I actually had a Mac infected with a Trojan yesterday! Really!
Posted by: Paul F.
Date: March 29, 2012 01:18PM
One of the three users I support that have Admin privileges on their computers called me yesterday morning... Word kept crashing on launch... so did Excel from Office 2004.

Long troubleshooting story short; it was ANY app launched under Rosetta (we still have LOADS of PPC only software... and will for years...). Rosetta was what was crashing, taking the launched app down with it. (this is 10.6.8, by the way... as you might have guessed from the Rosetta reference).

After spending hours reading nonsensical console logs and crash reports, I spotted something: Word was looking for something at "/Users/Shared/.libgmalloc.dylib"

Again, to shorten the story somewhat... another couple hours googling turned up that it was likely caused by a Trojan!

[www.f-secure.com]


The user didn't "think so", but I suspect they entered their username and password when prompted for something they shouldn't have...


The removal method was a little convoluted... and required terminal. Fortunately, I only flubbed the commands a couple times (missing or adding spaces improperly in the commands). Thank god I didn't flub an "rm" command :)


And no... that computer didn't have antivirus software on it.
It does now.



Paul F.
-----
A sword never kills anybody; it is a tool in the killer's hand. - Lucius Annaeus Seneca c. 5 BC - 65 AD
----
Good is the enemy of Excellent. Talent is not necessary for Excellence.
Persistence is necessary for Excellence. And Persistence is a Decision.

--

--

--
Eureka, CA
Re: I actually had a Mac infected with a Trojan yesterday! Really!
Posted by: cbelt3
Date: March 29, 2012 01:22PM
Damn. I read about that on /. this morning.

It was too good to last. Nice, though, that it enters through MS Office.

Viruses are STILL Bill Gates' FAULT !!!
Re: I actually had a Mac infected with a Trojan yesterday! Really!
Posted by: samintx
Date: March 29, 2012 01:24PM
OK, what do we use on Macs for virus control. I thought nothing. I use OFFICE 2011 all the time.
Re: I actually had a Mac infected with a Trojan yesterday! Really!
Posted by: billb
Date: March 29, 2012 01:33PM
Quote
samintx
OK, what do we use on Macs for virus control. I thought nothing. I use OFFICE 2011 all the time.

Common sense should still work.
Re: I actually had a Mac infected with a Trojan yesterday! Really!
Posted by: LaserKun
Date: March 29, 2012 01:40PM
Yep, the very rare common sense works great - it is just rarely common.
Re: I actually had a Mac infected with a Trojan yesterday! Really!
Posted by: Paul F.
Date: March 29, 2012 01:43PM
Here's one hint... if opening a WORD document asks you to enter your username and password; don't do it... it's a trap! :)

If the user account you use most often is NOT the "Admin" account on the computer, it's a non-issue.



Paul F.
-----
A sword never kills anybody; it is a tool in the killer's hand. - Lucius Annaeus Seneca c. 5 BC - 65 AD
----
Good is the enemy of Excellent. Talent is not necessary for Excellence.
Persistence is necessary for Excellence. And Persistence is a Decision.

--

--

--
Eureka, CA
Re: I actually had a Mac infected with a Trojan yesterday! Really!
Posted by: lost in space
Date: March 29, 2012 01:44PM
ah, nothing new here. I found a trojan on our lab Macs once.

It was a Hypercard stack, in 1996.
Re: I actually had a Mac infected with a Trojan yesterday! Really!
Posted by: N-OS X-tasy!
Date: March 29, 2012 01:57PM
Quote
Paul F.
Here's one hint... if opening a WORD document asks you to enter your username and password; don't do it... it's a trap! :)





It is what it is.
Re: I actually had a Mac infected with a Trojan yesterday! Really!
Posted by: decay
Date: March 29, 2012 02:10PM
Still no reason to panic, but we should be aware:

[reviews.cnet.com]

Putting the Mac Malware scene into perspective, this threat is not known to be widespread and appears to be used in a direct attack that targets Tibetan businesses and organizations. It is also a single addition to the small group of malware that has currently been developed for OS X, which at less than 70 variants is minuscule in comparison to the millions developed yearly for Windows PCs. Additionally, this and the vast majority of known malware for OS X are Trojan horse based threats, and are not viral in nature, meaning they do not spread uncontrollably on their own and require tricking the user (in this case with spam) to install.
So far, the spam e-mails, including links to the malicious Web pages, have only been sent to the Tibetan organizations; however, it is possible that they could be issued elsewhere.



[blog.intego.com]

These Word documents exploit a Word vulnerability that was corrected in June, 2009, but also take advantage of the fact that many users don’t update such software. Word 2004 and 2008 are vulnerable, but the latest version, Word 2011 is not. Also, this vulnerability only works with .doc files, and not the newer .docx format.

These files are not very large – the samples that Intego has analyzed range from 90 K to 230 K – and there is no indication that they may be dangerous. There is no request for a password, and the user does not need to be an administrator for this malware to install. It is worth noting that this is not only an attack on Mac users; Intego has found several samples of the same documents that contain code that will run on Windows.




---
I buy records. Getting rid of some? Let me know.
Re: I actually had a Mac infected with a Trojan yesterday! Really!
Posted by: mattkime
Date: March 29, 2012 02:13PM






VTPKL it!
Re: I actually had a Mac infected with a Trojan yesterday! Really!
Posted by: haikuman
Date: March 29, 2012 02:24PM
I did not purchase a Mac so I could run Windoz.



“Stay Hungry Stay Foolish"
Steve Jobs

"There are only two mantras yum and yuk mine is yum "
Bernard Mickey Wrangle<>Tom Robbins<> "Still Life With Woodpecker"

"There is a fine line between a rut and a groove"
G.D. Kittredge III
Re: I actually had a Mac infected with a Trojan yesterday! Really!
Posted by: GGD
Date: March 29, 2012 02:35PM
This article also lists terminal commands to determine if you are infected.

[reviews.cnet.com]

Quote

F-Secure's analysis offers a detailed method for detecting and ultimately removing the malware from your system, though you can easily detect the malware in its known variants by running the following three commands sequentially in the OS X Terminal utility (found in the /Applications/Utilities/ folder):

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
defaults read /Applications/Safari.app/Contents/Info DYLD_INSERT_LIBRARIES
defaults read /Applications/Firefox.app/Contents/Info DYLD_INSERT_LIBRARIES

If your system is not infected then the output of these commands will state in part that the domain/default pair "does not exist"; however, if it is infected then Terminal will output a path that points to the malware, and you can follow the instructions provided in F-Secure's analysis to remove the malware from your system.
Re: I actually had a Mac infected with a Trojan yesterday! Really!
Posted by: michaelb
Date: March 29, 2012 03:12PM
Quote
decay
There is no request for a password, and the user does not need to be an administrator for this malware to install.

So can anyone explain what this means practically? It is concerning if there is a trojan for the Mac that doesn't require proper authentication for the installation. I don't have any version of Word, so this one won't affect me.
Re: I actually had a Mac infected with a Trojan yesterday! Really!
Posted by: TheCaber
Date: March 29, 2012 05:34PM
In GGD's quote, do you see the first Terminal command to examine default settings contained in ~/.MacOSX/environment ?

The tilde '~' is an abbreviation for your home directory. If you are running MS Word for Mac and happen to encounter the 'carefully crafted' .doc file, it will install itself in your home directory (or a subdirectory that you own) and create the default settings to make sure it runs as you.

No privilege needed, other than your ownership of your home directory.

The other two checks are for changes to Safari or Firefox. Since they reside in the /Applications folder, they are presumably owned by 'root' or some user with Administrator privilege. The browsers aren't necessary to run the malware; they are necessary for the malware to propagate to other users of the system.



=TC
"Ye Olde Farte of Ye Internette"--a Wilted Tindmill® Production
Re: I actually had a Mac infected with a Trojan yesterday! Really!
Posted by: TheCaber
Date: March 29, 2012 05:44PM
For example, I started Applications->Utilities->Terminal.app and 'copy-and-paste'd each of the command lines in GGD's quote. Here's what it looked like, and the results returned:
% defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
2012-03-29 19:25:01.919 defaults[55530:903] 
The domain/default pair of (/Users/daasawyer/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist
% defaults read /Applications/Safari.app/Contents/Info DYLD_INSERT_LIBRARIES
2012-03-29 19:25:14.615 defaults[55531:903] 
The domain/default pair of (/Applications/Safari.app/Contents/Info, DYLD_INSERT_LIBRARIES) does not exist
% defaults read /Applications/Firefox.app/Contents/Info DYLD_INSERT_LIBRARIES
2012-03-29 19:25:24.839 defaults[55532:903] 
The domain/default pair of (/Applications/Firefox.app/Contents/Info, DYLD_INSERT_LIBRARIES) does not exist
%
and I conclude that I don't suffer that particular form of malware (yet).

This is a bit of nasty social engineering (that tricks you into opening an infected document which uses the Microsoft non-secure execution environment), not a true worm or virus which would not require human intervention to propagate.



=TC
"Ye Olde Farte of Ye Internette"--a Wilted Tindmill® Production
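The three `defaults read` checks GGD quoted and TheCaber demonstrated above all ask the same question: does a plist name a library in DYLD_INSERT_LIBRARIES? The script below is an added example written for this thread (not from the cnet or F-Secure articles, and not the `defaults` tool itself) that answers it offline in Python with the standard `plistlib` module. It assumes that `~/.MacOSX/environment.plist` (the 10.6-era per-user environment file the first command reads) stores variables as top-level keys, and that an application's Info.plist would carry an injected variable inside its `LSEnvironment` dictionary, which is where Launch Services reads per-app environment settings; it checks both places. The plist contents are constructed for the demo; the only real value is the `/Users/Shared/.libgmalloc.dylib` path from the opening post, and the second Safari entry is a labelled placeholder.

```python
"""Check plists for DYLD_INSERT_LIBRARIES entries, the indicator behind the
thread's three `defaults read` commands. Added example; the sample plists
below are constructed for the demonstration, not captured from a real Mac."""
import os
import plistlib

# Files behind the three commands (`defaults read ~/.MacOSX/environment ...`
# reads ~/.MacOSX/environment.plist, and so on).
CHECKED_PLISTS = [
    "~/.MacOSX/environment.plist",
    "/Applications/Safari.app/Contents/Info.plist",
    "/Applications/Firefox.app/Contents/Info.plist",
]


def dyld_inserts(plist_bytes: bytes) -> list:
    """Return the library paths named by DYLD_INSERT_LIBRARIES in one plist.

    environment.plist keeps variables as top-level keys; an app's Info.plist
    carries them in its LSEnvironment dictionary (assumption: that is where a
    tampered Info.plist would put the variable, since Launch Services applies
    LSEnvironment at launch). The value is a colon-separated dyld path list.
    """
    data = plistlib.loads(plist_bytes)
    if not isinstance(data, dict):
        return []
    value = data.get("DYLD_INSERT_LIBRARIES")
    if value is None:
        env = data.get("LSEnvironment")
        if isinstance(env, dict):
            value = env.get("DYLD_INSERT_LIBRARIES")
    if not value:
        return []
    return [p for p in str(value).split(":") if p]


def scan(plists: dict) -> dict:
    """Map each plist location to its injected libraries.

    An empty list is the clean result, matching the "does not exist" message
    that `defaults read` prints when the key is absent.
    """
    return {loc: dyld_inserts(content) for loc, content in plists.items()}


def scan_system(locations=CHECKED_PLISTS) -> dict:
    """Read the real files on this machine (macOS); a missing file counts as clean."""
    results = {}
    for loc in locations:
        try:
            with open(os.path.expanduser(loc), "rb") as fh:
                results[loc] = dyld_inserts(fh.read())
        except FileNotFoundError:
            results[loc] = []
    return results


def _plist(d: dict) -> bytes:
    """Serialise a dict as XML plist bytes (same format `defaults` reads)."""
    return plistlib.dumps(d, fmt=plistlib.FMT_XML)


# Constructed samples: an injected environment.plist, a Safari Info.plist with
# two injected libraries (the second path is a placeholder), and a clean Firefox.
SAMPLES = {
    "~/.MacOSX/environment.plist": _plist(
        {"DYLD_INSERT_LIBRARIES": "/Users/Shared/.libgmalloc.dylib"}),
    "/Applications/Safari.app/Contents/Info.plist": _plist(
        {"CFBundleIdentifier": "com.apple.Safari",
         "LSEnvironment": {"DYLD_INSERT_LIBRARIES":
                           "/Users/Shared/.libgmalloc.dylib:/tmp/PLACEHOLDER-second.dylib"}}),
    "/Applications/Firefox.app/Contents/Info.plist": _plist(
        {"CFBundleIdentifier": "org.mozilla.firefox"}),
}

if __name__ == "__main__":
    for location, libs in scan(SAMPLES).items():
        status = "CLEAN" if not libs else "INJECTED: " + ", ".join(libs)
        print(f"{location}: {status}")
```

Running the file prints one line per sample plist; calling `scan_system()` instead performs the same check on the actual files, so a non-empty list for any location is the result the articles describe as infected and the library it names is what to look at next.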
Re: I actually had a Mac infected with a Trojan yesterday! Really!
Posted by: Black
Date: March 29, 2012 06:14PM
Quote
TheCaber
For example, I started Applications->Utilities->Terminal.app and 'copy-and-paste'd each of the command lines in GGD's quote. Here's what it looked like, and the results returned:
% defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
2012-03-29 19:25:01.919 defaults[55530:903] 
The domain/default pair of (/Users/daasawyer/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist
% defaults read /Applications/Safari.app/Contents/Info DYLD_INSERT_LIBRARIES
2012-03-29 19:25:14.615 defaults[55531:903] 
The domain/default pair of (/Applications/Safari.app/Contents/Info, DYLD_INSERT_LIBRARIES) does not exist
% defaults read /Applications/Firefox.app/Contents/Info DYLD_INSERT_LIBRARIES
2012-03-29 19:25:24.839 defaults[55532:903] 
The domain/default pair of (/Applications/Firefox.app/Contents/Info, DYLD_INSERT_LIBRARIES) does not exist
%
and I conclude that I don't suffer that particular form of malware (yet).

This is a bit of nasty social engineering (that tricks you into opening an infected document which uses the Microsoft non-secure execution environment), not a true worm or virus which would not require human intervention to propagate.

Thanks for the explanations!




MR/F Guestmap: [www.mapservices.org]
Re: I actually had a Mac infected with a Trojan yesterday! Really!
Posted by: Ammo
Date: March 29, 2012 07:40PM
So is there a malware program that would have flagged this Trojan? I am not comfortable messing around with terminal.



Murphy's Law of Mechanical Repair - After your hands become coated with grease, your nose begins to itch.
Re: I actually had a Mac infected with a Trojan yesterday! Really!
Posted by: decay
Date: March 29, 2012 08:46PM
On execution, the malware checks if the following path exists in the system:

/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app

If any of these are found, the malware will skip the rest of its routine and proceed to delete itself.

You could copy any old app and rename it to one of the above...



---
I buy records. Getting rid of some? Let me know.