Question about OS X Flashback.K trojan
On this instructional post:
The initial instructions are:
1. Run the following command in Terminal:
ls -lA ~/Library/LaunchAgents/
2. Take note of the filename. Proceed only when you have one file. Otherwise contact our customer care.
I ran the indicated command and encountered this output:
Node00:~ mdyson$ ls -lA ~/Library/LaunchAgents/
-rw-r--r-- 1 mdyson staff 697 Nov 15 10:19 com.adobe.AAM.Updater-1.0.plist
-rw-r--r-- 1 mdyson staff 574 Dec 1 17:51 com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist
-rw-r--r-- 1 mdyson staff 618 Nov 14 17:54 com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.1A4046BE-D44F-4F2D-B3C7-FD38ED0EF401.plist
-rw-r--r-- 1 mdyson staff 889 Nov 14 17:25 [email protected]plist
-rw-r--r-- 1 mdyson staff 425 Dec 22 13:36 com.apple.FolderActions.enabled.plist
-rw-r--r-- 1 mdyson staff 517 Dec 22 13:36 com.apple.FolderActions.folders.plist
-rw-r--r--@ 1 mdyson staff 803 Jan 7 13:43 com.google.keystone.agent.plist
-rw-r--r--@ 1 mdyson staff 543 Jan 30 10:58 ws.agile.1PasswordAgent.plist
In item 2, based on multiple results, my apparent next step would be to contact "our customer care" but I am not an F-Secure customer and instructions as to exactly whom and how I am to contact them are lacking. For various reasons I did have Java installed and enabled in Safari.
Based on the above output should I even be worried?
Thanks in advance!
I also get similar results. Have contacted support, will post again if I get answers.
I got this when I ran step one of the disinfection protocol on Lion:
Last login: Wed Apr 4 11:13:58 on ttys001
[macbook-extreme-3:~] mheister% ls -lA ~/Library/LaunchAgents/
-rw-r--r-- 1 mheister staff 618 Oct 13 23:56 com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.B79424B2-1668-442A-BD41-D4B3BDC74654.plist
-rw-r--r-- 1 mheister staff 425 Mar 24 10:42 com.apple.FolderActions.enabled.plist
-rw-r--r-- 1 mheister staff 517 Apr 3 20:35 com.apple.FolderActions.folders.plist
-rw-r--r-- 1 mheister staff 815 Jan 10 2009 com.apple.SafariBookmarksSyncer.plist
Instructions are to contact CS here if the response is more than one line. Suggestions???
F-Secure have a write up on Flashback.K...
see link:- http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml
Always check for Apple Mac OS X Security Updates via this site:-
What I really hate about Apple is that they release the security updates patches very late.
Please update your Java and Safari via Apple Software Update. Remember to always update
your Adobe Flash for Mac OS X from the main site (www.adobe.com). If you need to check for
the latest Adobe updates, please go to this site to check whether you have the latest version.
Remember to update the XProtect plist from your Apple Mac OS X Security. Follow the steps below with
Please also read the following sites:-
ESET Threat Centre has released these detections since 31032012
If you go to their main ESET Threat Centre site (link above), it seems they have released new variants of Flashback K ...
Detections dated 03 April 2012, 02 April 2012, 01 April 2012, and 31 March 2012.
Please take note of the new variant, Flashback R, which Intego detected.
Be on the lookout for any new virus detections for Mac OS X via these sites:- (Please keep this handy as always!!!)
(Kaspersky & Ikarus detection are same)
To send to F-Secure Support:
Please create the FSDIAG and attach the file via this link:-
The F-Secure Call Center is via:-
Also do an online chat with Tech Support. (Closed on public holidays)
Thank you for the quick and thorough reply!
Also please take note of the steps below which Norton recommends.
Follow the recommended steps as laid out by Norton.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
- Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
- Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
- Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
- Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
- Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
- Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
- If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
- Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
- Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
- Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
- Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
- If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
And those steps which I mentioned earlier. (Which are very, very important)
Anyway, does Safari have NoScript add-ons???
The best is to turn off Java and Flash.
Only use it when you know it is a trusted website.
Use CCleaner for Mac.
Download the MacScan trial if you suspect that your computer has been infected,
and do a full scan.
Be on the lookout for the latest security news or updates via www.us-cert.gov (US Homeland Security).
Some of the apps in the Apple App Store are malware. So be extra careful.
Be wary of iTunes Credit Card Scam.
Macintosh-5:~ leanderpaulboucher$ ls -lA ~/Library/LaunchAgents/
-rw-r--r-- 1 leanderpaulboucher staff 574 Oct 13 09:35 com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist
-rw-r--r-- 1 leanderpaulboucher staff 815 Jun 28 2011 com.google.keystone.agent.plist
Listed above are the file names that resulted in running:
ls -lA ~/Library/LaunchAgents/
I'm a noob at this. What does this mean? Am I infected or not and what do I do next?
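Both listings in this thread (this one and the first post's) contain more than one file, which the F-Secure instructions treat as a stop condition. A file count says nothing about what each agent actually starts, so here is an added example (my own code, not part of the thread and not F-Secure's removal tool) that parses every plist in a LaunchAgents directory with the standard-library plistlib module and reports the program each agent launches. It applies three heuristic flags of my own: the Label not matching the filename, the program living under a hidden directory, and the program path not existing. The script builds a constructed temporary home directory with three invented agents (the `com.example.*` and `com.vendor.tool` names and paths are assumptions for the demo); on a real Mac you would point `inspect_launch_agents` at `~/Library/LaunchAgents` instead. A flag is a reason to look closer, not a verdict: legitimate updaters such as Google's Keystone agent also live under the user's Library folder.

```python
"""Inspect LaunchAgents entries instead of only counting them.

Added example, not F-Secure's tool: reads each launchd plist with plistlib
and reports what it would launch, plus a few heuristic reasons to look closer.
"""
import os
import plistlib
import tempfile


def read_launch_agent(path):
    """Parse one launchd plist and return the fields a triage needs."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    program = data.get("Program")
    if program is None:
        args = data.get("ProgramArguments") or []
        program = args[0] if args else None
    return {
        "file": os.path.basename(path),
        "label": data.get("Label"),
        "program": program,
        "run_at_load": bool(data.get("RunAtLoad", False)),
    }


def inspect_launch_agents(directory):
    """Return one record per *.plist in the directory, in sorted order."""
    return [read_launch_agent(os.path.join(directory, name))
            for name in sorted(os.listdir(directory)) if name.endswith(".plist")]


def triage(entry):
    """Heuristic reasons (my own, not from the thread) an agent deserves a closer look."""
    program = entry["program"]
    if program is None:
        return ["no Program or ProgramArguments key"]
    reasons = []
    label = entry["label"] or ""
    # Convention: the file is named <Label>.plist; a mismatch is unusual.
    if entry["file"] != label + ".plist":
        reasons.append("label does not match filename")
    # A dot-directory component hides the binary from Finder and casual ls.
    if any(part.startswith(".") for part in program.split(os.sep)):
        reasons.append("program lives in a hidden directory")
    if not os.path.isfile(program):
        reasons.append("program path does not exist")
    return reasons


def write_plist(directory, name, payload):
    """Write one XML plist (helper for the constructed sample)."""
    with open(os.path.join(directory, name), "wb") as fh:
        plistlib.dump(payload, fh)


def build_sample(home):
    """Constructed sample: two ordinary-looking agents and one that is not."""
    agents = os.path.join(home, "Library", "LaunchAgents")
    os.makedirs(agents)
    app = os.path.join(home, "Applications", "Example.app", "Contents", "MacOS")
    os.makedirs(app)
    updater = os.path.join(app, "updater")  # assumed vendor binary, created empty
    open(updater, "w").close()
    write_plist(agents, "com.example.updater.plist",
                {"Label": "com.example.updater", "Program": updater, "RunAtLoad": True})
    write_plist(agents, "com.vendor.tool.plist",
                {"Label": "helper", "ProgramArguments": [updater, "--check"]})
    write_plist(agents, "com.example.sync.plist",
                {"Label": "com.example.sync",
                 "ProgramArguments": [os.path.join(home, ".hidden", "agent")],
                 "RunAtLoad": True})
    return agents


def run_demo():
    """Build the sample home, inspect it, and map each file to its triage reasons."""
    home = tempfile.mkdtemp()
    agents = build_sample(home)
    report = {}
    for entry in inspect_launch_agents(agents):
        reasons = triage(entry)
        report[entry["file"]] = reasons
        flag = "CHECK" if reasons else "ok"
        print(f"{flag:5} {entry['file']} -> {entry['program']} {'; '.join(reasons)}")
    return report


if __name__ == "__main__":
    run_demo()
```

The report it prints marks `com.example.updater.plist` as ok, `com.vendor.tool.plist` for its mismatched Label, and `com.example.sync.plist` for pointing at a missing binary inside a hidden directory; the last shape is the one worth taking to support with the file attached.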
What Chris and I posted are the same.
You can read my posting via the same site.
Here is the remedy: the Flashback I variant remover from F-Secure.
There is Flashback J which Eset is detecting.
dated NOD32 - v.7032 (20120406)
We have released a tool to remove the Flashback Mac OS X malware. You can refer to our weblog below:
I agree. This removal tool has helped me earlier with such problem. Thanks guys.
You're welcome lee.
I should give credit to the guys at F-Secure & the F-Secure SAS Team, the Project Managers!
They have done a great job at this!!! (Without them ... we won't be here by now.)
Keep up the good work guys.
Not to mention, CNET did a good job too.
- I'm always "the last in line". (Someone will know what I mean to this. He would LOL! Yeah D.I.O)