#21408 - 04/05/12 04:00 PM Re: THE CYBER-SECURITY THREAD [Re: grelber]
alternaut Offline

Moderator

Registered: 08/04/09
First I recommend you update Java if you have an older version installed; that will block the current malware.

As to detection (and eventual removal) of the trojan's presence in Firefox, I don't know. The Safari instructions look for certain items the trojan installs at certain locations. While you can easily substitute 'Firefox' for 'Safari' in the Terminal command, it's by no means certain (although likely) that the malware-installed items have the same name or are at a comparable location for the response to be meaningful. We'd need confirmation of this one way or the other.
_________________________
alternaut moderator

#21410 - 04/05/12 05:39 PM Re: THE CYBER-SECURITY THREAD [Re: alternaut]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
See my earlier posts (#21376 and #21379) in this thread, re Java.

#21415 - 04/05/12 11:23 PM Re: THE CYBER-SECURITY THREAD [Re: grelber]
artie505 Online


Registered: 08/04/09
Java for OS X Lion 2012-002 (which, at the moment, links to the "Java for OS X Lion 2012-001" Apple doc) just turned up, but it's not clear yet what it's all about. (*)

You may find several articles on this MacFixIt - CNET Reviews page, How to remove the Flashback malware from OS X in particular, both informative and helpful.

Edit: The latter linked article includes location/removal instructions for Firefox.

and

(*) For the non-believers. (And:

Originally Posted By: Apple - Support - Downloads
> Java for OS X Lion 2012-002
> About Java for OS X Lion 2012-002
> April 03, 2012 - 66.9 MB

which is also confusing...old date on new release.)


Edited by artie505 (04/06/12 01:42 AM)
Edit Reason: Clean up/Expand
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#21417 - 04/06/12 02:21 AM Re: THE CYBER-SECURITY THREAD [Re: artie505]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Software Update identifies my needing Java for OS X Lion 2012-002 and it appears to want to update Java SE 6 to exactly that which the -001 version already did. Weird. I'm going to hang loose on this one.

The CNET review article looks enticing, but I'm awfully skittish about running Terminal.
If I do anything in Terminal, could I possibly damage/alter my software or hardware in any manner? If so, then I'm not going to attempt it.

EDIT:
OK, I took a leap of faith and ran the 4 detection commands in Terminal. 'Twould appear that nothing is awry and/or rotten in my iMac. {sigh}


Edited by grelber (04/06/12 02:56 AM)
Edit Reason: Update

#21418 - 04/06/12 02:59 AM Re: THE CYBER-SECURITY THREAD [Re: grelber]
artie505 Online


Registered: 08/04/09
Originally Posted By: grelber
> Software Update identifies my needing Java for OS X Lion 2012-002 and it appears to want to update Java SE 6 to exactly that which the -001 version already did. Weird. I'm going to hang loose on this one.
>
> The CNET review article looks enticing, but I'm awfully skittish about running Terminal.
> If I do anything in Terminal, could I possibly damage/alter my software or hardware in any manner? If so, then I'm not going to attempt it.

Yeah, I noticed that the "new" updated Java had the same version number as the "old" one, so I don't blame you for hanging back until Apple updates its doc and clarifies.

Terminal... If you copy and paste the commands you'll be safe. By way of example, I've run the "search" commands, and they generated the exact output the article said they would...

Code:
Artie-s-Computer-4:~ artie$ defaults read /Applications/Safari.app/Contents/Info LSEnvironment
2012-04-06 06:39:50.014 defaults[784:903] 
The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist
Artie-s-Computer-4:~ artie$

CAVEAT: Terminal commands are always subject to typos by their posters, so you can accommodate your skittishness by avoiding the "destroy" commands, if your iMac is, indeed, infected, until you know they've been tested. (I didn't look, but you may find confirmation in the comments appended to the article.)

In closing, though... Both being a bit of a gambler and having a current backup, I've run any number of Terminal commands posted here on FTM, as well as many others gleaned from sources such as MacFixIt - CNET, and the worst scenario I've ever encountered was a command not running.

Edit: Crossed in the mail...good for you! I was terrified of Terminal at first, but I've come to realize that it's both benign and enormously useful.


Edited by artie505 (04/06/12 03:05 AM)
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#21419 - 04/06/12 03:02 AM Re: THE CYBER-SECURITY THREAD [Re: artie505]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
RE Terminal... If you copy and paste the commands you'll be safe. By way of example, I've run the "search" commands, and they generated the exact output the article said they would...

That's exactly what I did.

Aside: We seem to be running up each other's tailpipes in posting. [tongue]

#21420 - 04/06/12 03:43 AM Re: THE CYBER-SECURITY THREAD [Re: grelber]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Something is very wacky at Apple.

The other software update which popped up yesterday is:

Digital Camera RAW Compatibility Update 3.12
This update adds RAW image compatibility to Aperture 3 and iPhoto '11.
• Canon EOS 5D Mark III
April 05, 2012 - 8 MB

But it too points to a previous update:

http://support.apple.com/kb/DL1513

Digital Camera RAW Compatibility Update 3.11
This update adds RAW image compatibility for the following camera to Aperture 3 and iPhoto '11
• Nikon D800
March 22, 2012 - 7.50 MB

Somebody ain't looking after the shop. And it's way too late for an April Fool's Day prank.

#21421 - 04/06/12 04:04 AM Re: THE CYBER-SECURITY THREAD [Re: grelber]
artie505 Online


Registered: 08/04/09
Updates have been linked to outdated Apple docs consistently, although not necessarily universally, for a while, now.

But don't y'all worry, 'cuz "It just works!" [tongue] [smirk]
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#21422 - 04/06/12 07:46 AM Re: THE CYBER-SECURITY THREAD [Re: grelber]
alternaut Offline

Moderator

Registered: 08/04/09
Glad to hear that the Java update issue has been settled (more or less), and that my Terminal guesstimate of the Flashback detection for Firefox was correct. I had run it myself before posting, but since it's a read command a negative result doesn't necessarily mean much.

It's perhaps good to mention again that an additional measure of protection against these variants is afforded by the presence of certain utilities, mostly of the anti-malware or packet sniffer kind. That may not last (and it won't work if you fall for the trojan's request for your password), but at least it's there now for those who are not offered a Java update.
_________________________
alternaut moderator

#21428 - 04/06/12 01:42 PM Re: THE CYBER-SECURITY THREAD [Re: artie505]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Yu wuz right, re RAW Camera Update 3.12:
Even though it pointed to 3.11 (which, strangely enough, seems to have disappeared from the Support Downloads page), downloading it produced the correct update.

In my case, 7.6MB took 15.5 minutes to download; the last 1MB took 235 sec to download = 4.2 KB/sec.

So, I'm going to wait to get to a high-speed access to download the 'new' Java 2012-002 (if only to see how it might differ from the Java 2012-001 which I installed the other day).

#21429 - 04/06/12 02:13 PM Re: THE CYBER-SECURITY THREAD [Re: grelber]
artie505 Online


Registered: 08/04/09
I just d/l'ed from the Apple v 001 page (the v 002 page to which I linked earlier), and got a package identified by command-I as "Java for OS X 2012-002," the checksum of which differs from that of v 001, so there's apparently some difference between the two. [crazy]


Edited by artie505 (04/06/12 05:13 PM)
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#21432 - 04/06/12 02:53 PM Re: THE CYBER-SECURITY THREAD [Re: artie505]
Pendragon Offline


Registered: 08/04/09
Loc: Georgetown, Texas, USA
Web tool checks if your Mac is Flashback-free.

I suppose (hope) this is ok to use, but until I know more about this gang and their bona-fides, a bit of caution can't hurt.

Please, if someone knows the credentials of Dr.Web (as I do not), then enlightenment is indeed most welcome.
_________________________
Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#21433 - 04/06/12 03:05 PM Re: THE CYBER-SECURITY THREAD [Re: Pendragon]
artie505 Online


Registered: 08/04/09
Why bother?

How to (Added: find and) remove the Flashback malware from OS X has already been tested...its "search" functionality, anyhow - neither of us had need for "destroy" - by myself and grelber among, I assume, many others.


Edited by artie505 (04/06/12 03:06 PM)
Edit Reason: Clean up link
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#21434 - 04/06/12 05:05 PM Re: THE CYBER-SECURITY THREAD [Re: Pendragon]
alternaut Offline

Moderator

Registered: 08/04/09
I agree with Artie here: the 3 Terminal commands provided in his link are easy to run (copy & paste!). No need to involve an unknown entity like Dr. Web. In the rather unlikely case that you should prove positive for a Flashback variant, we'll see about the best way forward.
_________________________
alternaut moderator

#21435 - 04/06/12 05:10 PM Re: THE CYBER-SECURITY THREAD [Re: alternaut]
artie505 Online


Registered: 08/04/09
> the 3 Terminal commands [....]

grelber's reference to four commands confused me until I noticed this:

Quote:
> In addition to the above commands, you can check for the presence of invisible .so files that past variants of the malware create in the Shared user directory by running the following command in the Terminal:
> ls -la ~/../Shared/.*.so
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
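
The read-only checks quoted in this thread (the `defaults read ... LSEnvironment` query, the Firefox substitution alternaut describes, and the hidden `.so` listing) can be wrapped so each result is interpreted the same way every time. This is an added example, not part of any post or of the MacFixIt article; the function names and the `APP_ROOT` override are hypothetical, and a "present" result only means the value needs to be read by hand.

```shell
#!/bin/bash
# Added example: read-only wrappers around the two checks quoted in this thread.

# Interpret `defaults read <bundle>/Contents/Info LSEnvironment`.
# $1 = exit status of defaults, $2 = its combined stdout/stderr.
classify_lsenv() {
    if [ "$1" -ne 0 ] && printf '%s\n' "$2" | grep -q 'does not exist'; then
        echo "absent"        # the output artie505 posted: key is not set
    elif [ "$1" -eq 0 ] && [ -n "$2" ]; then
        echo "present"       # key is set: read the value before trusting it
    else
        echo "unknown"       # defaults missing, plist unreadable, etc.
    fi
}

# Check one browser. APP_ROOT is a hypothetical override used for testing.
check_app() {
    info="${APP_ROOT:-/Applications}/$1.app/Contents/Info"
    # Without this guard a browser that is not installed also reports
    # "does not exist" and would look the same as a clean one.
    [ -e "$info.plist" ] || { echo "not-installed"; return 0; }
    if out=$(defaults read "$info" LSEnvironment 2>&1); then st=0; else st=$?; fi
    classify_lsenv "$st" "$out"
}

# Hidden .so files directly inside the Shared folder; ~/../Shared in the
# quoted command is /Users/Shared for a home directory under /Users.
find_hidden_so() {
    dir=${1:-/Users/Shared}
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 1 -type f -name '.*.so' 2>/dev/null
}

# Run every check; returns 1 if anything needs a closer look.
flashback_report() {
    rc=0
    for app in Safari Firefox; do
        result=$(check_app "$app")
        echo "$app LSEnvironment: $result"
        if [ "$result" = "present" ] || [ "$result" = "unknown" ]; then rc=1; fi
    done
    hits=$(find_hidden_so "$1")
    if [ -n "$hits" ]; then
        echo "hidden .so files found:"; echo "$hits"; rc=1
    else
        echo "no hidden .so files in ${1:-/Users/Shared}"
    fi
    return "$rc"
}

flashback_report "$@" || echo "Review the flagged items before changing anything."
```

Nothing here writes or deletes; it only reports what the quoted commands would show, with the "not installed" case separated from a genuinely absent key.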

#21436 - 04/06/12 05:32 PM Re: THE CYBER-SECURITY THREAD [Re: artie505]
MicroMatTech3 Offline


Registered: 08/04/09
From <<http://www.macintouch.com/readerreports/security/topic4832.html#d06apr2012>> :


David Henderson

I found this email at:
http://prod.lists.apple.com/archives/java-dev/2012/Apr/msg00022.html

Java developers,

Today we re-shipped our Java 1.6.0_31 for OS X Lion today to address a critical issue we found in Xcode and the Application Loader tool. This new "Java for OS X 2012-002" package is effectively identical to "Java for OS X 2012-001", with the exception of a few symlinks and version numbers.

For the sake of expediency, we have re-rolled the automatic update as our standard full combo updater, with the hope that most users have not yet been presented with 2012-001. We considered creating a delta update for users who already installed 001, but that would have made the process of getting these fixes to you take longer.

We apologize for the inconvenience, and would like to offer our thanks to the developers who caught this issue and reported it to us as quickly as they did. This issue only impacts Lion users, so Snow Leopard users have nothing to reinstall.

Over the next few days, we will catch up with producing updated release notes, tech notes, and developer packages with the revised 002 version numbers.

<snip>
_________________________
MicroMat Inc
Makers of TechTool

#21437 - 04/06/12 05:46 PM Re: THE CYBER-SECURITY THREAD [Re: MicroMatTech3]
artie505 Online


Registered: 08/04/09
Thanks for that. I'll credit it as a semi-reasonable excuse, but only semi, because they could have gotten the word out immediately by including it in the release-note to the Software Update item. (I'm assuming that they didn't...don't run Lion, can't check, and nobody's posted otherwise.)
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#21440 - 04/06/12 11:52 PM Re: THE CYBER-SECURITY THREAD [Re: Pendragon]
artie505 Online


Registered: 08/04/09
Dr. Web, "the same Russian security firm that's been tracking the scope and scale of the Flashback malware's spread worldwide," has just turned up on MacFixIt....

Quote:
> In order to do this, it cross-checks your Mac's unique hardware with its own database of machines that have been compromised. If it doesn't find your machine, you're in the clear.

Sorry, but I dunno about that...certainly wouldn't recommend it.

How has Dr. Web accumulated this database?

tacit?
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#21445 - 04/07/12 02:00 AM Re: THE CYBER-SECURITY THREAD [Re: MicroMatTech3]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Originally Posted By: MicroMatTech3
> ...
> For the sake of expediency, we have re-rolled the automatic update as our standard full combo updater, with the hope that most users have not yet been presented with 2012-001. We considered creating a delta update for users who already installed 001, but that would have made the process of getting these fixes to you take longer.

So ... Does this mean that those of us running Lion and who have installed 2012-001 should not install 2012-002, even though Software Update thinks that we should?

#21446 - 04/07/12 02:11 AM Re: THE CYBER-SECURITY THREAD [Re: grelber]
artie505 Online


Registered: 08/04/09
> We considered creating a delta update for users who already installed 001, [....]

No, it means you should install it.

Rather than take the time to prepare both an update to 001 for those who've already installed it and 002 for those who haven't, Apple simply released 002, which is applicable to both. 002 is a "combo."
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#21447 - 04/07/12 02:16 AM Re: THE CYBER-SECURITY THREAD [Re: artie505]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Okey-dokey.

#21448 - 04/07/12 02:38 AM Re: THE CYBER-SECURITY THREAD [Re: grelber]
artie505 Online


Registered: 08/04/09
In case you didn't see it, you should be aware of this exchange quoted from MMT3's first linked source:

Quote:
> Ira Lansing
> Re:
>> When I download the installer and open, I get this message;
>> "There may be a problem with this disk image. Are you sure you want to open it? Opening this disk may make your computer less secure or cause other problems."
>> Anybody else?
> Yes, I saw that as well. I thought it might have been because I stopped and started the download a couple of times and thought I had finished but hadn't. When it was completely downloaded it did go through the installation process with no apparent problems that I could see.

I'm running Snow Leopard, and I got the same warning; it came up before the dmg opened.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#21449 - 04/07/12 03:27 AM Re: THE CYBER-SECURITY THREAD [Re: artie505]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Ditto, re 2012-001.

EDIT:
But it didn't happen when I just installed 2012-002.


Edited by grelber (04/07/12 12:16 PM)
Edit Reason: Update

#21450 - 04/07/12 03:36 AM Re: THE CYBER-SECURITY THREAD [Re: Pendragon]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Originally Posted By: Pendragon
> ... if someone knows the credentials of Dr.Web (as I do not), then enlightenment is indeed most welcome.

For what it's worth, there's a dandy little website out there which provides safety/reliability information on other websites: Webutation.net
It touts itself as "Open Website Reputation against fraud & malware".

Review of Dr. Web at www.drweb.com would seem to indicate good things.

#21451 - 04/07/12 05:12 AM Re: THE CYBER-SECURITY THREAD [Re: grelber]
roger Offline


Registered: 08/04/09
Loc: Vermont
I think it would be great if the basic info about this and its removal could be split out and stickied, so we could link to it, perhaps somewhere other than the Lounge.
_________________________
MacBook 2.4 Ghz · 4 Gb ram · 10.7.5
stuff I'm interested in
iPhone 4s 7.0.2


Moderator:  alternaut, cyn