Kitz ADSL Broadband Information
Author Topic: An OS X Malware Incident  (Read 3831 times)

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
An OS X Malware Incident
« on: March 03, 2017, 03:39:29 PM »

Other half mentioned her Mac had been behaving oddly for a day or two, with weird popups and bogus security warnings. Malwarebytes found and (hopefully) removed two bad things.

I'm always interested in how we got infected, and after some detective work I found what looked like a Flash Player update package lying around in a tmp folder, and that package had been downloaded about the same time as the malware. And yet, she doesn't actually have Flash Player installed, so why the update? :-\

The answer may lie in bogus flash updates that apparently did the rounds last year...

https://www.intego.com/mac-security-blog/fake-flash-player-update-infects-mac-with-scareware

Signed with a valid developer's certificate, so quite easy to be taken in. :(

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: An OS X Malware Incident
« Reply #1 on: March 08, 2017, 01:37:32 AM »

That's really good to know, thanks indeed for alerting us to that, much appreciated.

petef

  • Reg Member
  • ***
  • Posts: 135
Re: An OS X Malware Incident
« Reply #2 on: March 15, 2017, 01:05:41 PM »

I fixed an infected MacBook Pro for a friend last year. I don’t know what the cause was but here are some of my notes.

Hotspot Shield
REMOVED following these instructions
https://discussions.apple.com/thread/5525093?tstart=0

Upgraded, including OS X El Capitan 10.11.6


Suspect processes
User id 401 unborough or obtrusionist
  intrudance
  emmetropy
  endolabyrithitis

Dodgy entries in /Library/LaunchDaemons mostly dated 2016-05 and -06.

https://www.malwarebytes.com/mac-download/
FIXED - identified and cleaned the above names and more
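The notes above amount to a persistence review: find launchd entries whose modification date falls in the suspect window and see what program each one runs. The following is an added example (not from the thread or from Malwarebytes) that does that scan with the standard library; the directory, plist contents, labels and paths are constructed samples, and the window is the 2016-05/06 range mentioned above.

```python
"""Triage helper: report launchd job plists modified inside a date window,
with the Label and the program each job runs. Sample plists are constructed
here so the script runs offline; on a real Mac point it at /Library/LaunchDaemons."""
import os
import plistlib
import tempfile
from datetime import datetime, timezone


def program_of(job):
    """Executable a launchd job starts: 'Program', else ProgramArguments[0]."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def window(start_day, end_day):
    """UTC timestamps for an inclusive YYYY-MM-DD date range."""
    to_ts = lambda d: datetime.fromisoformat(d).replace(tzinfo=timezone.utc).timestamp()
    return to_ts(start_day), to_ts(end_day) + 86399  # include the whole end day


def scan_launch_dir(directory, start_ts, end_ts):
    """Return [(filename, label, program, mtime_date)] for plists modified in the window."""
    hits = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        mtime = os.path.getmtime(path)
        if not (start_ts <= mtime <= end_ts):
            continue
        try:
            with open(path, "rb") as fh:
                job = plistlib.load(fh)
        except (plistlib.InvalidFileException, ValueError):
            job = {}  # unreadable plist in the window is still worth a look
        day = datetime.fromtimestamp(mtime, timezone.utc).date().isoformat()
        hits.append((name, job.get("Label"), program_of(job), day))
    return hits


def build_sample_dir():
    """Constructed sample entries (labels/paths are made up) with controlled mtimes."""
    d = tempfile.mkdtemp()
    samples = [  # (filename, plist content, mtime date)
        ("com.apple.example.plist", {"Label": "com.apple.example", "Program": "/usr/libexec/example"}, "2015-09-30"),
        ("com.emmetropy.plist", {"Label": "com.emmetropy", "ProgramArguments": ["/Users/Shared/.emm/emmetropy"], "RunAtLoad": True}, "2016-06-03"),
        ("com.intrudance.agent.plist", {"Label": "com.intrudance.agent", "ProgramArguments": ["/Library/.cache/intrudance", "-d"]}, "2016-05-12"),
    ]
    for name, content, day in samples:
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            plistlib.dump(content, fh)
        ts = window(day, day)[0]
        os.utime(path, (ts, ts))
    return d


if __name__ == "__main__":
    for hit in scan_launch_dir(build_sample_dir(), *window("2016-05-01", "2016-06-30")):
        print(hit)
```

Anything reported that runs from a user-writable or hidden path, or whose label does not match a vendor you recognise, is what the notes above call a dodgy entry and deserves a closer look before anything is removed.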

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: An OS X Malware Incident
« Reply #3 on: March 15, 2017, 07:58:09 PM »

Yes, I also used Malwarebytes and it seemed to do a good job. It missed a few files in caches, but with the underlying process kicked out they were harmless.

Just underlines though, the danger of the modern mindset that 'updates are good', and perhaps 'especially flash updates'.

Just today, I visited a BBC news page that invited me to click on a link to install/enable Flash. I declined, as I distrust Flash. I'm not suggesting the BBC page was malicious, but it is all part of the social attitudes that the bad guys are exploiting... 'It is inviting me to update Flash Player, so it must be a good and legitimate website'. No, it may also be a very bad and malicious site, and the package it links to may not be Flash Player at all.

petef

  • Reg Member
  • ***
  • Posts: 135
Re: An OS X Malware Incident
« Reply #4 on: March 15, 2017, 09:06:20 PM »

Generally speaking updates are good. Security problems are spotted, reported and then fixed. The vulnerabilities are when a third party offers a fix. The skilful exploiters are plausible. If something I use needs an update I will use the official channels from either Apple or the software company.

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: An OS X Malware Incident
« Reply #5 on: March 15, 2017, 10:03:36 PM »

I actually rather strongly disagree that updates are generally 'good'.

Updates frequently destabilise a previously stable environment through unintentional side effects, often because of rushed and inadequate testing of patched software. Worse, they allow software vendors (Microsoft!) to deliberately install unwanted software or modify behaviours, masquerading as updates.

If an update provides new features, and these features are useful to me, I may install it - but even then it is often a pain as I like to ensure I can revert if the new version causes problems and that's not always easy - usually impossible for example with iOS updates.

If an update fixes a major bug or security vulnerability I generally take a balanced decision... Convince myself that I understand the risk and can live with it, stop using the product, or install the update. In the last case I regard that as a necessary evil, but not something I would call good.

Just my unconventional opinion. :)