. They keep an eye peeled on my posts, and will sometimes keep me from making a correlational error.

It isn't the Internet service per se that they attack, it is vulnerabilities in the software that they find, and since the OS' are more hardened than before they attack via the programs all have on their systems, in this case Java. The criminals have only one thing in mind and that is employing the newest techniques to be first to take out the low hanging fruit. That being folks who don't update their Windows machines, an estimated 60% worldwide by MS and security analysts. And folks in denial about their OS be that Windows, Linux or Macs. If you read the article closely he says the same thing I do to Windows users. That the user is defense number one. Keeping updated and taking advantage of security tools as available helps as well. Then we worry about an active scanning anti malware program.

Unfortunately there is no way to be on the Internet and be free from risk. The criminals are out to get us all. All of us have that in common. In denial or not every OS has been cracked and hacked. What makes it worse is that there is a tremendous amount of government sponsorship of hacking by foreign govts. We would not do that right? ;) ;) ;)

The only thing we CAN do is to not be the low hanging fruit for now. That means updates, secondary antimalware programs, and being aware of what we open and approve when we have that option, we don't always have it.

But thanks for reading and please jump in if you hear of anything that can help.

Edited by RV, 06 April 2012 - 04:52 PM.



#6 Barbaraok

Barbaraok

    Major Contributor

  • Validated Members
  • 7251 posts
  • SKP#:90761

Posted 06 April 2012 - 07:51 PM

Derek,

My point, which I obviously didn't make correctly, was that this wasn't a new problem for Macs, but one that has been discussed in a couple of threads before. Problem is that, as you have said, people aren't running their system update software on a regular basis as Apple has the upgrade out (in fact they've refined the patch) as well as giving the strings to put into Terminal window to verify that everything is ok with your system - as shown below:

From a terminal app, run these commands. They do not do anything, they just read the values.

defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read /Applications/Firefox.app/Contents/Info LSEnvironment
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

They should return "does not exist".

For example:

Last login: Fri Apr 6 18:21:42 on ttys000
Macintosh-3:~ barbara$ defaults read /Applications/Safari.app/Contents/Info LSEnvironment
2012-04-06 18:50:35.420 defaults[485:903]
The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist
Macintosh-3:~ barbara$


Barb



Edited by Barbaraok, 06 April 2012 - 07:52 PM.



#7 RV

RV

    Major Contributor

  • Validated Members
  • 8272 posts
  • SKP#:50964

Posted 06 April 2012 - 08:40 PM

Barb thanks for the clarification. Now that is helpful for the Mac folks and even us windows folks. Wow thanks for posting that. Mac buddies update your 'pooters! :) It matters now. I am about to switch OS' and post about the big hole about to be patched in Windows next Tuesday and that Adobe has some super important patches coming out for their software as well.



#8 Ron and Elena

Ron and Elena

    Senior Member

  • Validated Members
  • 244 posts

Posted 07 April 2012 - 10:24 PM

Below is a link to a website with a little more information about this malware and how to test if your computer is infected. The owner of this blog is a very good friend of someone I know and used to work with. The person I know has vouched for this person and the integrity of the script he has made available for free download. For those folks that are not comfortable using terminal mode on their computer the script is a quick way to test if you have an infected machine. I ran the test in terminal mode a couple days ago and verified that my computer is not infected. Tonight I ran the script from this website and it reconfirmed my computer is not infected.

http://www.bartbussc...ie/blog/?p=2236
Ron Engelsman
http://www.mytripjou...com/our_odyssey
Full-Timing since mid 2007
23' Komfort TT
2004 Chevy Avalanche 4x4 8.1L

#9 Barbaraok

Barbaraok

    Major Contributor

  • Validated Members
  • 7251 posts
  • SKP#:90761

Posted 07 April 2012 - 10:53 PM

Ron,
That's essentially the three strings I listed above from the Apple Support discussions area. Just copy and paste into Terminal. Notice you really need to run all three for good measure.
Barb



#10 Ron and Elena

Ron and Elena

    Senior Member

  • Validated Members
  • 244 posts

Posted 07 April 2012 - 11:27 PM

Ron,
That's essentially the three strings I listed above from the Apple Support discussions area. Just copy and paste into Terminal. Notice you really need to run all three for good measure.
Barb


The commands from F-Secure run by the script test OSX and Safari. Your third command is testing Firefox in addition to Safari and OSX. Folks running any of the several browsers other than Safari need to test them also.
---Ron

#11 hobopals

hobopals

    Major Contributor

  • Validated Members
  • 829 posts

Posted 08 April 2012 - 08:04 AM

Tonight I ran the script from this website and it reconfirmed my computer is not infected.

http://www.bartbussc...ie/blog/?p=2236


Thank you, Ron and Elena and Derek (and everyone) for keeping Mac users from being complacent. I'm running Lion, and ran the check. My computer is clean, too. I'm going to pass the test along to my kids. Thanks, again.



We have memories so that we might have roses in December.

http://travelswithmr...e.blogspot.com/

#12 RV

RV

    Major Contributor

  • Validated Members
  • 8272 posts
  • SKP#:50964

Posted 08 April 2012 - 09:54 AM

YW! I just pass along the news when I think it may impact my friends here in all three OS'. The devil is in the details, and it is there where your fellow users like Barb, Ron and Elena are Gold! Glad everybody here turned up clean.



#13 Barbaraok

Barbaraok

    Major Contributor

  • Validated Members
  • 7251 posts
  • SKP#:90761

Posted 08 April 2012 - 11:02 AM

Just a word of caution. I would suggest that everyone who has a Mac get familiar with their terminal window and also with the Apple Support Discussions forums. For me, it makes more sense to copy the string from the Apple site (where I know it is ok) than just run a script from some site that someone recommends. I'm not saying it isn't a safe site, but why not go to Apple to get the correct information you need?

Ron, the reason that only the string for Safari and Firefox are there is that MOST Mac users use Safari and some will also use Firefox. Very few will use other browsers.

Barb



#14 DonF

DonF

    Major Contributor

  • Validated Members
  • 1115 posts
  • SKP#:103279

Posted 09 April 2012 - 03:41 AM

From a terminal app, run these commands. They do not do anything, they just read the values.

defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read /Applications/Firefox.app/Contents/Info LSEnvironment
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

They should return "does not exist".


FINALLY, someone has posted a method to confirm the absence of the Trojan -- this is EXCELLENT!

BIG THANKS, Barb!

I had actually asked the question on the older thread (re. how to respond, besides running Apple's Update), like getting Virus Barrier or some other such tool to verify all is a-okay... to no avail.

-Don

p.s. I ran the above commands, my system is okay!

p.p.s. I (and others) may use Chrome... another potential target for the issue described -- so, I just ran the same command against Chrome.app; will (now, also) read the Mac support site for more details.


Edited by DonF, 09 April 2012 - 03:45 AM.

Don & Fannie

2005 Volvo 670, 12sp FreedomLine, "Black Dude", 3.36 axle, Szmyt Wonder-Smart loader,
ET hitch, Jackalopee (original-prototype), BLUE-DOT air-over-hydraulic brake system,
2007 New Horizons F35RLSSS-C (Mor/Ryde-IS, Kodiak disc brakes, 17.5 H tires),
2005 smart fortwo passion
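As an added example (this is not code from the thread, from Apple, or from F-Secure), the shell script below automates the three "defaults read" checks Barb posted in #6 and adds the Chrome bundle Don checked in #14. It captures what "defaults read" prints, including the "does not exist" message that goes to stderr, and turns each result into a verdict. The Google Chrome bundle path, the sample outputs, and the dylib path inside them are constructed assumptions for illustration; on a Mac the script runs the live checks, on any other system only the classifier is exercised against the constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread or from Apple: automates the three
# `defaults read` checks posted above, plus the Chrome bundle Don checked.
# `defaults read <domain> <key>` prints "... does not exist" (on stderr)
# when the key is absent, which is the clean result. If the key exists it
# prints the value; for the injection described in the thread that value
# would contain DYLD_INSERT_LIBRARIES.

# Classify the captured output of one `defaults read` call.
# Prints one word: clean | suspicious | review
classify_defaults_output() {
    case "$1" in
        *"does not exist"*)      echo "clean" ;;
        *DYLD_INSERT_LIBRARIES*) echo "suspicious" ;;
        *)                       echo "review" ;;  # key exists but holds something else: inspect it
    esac
}

# Run one live check on macOS. stderr is merged into the capture because
# that is where the "does not exist" message is printed. Exit 0 means clean.
check_one() {
    out=$(defaults read "$1" "$2" 2>&1)
    verdict=$(classify_defaults_output "$out")
    printf '%-60s %s\n' "$1 $2" "$verdict"
    [ "$verdict" = "clean" ]
}

# The three checks from the post, plus Google Chrome (the bundle path is an
# assumption; Don reported running the same command against Chrome.app).
# Returns 0 if every check is clean, 1 if any is not, 2 if not on macOS.
run_flashback_checks() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not found: the live check only runs on macOS" >&2
        return 2
    fi
    status=0
    check_one /Applications/Safari.app/Contents/Info LSEnvironment || status=1
    check_one /Applications/Firefox.app/Contents/Info LSEnvironment || status=1
    check_one "/Applications/Google Chrome.app/Contents/Info" LSEnvironment || status=1
    check_one "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES || status=1
    return $status
}

# Constructed sample outputs (not real captures; the dylib path is a
# placeholder) so the classifier can be exercised on any system.
SAMPLE_CLEAN='2012-04-06 18:50:35.420 defaults[485:903]
The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist'
SAMPLE_HIT='{
    DYLD_INSERT_LIBRARIES = "/path/to/injected.dylib";
}'

classify_defaults_output "$SAMPLE_CLEAN"   # clean
classify_defaults_output "$SAMPLE_HIT"     # suspicious
run_flashback_checks || true               # per-check verdicts on a Mac, a notice elsewhere
```

A "review" verdict is not an infection by itself: it only means the key exists and holds something other than a DYLD_INSERT_LIBRARIES entry, so the value should be looked at by hand rather than trusted or dismissed.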

#15 Barbaraok

Barbaraok

    Major Contributor

  • Validated Members
  • 7251 posts
  • SKP#:90761

Posted 09 April 2012 - 10:23 AM

Don,

Do you like Chrome? We've had Safari for so long, I just never look at anything else.

Barb



#16 hobopals

hobopals

    Major Contributor

  • Validated Members
  • 829 posts

Posted 09 April 2012 - 02:11 PM

Don,

Do you like Chrome? We've had Safari for so long, I just never look at anything else.

Barb


I ran Chrome through the test, as well, Barb. I use mostly Safari because I'm a creature of habit, but I think I actually like Chrome better. My blog looks better in Chrome than it does in Safari. I just have to make a commitment to use it. I've started by making my blog pop up in Chrome as my start page. I notice that I'll have to make a couple of adjustments to the size of print. I can do that through the Blogger Dashboard by narrowing the "gadgets" or I can press "command +" to make the print larger as I'm reading. The pictures definitely look better in Chrome, in my opinion. When I want to see the side panel I can press "command -" and the whole blog is visible.

Thanks for the links to check my Mac. Much appreciated. I may have missed it, but what is the URL of the Mac site you refer to?

Edited by hobopals, 09 April 2012 - 02:21 PM.


#17 RV

RV

    Major Contributor

  • Validated Members
  • 8272 posts
  • SKP#:50964

Posted 09 April 2012 - 05:05 PM

Here is the latest info folks as well as some recommends for older Macs..

Excerpt:
Quick protection for older Macs from the Flashback trojan

"See also: Installing antivirus on your Mac? | New malware epidemic exploits weaknesses in Apple ecosystem | Macs infected (a dream, dashed) | Lion OS making gains in Mac installed base

Likely, your machines are not infected. Before I installed the Apple updates, I checked my machines using the Terminal checking routine offered by the F-Secure website. It's the first part of the Manual Removal process.

For older machines running pre-Snow Leopard OSes that haven't been updated by Apple, there may or may not be a problem of infection. Still, to make sure, you can either disable Java in your web browser (in Safari it's a Security preference), or turn it off altogether using the Java Preferences application, which can be found in the Utilities folder in Applications. I understand that the Mac client for CrashPlan Pro requires Java.

In his excellent rundown on the Flashback trojan at Macworld, analyst Rich Mogull of TidBits and Securosis offered this analysis."
The whole article is here:
http://www.zdnet.com...712?tag=nl.e539





#18 Barbaraok

Barbaraok

    Major Contributor

  • Validated Members
  • 7251 posts
  • SKP#:90761

Posted 09 April 2012 - 08:07 PM

I ran Chrome through the test, as well, Barb. I use mostly Safari because I'm a creature of habit, but I think I actually like chrome better. My blog looks better in Chrome than it does in Safari. I just have to make a commitment to use it. I've started by making my blog pop up in Chrome as my start page. I notice that I'll have to make a couple of adjustments to the size of print. I can do that through the Blogger Dashboard by narrowing the "gadgets" or I can press "command +" to make the print larger as I'm reading. The pictures definitely look better in Chrome, in my opinion. When I want to see the side panel "I can press command -" and the whole blog is visible.

Thanks for the links to check my Mac. Much appreciated. I may have missed it, but what is the URL of the Mac site you refer to?


URL is discussions.apple.com
Barb



#19 DonF

DonF

    Major Contributor

  • Validated Members
  • 1115 posts
  • SKP#:103279

Posted 10 April 2012 - 10:33 PM

Barb -- I love Chrome; since I am a lazy, keyboard-shortcut kinda ex-sys.admin, I especially like that there is a single/common address-bar/search-bar --- it's what we normally think of as the address entry area (where you type a URL -or- search terms). The other feature I like (a lot) is when I click anywhere in that area, it auto-selects all of the existing URL-string, so I can easily over-type (or edit) the existing URL.

I use ALL three of Firefox, Chrome and Safari --- this allows me to have THREE client sessions open to three different web-based, Email clients: my legacy clients from AT&T, Yahoo, PacBell domains all use the Yahoo login portal, so only one Email-address can be open from a given browser. The obvious and fast, keyboard-shortcut for me is to Cmd-Tab from one app to another, just like Alt-Tab on Windoze. So, quickly switching from FF to Chrome to Safari (and other open apps) is a keyboard action -- Gmail still needs a "tab" under whatever browser I want to use -- but for that, I only have one Email (whereas I have several controlled by Yahoo).. so, Gmail access is thru Chrome (best interface, since they're both Google).

HTH!

-Don

p.s. I will warn you the menu-bar for Chrome under Windoze is NOT very handy; it's a "wrench" icon in the upper left corner (rather than across the top, like other apps). On Macs, it's in the same place as all other Mac apps --- don't know why they decided to do it that way -- seems like a funky, technical-jab at MS, to me.

#20 RV

RV

    Major Contributor

  • Validated Members
  • 8272 posts
  • SKP#:50964

Posted 12 April 2012 - 02:24 PM

Glad y'all posted some info for the rest that a user of another OS would not know other than reading. Here is more from another Mac user:

"Six tips to make your Mac safer"
http://howto.cnet.co...your-mac-safer/

They have both a written article and a video so whichever one prefers.
