Security Query - BC.Exploit
#20527 02/04/12 06:22 PM
ryck (OP)
This morning I tried logging into my bank account but the bank did not recognize my machine and went to its security process of asking for the answer to a personal question.

The only time I've ever had that happen is when I've deleted a preference file.

I'm currently running a full disk scan of ClamXav (about 3/5 of the way through) and so far the scan log shows a quarantine for BC.Exploit.CVE_2011_3412.

Curiously it's attached to a very old Excel file...about 6 or 7 years. The file is one that the client will have kept on file so it's not an issue to delete it.

Once ClamXav is done, is there something I should be doing other than deleting files?

EDIT: The ClamXav scan was begun after I had first booted from my clone and used DiskWarrior to repair files and rebuild the directory. My first assumption was that I had done something that would cause the bank not to be able to find whatever it needs to find in order to recognize my machine.

YET ANOTHER EDIT: It's been a while since I've done a full disk scan but, when it was done previously (both by ClamXav and by Sophos), the BC Exploit item wasn't found.

UPDATE: ClamXav has concluded the scan and found BC Exploit in five places:

In the quarantine folder this is a .xls Excel file
/Data/dpi Media/Projects & Proposals/Clientname Projects/Union/Rating Process/RatersNotes04:19:04.xls: moved to '/Users/myname/Desktop/Quarantine/RatersNotes04:19:04.xls'

In the quarantine folder this is a textedit type of Document
/Users/myname/Library/Mail/Mailboxes/Projectname/~All Else/Raters Notes.mbox/mbox: moved to '/Users/myname/Desktop/Quarantine/mbox'

In the quarantine folder these three are mail messages
/Users/myname/Library/Mail/Mailboxes/Projectname/~All Else/Raters Notes.mbox/Messages/2197.emlx: moved to '/Users/myname/Desktop/Quarantine/2197.emlx'

/Users/myname/Library/Mail/Mailboxes/Projectname/~All Else/Reports-Data.mbox/Messages/2235.emlx: moved to '/Users/myname/Desktop/Quarantine/2235.emlx'

/Users/myname/Library/Mail/Mailboxes/Projectname/~All Else/Unsorted.mbox/Messages/2517.emlx: moved to '/Users/myname/Desktop/Quarantine/2517.emlx'


Last edited by ryck; 02/04/12 08:34 PM.

ryck

"What Were Once Vices Are Now Habits" The Doobie Brothers

iMac (Retina 5K, 27", 2020), 3.8 GHz 8 Core Intel Core i7, 8GB RAM, 2667 MHz DDR4
OS Ventura 13.6.3
Canon Pixma TR 8520 Printer
Epson Perfection V500 Photo Scanner c/w VueScan software
TM on 1TB LaCie USB-C
Re: Security Query - BC.Exploit
#20528 02/04/12 09:37 PM, in reply to ryck
alternaut (Moderator)
FWIW, the top file returned in a quick Google search for BC.Exploit.CVE_2011_3412 ClamX (and several similar ones) is this recent thread about results with ClamXav's Windows sister app, ClamWin. This thread suggests that this particular detection may be made in error*.

Searching the ClamX Support Forum yielded the recent thread More false positives?, with similar considerations. Beyond this, there is little hard evidence for an actual outbreak, despite the numbers of search results. Given this possibility, I wonder if a Sophos scan would produce the same result.

*) Separate from this there is mention of the preferability to quarantine suspect files rather than to remove them, if only because the latter prevents successful recovery of the file should the detection prove erroneous. It appears you already use this setting.


alternaut moderator
Re: Security Query - BC.Exploit
#20529 02/04/12 10:24 PM, in reply to alternaut
ryck (OP)
Originally Posted By: alternaut
Separate from this there is mention of the preferability to quarantine suspect files rather than to remove them, if only because the latter prevents successful recovery of the file should the detection prove erroneous. It appears you already use this setting.

And I have now gone back into ClamXav and changed the preferences so I won't do that again.

Fortunately this is a client file and so I have it backed up several ways, including the mail files. In this case, though, the likelihood of ever needing anything from this file (it contains several thousand emails and documents) is very slim.

Re: Security Query - BC.Exploit
#20530 02/04/12 10:25 PM, in reply to alternaut
ryck (OP)
Thank you very much. This is greatly appreciated.

Originally Posted By: alternaut
Beyond this, there is little hard evidence for an actual outbreak, despite the numbers of search results. Given this possibility, I wonder if a Sophos scan would produce the same result.

Good thought. I will run Sophos tonight (it takes about 8 hours to complete). In the meantime, I've gone to my Super Duper clone and replaced the .xls file that was quarantined so that it will come across the same file as ClamXav saw.

Fortunately this is a client file and so I have it backed up several ways, including the mail files. In this case, though, the likelihood of ever needing anything from this file is very slim. The project wrapped four years ago and the result has been going just fine.

Last edited by ryck; 02/04/12 10:28 PM.
Re: Security Query - BC.Exploit
#20531 02/04/12 11:47 PM, in reply to ryck
tacit
BC.Exploit is a Windows-only exploit that can be used to run arbitrary code on Windows XP, Vista, and 7 running Microsoft Publisher 2003 and Microsoft Publisher 2007. There is a memory issue in Publisher that allows an attacker to create a booby-trapped Publisher file which will infect a computer with malware if it opens the file in Publisher.

This vulnerability only affects Windows computers and only if they are running Microsoft Publisher. The vulnerability can only be found in .pub files; if you see it in other file types (such as Excel files), it's a false positive.


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
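An added example, not from the thread or from ClamXav itself, that turns tacit's rule of thumb into a triage check over the kind of "moved to" quarantine lines ryck quoted: a CVE_2011_3412 hit on anything other than a .pub file is marked as a likely false positive, and hits inside Apple Mail stores are marked as needing the attachment checked rather than the container. The log sample is constructed (paths shortened, the .pub line invented), and EXPECTED_EXTENSIONS encodes the post's claim as an assumption.

```python
import re
from pathlib import PurePosixPath

# Constructed sample in the "<path>: moved to '<quarantine path>'" format ClamXav
# logged in the thread (paths shortened; the last line is an invented .pub hit).
SAMPLE_LOG = """\
/Data/Projects & Proposals/Union/Rating Process/RatersNotes04:19:04.xls: moved to '/Users/myname/Desktop/Quarantine/RatersNotes04:19:04.xls'
/Users/myname/Library/Mail/Mailboxes/Projectname/~All Else/Raters Notes.mbox/mbox: moved to '/Users/myname/Desktop/Quarantine/mbox'
/Users/myname/Library/Mail/Mailboxes/Projectname/~All Else/Raters Notes.mbox/Messages/2197.emlx: moved to '/Users/myname/Desktop/Quarantine/2197.emlx'
/Users/myname/Documents/flyer.pub: moved to '/Users/myname/Desktop/Quarantine/flyer.pub'
"""

# Assumption taken from tacit's post: CVE-2011-3412 is a Microsoft Publisher bug, so a
# genuine hit for this signature should be a .pub file. Extend the table per signature.
EXPECTED_EXTENSIONS = {
    "BC.Exploit.CVE_2011_3412": {".pub"},
}

MOVED_RE = re.compile(r"^(?P<path>.+?): moved to '(?P<quarantine>[^']+)'$")

def parse_quarantine_log(text):
    """Return (original_path, quarantine_path) for each 'moved to' line; other lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = MOVED_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("quarantine")))
    return hits

def triage(signature, original_path):
    """Classify one quarantine event by whether the container type can carry the signature's target."""
    expected = EXPECTED_EXTENSIONS.get(signature)
    if expected is None:
        return "unknown-signature"  # no rule of thumb for this signature; look it up first
    p = PurePosixPath(original_path)
    # Apple Mail stores (.emlx messages, the per-mailbox 'mbox' file) wrap attachments,
    # so the container's own name says nothing; the attachment inside must be checked.
    if p.suffix.lower() == ".emlx" or p.name == "mbox":
        return "mail-container"
    return "review" if p.suffix.lower() in expected else "likely-false-positive"

def triage_log(signature, text):
    """Map every quarantined path in the log to its verdict."""
    return [(path, triage(signature, path)) for path, _ in parse_quarantine_log(text)]

if __name__ == "__main__":
    for path, verdict in triage_log("BC.Exploit.CVE_2011_3412", SAMPLE_LOG):
        print(f"{verdict:22} {path}")
```

A "likely-false-positive" verdict is a prompt to restore the file from backup and rescan it with a second engine, as ryck did with Sophos, not a reason to ignore the hit outright.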
Re: Security Query - BC.Exploit
#20534 02/05/12 01:20 AM, in reply to tacit
ryck (OP)
Originally Posted By: tacit
BC.Exploit is a Windows-only exploit that can be used to run arbitrary code on Windows XP, Vista, and 7 running Microsoft Publisher 2003 and Microsoft Publisher 2007.

This vulnerability only affects Windows computers and only if they are running Microsoft Publisher. The vulnerability can only be found in .pub files; if you see it in other file types (such as Excel files), it's a false positive.

Good to know it's benign.

So, to close the loop, I guess I can assume that I "got it" from someone using a Windows machine. During this project there was a lot of file-exchanging and, as I recall, I was the only Mac.

Can I further assume that the only reason it hasn't popped up until now is because previous scans ignored it - it not being a Mac issue? Although I have the "all clear" I will run the Sophos check for curiosity's sake to see if the false positive error is just ClamXav.

Re: Security Query - BC.Exploit
#20538 02/05/12 04:17 PM, in reply to alternaut
ryck (OP)
Originally Posted By: alternaut
....I wonder if a Sophos scan would produce the same result.

One of the "infected files" was restored and a Sophos full scan was conducted. Sophos did not identify the file as a problem so it appears the false positive issue is just with ClamXav.

Re: Security Query - BC.Exploit
#20541 02/05/12 06:40 PM, in reply to ryck
alternaut (Moderator)
Originally Posted By: ryck
Good to know it's benign.

Can I further assume that the only reason it hasn't popped up until now is because previous scans ignored it - it not being a Mac issue?

Sophos did not identify the [restored] file as a problem so it appears the false positive issue is just with ClamXav.

Thanks for the update, that's pretty much what I suspected. To follow up on the other comment and question, BC.Exploit isn't necessarily benign, but chances that it will affect you are small. You'd have to run the target MS software under susceptible versions of Windows on your Mac.

I also don't think you can assume that 'it' was ignored until now by ClamXav, assuming that the recent malware call was valid. Because of the scarcity of Mac threats, Mac anti-malware for the longest time has been mostly involved with detecting and neutralizing Windows threats, as they may be passed on unnoticed by Mac users via email etc. The issue of false positives (which seems what's happening) is likely caused by errors in ClamXav's signature file update.
