Re: THE CYBER-SECURITY THREAD
roger #21452 04/07/12 12:41 PM
That's pretty much incorporated in artie's post #21433 (and slightly altered by me herein):

How to [detect and] remove the Flashback malware from OS X

Re: THE CYBER-SECURITY THREAD
grelber #21453 04/07/12 01:21 PM
Yes, but I'm trying to drive a bit of traffic here. There is also perhaps more information than a casual Mac user would need in that article.

Just thinking out loud.


MacBook 2.4 Ghz · 4 Gb ram · 10.7.5
stuff I'm interested in
iPhone 4s 7.0.2
Re: THE CYBER-SECURITY THREAD
roger #21454 04/07/12 02:54 PM
MacWorld compiled a decent summary of the current Flashback trojan story, arguably the worst malware to hit the Mac so far:

What you need to know about the Flashback trojan.


alternaut moderator
Re: THE CYBER-SECURITY THREAD
alternaut #21455 04/07/12 03:31 PM
For those of you who don't like to use Terminal to check for the Flashback.K presence, there are scripts to perform the check for both Safari and Firefox: Quick Applescript to check your Mac for the Flashback infection. This script is partially based on earlier efforts by Hannes Juutilainen and Patrick Gallagher.

A direct download link to the script here appears not possible, but the download is accessible by pasting the following URL in your browser's address bar and hitting Return:

http://macstuff.beachdogs.org/blog/wp-content/uploads/2012/04/Flashback_checker.scpt_1.zip

or via the link marked 'Flashback Checker Script' immediately above the script window on the first page linked to above.

How to use the script:
- Double-click on script to open Script Editor, then select Run from SE's toolbar.
- Alternatively, you can move Flashback_checker.scpt_1 to the /Library/Scripts folder and access it transparently from the Script menu in the (right side) menu bar.

Last edited by alternaut; 04/07/12 06:04 PM. Reason: Addressed direct script download link issue

alternaut moderator
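Added example, not part of alternaut's post or of the linked AppleScript: the Terminal check the script automates is the one F-Secure published for Flashback.K, which looks for a DYLD_INSERT_LIBRARIES entry injected into the LSEnvironment dictionary of Safari's or Firefox's Info.plist (`defaults read /Applications/Safari.app/Contents/Info LSEnvironment`) or into the user's ~/.MacOSX/environment.plist (`defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES`). The Python script below performs the same check by parsing the plists directly. The system root and home directory are parameters so it can be exercised against a constructed fixture tree on any OS; the fixture, the placeholder payload path and the decision to inspect only these three locations are assumptions of the example.

```python
"""Flashback.K indicator check: DYLD_INSERT_LIBRARIES injected via LSEnvironment.

Added example; the fixture tree and the payload path are constructed, not real.
"""
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Locations F-Secure's published check inspects (relative to system root / home).
BROWSER_INFO_PLISTS = (
    "Applications/Safari.app/Contents/Info.plist",
    "Applications/Firefox.app/Contents/Info.plist",
)
USER_ENV_PLIST = ".MacOSX/environment.plist"
INDICATOR_KEY = "DYLD_INSERT_LIBRARIES"


def _load_plist(path):
    """Return the parsed plist, or None if the file is missing or unreadable."""
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return None


def check_flashback_indicators(root, home):
    """Return [(plist_path, injected_library), ...] for every indicator found.

    root/home are parameters so the check can run against a fixture tree;
    on a real Mac they would be "/" and Path.home().
    """
    findings = []
    for rel in BROWSER_INFO_PLISTS:
        path = Path(root) / rel
        info = _load_plist(path)
        env = info.get("LSEnvironment") if isinstance(info, dict) else None
        if isinstance(env, dict) and INDICATOR_KEY in env:
            findings.append((str(path), env[INDICATOR_KEY]))
    path = Path(home) / USER_ENV_PLIST
    env = _load_plist(path)
    if isinstance(env, dict) and INDICATOR_KEY in env:
        findings.append((str(path), env[INDICATOR_KEY]))
    return findings


def build_fixture(infected):
    """Create a throwaway directory tree mimicking the relevant parts of a Mac.

    The library paths below are constructed placeholders, not a real payload.
    """
    root = Path(tempfile.mkdtemp(prefix="flashback_fixture_"))
    home = root / "Users" / "demo"
    safari = root / "Applications" / "Safari.app" / "Contents"
    safari.mkdir(parents=True)
    (home / ".MacOSX").mkdir(parents=True)

    info = {"CFBundleIdentifier": "com.apple.Safari"}
    if infected:
        info["LSEnvironment"] = {INDICATOR_KEY: "/Users/Shared/.example_payload.dylib"}
    with open(safari / "Info.plist", "wb") as fh:
        plistlib.dump(info, fh)

    if infected:
        with open(home / USER_ENV_PLIST, "wb") as fh:
            plistlib.dump({INDICATOR_KEY: "/Users/demo/.example_payload.dylib"}, fh)
    return root, home


if __name__ == "__main__":
    for label, flag in (("clean", False), ("infected", True)):
        root, home = build_fixture(flag)
        findings = check_flashback_indicators(root, home)
        print(f"{label}: {'no indicators' if not findings else ''}")
        for location, lib in findings:
            print(f"  {location} injects {lib}")
```

An absent LSEnvironment key is the expected result on a clean machine; a hit reports the plist that was modified and the library it loads into the browser, which is what you need to know before removing it.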
Re: THE CYBER-SECURITY THREAD
alternaut #21456 04/07/12 05:22 PM
Originally Posted By: alternaut
That link takes me here, a dead end. Can you fix it?


Jon

macOS 11.7.10, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365
Re: THE CYBER-SECURITY THREAD
jchuzi #21457 04/07/12 05:54 PM
Thanks for the heads-up & sorry for the link failure: my Copy-Paste trial and the initial use of the hyperlink worked OK, but a direct link to

http://macstuff.beachdogs.org/blog/wp-content/uploads/2012/04/Flashback_checker.scpt_1.zip

is now apparently disallowed, although pasting the URL in your browser's address bar still works. I changed the post above accordingly.


alternaut moderator
Re: THE CYBER-SECURITY THREAD
alternaut #21458 04/07/12 08:25 PM
Comments on disabling Java

1. Java in browsers. Perhaps the most important precaution against the latest Flashback trojans for those who cannot update Java (PPC Macs and Macs running on Leopard or older Mac OS X versions), but who still need Java functionality in their browsers to access and use certain web sites, is to disable Java in the browser's preferences during general web browsing. This will block the trojan's main infection vector by preventing Java applet execution.

When Java is needed, as for cross-platform functionality like that in certain secure banking sites etc., Java can be enabled for the duration. It would be prudent to make sure that your Mac is not infected with the trojan before you use such banking sites. It wouldn't hurt to verify with your bank if their site is still secure either.

2. Stand-alone Java apps. A secondary recommendation associated with protection against the Flashback trojans is to disable Java on your Mac entirely, using the Java Preferences utility installed in Utilities as part of a Java install. This will prevent local stand-alone Java (dependent) applications from running on your Mac. If you already disabled Java in your browser(s), however, this will not provide any added protection against the current Flashback trojan variants. That said, disabling Java instead of removing it has the advantage that you will still be able to quickly run any Java-dependent software you may need, without having to reinstall Java from scratch.

While many users will not be discombobulated by disabling Java entirely, others could be. You can find out which Java-dependent apps you have installed by Spotlight-searching for .jar, and checking which app any such file belongs to, using the path provided at the bottom of the Spotlight results window. It turns out that a surprising number of software titles are more or less Java-dependent. The following non-exhaustive listing may help to get an idea. Please note that the presence of a particular item doesn't mean it is particularly important (or even current). It's just a set of examples, some of which you may recognize, particularly the ones in bold.

Adobe products such as Flash, Fireworks and Dreamweaver (GoLive)
aMaze
antlrworks
Apache-Tomcat
Apple Disk Transfer ProDOS
Arachnophilia
Art Of Illusion
ATutor
Barcode4J
Birthday
ClickRepair (and other Brian Davies audio utilities)
CMS Made Simple
CompileAndGo
CrushFTP
Cyberduck
Databrid (installer)
DataCrow
DateStamp Batch Stamper
Decrypto
Duplicate Files Searcher
Eclipse
eCueCardsMac
ekspos
Electronics Optimizer
Elite People Search
Elite Video Downloader
Encyclopedia Britannica discs
FilePhile
FoundationStone
Gallery
GIFted Motion
GlassFish Server
GoToMeeting
GraphicConverter
Helma
Home Credit Card Manager
Home Loan Interest Manager
HostMonitor
iDiet
ImageJ
Install_MovieFinder
[installers], various
Interactive 3D Surface Plot
IPMonitor
iTunes Lyrics Locator
iWisdom
JaBack
JAlbum
JAME
JarBundler
JavaEmbeddingPlugin
JJSplit
Jmol
JSubFixer
KemetAPI
Log Parser QL
Mac FLV To Mp3 Converter
Mare Internum
Matrex
MJPEG Lossless Rotate
MM3-WebAssistant
MoneyDance
MRJ Adapter
myPhoneDesktop
Myster PR
Nevitium
Newton-II
NM Collector JE
Obba
OpenDS
OpenMocha
OpenOffice (and other open source application suites)
Osmose
PageSucker
Panther Sleek
PDF OCR X
PMan
PowerFolder
Professional Data Security
PSCafePOS
Puzzle Collection
ReFactorIT
Requiem
Saphe
ScenePainter
Sophie
Space Exploration
Speech and Debate Timekeeper
Stanza
StarLogo
StreamRipStar
StreamTastic
sudokumat
SuperAnalyzer
Timekeeper
TiVo Transfer
TurboTax 2010
U3
UnixExplorer
[updaters], various
VidMasta
vSEC CMS U-Series
Wamcom
WebEdition CMS
WebEx
WebMin
Wireless Link Test
Xerver
XMLSpear
YouTube Downloader
Zumocast


alternaut moderator
Re: THE CYBER-SECURITY THREAD
alternaut #21469 04/08/12 01:07 PM
Application to check your Mac for, and remove if necessary, the Flashback Trojan. Here.

But how well this works, and if there are downsides/risks in using this critter, well, the reviews are still forthcoming.


Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: THE CYBER-SECURITY THREAD
Pendragon #21471 04/08/12 02:22 PM
On top of your uncertainty is the fact that this utility leaves the PPC Macs out in the cold. Still, it's an improvement over yesterday and easier than the Terminal approach for most users.

PS, supposedly the current version of the free Sophos Anti-Virus for Mac Home Edition will do the Flashback trojan detection and removal job for both PPC and Intel Macs running Mac OS X 10.4 or higher. I'm sure other malware utilities will follow, if they aren't there already.

Last edited by alternaut; 04/08/12 03:51 PM. Reason: Added removal option for PPC Macs

alternaut moderator
Re: THE CYBER-SECURITY THREAD
alternaut #21508 04/10/12 04:36 PM
Gradually, the ins and outs of the latest Flashback malware outbreak are becoming clearer. In the article Security firm offers more Flashback details, free tools Dan Moren of MacWorld summarizes some of the findings so far.

Briefly, Kaspersky Labs, a Russia-based computer security company, managed to reverse-engineer the latest Flashback (aka Flashfake) trojan, and in particular the way a computer infected with it (a 'bot') interacts with its command & control server(s). Like Dr. Web (the Russian computer security vendor who first provided numbers of infected Macs) before them, this allowed Kaspersky to impersonate such a C&C server, and eavesdrop on the ongoing communications between Flashback bots and their C&C servers. Such a monitoring setup is called a 'sinkhole'. Since each bot calling 'home' identifies itself with a code incorporating its unique hardware identifier (UUID, see System Profiler), this allows for a bot count. Depending on the exact UUID format used in combination with OS fingerprinting of the bots, this allows a platform estimate (Macs vs computers running another OS). Hence the conclusion that at least 98% of over 600,000 computers infected are Macs.

Another important issue is where exactly those infected computers picked up the Flashback malware. It appears that this is related to the recent and widespread compromise of sites using WordPress, a popular blogging software. While the details of this subversion are not entirely clear, what happened to visitors of affected blogs is: they were redirected to several malicious sites that hosted malware 'kits' including the Flashback trojan. It turns out that the C&C servers of the subverted WordPress blog sites closely match those of the Flashback trojan, clearly suggesting a link between the two.

Kaspersky is now offering an online Flashback check based on the computer's UUID, another downloadable checker-removal utility (Intel only), plus a set of security recommendations for Mac users.


alternaut moderator
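Added example, not from the MacWorld article or from Kaspersky's or Dr. Web's tooling: how a sinkhole turns captured beacon traffic into the bot count and platform estimate described above. The access-log format, the `id:<UUID>` token and the User-Agent-based OS fingerprint are assumptions constructed for the demo, not the actual Flashback check-in protocol, and the log lines are made up (TEST-NET addresses).

```python
"""Sinkhole log reduction: unique bots by hardware UUID, split by platform.

Added example. The log format below is hypothetical and the lines are constructed.
"""
import re
from collections import Counter

# Constructed sinkhole access-log lines: timestamp, client IP, request, User-Agent.
# The 'id:<UUID>' token stands in for the bot's hardware-UUID-based identifier.
SAMPLE_LOG = """\
2012-04-06T10:00:01Z 198.51.100.7 "GET /search?q=a HTTP/1.1" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 id:2E3A9F10-4C2B-5D6E-8F70-0019E3AB12CD"
2012-04-06T10:05:44Z 198.51.100.7 "GET /search?q=b HTTP/1.1" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 id:2E3A9F10-4C2B-5D6E-8F70-0019E3AB12CD"
2012-04-06T10:06:12Z 203.0.113.40 "GET /search?q=c HTTP/1.1" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.57.2 id:00000000-0000-1000-8000-001B63A4F7E2"
2012-04-06T10:07:03Z 192.0.2.18 "GET /search?q=d HTTP/1.1" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19 id:7A1C44E9-9B20-4F3D-A1B2-3C4D5E6F7081"
2012-04-06T10:09:27Z 203.0.113.77 "GET /search?q=e HTTP/1.1" "Mozilla/5.0 (Macintosh; PPC Mac OS X 10_5_8) Gecko/20100101 Firefox/3.6 id:00000000-0000-1000-8000-0017F2C9D311"
2012-04-06T10:10:00Z 198.51.100.99 "GET / HTTP/1.1" "curl/7.21.4"
"""

# 8-4-4-4-12 hex groups, the shape of a Mac hardware UUID.
UUID_RE = re.compile(r"\bid:([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\b")
UA_RE = re.compile(r'"([^"]*)"\s*$')  # last quoted field on the line is the User-Agent


def platform_of(user_agent):
    """Crude OS fingerprint from the User-Agent (assumption: the bot reuses the
    host browser's UA string, so its OS token reflects the infected machine)."""
    if "Mac OS X" in user_agent or "Macintosh" in user_agent:
        return "mac"
    if "Windows" in user_agent:
        return "windows"
    return "unknown"


def parse_beacons(log_text):
    """Return (timestamp, ip, uuid, platform) for every line carrying an id token.

    Lines without one (scanners, curious visitors hitting the sinkhole) are not
    bots and are skipped rather than counted.
    """
    beacons = []
    for line in log_text.splitlines():
        ua_match = UA_RE.search(line)
        if not ua_match:
            continue
        ua = ua_match.group(1)
        id_match = UUID_RE.search(ua)
        if not id_match:
            continue
        ts, ip = line.split()[:2]
        beacons.append((ts, ip, id_match.group(1).upper(), platform_of(ua)))
    return beacons


def summarize(beacons):
    """Count bots by unique UUID, not by line or by IP: one bot checks in
    repeatedly, and a NAT gateway can front many infected machines."""
    first_seen_platform = {}
    for _ts, _ip, uuid, plat in beacons:
        first_seen_platform.setdefault(uuid, plat)
    by_platform = Counter(first_seen_platform.values())
    total = len(first_seen_platform)
    return {
        "beacons": len(beacons),
        "unique_bots": total,
        "by_platform": dict(by_platform),
        "mac_share": by_platform["mac"] / total if total else 0.0,
    }


if __name__ == "__main__":
    stats = summarize(parse_beacons(SAMPLE_LOG))
    print(f"{stats['beacons']} beacons from {stats['unique_bots']} bots: "
          f"{stats['by_platform']} (Mac share {stats['mac_share']:.0%})")
```

Two limits of the method show up directly in the code: a machine is counted only if it checked in while the sinkhole was listening, and the platform split is only as good as the fingerprint heuristic, which is why the platform estimate is softer than the raw UUID count.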
Re: THE CYBER-SECURITY THREAD
alternaut #21511 04/10/12 07:10 PM
Something's fishy with that online Flashback check at http://flashbackcheck.com/

I just visited the site and the following came up as part of the home page:
IMPORTANT JAVA UPDATE
We have checked the version of Java installed on your computer and discovered that you are running a vulnerable version. You should update as soon as possible.
We suggest that you use the Mac OS X automatic software update feature.


Given that I've updated my Java SE 6 twice (2012-001 and 2012-002), unless those updates are defective (which we've all been assured they are not), then the Flashback check site might well be a portal to contaminate one's computer with something nasty.

Anybody want to speculate on what's going on?

Re: THE CYBER-SECURITY THREAD
grelber #21513 04/10/12 08:51 PM
I can't say exactly what Kaspersky's web site is checking when you visit it, but it may have been your browser's Java plugin rather than Java itself. Plugins have an update cycle all their own. Assuming your Java update went well and is now up to snuff, that may not be true for your browser's plugin or the plugin database. Search for 'Mama LaGrande Chung' on this reader report page for more details and the associated fix.


alternaut moderator
Re: THE CYBER-SECURITY THREAD
alternaut #21514 04/10/12 09:48 PM
Well, if they're claiming to check Java (and not the Java plug-in), then it would give one pause as to how reliable anything they have to say is.
I'm taking a big pass on this one.

Re: THE CYBER-SECURITY THREAD
alternaut #21515 04/10/12 10:10 PM
Can the world really rely on this UUID # check?
  1. What's the likelihood that any one particular infected Mac is included in the database?
  2. Is there any estimate of how many Macs were infected in the earliest days of the trojan's life, prior to its being discovered, reverse-engineered, and having its activity logged, however long that period of time was?
  3. In the face of Terminal commands, and GUIs therefore, that actually detect the presence of the trojan, what's the point of even wasting your time with such a contraption?
And this... I don't remember in which of the many articles I've looked at this was reported, but I did read that the first thing the trojan does is scan a Mac for particular apps, Little Snitch likely being the most widely distributed one, and passes by machines that are running any of them.

I don't recall that being mentioned in this thread, and I'm wondering whether it's factual?

Last edited by artie505; 04/10/12 10:15 PM. Reason: Cleanup

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: THE CYBER-SECURITY THREAD
artie505 #21516 04/11/12 12:36 AM
Dealing with your questions/comments in sequence:

1. I assume you're referring to the database of Flashback infected computers Kaspersky compiled with their sinkhole approach. Given the fact that the bots regularly contact home, or can be made to do so with appropriate commands, the likelihood that any particular infected Mac is included approaches 100% in a matter of hours as long as it's running and connected to the internet.

2. An estimate subject to the constraints you list is effectively meaningless. To my knowledge Dr. Web was the first to come up with numbers of infected Macs, using a sinkhole approach similar to the one Kaspersky used in their confirmation of these numbers. But this was in early April, and candidate Flashback variants have been around for months.
Another aspect of this is the size of the drive-by network of WordPress (and perhaps other) sites that redirected its visitors to the Flashback infection sites. That had to be in place and sufficiently large to be able to quickly build the Flashback botnet we now have (or had, as people are cleaning up). But this number too is an estimate, albeit one that precedes that of the Flashback botnet by a month or more.

3. Your local Flashback detection via Terminal or script is just that: local, and it looks for the actual spoor of the trojan. Kaspersky's UUID-test approach does things in a different way, by checking its database of infected Macs (the ones that called back 'home' or the sinkhole) for the UUID you provide. I wouldn't be surprised if this Kaspersky tool may still claim (for some time at least) you're infected after you've cleaned the trojan out of an infected Mac. Meanwhile, the database gets updated continually, and cleaned computers will gradually vanish from its rolls as they stop calling back home (with the same caveat as given under #1 above).

The presence of software that makes the trojan erase itself has been mentioned here before, albeit in passing. More specifically, if you check F-Secure's descriptions (see this post for the links) you'll find MS Office components listed for Flashback.K, and antivirus utilities etc. for Flashback.I. So, to the extent that these F-Secure descriptions are reliable, it's factual.

Last edited by alternaut; 04/12/12 02:18 PM. Reason: Added Dr. Web link

alternaut moderator
Re: THE CYBER-SECURITY THREAD
alternaut #21522 04/11/12 06:10 AM
Thanks for the clarification, but I'm still left wondering:
  1. Can we be 100% certain that Kaspersky's (or anybody else's) data collection is 100% inclusive...that they haven't missed something somewhere?
  2. Regardless of 1, why rely on somebody else's computer to tell you whether or not yours is infected when you can so easily make the determination on your own computer?
  3. All else aside, if your Mac is, in fact, infected, won't Little Snitch invariably alert you by warning you that something is trying to call home (as I've been led to believe is the case with all trojans)?


The new Great Equalizer is the SEND button.
Re: THE CYBER-SECURITY THREAD
artie505 #21523 04/11/12 09:26 AM


Jon

Re: THE CYBER-SECURITY THREAD
jchuzi #21524 04/11/12 09:34 AM
Originally Posted By: jchuzi

I saw that earlier, and I just scratched my head wondering what Apple could offer that isn't already out there?

Granted that the source will be as reliable as a source can be, but there've been absolutely no questions raised about the present providers.

This part intrigues me, but it doesn't sound like it would be part of a removal tool:

Originally Posted By: CNET
"In addition to the Java vulnerability, the Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions," Apple wrote on its Web site. "Apple is working with ISPs worldwide to disable this command and control network."


The new Great Equalizer is the SEND button.
Re: THE CYBER-SECURITY THREAD
artie505 #21526 04/11/12 01:04 PM
OK, here goes:

1. AFAICT, the UUID test is solid; the platform test somewhat less so. But there is no way to assess infection in a computer that's off, or not connected to the internet for whatever reason. So no, there's no 100% certainty in this test.

2. The UUID check is just another option offered by a commercial entity, albeit a rather unique one that will certainly appeal to a subset of Mac users out there. So no, it's not strictly necessary, but yes, people will use it. Heck, I did, if only just for giggles.

3. Yes, Little Snitch will let you know who's calling home, and you might notice and even recognize malware comm attempts if you don't respond reflexively to the LS dialogs. But I wouldn't bet the bank on that. In reality, however, you will never see those dialogs, because the mere presence of LS will make the trojan abort its infection procedure and erase itself.

As to Apple offering a detection/removal tool, this has even more of the advantage I mentioned above in item #2: an officially sanctioned tool from 'Olympus' itself. That said, I'd like to point out another aspect of the cleanup effort: it has been mentioned that the proliferation of detection/removal tools opens an opportunity for malicious abuse. It's conceivable that such a tool could harbor malware itself. That suspicion/possibility is less likely with an Apple product.


alternaut moderator
Re: THE CYBER-SECURITY THREAD
alternaut #21529 04/11/12 05:57 PM
Thanks for taking the time to address my inveterate curiosity.

I remain inherently distrustful of the UUID test, but I get your "subset" point. (I, too, ran it just to see what it would say.)

And I wonder how many people have gotten caught up in the hysteria despite the fact that they're running Little Snitch, which is why I brought it to the forefront in the first place.

I wonder if Apple's tool will be anything more than another curiosity satisfier by the time it's released?


The new Great Equalizer is the SEND button.
Re: THE CYBER-SECURITY THREAD
artie505 #21534 04/12/12 11:37 AM
Has there been any feedback from those who may have used the F-Secure Flashback Removal Tool?


Harv
Re: THE CYBER-SECURITY THREAD
Pendragon #21535 04/12/12 02:10 PM
While it looks like it's a bit early for lots of comments to accumulate at the most likely suspects, there are a few in this MacInTouch Reader Report of today (April 12), under the heading 'Java'. Note that the fact that the tool requests an admin password makes perfectly good sense from a technical point of view, but the reticent reaction in the comment(s) is understandable too.


alternaut moderator
Re: THE CYBER-SECURITY THREAD
alternaut #21538 04/12/12 03:48 PM
Originally Posted By: alternaut
... Note that the fact that the tool requests an admin password makes perfectly good sense from a technical point of view, but the reticent reaction in the comment(s) is understandable too.

Ya think?!

Re: THE CYBER-SECURITY THREAD
grelber #21543 04/12/12 05:53 PM
You can't make that omelette without breaking some eggs, you know, but who wants to risk throwing in Granny's fine bone china (and who knows what else) as well?


alternaut moderator
Re: THE CYBER-SECURITY THREAD
alternaut #21544 04/12/12 06:53 PM
Especially her bank accounts and credit card accounts.

Aside: You know, we need an emoticon for "apoplectic". Any ideas? A popped vein in the forehead might be a challenge.
