Register FAQ / Rules Forum Spy Search Today's Posts Mark Forums Read
Go Back   MacRumors Forums > News and Article Discussion > MacRumors.com News Discussion

Reply
 
Thread Tools Search this Thread Display Modes
Old Apr 5, 2012, 06:47 PM   #251
MoleSkine
macrumors member
 
Join Date: Jun 2009
Location: New York!
I think I'm infected

Guys I'm not goetting the does not exist for the first command entering into Terminal - Or am I reading it wrong?
Attached Thumbnails
Click image for larger version

Name:	Screen shot 2012-04-05 at 7.45.43 PM.png
Views:	35
Size:	21.2 KB
ID:	334420  
MoleSkine is offline   0 Reply With Quote
Old Apr 5, 2012, 06:53 PM   #252
kazmac
macrumors 65816
 
kazmac's Avatar
 
Join Date: Mar 2010
Location: Bogan, dark moon of Tython
thank you for posting this...

Quote:
Originally Posted by chrisperro View Post
clean here, update your system often and you should not run into this trojans...
The malware self-installs after you visit a compromised or malicious webpage. Obviously, it would be a good idea to update any Macs in your control.

For those who want to check if mac is infected (from F-Secure instructions):
Run the following command in terminal:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

If you get "The domain/default pair ... does not exist" for both - you are clean


from 9to5mac
JOY!

My iMac is completely clean which is more than I can say about my mind...


Thanks so much for posting these...

----------

Quote:
Originally Posted by MoleSkine View Post
Guys I'm not goetting the does not exist for the first command entering into Terminal - Or am I reading it wrong?
until I pasted both of those commands separately and pressed return after entering each command.

Both came up that does not exist when I did it this way.

Hope that helps
kazmac is offline   1 Reply With Quote
Old Apr 5, 2012, 06:55 PM   #253
DrNick8404
macrumors member
 
Join Date: Mar 2012
Location: North Carolina
Thanks y'all... Im clean
__________________
Dr.
2011(late) MacBook Pro 500gb, 2.4ghz, 16gb RAM
2x Gateway FX series gaming laptops
DrNick8404 is offline   0 Reply With Quote
Old Apr 5, 2012, 06:56 PM   #254
Prynce
macrumors member
 
Join Date: Aug 2008
Quote:
Originally Posted by AndyfromTucson View Post
The news reports are claiming 600,000 Mac infected. If that is true, then I would expect at least a few MacRumors forum readers would be infected. Anyone who found a Flashback infection please speak up.
I dispute this figure and the keyword that makes all those warning signs go off in my gut is "RUSSIAN" and appears to me to be a scare tactic to get people to buy antivirus. Now where was that last company from that may have been doing battle with Apple's security updates awhile back and weren't they promoting AV software. Funny how once they were raided Apple won the battle. Could this just be another tactic?
Prynce is offline   0 Reply With Quote
Old Apr 5, 2012, 06:58 PM   #255
StrikerShoot
macrumors newbie
 
Join Date: Feb 2012
Location: Seattle
I got a Flash (Java) popup today, but I did not install it and closed out immediately. I also have not found Flashback on my computer, but I don't really know where to look.
StrikerShoot is offline   0 Reply With Quote
Old Apr 5, 2012, 06:58 PM   #256
Roc P.
macrumors regular
 
Join Date: Feb 2012
Location: Long Island
OK just got home from work and copied and pasted the commands in terminal. CLEAN! Woo hoo! I suspected I would be ok since I do not even have java installed but I wanted to be sure. Thanks everyone for the tips and op for the link!
Roc P. is offline   0 Reply With Quote
Old Apr 5, 2012, 06:59 PM   #257
StrikerShoot
macrumors newbie
 
Join Date: Feb 2012
Location: Seattle
Quote:
Originally Posted by kazmac View Post
JOY!

My iMac is completely clean which is more than I can say about my mind...


Thanks so much for posting these...

----------



until I pasted both of those commands separately and pressed return after entering each command.

Both came up that does not exist when I did it this way.

Hope that helps
And here we go! Thanks for sharing, checking now...
StrikerShoot is offline   0 Reply With Quote
Old Apr 5, 2012, 06:59 PM   #258
Westside guy
macrumors 601
 
Westside guy's Avatar
 
Join Date: Oct 2003
Location: The soggy part of the Pacific NW
Quote:
Originally Posted by GGJstudios View Post
That makes very little, if any, difference. Running a standard account vs an admin account doesn't ensure security.
Nothing like making a statement that goes against well-established computer security practice without bothering to provide even anecdotal evidence in support for your statement...

Using an account that operates at the lowest necessary privilege level is Security 101. Heck, it's remedial - more like Security 097.

This is the standard Unix security model, and it works very well. Microsoft has finally followed suit, to the benefit of their users. Mac makes it very easy to do as well - unfortunately a lot of Mac users still don't think about security because they haven't been caught with their pants down. Yet. They get a little scared when these stories come out; they check to make sure their system is clean... and then they forget all about security, until the next scary story hits.
__________________
Your post count is insufficient to view signature
Westside guy is offline   1 Reply With Quote
Old Apr 5, 2012, 07:08 PM   #259
MacinDoc
macrumors 68020
 
MacinDoc's Avatar
 
Join Date: Mar 2004
Location: The Great White North
Quote:
Originally Posted by lilo777 View Post
Percentage wise - are more Mac computers now infected with malware than their Windows 7 counterparts?
Well, according to Apple, the number of unique OS X installs in 2009 was 75 million. Over the last 3 years, Apple has averaged Mac sales of 5 million per quarter, so that leaves a potential maximum of 135 million Macs. Let's say that in every year since 2009, 10% of the existing Macs were retired, that would reduce the total number of Macs in service by 20 million. So let's say that there are 115 Macs currently in use worldwide. 0.6 million/115 million * 100% = 0.5%

Microsoft has publicly stated that infection rates for Windows 7 were 0.4% one year ago, but they were increasing by 33% year over year. So it would appear that if this claim is correct, and if Microsoft is correctly reporting infection rates, then assuming that year-over-year increases in infection rates of Windows 7 installations remained constant, then infection rates of OS X and Windows 7 would be quite comparable.
__________________
"...because the people who are crazy enough to think they can change the world, are the ones who do."
MacinDoc is offline   0 Reply With Quote
Old Apr 5, 2012, 07:16 PM   #260
GGJstudios
macrumors Westmere
 
Join Date: May 2008
Quote:
Originally Posted by Westside guy View Post
Nothing like making a statement that goes against well-established computer security practice without bothering to provide even anecdotal evidence in support for your statement.
This may help you understand. There have been other more technically detailed explanations posted over the years, which you can find by searching, if you wish.
GGJstudios is offline   -1 Reply With Quote
Old Apr 5, 2012, 07:25 PM   #261
Domalais
macrumors newbie
 
Join Date: Jun 2011
Quote:
Originally Posted by MacinDoc View Post
Well, according to Apple, the number of unique OS X installs in 2009 was 75 million. Over the last 3 years, Apple has averaged Mac sales of 5 million per quarter, so that leaves a potential maximum of 135 million Macs. Let's say that in every year since 2009, 10% of the existing Macs were retired, that would reduce the total number of Macs in service by 20 million. So let's say that there are 115 Macs currently in use worldwide. 0.6 million/115 million * 100% = 0.5%

Microsoft has publicly stated that infection rates for Windows 7 were 0.4% one year ago, but they were increasing by 33% year over year. So it would appear that if this claim is correct, and if Microsoft is correctly reporting infection rates, then assuming that year-over-year increases in infection rates of Windows 7 installations remained constant, then infection rates of OS X and Windows 7 would be quite comparable.
Your math only holds if this is the only trojan affecting Macs. The infection rate for Win 7 is for all malware.
Domalais is offline   0 Reply With Quote
Old Apr 5, 2012, 07:41 PM   #262
borcanm
macrumors regular
 
Join Date: Nov 2008
We all knew this would happen some day. Macs are no longer virus proof.
borcanm is offline   -1 Reply With Quote
Old Apr 5, 2012, 07:43 PM   #263
MoleSkine
macrumors member
 
Join Date: Jun 2009
Location: New York!
Quote:
Originally Posted by MoleSkine View Post
Guys I'm not goetting the does not exist for the first command entering into Terminal - Or am I reading it wrong?

If I run them individ. no messages past the code shows up only when i run them together.
MoleSkine is offline   0 Reply With Quote
Old Apr 5, 2012, 07:43 PM   #264
GGJstudios
macrumors Westmere
 
Join Date: May 2008
Quote:
Originally Posted by borcanm View Post
We all knew this would happen some day. Macs are no longer virus proof.
Please read the thread. Macs have never been virus-proof and this isn't a virus.
GGJstudios is offline   0 Reply With Quote
Old Apr 5, 2012, 07:49 PM   #265
sngx1275
macrumors regular
 
Join Date: Jan 2009
Location: Missouri
Quote:
Originally Posted by MoleSkine View Post
If I run them individ. no messages past the code shows up only when i run them together.
Post #252 answered you. I think.

You need to run them individually. Your screenshot showed the correct response for uninfected, but only on one of the two commands. In your screenshot it appears you didn't hit enter after pasting the other. Both of the commands that start with 'defaults' need to have enter pressed after they are pasted - looks like you only did that after 1 of them.
sngx1275 is offline   0 Reply With Quote
Old Apr 5, 2012, 07:53 PM   #266
MacinDoc
macrumors 68020
 
MacinDoc's Avatar
 
Join Date: Mar 2004
Location: The Great White North
Quote:
Originally Posted by Domalais View Post
Your math only holds if this is the only trojan affecting Macs. The infection rate for Win 7 is for all malware.
Except that if this number is true, then this particular trojan would represent 99.9% of all known Mac malware.

Personally, given that the number is almost identical to the published rate for Windows 7 infections, I suspect that the number of infected machines was just estimated based on this previously published statistic. There is absolutely no reason to believe that the site that published these numbers has any evidence to back them up.

Probably the biggest question regarding the credibility of Dr. Web on this issue is why they didn't disable the botnet when they sinkholed it. This is a serious question to be asked of security companies, because sinkholing a botnet just redirects the illegally incoming information to the security company's server. The more credible security companies use sinkholing to disable botnets, but their less ethical counterparts use these means for financial gain by selling/monetizing the information obtained by the sinkhole.
__________________
"...because the people who are crazy enough to think they can change the world, are the ones who do."

Last edited by MacinDoc; Apr 5, 2012 at 08:18 PM.
MacinDoc is offline   -1 Reply With Quote
Old Apr 5, 2012, 07:53 PM   #267
MoleSkine
macrumors member
 
Join Date: Jun 2009
Location: New York!
Quote:
Originally Posted by sngx1275 View Post
Post #252 answered you. I think.

You need to run them individually. Your screenshot showed the correct response for uninfected, but only on one of the two commands. In your screenshot it appears you didn't hit enter after pasting the other. Both of the commands that start with 'defaults' need to have enter pressed after they are pasted - looks like you only did that after 1 of them.


Yes thanks SNG I just didn't press enter like a shmuck. I am clear - thanks!
MoleSkine is offline   0 Reply With Quote
Old Apr 5, 2012, 08:08 PM   #268
oleus
macrumors newbie
 
Join Date: Mar 2012
ok, so i ran the terminal commands and came up clean, but just noticed that ClamXAV just found jsched / OSX.Flashback 8 and it's still scanning. this was also after i skipped a CLAM update that featured the option to disregard "infected" files for future scans. WTF! what exactly does this virus do to your machine if it's been on my macbook?
oleus is offline   1 Reply With Quote
Old Apr 5, 2012, 08:50 PM   #269
sngx1275
macrumors regular
 
Join Date: Jan 2009
Location: Missouri
Quote:
Originally Posted by oleus View Post
ok, so i ran the terminal commands and came up clean, but just noticed that ClamXAV just found jsched / OSX.Flashback 8 and it's still scanning. this was also after i skipped a CLAM update that featured the option to disregard "infected" files for future scans. WTF! what exactly does this virus do to your machine if it's been on my macbook?
That is interesting. I don't know the answer to that though. Not many (in the big scheme of things) got infected, and even less post on forums, so you might be breaking new ground here. Perhaps someone better informed than I can chime in.

If I had to make a crude, off the cuff, guess. Then I would say that ClamAV quarantined your infection a few days ago. So it has effectively removed it from your system (which is why the terminal stuff shows you are clean). But ClamAV still knows, and is holding, your infection, so it reports that you still 'have it'.

//My guess is based on having a Windows AV 'quarantine' a virus (or suspected one). And how it deals with them. I have no first hand experience with an AV in OS X.
sngx1275 is offline   1 Reply With Quote
Old Apr 5, 2012, 09:09 PM   #270
MacinDoc
macrumors 68020
 
MacinDoc's Avatar
 
Join Date: Mar 2004
Location: The Great White North
Quote:
Originally Posted by oleus View Post
ok, so i ran the terminal commands and came up clean, but just noticed that ClamXAV just found jsched / OSX.Flashback 8 and it's still scanning. this was also after i skipped a CLAM update that featured the option to disregard "infected" files for future scans. WTF! what exactly does this virus do to your machine if it's been on my macbook?
I think the initial package scans for ClamXav and aborts the installation of the full package if the antivirus software is present, so you probably don't have a full/active installation. Just follow the ClamXav recommendations once it finishes its scan.

Let us know what happens with this, because you are the first person I've seen posting to say they have evidence of an infection. You'd think that if more than 600,000 Macs were affected, that at least some people on these forums would be affected.
__________________
"...because the people who are crazy enough to think they can change the world, are the ones who do."
MacinDoc is offline   0 Reply With Quote
Old Apr 5, 2012, 09:11 PM   #271
KevinN206
macrumors regular
 
Join Date: Jan 2009
Quote:
Originally Posted by MacinDoc View Post
Except that if this number is true, then this particular trojan would represent 99.9% of all known Mac malware.

Personally, given that the number is almost identical to the published rate for Windows 7 infections, I suspect that the number of infected machines was just estimated based on this previously published statistic. There is absolutely no reason to believe that the site that published these numbers has any evidence to back them up.

Probably the biggest question regarding the credibility of Dr. Web on this issue is why they didn't disable the botnet when they sinkholed it. This is a serious question to be asked of security companies, because sinkholing a botnet just redirects the illegally incoming information to the security company's server. The more credible security companies use sinkholing to disable botnets, but their less ethical counterparts use these means for financial gain by selling/monetizing the information obtained by the sinkhole.
Having Dr. Web sinkhole the botnet, IMO, is better than having criminals. The question is how would Dr. Web disable the botnets? Should they issue a command so that the trojan deletes itself? Does this violate any (local and international) laws? Is it in Dr. Web's right to delete files from my computer without my authorization even though it's for my best interest? Will Dr. Web be held liable if they damage the computer while trying to disable it?

I think Dr. Web best option is to notify the ISP and let the ISP notify their customers, but this is a time consuming process and potentially costly for both Dr. Web and the ISPs.
KevinN206 is offline   0 Reply With Quote
Old Apr 5, 2012, 09:26 PM   #272
oleus
macrumors newbie
 
Join Date: Mar 2012
Quote:
Originally Posted by sngx1275 View Post
That is interesting. I don't know the answer to that though. Not many (in the big scheme of things) got infected, and even less post on forums, so you might be breaking new ground here. Perhaps someone better informed than I can chime in.

If I had to make a crude, off the cuff, guess. Then I would say that ClamAV quarantined your infection a few days ago. So it has effectively removed it from your system (which is why the terminal stuff shows you are clean). But ClamAV still knows, and is holding, your infection, so it reports that you still 'have it'.

//My guess is based on having a Windows AV 'quarantine' a virus (or suspected one). And how it deals with them. I have no first hand experience with an AV in OS X.
update:

i had no quarantine folder established so i re-ran it, directing it to send it to a folder on my desktop and then i deleted it. i am re-scanning now. it had been a few weeks since i ran Clam before tonight; i figured i was in the clear after running the terminal commands and was shocked to see Clam immediately find it in its scan (it was found within seconds of the clam scan when i first checked tonight).

before i deleted the folder i scanned the desktop with Clam and it saw it there, i couldn't actually see the file in the folder but deleting the folder and rescanning seems to turning up clean (it's past the point where it first found it)

----------

PS - i know i was a rare report of an infection, but i don't know if any of the people who figured they were "clean" after running terminal checked a Clam scan yet.. i bet if everyone was running ClamXAV you'd be seeing more reports. i'm pretty careful with what i click on/authenticate so i'm pretty shocked to have even seen it at all on my setup (even if the existence of CLAM on my macbook may have blocked it from actually installing itself).
oleus is offline   1 Reply With Quote
Old Apr 5, 2012, 09:29 PM   #273
sngx1275
macrumors regular
 
Join Date: Jan 2009
Location: Missouri
oleus - in my experience dealing with windows infections and AV, that seems normal. I think if you can make your AV say the system is clean, and you can pass F-Secure's method of being clean, then you are clean.

I know it is a dirty feeling, knowing that you had something, but if 2 different things say you are clean and you aren't otherwise getting any odd behavior, you should be good to go.
sngx1275 is offline   0 Reply With Quote
Old Apr 5, 2012, 09:29 PM   #274
MacinDoc
macrumors 68020
 
MacinDoc's Avatar
 
Join Date: Mar 2004
Location: The Great White North
Quote:
Originally Posted by KevinN206 View Post
Having Dr. Web sinkhole the botnet, IMO, is better than having criminals. The question is how would Dr. Web disable the botnets? Should they issue a command so that the trojan deletes itself? Does this violate any (local and international) laws? Is it in Dr. Web's right to delete files from my computer without my authorization even though it's for my best interest? Will Dr. Web be held liable if they damage the computer while trying to disable it?

I think Dr. Web best option is to notify the ISP and let the ISP notify their customers, but this is a time consuming process and potentially costly for both Dr. Web and the ISPs.
This is how you take down a botnet with a sinkhole.
__________________
"...because the people who are crazy enough to think they can change the world, are the ones who do."
MacinDoc is offline   0 Reply With Quote
Old Apr 5, 2012, 09:32 PM   #275
oleus
macrumors newbie
 
Join Date: Mar 2012
Quote:
Originally Posted by sngx1275 View Post
oleus - in my experience dealing with windows infections and AV, that seems normal. I think if you can make your AV say the system is clean, and you can pass F-Secure's method of being clean, then you are clean.

I know it is a dirty feeling, knowing that you had something, but if 2 different things say you are clean and you aren't otherwise getting any odd behavior, you should be good to go.
then i feel clean :-)

i still don't fully understand what this virus "does" when fully implemented on a machine. so i don't even know what i was possibly at risk of. what's the point of this virus, i guess is what i am asking. i have read 4 articles and i still don't have that answer.
oleus is offline   0 Reply With Quote

Reply
MacRumors Forums > News and Article Discussion > MacRumors.com News Discussion

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -5. The time now is 10:24 PM.

Mac Rumors | Mac | iPhone | iPhone Game Reviews | iPhone Apps

Mobile Version | Fixed | Fluid | Fluid HD
Copyright 2002-2013, MacRumors.com, LLC