Re: THE CYBER-SECURITY THREAD
grelber #21408 04/05/12 11:00 PM
Joined: Aug 2009
Likes: 1
Moderator
First I recommend you update Java if you have an older version installed; that will block the current malware.

As to detection (and eventual removal) of the trojan's presence in Firefox, I don't know. The Safari instructions look for certain items the trojan installs at certain locations. While you can easily substitute 'Firefox' for 'Safari' in the Terminal command, it's by no means certain (although likely) that the malware-installed items have the same name or are at a comparable location for the response to be meaningful. We'd need confirmation of this one way or the other.


alternaut moderator
Re: THE CYBER-SECURITY THREAD
alternaut #21410 04/06/12 12:39 AM
Joined: Aug 2009
Likes: 4
See my earlier posts (#21376 and #21379) in this thread, re Java.

Re: THE CYBER-SECURITY THREAD
grelber #21415 04/06/12 06:23 AM
Joined: Aug 2009
Likes: 15
Java for OS X Lion 2012-002 (which, at the moment, links to the "Java for OS X Lion 2012-001" Apple doc) just turned up, but it's not clear yet what it's all about. (*)

You may find several articles on this MacFixIt - CNET Reviews page, How to remove the Flashback malware from OS X in particular, both informative and helpful.

Edit: The latter linked article includes location/removal instructions for Firefox.

and

(*) For the non-believers. (And:

Originally Posted By: Apple - Support - Downloads
Java for OS X Lion 2012-002
About Java for OS X Lion 2012-002
April 03, 2012 - 66.9 MB

which is also confusing...old date on new release.)

Last edited by artie505; 04/06/12 08:42 AM. Reason: Clean up/Expand

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: THE CYBER-SECURITY THREAD
artie505 #21417 04/06/12 09:21 AM
Joined: Aug 2009
Likes: 4
Software Update identifies my needing Java for OS X Lion 2012-002 and it appears to want to update Java SE 6 to exactly that which the -001 version already. Weird. I'm going to hang loose on this one.

The CNET review article looks enticing, but I'm awfully skittish about running Terminal.
If I do anything in Terminal, could I possibly damage/alter my software or hardware in any manner? If so, then I'm not going to attempt it.

EDIT:
OK, I took a leap of faith and ran the 4 detection commands in Terminal. 'Twould appear that nothing is awry and/or rotten in my iMac. {sigh}

Last edited by grelber; 04/06/12 09:56 AM. Reason: Update
Re: THE CYBER-SECURITY THREAD
grelber #21418 04/06/12 09:59 AM
Joined: Aug 2009
Likes: 15
Originally Posted By: grelber
Software Update identifies my needing Java for OS X Lion 2012-002 and it appears to want to update Java SE 6 to exactly that which the -001 version already. Weird. I'm going to hang loose on this one.

The CNET review article looks enticing, but I'm awfully skittish about running Terminal.
If I do anything in Terminal, could I possibly damage/alter my software or hardware in any manner? If so, then I'm not going to attempt it.

Yeah, I noticed that the "new" updated Java had the same version number as the "old" one, so I don't blame you for hanging back until Apple updates its doc and clarifies.

Terminal... If you copy and paste the commands you'll be safe. By way of example, I've run the "search" commands, and they generated the exact output the article said they would...

Code:
Artie-s-Computer-4:~ artie$ defaults read /Applications/Safari.app/Contents/Info LSEnvironment
2012-04-06 06:39:50.014 defaults[784:903] 
The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist
Artie-s-Computer-4:~ artie$

CAVEAT: Terminal commands are always subject to typos by their posters, so you can accommodate your skittishness by avoiding the "destroy" commands, if your iMac is, indeed, infected, until you know they've been tested. (I didn't look, but you may find confirmation in the comments appended to the article.)

In closing, though... Both being a bit of a gambler and having a current backup, I've run any number of Terminal commands posted here on FTM, as well as many others gleaned from sources such as MacFixIt - CNET, and the worst scenario I've ever encountered was a command not running.

Edit: Crossed in the mail...good for you! I was terrified of Terminal at first, but I've come to realize that it's both benign and enormously useful.

Last edited by artie505; 04/06/12 10:05 AM.

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: THE CYBER-SECURITY THREAD
artie505 #21419 04/06/12 10:02 AM
Joined: Aug 2009
Likes: 4
RE Terminal... If you copy and paste the commands you'll be safe. By way of example, I've run the "search" commands, and they generated the exact output the article said they would...

That's exactly what I did.

Aside: We seem to be running up each other's tailpipes in posting.

Re: THE CYBER-SECURITY THREAD
grelber #21420 04/06/12 10:43 AM
Joined: Aug 2009
Likes: 4
Something is very wacky at Apple.

The other software update which popped up yesterday is:

Digital Camera RAW Compatibility Update 3.12
This update adds RAW image compatibility to Aperture 3 and iPhoto '11.
• Canon EOS 5D Mark III
April 05, 2012 - 8 MB

But it too points to a previous update:

http://support.apple.com/kb/DL1513

Digital Camera RAW Compatibility Update 3.11
This update adds RAW image compatibility for the following camera to Aperture 3 and iPhoto '11
• Nikon D800
March 22, 2012 - 7.50 MB

Somebody ain't looking after the shop. And it's way too late for an April Fool's Day prank.

Re: THE CYBER-SECURITY THREAD
grelber #21421 04/06/12 11:04 AM
Joined: Aug 2009
Likes: 15
Updates have been linked to outdated Apple docs consistently, although not necessarily universally, for a while, now.

But don't y'all worry, 'cuz "It just works!"


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: THE CYBER-SECURITY THREAD
grelber #21422 04/06/12 02:46 PM
Joined: Aug 2009
Likes: 1
Moderator
Glad to hear that the Java update issue has been settled (more or less), and that my Terminal guesstimate of the Flashback detection for Firefox was correct. I had run it myself before posting, but since it's a read command a negative result doesn't necessarily mean much.

It's perhaps good to mention again that an additional measure of protection against these variants is afforded by the presence of certain utilities, mostly of the anti-malware or packet sniffer kind. That may not last (and it won't work if you fall for the trojan's request for your password), but at least it's there now for those who are not offered a Java update.


alternaut moderator
Re: THE CYBER-SECURITY THREAD
artie505 #21428 04/06/12 08:42 PM
Joined: Aug 2009
Likes: 4
Yu wuz right, re RAW Camera Update 3.12:
Even though it pointed to 3.11 (which, strangely enough, seems to have disappeared from the Support Downloads page), downloading it produced the correct update.

In my case, 7.6MB took 15.5 minutes to download; the last 1MB took 235 sec to download = 4.2 KB/sec.

So, I'm going to wait to get to a high-speed access to download the 'new' Java 2012-002 (if only to see how it might differ from the Java 2012-001 which I installed the other day).

Re: THE CYBER-SECURITY THREAD
grelber #21429 04/06/12 09:13 PM
Joined: Aug 2009
Likes: 15
I just d/l'ed from the Apple v 001 page (the v 002 page to which I linked earlier), and got a package identified by command-I as "Java for OS X 2012-002," the checksum of which differs from that of v 001, so there's apparently some difference between the two.

Last edited by artie505; 04/07/12 12:13 AM.

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: THE CYBER-SECURITY THREAD
artie505 #21432 04/06/12 09:53 PM
Joined: Aug 2009
Web tool checks if your Mac is Flashback-free.

I suppose (hope) this is ok to use, but until I know more about this gang and their bona-fides, a bit of caution can't hurt.

Please, if someone knows the credentials of Dr.Web (as I do not), then enlightenment is indeed most welcome.


Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: THE CYBER-SECURITY THREAD
Pendragon #21433 04/06/12 10:05 PM
Joined: Aug 2009
Likes: 15
Why bother?

How to (Added: find and) remove the Flashback malware from OS X has already been tested...its "search" functionality, anyhow - neither of us had need for "destroy" - by myself and grelber among, I assume, many others.

Last edited by artie505; 04/06/12 10:06 PM. Reason: Clean up link

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: THE CYBER-SECURITY THREAD
Pendragon #21434 04/07/12 12:05 AM
Joined: Aug 2009
Likes: 1
Moderator
I agree with Artie here: the 3 Terminal commands provided in his link are easy to run (copy & paste!). No need to involve an unknown entity like Dr. Web. In the rather unlikely case that you should prove positive for a Flashback variant, we'll see about the best way forward.


alternaut moderator
Re: THE CYBER-SECURITY THREAD
alternaut #21435 04/07/12 12:10 AM
Joined: Aug 2009
Likes: 15
> the 3 Terminal commands [....]

grelber's reference to four commands confused me until I noticed this:

Quote:
In addition to the above commands, you can check for the presence of invisible .so files that past variants of the malware create in the Shared user directory by running the following command in the Terminal:
ls -la ~/../Shared/.*.so


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
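
Added example, not part of any post in this thread or of the linked MacFixIt article: the read-only checks quoted above (the `defaults read ... LSEnvironment` query, with Firefox substituted for Safari as alternaut suggested, and the hidden `.so` listing) wrapped in a script that reports each result separately. The function names, the result labels and the `/Applications/Firefox.app` path are assumptions of this example.

```bash
#!/bin/sh
# Added example: read-only Flashback checks from this thread. Nothing is deleted.

# Query LSEnvironment in an app bundle's Info.plist, as in the Safari command
# quoted in the thread. Prints one label (labels are this example's own):
#   not-installed  bundle missing, so a "does not exist" reply would mean nothing
#   unknown        no `defaults` tool, or an error other than a missing key
#   absent         key missing (the result shown in the thread's sample output)
#   present        key exists; inspect its value before drawing conclusions
check_app() {
    ca_app=$1
    if [ ! -d "$ca_app" ]; then echo not-installed; return 0; fi
    if ! command -v defaults >/dev/null 2>&1; then echo unknown; return 0; fi
    if ca_out=$(defaults read "$ca_app/Contents/Info" LSEnvironment 2>&1); then
        echo present
    else
        case $ca_out in
            *"does not exist"*) echo absent ;;
            *) echo unknown ;;
        esac
    fi
}

# List hidden .so files in the Shared user directory (the `ls -la` check).
# An unmatched glob stays literal, so test each candidate for existence.
hidden_so_files() {
    hs_dir=${1:-$HOME/../Shared}
    for hs_f in "$hs_dir"/.*.so; do
        if [ -e "$hs_f" ]; then printf '%s\n' "$hs_f"; fi
    done
    return 0
}

# Run every check and print one line per result.
flashback_report() {
    for fr_app in /Applications/Safari.app /Applications/Firefox.app; do
        printf '%s: LSEnvironment %s\n' "$fr_app" "$(check_app "$fr_app")"
    done
    fr_hits=$(hidden_so_files)
    if [ -n "$fr_hits" ]; then
        printf 'hidden .so files in Shared:\n%s\n' "$fr_hits"
    else
        echo 'no hidden .so files in Shared'
    fi
}

flashback_report
```

Reporting `not-installed` separately from `absent` keeps a missing browser from being read as a clean result.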
Re: THE CYBER-SECURITY THREAD
artie505 #21436 04/07/12 12:32 AM
Joined: Aug 2009
From <<http://www.macintouch.com/readerreports/security/topic4832.html#d06apr2012>> :


David Henderson

I found this email at:
http://prod.lists.apple.com/archives/java-dev/2012/Apr/msg00022.html

Java developers,

Today we re-shipped our Java 1.6.0_31 for OS X Lion today to address a critical issue we found in Xcode and the Application Loader tool. This new "Java for OS X 2012-002" package is effectively identical to "Java for OS X 2012-001", with the exception of a few symlinks and version numbers.

For the sake of expediency, we have re-rolled the automatic update as our standard full combo updater, with the hope that most users have not yet been presented with 2012-001. We considered creating a delta update for users who already installed 001, but that would have made the process of getting these fixes to you take longer.

We apologize for the inconvenience, and would like to offer our thanks to the developers who caught this issue and reported it to us as quickly as they did. This issue only impacts Lion users, so Snow Leopard users have nothing to reinstall.

Over the next few days, we will catch up with producing updated release notes, tech notes, and developer packages with the revised 002 version numbers.

<snip>


MicroMat Inc
Makers of TechTool
Re: THE CYBER-SECURITY THREAD
MicroMatTech3 #21437 04/07/12 12:46 AM
Joined: Aug 2009
Likes: 15
Thanks for that. I'll credit it as a semi-reasonable excuse, but only semi, because they could have gotten the word out immediately by including it in the release-note to the Software Update item. (I'm assuming that they didn't...don't run Lion, can't check, and nobody's posted otherwise.)


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: THE CYBER-SECURITY THREAD
Pendragon #21440 04/07/12 06:52 AM
Joined: Aug 2009
Likes: 15
Dr. Web, "the same Russian security firm that's been tracking the scope and scale of the Flashback malware's spread worldwide," has just turned up on MacFixIt....

Quote:
In order to do this, it cross-checks your Mac's unique hardware with its own database of machines that have been compromised. If it doesn't find your machine, you're in the clear.

Sorry, but I dunno about that...certainly wouldn't recommend it.

How has Dr. Web accumulated this database?

tacit?


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: THE CYBER-SECURITY THREAD
MicroMatTech3 #21445 04/07/12 09:00 AM
Joined: Aug 2009
Likes: 4
Originally Posted By: MicroMatTech3
...
For the sake of expediency, we have re-rolled the automatic update as our standard full combo updater, with the hope that most users have not yet been presented with 2012-001. We considered creating a delta update for users who already installed 001, but that would have made the process of getting these fixes to you take longer.

So ... Does this mean that those of us running Lion and who have installed 2012-001 should not install 2012-002, even though Software Update thinks that we should?

Re: THE CYBER-SECURITY THREAD
grelber #21446 04/07/12 09:11 AM
Joined: Aug 2009
Likes: 15
> We considered creating a delta update for users who already installed 001, [....]

No, it means you should install it.

Rather than take the time to prepare both an update to 001 for those who've already installed it and 002 for those who haven't, Apple simply released 002, which is applicable to both. 002 is a "combo."


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: THE CYBER-SECURITY THREAD
artie505 #21447 04/07/12 09:16 AM
Joined: Aug 2009
Likes: 4
Okey-dokey.

Re: THE CYBER-SECURITY THREAD
grelber #21448 04/07/12 09:38 AM
Joined: Aug 2009
Likes: 15
In case you didn't see it, you should be aware of this exchange quoted from MMT3's first linked source:

Quote:
Ira Lansing
Re:
When I download the installer and open, I get this message;
"There may be a problem with this disk image. Are you sure you want to open it? Opening this disk may make your computer less secure or cause other problems."
Anybody else?
Yes, I saw that as well. I thought it might have been because I stopped and started the download a couple of times and thought I had finished but hadn't. When it was completely downloaded it did go through the installation process with no apparent problems that I could see.

I'm running Snow Leopard, and I got the same warning; it came up before the dmg opened.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: THE CYBER-SECURITY THREAD
artie505 #21449 04/07/12 10:27 AM
Joined: Aug 2009
Likes: 4
Ditto, re 2012-001.

EDIT:
But it didn't happen when I just installed 2012-002.

Last edited by grelber; 04/07/12 07:16 PM. Reason: Update
Re: THE CYBER-SECURITY THREAD
Pendragon #21450 04/07/12 10:36 AM
Joined: Aug 2009
Likes: 4
Originally Posted By: Pendragon
... if someone knows the credentials of Dr.Web (as I do not), then enlightenment is indeed most welcome.

For what it's worth, there's a dandy little website out there which provides safety/reliability information on other websites: Webutation.net
It touts itself as "Open Website Reputation against fraud & malware".

Review of Dr. Web at www.drweb.com would seem to indicate good things.

Re: THE CYBER-SECURITY THREAD
grelber #21451 04/07/12 12:12 PM
Joined: Aug 2009
I think it would be great if the basic info about this and its removal could be split out and stickied, so we could link to it, perhaps somewhere other than the Lounge.


MacBook 2.4 Ghz · 4 Gb ram · 10.7.5
stuff I'm interested in
iPhone 4s 7.0.2