Re: 14 antivirus apps found to have security problems.

Aspirant


Hi Calvin,

Do you guys have a product that you think would disinfect an already very infected Mac? I've managed to stump 3 very highly acclaimed Mac specialists here in LA; their suggestions were unable to rid my system of my attacker (we believe they have law enforcement capabilities, but illegal use). The last engineer finally seemed to find the root of the problem but not the solution. I'm told I have spoofing certificates, which I've definitely found, exploits of the DaVinci rootkit which is heavily encrypted in my EFI sector?, malicious tracking cookies, and a lot of coding; seems all my apps are working against me, including my antivirus program Kaspersky. If you think you have something that may resolve this, or better yet, help figure out where it came from (because it's completely turned my life upside down), I'd be very interested in knowing about it. I believe I know who's behind it; I have a lot of IP addresses pointing to one company, but need a little more than that. No law enforcement agency will help ;/ even with a lot of proof; they just don't see this every day and don't know what to do with it, I suppose. The FBI just thinks I'm talking about some little Trojan I can get rid of with most virus removers. Won't hear me out.
Thanks for your time,
Looking for my life back!
Michelle
Senior Advisor


Hi Michelle,

You can try F-Secure Antivirus for Mac as a free 30-day trial.

But you need to remove the other antivirus on your Mac first.

http://www.f-secure.com/en/web/home_global/anti-virus-for-mac#trial

If both your Windows and Mac machines are infected, you need one antivirus for Mac and one antivirus for Windows.

For Antivirus for Windows, try the 30-day trial...

http://www.f-secure.com/en/web/home_global/anti-virus#trial

Please see my previous post:

http://community.f-secure.com/t5/Home-Security/Crisis-MORCUT-Mac-OSX-Malware/td-p/15056

Other links:

http://securelist.com/blog/research/64215/adobe-flash-player-0-day-and-hackingteams-remote-control-s...

http://news.drweb.com/?i=2604&lng=en

Unfortunately, Dr.Web Light Antivirus for Mac is no longer a free version.

You have to make a purchase via the Apple App Store.

https://itunes.apple.com/us/app/dr.web-light/id471859438?mt=12

I recommend you check this site for known Mac malware...

http://www.thesafemac.com/

There are free ones which you can try...

http://www.avira.com/en/download/product/avira-free-antivirus-for-mac

http://www.clamxav.com/

Known spyware for Mac (not malware, but spyware):

http://macscan.securemac.com/spyware-list/

Known Mac adware:

http://www.thesafemac.com/arg/

Senior Advisor


Michelle,

If you happen to have the latest Crisis malware, then you can try Intego VirusBarrier.

http://www.intego.com/antivirus-internet-security-x8#/virusbarrier-x8

See the link here:

http://www.intego.com/mac-security-blog/new-osx-crisis-variant-invokes-pope-francis/

New OSX/Crisis Variant Invokes Pope Francis
Posted on January 20th, 2014 by Arnaud Abbati

A new sample of OSX/Crisis, the too popular Da Vinci rootkit from Hacking Team, reached our Malware Lab during the weekend. We currently do not have information about the origin of the file on VirusTotal, named "Frantisek," but it is an Eastern European first name meaning Francis. Could it be related to Pope Francis?

Like the previous variants, OSX/Crisis.C is delivered through a dropper that installs silently, without requiring a password, and works on Mac OS X 10.5, 10.6, and 10.7. However, Hacking Team has updated some of the dropper code and the backdoor configuration file format.

The dropper executes an unusual segment: __INITSTUB. The original entry point EIP points to this code segment before reaching the almost empty _main function of the program. For this reason, an incautious researcher using a debugger could get infected without even noticing it. While it uses a different way to resolve system symbols, it crashes on OS X Mountain Lion or OS X Mavericks (segmentation fault). This might be a 64-bit bug in the malware.

[Screenshot: the resolved symbols hash of the dropper in IDA]

When the dropper runs successfully, it hides the following files in the user's home directory (in the Library/Preferences folder), inside a fake application bundle called OvzD7xFr.app:

- 1 backdoor: 8oTHYMCj.XIl (32-bit)
- 1 configuration file: ok20utla.3-B
- 2 kernel extensions: Lft2iRjk.7qa (32-bit) and 3ZPYmgGV.TOA (64-bit)
- 1 scripting addition: EDr5dvW8.p_w (FAT)
- 1 XPC service: GARteYof._Fk (FAT)
- 1 TIFF image, a System Preferences icon ripped from the Linkinus preferences panel: q45tyh

Then it executes the backdoor and finishes the installation by creating a LaunchAgent file, com.apple.mdworker.plist. Similar to OSX/Crisis.B, this binary is obfuscated using the MPress packer.

It doesn't run on OS X 10.9 as it is linked against the Apple System Profiler private framework, SPSupport, which is now 64-bit only; an "Image not found" exception is raised, and then it crashes. Furthermore, on a supported target, the backdoor simply uninstalls its files and quits. This could be related to a corrupted configuration file (the sample one starts with NULL bytes).

Other than a few new tricks, the features implemented by the backdoor component are similar to previous variants: it patches the Activity Monitor application to hide itself, takes screenshots, captures audio and video, gathers user locations, connects to WiFi hotspots, syncs collected data with a Command and Control (C&C) server, and tricks the user using social engineering to gain System Administrator privileges and drop its rootkit.

At the time of this writing, the overall detection rate on VirusTotal is very low. Intego VirusBarrier with up-to-date malware definitions protects Mac users against this malware, detected as OSX/Crisis.C.


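The Intego write-up quoted above spells out the on-disk layout OSX/Crisis.C leaves behind: a fake application bundle under ~/Library/Preferences, a fixed set of component filenames inside it, and a LaunchAgent named com.apple.mdworker.plist that starts the backdoor. That layout can be checked for directly. The script below is an added example for this thread, not code from the forum, from F-Secure or from Intego: the bundle and file names are the ones the post quotes, while the two extra heuristics (an .app bundle inside the Preferences folder, and a com.apple.* agent living in the per-user LaunchAgents folder rather than /System/Library/LaunchAgents) are this example's own assumptions. The fixture it scans is a constructed, empty-file copy of that layout, so it runs offline on any machine.

```python
"""Added example: not code from the forum thread, F-Secure or Intego.
Checks a macOS home directory for the OSX/Crisis.C on-disk layout described
in the Intego post (names quoted from that post); the extra heuristics are
this example's own assumptions."""
import plistlib
import tempfile
from pathlib import Path
from typing import List

CRISIS_BUNDLE = "OvzD7xFr.app"                    # fake app bundle in ~/Library/Preferences
CRISIS_LAUNCH_AGENT = "com.apple.mdworker.plist"  # LaunchAgent the dropper creates
CRISIS_FILES = {
    "8oTHYMCj.XIl",  # backdoor (32-bit)
    "ok20utla.3-B",  # configuration file
    "Lft2iRjk.7qa",  # kernel extension (32-bit)
    "3ZPYmgGV.TOA",  # kernel extension (64-bit)
    "EDr5dvW8.p_w",  # scripting addition (FAT)
    "GARteYof._Fk",  # XPC service (FAT)
    "q45tyh",        # TIFF icon taken from the Linkinus preference pane
}


def launch_agent_targets(plist_path: Path) -> List[str]:
    """Return the executable paths a LaunchAgent plist would start."""
    try:
        with plist_path.open("rb") as fh:
            data = plistlib.load(fh)
    except Exception:  # unreadable or not a plist: nothing to report
        return []
    if not isinstance(data, dict):
        return []
    targets: List[str] = []
    if isinstance(data.get("Program"), str):
        targets.append(data["Program"])
    args = data.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        targets.append(args[0])
    return targets


def scan_home(home: Path) -> List[str]:
    """Return one finding string per suspicious item under `home`."""
    findings: List[str] = []
    prefs = home / "Library" / "Preferences"
    agents = home / "Library" / "LaunchAgents"

    # 1. Exact match on the bundle and component names from the Intego post.
    bundle = prefs / CRISIS_BUNDLE
    if bundle.is_dir():
        findings.append(f"Crisis.C bundle present: {bundle}")
        for p in bundle.rglob("*"):
            if p.name in CRISIS_FILES:
                findings.append(f"Crisis.C component: {p}")

    # 2. Heuristic (assumption): ~/Library/Preferences holds plist files, so any
    #    other .app bundle there is worth a look even if the name has changed.
    if prefs.is_dir():
        for p in prefs.iterdir():
            if p.is_dir() and p.suffix == ".app" and p.name != CRISIS_BUNDLE:
                findings.append(f"Unexpected app bundle in Preferences: {p}")

    # 3. Heuristic (assumption): Apple's own com.apple.* agents are installed in
    #    /System/Library/LaunchAgents, not the per-user folder, and no legitimate
    #    agent should start a binary from inside ~/Library/Preferences.
    if agents.is_dir():
        for plist in sorted(agents.glob("*.plist")):
            targets = launch_agent_targets(plist)
            if plist.name == CRISIS_LAUNCH_AGENT:
                findings.append(f"Crisis.C LaunchAgent: {plist} -> {targets}")
            elif plist.name.startswith("com.apple."):
                findings.append(f"Apple-named agent in user folder: {plist} -> {targets}")
            for t in targets:
                if t.startswith(str(prefs)):
                    findings.append(f"Agent runs code from Preferences: {plist} -> {t}")
    return findings


def plant_sample_layout(home: Path) -> None:
    """Constructed, inert test fixture: empty files laid out as the post
    describes, plus a LaunchAgent pointing at the fake backdoor."""
    macos = home / "Library" / "Preferences" / CRISIS_BUNDLE / "Contents" / "MacOS"
    macos.mkdir(parents=True, exist_ok=True)
    for name in CRISIS_FILES:
        (macos / name).write_bytes(b"")
    agents = home / "Library" / "LaunchAgents"
    agents.mkdir(parents=True, exist_ok=True)
    with (agents / CRISIS_LAUNCH_AGENT).open("wb") as fh:
        plistlib.dump({"Label": "com.apple.mdworker", "RunAtLoad": True,
                       "ProgramArguments": [str(macos / "8oTHYMCj.XIl")]}, fh)


def demo_scan(infected: bool) -> List[str]:
    """Scan a throwaway home directory, optionally seeded with the fixture."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        if infected:
            plant_sample_layout(home)
        return scan_home(home)


if __name__ == "__main__":
    for line in demo_scan(infected=True):
        print(line)
    # On a real Mac: for line in scan_home(Path.home()): print(line)
```

On an actual Mac you would call scan_home(Path.home()) for each user account. A clean result only says that this particular layout is absent, which on 10.9.3 is what the same write-up predicts, since it says the sample crashes on Mavericks; it says nothing about other malware. Because the post also mentions that the backdoor patches Activity Monitor, a complementary check on the Mac itself is codesign --verify --deep on /Applications/Utilities/Activity Monitor.app, which fails if the bundle's contents no longer match Apple's signature.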
Aspirant


Thank you so much for your reply. Now I know you get a ton of people a day that aren't that, for lack of a better word, properly versed in all the many types of malicious goings-on out there, and I'm not saying I'm an expert by ANY means. However, I've hired some of the best, knowledgeable in this specific field, people to take a look at what is going on (very reluctantly, and for quite a price), and they finally did. They were actually excited! Due to it being something, like I said before, new they had not encountered nor heard of in the community. Apparently this thing installs before the operating system and highly disguises itself and is heavily encrypted. I can't uninstall Adobe, nor any of my other security or regular apps, and I'm talking about removing them using Terminal scripting, not just drag to trash. It acts/appears like it's gone, but in fact nothing changes. I'm telling you, these people (the hackers) have more control/permissions on my computer than I do as the administrator. They definitely have root access, but it appears as I do. I turned on my computer today and in ONE second where I did nothing but turn it on and open Console, there were over 100 console outputs, as if I was very active on my machine in that 1 SECOND! I saw a lot of "try to remove observer from null key path". I have pictures of everything. Some warnings, network changes (mind you, I was connected to the Ethernet the entire time, it's all I'll use now); the MAC address en1 output it says in my Console does not match that of the one in my System Preferences while on Ethernet. I've never enabled Bluetooth, in fact I deleted it, never signed into iCloud, never turned on Find My Mac, haven't even entered my new Apple ID into this machine since wiping it and reinstalling OS X. I've gotten a new hard drive, 2 new routers and a modem. Had 4 different specialists/engineers diagnose it, using some fancy program to totally wipe everything from my system. Still it continues.
If I can attach some screenshots from today I'm going to try; again, this was when I turned on the machine and nothing else other than open Console.
I am willing to pay for a program, no problem, as long as you think it will work. I'm very sceptical it will, because very reputable people have told me this is not a common malware/spyware thing that can be removed with a program; I'm told I will need the means and technology of something/someone bigger like law enforcement to help. Problem is, I believe it's law enforcement that's doing this ;( Basically I feel hopeless; I can't even go to Adobe help because my computer won't allow me to the site. Is this not something your company might be interested in looking into? I can send you my logs. Apple had me make a copy of all of them but then said all they could do was wipe the system, which I've done and it didn't work. ;(
It really is a case of a very rich man (who owns a company I used to work for and am in 2 lawsuits with) abusing his power to violate and break MANY LAWS, because no one is going to stop him. He's giving an order to have a company illegally monitor me. I need a judge to court-order this company to show me the warrant they're supposed to have in order to do this, then explain why they've broken ALL of their own company rules on how and what they can monitor. They're trying to scare me quiet due to knowledge I have, and ya know what? Sad but it's true. They're going to get away with a 200,000 lawsuit and illegally firing me, and security fraud, tax evasion, just to name a few, because no one will listen to me. All the evidence is right there.
Sorry, had to vent there... Phew!!!!! If you're still reading I'm amazed!
Point is I'll try anything, I don't want to give up. The last specialist that did the semi-forensics gave me a little disk drive to give to whoever might help, with all the info on it.
I know your company is interested in new strains and sorts of attacks; would they be interested maybe in looking at this? Everyone that's looked at it can't figure it out, seems to be a mishmash of many things. And still going.
Do you have customer support I might call to walk me through the installation of the product you recommend in case I have trouble, and assure it doesn't get corrupt like Kaspersky did?
Again, I can't explain how much I appreciate your time. I hope you may find this somewhat interesting.
Michelle

OK, couldn't attach a photo, but one line said something about:
Kav_agent:
Object [221]: class KLThreatToString is in both /Library/ApplicationSupport/Kaspersky/Lab/Kav/Applications/Kaspersky Anti-Virus Agent.app/contents/MacOS/Kav_agent. One of the two will be used. Which one is undefined.

As well as:
configd: network changed: V4(en0+ 192.168.0.106) DNS+Proxy

I didn't change it or do anything and was on Ethernet with everything else not only turned off but
Aspirant


OK, I know you know A LOT more than I, but that all is EXACTLY what has happened! Except I have Mavericks 10.9.3, I swear. You just nailed it with that last article you posted; it is exactly what is happening, but I have even more.
Aspirant


Is there any way I can email you some screenshots? I definitely have logs in my Console and files re: Launchserviced (maybe normal, I don't know) but it refers to application "System Preferences" isn't in fPermittedfrontapps...... blah blah, so isn't permitting.

com.apple.appkit.xpc.documentPopoverViewService: Assertion failed: 13E28: liblaunch.dylib + 25164 [A50A0C7B-3216-3984-8AE0-B503BAF1DADA]: 0x25

Then the same com.apple.appkit......
Something about a "Bogus event received by listener connection."

Does this mean anything to you?
If you think your products can take care of this I will buy ANYTHING; only thing is, I sort of wanted the info if I ever am able to use it to prosecute the company I believe did it. (I'm in a lawsuit with their sister company.) They are a monitoring company for law enforcement and are supposed to have a warrant to be monitoring me, not even in the way they are. This is just illegal for anyone! But that's why they have the technology. I have IPs logging into my email every day, tracing back to their home office. Can't be coincidence.
Anyway, unique situation, not quite sure what to do, and no agency or gov't will help. Sort of unbelievable.
Thanks for any more advice!!
Senior Advisor


Okay...

I have to let you know that I do not work for F-Secure. But I can try my best to help you.

You are using Mac OS X 10.9.3 Mavericks.

May I know which Apple computer you are using? iMac, Mac mini, MacBook Air, MacBook Pro?

I understand that you are currently using Kaspersky.

Did you call Kaspersky tech support for help? Have you checked the Kaspersky support web page, like the link below? Because right now you are on the F-Secure forum, not Kaspersky's....

http://support.kaspersky.com/kismac

Have you done a full scan with your Kaspersky Anti-Virus for Mac?

Since you are in the F-Secure forum, did you send the infected DaVinci file to F-Secure for analysis?

http://www.f-secure.com/en/web/labs_global/submit-samples/sas

Click on "submit sample" to send the infected file over to F-Secure for analysis.

You have to create an account and register in order to send the virus-infected file to F-Secure for analysis.

If you intend to install the F-Secure Antivirus for Mac trial version (free for 30 days only), you need to uninstall Kaspersky Anti-Virus, because you can only use one antivirus if you need to run F-Secure Antivirus for Mac.

You can go to F-Secure chat online (provided you are using F-Secure Antivirus for Mac).

http://www.f-secure.com/en/web/home_global/support/contact/chat

F-Secure is located in Finland.


Senior Advisor


The best option is to record it on video with your camera phone or a video camera.

If you are innocent, at least you have proof to back you up.

This is malware; there is nothing to be alarmed about...


Senior Advisor


Alternatively,

Have you tried another antivirus to detect it?

Like Intego, for instance...

Does the article below fit the description of what you have seen on your Mac?

http://www.intego.com/mac-security-blog/new-osx-crisis-variant-invokes-pope-francis/

Because a virus comes with many variants...

You can download the Intego VirusBarrier trial version free for a period of time.

You can go to this link:

http://www.intego.com/mac-protection-bundle-x8#/virusbarrier-x8

Click on the free trial button,

enter your email,

and wait for Intego's reply,

then download the software from the link given in the email reply from Intego

and install Intego VirusBarrier.

Once you have done that,

do a "Full Scan"

and see if it can detect the malware and remove or delete it.


Aspirant


Oh my god, thank you sooo much. I'm doing this tomorrow. I don't have a PC; this is all happening on my MacBook Pro. I called Kaspersky.... Not much help. They couldn't quite wrap their head around it.