Question about OS X Flashback.K trojan

Spinland

On this instructional post:

 

http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

 

The initial instructions are:

 

• 1. Run the following command in Terminal: 
  
  ls -lA ~/Library/LaunchAgents/ 
  
  
• 2. Take note of the filename. Proceed only when you have one file. Otherwise contact our customer care.

 

I ran the indicated command and encountered this output:

 

Node00:~ mdyson$ ls -lA ~/Library/LaunchAgents/
total 64
-rw-r--r-- 1 mdyson staff 697 Nov 15 10:19 com.adobe.AAM.Updater-1.0.plist
-rw-r--r-- 1 mdyson staff 574 Dec 1 17:51 com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist
-rw-r--r-- 1 mdyson staff 618 Nov 14 17:54 com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.1A4046BE-D44F-4F2D-B3C7-FD38ED0EF401.plist
-rw-r--r-- 1 mdyson staff 889 Nov 14 17:25 com.apple.CSConfigDotMacCert-mdyson@me.com-SharedServices.Agent.plist
-rw-r--r-- 1 mdyson staff 425 Dec 22 13:36 com.apple.FolderActions.enabled.plist
-rw-r--r-- 1 mdyson staff 517 Dec 22 13:36 com.apple.FolderActions.folders.plist
-rw-r--r--@ 1 mdyson staff 803 Jan 7 13:43 com.google.keystone.agent.plist
-rw-r--r--@ 1 mdyson staff 543 Jan 30 10:58 ws.agile.1PasswordAgent.plist

 

In item 2, based on multiple results, my apparent next step would be to contact "our customer care" but I am not an F-Secure customer and instructions as to exactly whom and how I am to contact them are lacking. For various reasons I did have Java installed and enabled in Safari.

 

Based on the above output should I even be worried?

 

Thanks in advance!

chris_altwegg

I also get similar results. Have contacted support, will post again if I get answers.

MichaelHeister

I got this when I ran step one of the disinfection protocol on Lion:

 

Last login: Wed Apr 4 11:13:58 on ttys001
[macbook-extreme-3:~] mheister% ls -lA ~/Library/LaunchAgents/
total 32
-rw-r--r-- 1 mheister staff 618 Oct 13 23:56 com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.B79424B2-1668-442A-BD41-D4B3BDC74654.plist
-rw-r--r-- 1 mheister staff 425 Mar 24 10:42 com.apple.FolderActions.enabled.plist
-rw-r--r-- 1 mheister staff 517 Apr 3 20:35 com.apple.FolderActions.folders.plist
-rw-r--r-- 1 mheister staff 815 Jan 10 2009 com.apple.SafariBookmarksSyncer.plist
[macbook-extreme-3:~] mheister%

 

Instructions are to contact CS here if the response is more than one line. Suggestions???

 

TY.

Rusli

Hi,

 

F-Secure have a write up on Flashback.K...

 

see link:- http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

 

Always check for Apple Mac OS X Security Updates via this site:-

 

http://support.apple.com/kb/HT1222

 

What I really hate about Apple is that they release the security updates patches very late.

 

Please update your Java, Safari updates via Apple Software Updates. Remember always updates

your Adobe Flash for MAC OS X  from the main sites (www.adobe.com). If you need to check for 

Adobe Latest updates please go to this site to check if you got the latest version.

 

http://www.adobe.com/software/flash/about/

 

Remember to update the Xprotect plist from your Apple Mac OS X Security. Follow this steps below with

this link:-

 

http://community.f-secure.com/t5/Mac-Protection-Technology/Mac-OS-X-Snow-Leopard-Malware-Defender-updates-tricks/td-p/633

 

Please also read the following sites:-

 

http://reviews.cnet.com/8301-13727_7-57408874-263/java-update-for-os-x-patches-flashback-malware-exploit/?tag=txt;title

 

http://reviews.cnet.com/8301-13727_7-57408383-263/flashback-malware-evolves-to-exploit-unpatched-java-vulnerabilities/?tag=txt;title

 

Eset Threat Centre release this detections since 31032012

 

http://go.eset.com/us/threat-center/threatsense-updates/page/2?q=osx

 

If you go their main ESET threat Centre site (link above) , it seems they release new variants of Flashblack K ...

 

Detections dated 03 April 2012, 02 April 2012, 01 April 2012, and 31 March 2012.

 

Please take note of the new variant of Flashback R. Which Intego detected.

 

http://www.intego.com/mac-security-blog/new-flashback-variant-takes-advantage-of-unpatched-java-vulnerability/

 

On a look out for any new virus detections for Mac OS X via this sites:- (Please keep this handy as always!!!)

 

http://macscan.securemac.com/spyware-list/

 

(Kaspersky & Ikarus detection are same)

http://www.ikarus.at/en/private/info-center/virus-lexicon/index.html?action=search&term=osx&what=name

 

http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=osx&search-type=contains&case-sensitivity=No&database=daily&database=main&display=database&display=virus&.submit=Submit+Query&.cgifields=database&.cgifields=search-type&.cgifields=case-sensitivity&.cgifields=display

 

http://us.norton.com/security_response/threatexplorer/azlisting.jsp?azid=O

 

http://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=osx

 

http://www.sophos.com/en-us/search-results.aspx?refine=1a1e9ea6979a493dba64e1b2ced03044&search=osx

 

To send F-Secure for Support.

 

Please create the FSDIAG and attach the file via this link:-

 

http://www.f-secure.com/en/web/home_global/support/contact/request

 

The F-Secure Call Center is via:-

 

http://www.f-secure.com/en/web/home_global/support/contact/call-f-secure-support

 

Also do an online Chat from the Tech Support. (Closed on public holidays)

 

https://my.f-secure.com/en/chat

MichaelHeister

Thank you for the quick and thorough reply!

Rusli

Hi Michael,

 

You're welcome.

 

Also please take note of the steps below which Norton recommends.

 

http://us.norton.com/security_response/writeup.jsp?docid=2011-093016-1216-99&tabid=2

 

Follow the recommendations steps as layout by Norton.

 

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
• Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
• Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
• Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
• If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
• If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.

 

 

And those steps which I mentioned earlier. (Which is very very important)

 

Anyway does Safari have NoScript Addons???

 

The best is to turn off Java and Flash.

 

Only use it when you know it is a trusted website.

 

Use CCleaner for Mac.

 

http://www.piriform.com/mac/ccleaner

 

Download Macscan Trial. If you suspected that your computer have been infected.

 

http://macscan.securemac.com/buy/

 

And do a full scan.

 

On a lookout with latest security news or updates  via www.us-cert.gov (US Homeland Security)

 

Some of the Apps in the Apple Apps Store are malware. So be extra carefull.

 

Be wary of iTunes Credit Card Scam.

 

http://community.f-secure.com/t5/Protection/Apple-iTunes-Credit-Card-Fraud/td-p/9941

 

leelee

Macintosh-5:~ leanderpaulboucher$ ls -lA ~/Library/LaunchAgents/
total 16
-rw-r--r-- 1 leanderpaulboucher staff 574 Oct 13 09:35 com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist
-rw-r--r-- 1 leanderpaulboucher staff 815 Jun 28 2011 com.google.keystone.agent.plist

 

Listed above are the file names that resulted in running:

  ls -lA ~/Library/LaunchAgents/

 

I'm a noob at this. What does this mean? Am I infected or not and what do I do next?

Thanks

chris_altwegg

This should help:

 

http://news.cnet.com/8301-27076_3-57410050-248/mac-flashback-malware-what-it-is-and-how-to-get-rid-of-it-faq/

leelee

Thanks for your assistance!

Rusli

Hi

 

What Chris and me posted are the same.

 

You can read my posting via the same site.

 

http://community.f-secure.com/t5/Protection/Flashback-Mac-OS-X-Remover/td-p/10887

Rusli

Here is the remedy to Flashback I variant remover from F-Secure.

 

http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

 

There is Flashback J which Eset is detecting.

 

http://go.eset.com/us/threat-center/threatsense-updates/search?q=osx

 

dated NOD32 - v.7032 (20120406)

leelee

Your assistance is greatly appreciated

leelee

Thanks a million to Chris and Rusli. I finally got rid of the trojan. All's well and back to normal.

[Deleted User]

Hi,

 

We have release a tool to remove the Flashback Mac OS X malware. You can refer to our Weblog below:

 

http://www.f-secure.com/weblog/archives/00002346.html

 

Br,

 

Nesak

mydearcosmo

I agree. This removal tool has helped me earlier with such problem. Thanks guys.

Rusli

You're welcome lee.

 

 

I should give a credit to the guys at F-Secure & the F-Secure SAS Team, The Project Managers!

 

They have done a great job at this!!! (Without them ... we won't be here by now.)

 

Keep up the good work guys.

 

Not to mentioned, CNET too did a good job.

 

 

 

- I'm always "the last in line". (Someone will know what I mean to this. He would LOL! Yeah D.I.O)