Global Mac Trojan Attack - What you need to know

Discussion of general issues, not related to a specific Mac or iDevice operating system.
8string
Forum Member - Level 1
Posts: 23
Joined: Thu Jul 21, 2011 8:41 pm

Global Mac Trojan Attack - What you need to know

Post by 8string » Fri Apr 06, 2012 8:19 am

First off, it does not appear to be able to infect iPads or iPhones.

More than half a million Apple computers have been infected with the Flashback Trojan, according to a Russian anti-virus firm.

background at BBC
http://www.bbc.co.uk/news/science-environment-17623422

Apple has released a security update, but users who have not installed the patch remain exposed.
*INSTALL THE CURRENT SECURITY UPDATE BY GOING TO THE APPLE MENU, AND USING SOFTWARE UPDATE TO DO IT.

The security firm F-Secure has also posted detailed instructions about how to confirm if a machine is infected and how to remove the Trojan.
THIS IS FOR THOSE MORE TECHNICAL, IF YOU CAN FOLLOW THOSE INSTRUCTIONS AT THE F-SECURE SITE, DO SO.
http://www.f-secure.com/v-descs/trojan- ... ck_i.shtml

If you cannot follow these instructions, find someone who can, maybe someone from this board.

"Java's developer, Oracle, issued a fix to the vulnerability on 14 February, but this did not work on Macintoshes as Apple manages Java updates to its computers."

Do not do online banking or log into any special site like Paypal, until you have validated that your Mac is NOT infected. The keystroke logging will transmit your login and password to the bad guys. It is critical to make sure you are not infected already.

Assume you will want to buy some inexpensive antivirus software. I personally have used Intego Software's Virus Barrier (X6) for years. It is an excellent package. F-Secure also sells a Mac package. They have been good in the past on Windows.

The rule of thumb on back door Trojans is that you should assume that *if* you have been infected that you will have to wipe your drive clean and reload everything with protections in place. Make sure that your *backup* is not infected, as if you are using Apple's wonderful Time Machine you are possibly copying the infected OS bits (if you have chosen to copy them) to the backup as well. You do have a backup, right? (G)

Note the following; what this means is that if you were running antivirus software, the Trojan would not install itself:

On execution, the malware checks if any of the following paths exist in the system:

/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app

If any of these are found, the malware will skip the rest of its routine and proceed to delete itself.

If you have questions, you should contact your normal Mac business store, such as the one in Port Townsend. I am available for consultation (for free) this weekend, if you need to ask questions. I am not volunteering to come to your home or business as that's a business transaction, and frankly I'm not looking to do that kind of business. Email me at abergstein AT hotmail.com (replace the AT with @ as usual). For those of you who don't know me, I spent over 20 years in the IT industry, including 12 years at Microsoft. I have been the manager of one of the largest Mac business networks in the Pacific Northwest prior to MS, which was a company called Physio Control. We went through Mac virus infections in the early 90s, so this is nothing new. I've spoken at your monthly meeting in the past on Lightroom and Aperture. I currently run a video production company in Port Townsend and use Macs and PCs to edit video.
-------------------------------------------------------
"People used to say that Apple computers, unlike Windows PCs, can't ever be infected - but it's a myth," said Timur Tsoriev, an analyst at Kaspersky Lab.

8string
Forum Member - Level 1
Posts: 23
Joined: Thu Jul 21, 2011 8:41 pm

Re: Global Mac Trojan Attack - What you need to know

Post by 8string » Sun Apr 08, 2012 8:42 pm

Known list of Mac Trojans.

Name | Type | Platform
Xover | Trojan Horse | OSX
Monitorer X | Keylogger | OSX
TIFF Vulnerability | Exploit | OSX
BlazingTools Perfect Keylogger | Keylogger | OSX
Aobo Keylogger | Keylogger | OSX
eWatch | Trojan Horse | OSX
Refog Keylogger | Keylogger | OSX
Monitorer | Keylogger | Classic
DutyWatch Remote | Keylogger | OSX
Spector Pro 2010 | Keylogger | OSX
KeystrokesWatch | Keylogger | OSX
PokerStealer | Trojan Horse | OSX
KeystrokeRecorder X | Keylogger | OSX
Kidlogger | Keylogger | OSX
DevilRobber Trojan Horse | Trojan Horse | OSX
Termite (OSX) | Trojan Horse | OSX
BlackHole RAT | Trojan Horse | OSX
Agent Bob | Keylogger | OSX
KeyCaptor | Keylogger | OSX
Peeping Tom | Keylogger | Classic
SpyMe | Remote Admin Program | OSX
TypeSaver | Keylogger | Classic
AppleScript.THT | Trojan Horse | OSX
trojan.osx.boonana | Trojan Horse | OSX
Spector Pro 2009 | Keylogger | OSX
OSXvnc | Remote Admin Program | OSX
Spector | Keylogger | OSX
MAC Defender | Trojan Horse | OSX
Aobo Keylogger Pro | Keylogger | OSX
MacLifeInsurance | Keylogger | Classic
Tored | Trojan Horse | OSX
Keybag Pro | Keylogger | OSX
KeyBag | Keylogger | OSX
Lose Lose | Malware | OSX
Olyx | Trojan Horse | OSX
FlashBack Trojan Horse | Trojan Horse | OSX
Keyboard Spy | Keylogger | OSX
Imuler | Trojan Horse | OSX
Tsunami Trojan Horse | Trojan Horse | OSX
BackTrack | Keylogger | OSX
HellRaiser | Trojan Horse | OSX
Keylogger | Keylogger | OSX
Amac Keylogger | Keylogger | OSX
MonitorerX Pro | Keylogger | OSX
TextTrap | Keylogger | Classic
iMunizator | Scareware | OSX
TextMeleon | Keylogger | OSX
Super Save | Keylogger | Classic
TypeAgent | Keylogger | OSX
Screenshots Remote | Spyware | OSX
DutyWatch | Keylogger | OSX
Spy | Trojan Horse | OSX
Refog Personal Monitor | Keylogger | OSX
KeyStroke | Keylogger | Classic
Qhosts Trojan Horse | Trojan Horse | OSX
DNSChanger | Trojan Horse | OSX
TypeRecorder X | Keylogger | OSX
Last Resort | Keylogger | Classic
Keyboard and Mouse Recorder | Keylogger | OSX
UnderHand | Trojan Horse | OSX
Mac Remote Control | Remote Admin Program | OSX
CarbonKeys | Keylogger | OSX
Keystroke Recorder | Keylogger | Classic
Termite (OS9) | Trojan Horse | Classic
TypeRecorder | Keylogger | Classic
EZmal | Trojan Horse | OSX
Instant Access Dialer | Trojan Horse | OSX
TakeDown Suite | Trojan Horse | Classic
Invisible Oasis | Keylogger | Classic

Mac Spyware Definitions
Spyware - Spyware is a generic term for any program that takes your personal information and stores it on your computer or sends it out to the internet for retrieval by a third party. There are a few different types of individual spyware programs, including keyloggers, trojan horses, dialer applications, remote administration programs, as well as tracking cookies. Spyware can exhibit a combination of traits found in trojan horses, keyloggers, and remote administration programs, and these programs are considered hybrid spyware.

Keystroke Loggers - MacScan detects keystroke loggers, also known as keyloggers, keystroke recorders, key nabbers, key loggers or key capture programs. When a keystroke logger is installed, keystrokes are recorded — capturing data such as usernames, passwords, credit card numbers, social security numbers, personal data and other information typed. The data may be logged to a file for later retrieval or transferred over the Internet.

MacScan detects both commercially available keystroke recorders as well as keyloggers released by hackers. Although many of the commercially available keystroke recorders are marketed to parents as a way to monitor their children on the internet, many of these programs can be used in the same manner to spy on others without consent. Scenarios may include shared use computers (school, office, cyber cafes) and corporate espionage.

Trojan Horses - Trojan Horses are malicious programs that are disguised as innocent files, usually run invisibly on your system, and enable a remote attacker to transfer files to and from your computer, delete your files, and view your sensitive information. The DNSChanger trojan horse, which recently attacked OS X, can intercept the websites you are attempting to visit, and redirect you to malicious websites which will steal your login information.

8string
Forum Member - Level 1
Posts: 23
Joined: Thu Jul 21, 2011 8:41 pm

Re: Global Mac Trojan Attack - What you need to know

Post by 8string » Mon Apr 09, 2012 6:51 am

Good layman's article on Mac vulnerabilities, especially since older Macs have not been updated by Apple (i.e. Leopard and Tiger users). This is likely a good time to consider upgrading to the latest OS, if the applications you run are supported by it. If you are running an older Mac OS, then you absolutely should be running an antivirus package, as Apple is no longer putting out updates for security vulnerabilities on them. This is why some Mac users are reporting that their "Software Update" is saying that they don't have any updates to receive. It's not because you don't need them.

http://www.zdnet.com/blog/apple/quick-p ... ojan/12712?
"For older machines running pre-Snow Leopard OSes that haven’t been updated by Apple, there may or may not be a problem of infection. Still, to make sure, you can either disable Java in your web browser (in Safari it’s a Security preference), or turn it off altogether using the Java Preferences application, which can be found in the Utilities folder in Applications. I understand that the Mac client for CrashPlan Pro requires Java...The primary reason that there have been few malware attacks on the Mac platform is because most computers in the world run Windows. Sadly, that shield is weakening."

Richard Serkes
Forum Member - Level 5
Posts: 1027
Joined: Thu Mar 31, 2011 9:21 pm
Location: Port Angeles, WA

Re: Global Mac Trojan Attack - What you need to know

Post by Richard Serkes » Tue Apr 10, 2012 7:49 am

Cult of Mac recommends this nifty little app to see if your Mac is infected. It will NOT clean your Mac if it is, it will only tell you if you have a problem.

https://github.com/jils/FlashbackChecker/wiki
---
Always burn your bridges. You never know who's coming up from behind.

Bob Wiswell
Forum Member - Level 3
Posts: 247
Joined: Thu Apr 07, 2011 4:38 pm

Re: Global Mac Trojan Attack - What you need to know

Post by Bob Wiswell » Tue Apr 10, 2012 6:19 pm

Richard,
I can't get this link to go anywhere. I have tried selecting it directly in your message and by copying and pasting the URL into my Camino browser. It always times out and doesn't come up with anything. I am using Tiger and from the discussions I have been reading I am vulnerable because Apple is no longer putting out software updates for this OS.

Is the URL incorrect or do I need to use a different browser?

PS: I just tried it in Safari and it timed-out there also.

Stephen Hart
Forum Member - Level 5
Posts: 3140
Joined: Thu Apr 07, 2011 10:09 am

Re: Global Mac Trojan Attack - What you need to know

Post by Stephen Hart » Tue Apr 10, 2012 8:16 pm

The link seems to work fine for me.

From what I've read, there's no evidence that earlier OS X versions are susceptible to this trojan horse. Each OS X version has a different version of Java. I'm not saying that Tiger, for example, isn't vulnerable, just that I haven't seen anything saying it is.

Furthermore, the degree of spread of this trojan is not clear.

If you still have problems with the link Richard posted, you could try this page:

http://www.f-secure.com/v-descs/trojan- ... ck_k.shtml

That has all the steps, using Terminal. Though it looks long, there are only two steps if you haven't downloaded and installed the trojan horse.

Let us know if you still have a problem.
"Design is not just what it looks like and feels like. Design is how it works."
Steve Jobs
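The two things the thread keeps pointing people at are (a) the list of "deterrent" paths in the first post that the Flashback dropper tests for before installing, and (b) the F-Secure Terminal check for whether the Trojan has already hooked your browser. The script below is an added example written for this thread, not code from the original posts, F-Secure or the FlashbackChecker project. It assumes what the linked F-Secure write-ups describe: the Flashback variants persist by setting DYLD_INSERT_LIBRARIES either under LSEnvironment in Safari's or Firefox's Info.plist or in the per-user ~/.MacOSX/environment.plist. The sample plists at the bottom are constructed, and the ".example.so" library name is a placeholder, not a real Flashback component.

```python
import os
import plistlib
from xml.parsers.expat import ExpatError

# Paths the Flashback dropper tests for before installing (the list quoted in
# the first post). If any exists, the dropper deletes itself, so their presence
# is a weak deterrent, not protection.
BAILOUT_PATHS = [
    "/Library/Little Snitch",
    "/Developer/Applications/Xcode.app/Contents/MacOS/Xcode",
    "/Applications/VirusBarrier X6.app",
    "/Applications/iAntiVirus/iAntiVirus.app",
    "/Applications/avast!.app",
    "/Applications/ClamXav.app",
    "/Applications/HTTPScoop.app",
    "/Applications/Packet Peeper.app",
]

# Assumed persistence locations, per the F-Secure write-ups linked in the
# thread: an LSEnvironment entry in a browser's Info.plist, or the per-user
# environment.plist that launchd applies to every app the user starts.
PERSISTENCE_PLISTS = [
    "/Applications/Safari.app/Contents/Info.plist",
    "/Applications/Firefox.app/Contents/Info.plist",
    os.path.expanduser("~/.MacOSX/environment.plist"),
]


def injected_libraries(plist):
    """Return every DYLD_INSERT_LIBRARIES path found at the top level of a
    parsed plist dict or inside its LSEnvironment dict (colon-separated
    lists are split). Anything that is not a dict yields no findings."""
    if not isinstance(plist, dict):
        return []
    found = []
    for env in (plist, plist.get("LSEnvironment")):
        if isinstance(env, dict) and env.get("DYLD_INSERT_LIBRARIES"):
            found.extend(p for p in str(env["DYLD_INSERT_LIBRARIES"]).split(":") if p)
    return found


def scan_plist_bytes(data):
    """Parse XML or binary plist bytes; unparsable input is reported as no
    finding instead of raising, so one corrupt file does not abort a scan."""
    try:
        return injected_libraries(plistlib.loads(data))
    except (plistlib.InvalidFileException, ValueError, ExpatError):
        return []


def scan_plist_file(path):
    """Scan one plist on disk; a missing file is simply a clean result."""
    if not os.path.isfile(path):
        return []
    with open(path, "rb") as fp:
        return scan_plist_bytes(fp.read())


def present_bailout_paths(paths=BAILOUT_PATHS):
    """Which of the dropper's bail-out paths exist on this machine."""
    return [p for p in paths if os.path.exists(p)]


def triage(plist_paths=PERSISTENCE_PLISTS, bailout_paths=BAILOUT_PATHS):
    """One-shot report: any persistence plist carrying an injected library
    marks the machine as suspect; deterrents are listed for context only."""
    injected = {}
    for path in plist_paths:
        libs = scan_plist_file(path)
        if libs:
            injected[path] = libs
    return {
        "suspect": bool(injected),
        "injected": injected,
        "deterrents": present_bailout_paths(bailout_paths),
    }


# Constructed samples (not taken from a real machine).
CLEAN_SAFARI_PLIST = plistlib.dumps({"CFBundleIdentifier": "com.apple.Safari"})
INFECTED_SAFARI_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.apple.Safari",
    "LSEnvironment": {
        "DYLD_INSERT_LIBRARIES": "/Applications/Safari.app/Contents/Resources/.example.so"
    },
})

if __name__ == "__main__":
    print("constructed infected sample:", scan_plist_bytes(INFECTED_SAFARI_PLIST))
    print("this machine:", triage())
```

Run it on the Mac you are worried about; the Terminal equivalent of the plist check is `defaults read /Applications/Safari.app/Contents/Info LSEnvironment` (and the same for Firefox and `~/.MacOSX/environment DYLD_INSERT_LIBRARIES`), where a "does not exist" error is the clean result. A "suspect" report only tells you the hook is there; removal still means following the F-Secure steps, and as 8string says above, a wipe and reload is the safe assumption for a back door.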

Richard Serkes
Forum Member - Level 5
Posts: 1027
Joined: Thu Mar 31, 2011 9:21 pm
Location: Port Angeles, WA

Re: Global Mac Trojan Attack - What you need to know

Post by Richard Serkes » Tue Apr 10, 2012 8:55 pm

Bob Wiswell wrote:Richard,
I can't get this link to go anywhere. I have tried selecting it directly in your message and by copying and pasting the URL into my Camino browser. It always times out and doesn't come up with anything. I am using Tiger and from the discussions I have been reading I am vulnerable because Apple is no longer putting out software updates for this OS.

Is the URL incorrect or do I need to use a different browser?

PS: I just tried it in Safari and it timed-out there also.
It's working for me in both Safari and Firefox. Can you get to other websites? I'm wondering if your ISP is having problems and that's why you're timing out.

Bob Wiswell
Forum Member - Level 3
Posts: 247
Joined: Thu Apr 07, 2011 4:38 pm

Re: Global Mac Trojan Attack - What you need to know

Post by Bob Wiswell » Wed Apr 11, 2012 7:36 am

I just now tried the link and it went through fine. I also tried Stephen's link and it worked. I don't know why it didn't work before. I had actually tried it earlier when Richard first posted it and it wouldn't work. I don't think it was Olypen (my ISP) messing up as I was online to other sites during that time.

Anyway, chalk it up to one of those gremlins that seem to pop up occasionally. It is working now. I haven't checked about being infected. Will do that later.

Richard Serkes
Forum Member - Level 5
Posts: 1027
Joined: Thu Mar 31, 2011 9:21 pm
Location: Port Angeles, WA

Re: Global Mac Trojan Attack - What you need to know

Post by Richard Serkes » Wed Apr 11, 2012 9:05 am

Just download the file (it's very small) and run the app. It takes less than five (5) seconds for the app to run. If you're clean then all is good. If not, you'll need to take action to clean your hard drive. Instructions can be found in this thread and others on this forum to clean your hard drive.

Remember, this app just checks your hard drive it won't clean it if it's infected.

By the by, I checked all three Macs at our house and all three were OK.

Bob Wiswell
Forum Member - Level 3
Posts: 247
Joined: Thu Apr 07, 2011 4:38 pm

Re: Global Mac Trojan Attack - What you need to know

Post by Bob Wiswell » Wed Apr 11, 2012 5:39 pm

I may be overworking this for my notebook that is running Tiger. 8string mentioned old systems, specifically Leopard and Tiger, but when I went to the github website it says the detection system is only for 10.5 and later. I have disabled JavaScript in Camino and both JavaScript and Java in Safari. What am I going to be missing out on, or what won't work now when using these browsers?

Having said this, we have another notebook that is running Snow Leopard, 10.6, and it appears I need to redirect my attention there.
