AAPL stock: $427.00 ( -4.77 ) *Cached every 60 seconds. For live updating, Click Here |
| Tips and Deals ---- 'Friendly' Political Ranting |
You are currently viewing the Tips and Deals forum
| I actually had a Mac infected with a Trojan yesterday! Really! Date: March 29, 2012 01:18PM |
One of the three users I support that have Admin priviledges on their computers called me yesterday morning... Word kept crashing on launch... so did Excel from Office 2004.
Long troubleshooting story short; it was ANY app launched under Rosetta (we still have LOADS of PPC only software... and will for years...). Rosetta was what was crashing, taking the launched app down with it. (this is 10.6.8, by the way... as you might have guessed from the Rosetta reference).
After spending hours reading nonsensical console logs and crash report, I spotted something; Word was looking for something at "/Users/Shared/.libgmalloc.dylib"
Again, to shorten the story somewhat... another couple hours googling turned up that it was likely caused by a Trojan!
[www.f-secure.com]
The user didn't "think so", but I suspect they entered their username and password when prompted for something they shouldn't have...
The removal method was a little convoluted... and required terminal. Fortunately, I only flubbed the commands a couple times (missing or adding spaces improperly in the commands). Thank god I didn't flub an "rm" command
And no... that computer didn't have antivirus software on it.
It does now.
Paul F.
-----
A sword never kills anybody; it is a tool in the killer's hand. - Lucius Annaeus Seneca c. 5 BC - 65 AD
----
Good is the enemy of Excellent. Talent is not necessary for Excellence.
Persistence is necessary for Excellence. And Persistence is a Decision.
--
Eureka, CA
Long troubleshooting story short; it was ANY app launched under Rosetta (we still have LOADS of PPC only software... and will for years...). Rosetta was what was crashing, taking the launched app down with it. (this is 10.6.8, by the way... as you might have guessed from the Rosetta reference).
After spending hours reading nonsensical console logs and crash report, I spotted something; Word was looking for something at "/Users/Shared/.libgmalloc.dylib"
Again, to shorten the story somewhat... another couple hours googling turned up that it was likely caused by a Trojan!
[www.f-secure.com]
The user didn't "think so", but I suspect they entered their username and password when prompted for something they shouldn't have...
The removal method was a little convoluted... and required terminal. Fortunately, I only flubbed the commands a couple times (missing or adding spaces improperly in the commands). Thank god I didn't flub an "rm" command
And no... that computer didn't have antivirus software on it.
It does now.
Paul F.
-----
A sword never kills anybody; it is a tool in the killer's hand. - Lucius Annaeus Seneca c. 5 BC - 65 AD
----
Good is the enemy of Excellent. Talent is not necessary for Excellence.
Persistence is necessary for Excellence. And Persistence is a Decision.
--
Eureka, CA
| Re: I actually had a Mac infected with a Trojan yesterday! Really! Date: March 29, 2012 01:43PM |
Here's one hint... if opening a WORD document asks you to enter your username and password; don't do it... it's a trap!
If the user account you use most often is NOT the "Admin" account on the computer, it's a non-issue.
Paul F.
-----
A sword never kills anybody; it is a tool in the killer's hand. - Lucius Annaeus Seneca c. 5 BC - 65 AD
----
Good is the enemy of Excellent. Talent is not necessary for Excellence.
Persistence is necessary for Excellence. And Persistence is a Decision.
--
Eureka, CA
If the user account you use most often is NOT the "Admin" account on the computer, it's a non-issue.
Paul F.
-----
A sword never kills anybody; it is a tool in the killer's hand. - Lucius Annaeus Seneca c. 5 BC - 65 AD
----
Good is the enemy of Excellent. Talent is not necessary for Excellence.
Persistence is necessary for Excellence. And Persistence is a Decision.
--
Eureka, CA
| Re: I actually had a Mac infected with a Trojan yesterday! Really! Date: March 29, 2012 01:57PM |
Quote
Paul F.
Here's one hint... if opening a WORD document asks you to enter your username and password; don't do it... it's a trap!
RIP, Greg the DogSitter. You are missed.
| Re: I actually had a Mac infected with a Trojan yesterday! Really! Date: March 29, 2012 02:10PM |
Still no reason to panic, but we should be aware:
[reviews.cnet.com]
Putting the Mac Malware scene into perspective, this threat is not known to be widespread and appears to be used in a direct attack that targets Tibetan businesses and organizations. It is also a single addition to the small group of malware that has currently been developed for OS X, which at less than 70 variants is minuscule in comparison to the millions developed yearly for Windows PCs. Additionally, this and the vast majority of known malware for OS X are Trojan horse based threats, and are not viral in nature, meaning they do not spread uncontrollably on their own and require tricking the user (in this case with spam) to install.
So far, the spam e-mails, including links to the malicious Web pages, have only been sent to the Tibetan organizations; however, it is possible that they could be issued elsewhere.
[blog.intego.com]
These Word documents exploit a Word vulnerability that was corrected in June, 2009, but also take advantage of the fact that many users don’t update such software. Word 2004 and 2008 are vulnerable, but the latest version, Word 2011 is not. Also, this vulnerability only works with .doc files, and not the newer .docx format.
These files are not very large – the samples that Intego has analyzed range from 90 K to 230 K – and there is no indication that they may be dangerous. There is no request for a password, and the user does not need to be an administrator for this malware to install. It is worth noting that this is not only an attack on Mac users; Intego has found several samples of the same documents that contain code that will run on Windows.
[www.giyf.com]
[reviews.cnet.com]
Putting the Mac Malware scene into perspective, this threat is not known to be widespread and appears to be used in a direct attack that targets Tibetan businesses and organizations. It is also a single addition to the small group of malware that has currently been developed for OS X, which at less than 70 variants is minuscule in comparison to the millions developed yearly for Windows PCs. Additionally, this and the vast majority of known malware for OS X are Trojan horse based threats, and are not viral in nature, meaning they do not spread uncontrollably on their own and require tricking the user (in this case with spam) to install.
So far, the spam e-mails, including links to the malicious Web pages, have only been sent to the Tibetan organizations; however, it is possible that they could be issued elsewhere.
[blog.intego.com]
These Word documents exploit a Word vulnerability that was corrected in June, 2009, but also take advantage of the fact that many users don’t update such software. Word 2004 and 2008 are vulnerable, but the latest version, Word 2011 is not. Also, this vulnerability only works with .doc files, and not the newer .docx format.
These files are not very large – the samples that Intego has analyzed range from 90 K to 230 K – and there is no indication that they may be dangerous. There is no request for a password, and the user does not need to be an administrator for this malware to install. It is worth noting that this is not only an attack on Mac users; Intego has found several samples of the same documents that contain code that will run on Windows.
[www.giyf.com]
| Re: I actually had a Mac infected with a Trojan yesterday! Really! Date: March 29, 2012 02:13PM |
| Re: I actually had a Mac infected with a Trojan yesterday! Really! Date: March 29, 2012 02:24PM |
I did not purchase a Mac so I could run Windoz.
“Stay Hungry Stay Foolish"
"There are only two mantras yummm and yuk "
"There is a fine line between a rut and a groove"
"Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly
and applying the wrong remedies."Groucho Marx
"I got to that part and I knew there was going to be some weapons grade stupid to follow"Lux Interior
"When all the trees have been cut down, when all the animals have been hunted,
when all the waters are polluted, when all the air is unsafe to breathe, only then
will you discover you cannot eat money."
~ Cree Prophecy
“Stay Hungry Stay Foolish"
"There are only two mantras yummm and yuk "
"There is a fine line between a rut and a groove"
"Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly
and applying the wrong remedies."Groucho Marx
"I got to that part and I knew there was going to be some weapons grade stupid to follow"Lux Interior
"When all the trees have been cut down, when all the animals have been hunted,
when all the waters are polluted, when all the air is unsafe to breathe, only then
will you discover you cannot eat money."
~ Cree Prophecy
| Re: I actually had a Mac infected with a Trojan yesterday! Really! Date: March 29, 2012 08:46PM |
On execution, the malware checks if the following path exists in the system:
/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app
If any of these are found, the malware will skip the rest of its routine and proceed to delete itself.
you could copy any old app and rename it to one of the above...
[www.giyf.com]
/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app
If any of these are found, the malware will skip the rest of its routine and proceed to delete itself.
you could copy any old app and rename it to one of the above...
[www.giyf.com]
Sorry, only registered users may post in this forum.