An open community 
of Macintosh users,
for Macintosh users.

FineTunedMac Dashboard widget now available! Download Here

Topic Options
#20527 - 02/04/12 10:22 AM Security Query - BC.Exploit
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
This morning I tried logging into my bank account but the bank did not recognize my machine and went to it's security process of asking for the answer to a personal question.

The only time I've ever had that happen is when I've deleted a preference file.

I'm currently running a full disk scan of ClamXav (about 3/5 of the way through) and so far the scan log shows a quarantine for BC.Exploit.CVE_2011_3412

Curiously it's attached to a very old Excel file...about 6 or 7 years. The file is one that the client will have kept on file so it's not an issue to delete it.

Once ClamXav is done, is there something I should be doing other than deleting files?

EDIT: The ClamXav scan was begun after I had first booted from my clone and used DiskWarrior to repair files and rebuild the directory. My first assumption was that I had done something that would cause the bank not to be able to find whatever it needs to find in order to recognize my machine.

YET ANOTHER EDIT: It's been a while since I've done a full disk scan but, when it was done previously (both by ClamXav and by Sophos), the BC Exploit item wasn't found.

UPDATE: ClamXav has concluded the scan and found BC Exploit in five places:

In the quarantine folder this is a .xls Excel file
/Data/dpi Media/Projects & Proposals/Clientname Projects/Union/Rating Process/RatersNotes04:19:04.xls: moved to '/Users/myname/Desktop/Quarantine/RatersNotes04:19:04.xls'

In the quarantine folder this is a textedit type of Document
/Users/myname/Library/Mail/Mailboxes/Projectname/~All Else/Raters Notes.mbox/mbox: moved to '/Users/myname/Desktop/Quarantine/mbox'

In the quarantine folder these three are mail messages
/Users/myname/Library/Mail/Mailboxes/Projectname/~All Else/Raters Notes.mbox/Messages/2197.emlx: moved to '/Users/myname/Desktop/Quarantine/2197.emlx'

/Users/myname/Library/Mail/Mailboxes/Projectname/~All Else/Reports-Data.mbox/Messages/2235.emlx: moved to '/Users/myname/Desktop/Quarantine/2235.emlx'

/Users/myname/Library/Mail/Mailboxes/Projectname/~All Else/Unsorted.mbox/Messages/2517.emlx: moved to '/Users/myname/Desktop/Quarantine/2517.emlx'



Edited by ryck (02/04/12 12:34 PM)
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS Mojave 10.14.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 1TB LaCie USB-C
Carbon Copy Clone on 500GB OWC Mercury OTG Pro

Top
#20528 - 02/04/12 01:37 PM Re: Security Query - BC.Exploit [Re: ryck]
alternaut Offline

Moderator

Registered: 08/04/09
FWIW, the top file returned in a quick Google search for BC.Exploit.CVE_2011_3412 ClamX (and several similar ones) is this recent thread about results with ClamXav's Windows sister app, ClamWin. This thread suggests that this particular detection may be made in error*.

Searching the ClamX Support Forum yielded the recent thread More false positives?, with similar considerations. Beyond this, there is little hard evidence for an actual outbreak, despite the numbers of search results. Given this possibility, I wonder if a Sophos scan would produce the same result.

*) Separate from this there is mention of the preferability to quarantine suspect files rather than to remove them, if only because the latter prevents successful recovery of the file should the detection prove erroneous. It appears you already use this setting.
_________________________
alternaut moderator

Top
#20529 - 02/04/12 02:24 PM Re: Security Query - BC.Exploit [Re: alternaut]
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: alternaut
Separate from this there is mention of the preferability to quarantine suspect files rather than to remove them, if only because the latter prevents successful recovery of the file should the detection prove erroneous. It appears you already use this setting.

And I have now gone back into ClamXav and changed the preferences so I won't do that again.

Fortunately this is a client file and so I have it backed up several ways, including the mail files. In this case, though, the likelihood of ever needing anything from this file (it contains several thousand emails and documents) is very slim.
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS Mojave 10.14.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 1TB LaCie USB-C
Carbon Copy Clone on 500GB OWC Mercury OTG Pro

Top
#20530 - 02/04/12 02:25 PM Re: Security Query - BC.Exploit [Re: alternaut]
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
Thank you very much. This is greatly appreciated.

Originally Posted By: alternaut
Beyond this, there is little hard evidence for an actual outbreak, despite the numbers of search results. Given this possibility, I wonder if a Sophos scan would produce the same result.

Good thought. I will run Sophos tonight (it takes about 8 hours to complete). In the meantime, I've gone to my Super Duper clone and replaced the .xls file that was quarantined so that it will come across the same file as ClamXav saw.

Originally Posted By: alternaut
Separate from this there is mention of the preferability to quarantine suspect files rather than to remove them, if only because the latter prevents successful recovery of the file should the detection prove erroneous. It appears you already use this setting.

And I have now gone back into ClamXav and changed the preferences so I won't do that again.

Fortunately this is a client file and so I have it backed up several ways, including the mail files. In this case, though, the likelihood of ever needing anything from this file is very slim. The project wrapped four years ago and the result has been going just fine.


Edited by ryck (02/04/12 02:28 PM)
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS Mojave 10.14.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 1TB LaCie USB-C
Carbon Copy Clone on 500GB OWC Mercury OTG Pro

Top
#20531 - 02/04/12 03:47 PM Re: Security Query - BC.Exploit [Re: ryck]
tacit Offline


Registered: 08/03/09
Loc: Portland, Oregon, USA
BC.Exploit is a Windows-only exploit that can be used to run arbitrary code on Windows XP, Vista, and 7 running Microsoft Publisher 2003 and Microsoft Publisher 2007. There is a memory issue in Publisher that allows an attacker to create a booby-trapped Publisher file which will infect a computer with malware if it opens the file in Publisher.

This vulnerability only affects Windows computers and only if they are running Microsoft Publisher. The vulnerability can only be found in .pub files; if you see it in other file types (such as Excel files), it's a false positive.
_________________________
Photo gallery, all about me, and more: www.xeromag.com/franklin.html

Top
#20534 - 02/04/12 05:20 PM Re: Security Query - BC.Exploit [Re: tacit]
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: tacit
BC.Exploit is a Windows-only exploit that can be used to run arbitrary code on Windows XP, Vista, and 7 running Microsoft Publisher 2003 and Microsoft Publisher 2007.

This vulnerability only affects Windows computers and only if they are running Microsoft Publisher. The vulnerability can only be found in .pub files; if you see it in other file types (such as Excel files), it's a false positive.

Good to know it's benign.

So, to close the loop, I guess I can assume that I "got it" from someone using a Windows machine. During this project there was a lot of file-exchanging and, as I recall, I was the only Mac.

Can I further assume that the only reason it hasn't popped up until now is because previous scans ignored it - it not being a Mac issue? Although I have the "all clear" I will run the Sophos check for curiosity's sake to see if the false positive error is just ClamXav.
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS Mojave 10.14.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 1TB LaCie USB-C
Carbon Copy Clone on 500GB OWC Mercury OTG Pro

Top
#20538 - 02/05/12 08:17 AM Re: Security Query - BC.Exploit [Re: alternaut]
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: alternaut
....I wonder if a Sophos scan would produce the same result.

One of the "infected files" was restored and a Sophos full scan was conducted. Sophos did not identify the file as a problem so it appears the false positive issue is just with ClamXav.
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS Mojave 10.14.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 1TB LaCie USB-C
Carbon Copy Clone on 500GB OWC Mercury OTG Pro

Top
#20541 - 02/05/12 10:40 AM Re: Security Query - BC.Exploit [Re: ryck]
alternaut Offline

Moderator

Registered: 08/04/09
Originally Posted By: ryck
Good to know it's benign.

Can I further assume that the only reason it hasn't popped up until now is because previous scans ignored it - it not being a Mac issue?

Sophos did not identify the [restored] file as a problem so it appears the false positive issue is just with ClamXav.

Thanks for the update, that's pretty much what I suspected. To follow up on the other comment and question, BC.Exploit isn't necessarily benign, but chances that it will affect you are small. You'd have to run the target MS software under susceptible versions of Windows on your Mac.

I also don't think you can assume that 'it' was ignored until now by ClamXav, assuming that the recent malware call was valid. Because of the scarcity of Mac threats, Mac anti-malware for the longest time has been mostly involved with detecting and neutralizing Windows threats, as they may be passed on unnoticed by Mac users via email etc. The issue of false positives (which seems what's happening) is likely caused by errors in ClamXav's signature file update.
_________________________
alternaut moderator

Top

Moderator:  alternaut, dianne, MacManiac