Does the Flashback trojan affect Chrome? Lion?

 
 
Alan Browne
Guest
Posts: n/a
 
      04-07-2012, 01:43 PM
Does the Flashback trojan affect Chrome as well?
Does the Flashback trojan affect browsers under Lion?

I executed this in terminal
defaults read /Applications/Chrome.app/Contents/Info LSEnvironment

and got a file does not exist error. But I'm not sure that's a valid
test. (I just used the same test as for Safari and substituted Chrome).

--
"I was gratified to be able to answer promptly, and I did.
I said I didn't know."
-Samuel Clemens.
 
Reply With Quote
 
 
 
 
Alan Browne
Guest
Posts: n/a
 
      04-07-2012, 03:46 PM
On 2012-04-07 11:30 , Jolly Roger wrote:
> In article<2vCdnZ7ns8AN2R3SnZ2dnUVZ_umdnZ2d@giganews. com>,
> Alan Browne<(E-Mail Removed)> wrote:
>
>> Does the Flashback trojan affect Chrome as well?
>> Does the Flashback trojan affect browsers under Lion?
>>
>> I executed this in terminal
>> defaults read /Applications/Chrome.app/Contents/Info LSEnvironment
>>
>> and got a file does not exist error. But I'm not sure that's a valid
>> test. (I just used the same test as for Safari and substituted Chrome).

>
> My suggestion: Install the latest Apple software update for Java and go
> on with life.


DL'ing just before I opened your reply. For some reason it did not
appear yesterday when I did a s/w update check.

I assume, once installed, that Java can be turned back on in the browsers?


--
"I was gratified to be able to answer promptly, and I did.
I said I didn't know."
-Samuel Clemens.
 
Reply With Quote
 
 
 
 
Michelle Steiner
Guest
Posts: n/a
 
      04-07-2012, 03:59 PM
In article <(E-Mail Removed)>,
Alan Browne <(E-Mail Removed)> wrote:

> Does the Flashback trojan affect Chrome as well?
> Does the Flashback trojan affect browsers under Lion?
>
> I executed this in terminal
> defaults read /Applications/Chrome.app/Contents/Info LSEnvironment
>
> and got a file does not exist error. But I'm not sure that's a valid
> test. (I just used the same test as for Safari and substituted Chrome).


Here's a script I found on the web that checks for the Flashback trojan:

--see if this entry exists. If not an error will occur and be trapped
try
    do shell script "defaults read /Applications/Safari.app/Contents/Info LSEnvironment"
    --set this variable if this entry exists
    set LSE to "true"
on error errmsg
    --set this variable if the error contains the message "does not exist"
    if errmsg contains "does not exist" then
        set LSE to "false"
    end if
end try
--search Firefox for infections
try
    do shell script "defaults read /Applications/Firefox.app/Contents/Info LSEnvironment"
    --set this variable if this entry exists
    set FLSE to "true"
on error errmsg
    --set this variable if the error contains the message "does not exist"
    if errmsg contains "does not exist" then
        set FLSE to "false"
    end if
end try
--see if this entry exists. If not an error will occur and be trapped
try
    do shell script "defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES"
    set DLib to "true"
on error errmsg
    --set this variable if the error contains the message "does not exist"
    if errmsg contains "does not exist" then
        set DLib to "false"
    end if
end try
--if all variables are false then the machine isn't infected
if LSE is "false" and DLib is "false" and FLSE is "false" then
    display alert "You are not infected with Flashback"
--if any variable is true the machine may be infected and needs closer inspection
else if LSE is "true" or DLib is "true" or FLSE is "true" then
    display alert "You may have the Flashback infection" & return & "Go to following URL for more information:" & return & return & "http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml"
end if

--
Tea Party Patriots is to Patriotism as
People's Democratic Republic is to Democracy.
 
Reply With Quote
 
Kurt Ullman
Guest
Posts: n/a
 
      04-07-2012, 04:05 PM
In article <(E-Mail Removed)>,
Jolly Roger <(E-Mail Removed)> wrote:

> In article <(E-Mail Removed)>,
> Alan Browne <(E-Mail Removed)> wrote:
>
> > Does the Flashback trojan affect Chrome as well?
> > Does the Flashback trojan affect browsers under Lion?
> >
> > I executed this in terminal
> > defaults read /Applications/Chrome.app/Contents/Info LSEnvironment
> >
> > and got a file does not exist error. But I'm not sure that's a valid
> > test. (I just used the same test as for Safari and substituted Chrome).

>
> My suggestion: Install the latest Apple software update for Java and go
> on with life.


Quick question for JR or whoever. IF you had the FB trojan does it still
work after the update or does that take care of it? If you have it do
you need to do something to get rid of it or does the update kill it
off?

--
People thought cybersex was a safe alternative,
until patients started presenting with sexually
acquired carpal tunnel syndrome.-Howard Berkowitz
 
Reply With Quote
 
Alan Browne
Guest
Posts: n/a
 
      04-07-2012, 05:56 PM
On 2012-04-07 11:59 , Michelle Steiner wrote:
> In article<2vCdnZ7ns8AN2R3SnZ2dnUVZ_umdnZ2d@giganews. com>,
> Alan Browne<(E-Mail Removed)> wrote:
>
>> Does the Flashback trojan affect Chrome as well?
>> Does the Flashback trojan affect browsers under Lion?
>>
>> I executed this in terminal
>> defaults read /Applications/Chrome.app/Contents/Info LSEnvironment
>>
>> and got a file does not exist error. But I'm not sure that's a valid
>> test. (I just used the same test as for Safari and substituted Chrome).

>
> Here's a script I found on the web that checks for the Flashback trojan:


That script checks for Safari and Firefox transport of the trojan, not
Chrome. I emulated the same command found variously around the web
(above) but I'm not absolutely sure it's a correct test.

IAC, the Apple update went in an hour or so ago in two Macs. Just my
son's Mac left to check.

--
"I was gratified to be able to answer promptly, and I did.
I said I didn't know."
-Samuel Clemens.
 
Reply With Quote
 
Alan Browne
Guest
Posts: n/a
 
      04-07-2012, 05:59 PM
On 2012-04-07 12:04 , Jolly Roger wrote:
> In article<ruOdnRcyQ6Pe_B3SnZ2dnUVZ_rWdnZ2d@giganews. com>,
> Alan Browne<(E-Mail Removed)> wrote:
>
>> On 2012-04-07 11:30 , Jolly Roger wrote:
>>> In article<2vCdnZ7ns8AN2R3SnZ2dnUVZ_umdnZ2d@giganews. com>,
>>> Alan Browne<(E-Mail Removed)> wrote:
>>>
>>>> Does the Flashback trojan affect Chrome as well?
>>>> Does the Flashback trojan affect browsers under Lion?
>>>>
>>>> I executed this in terminal
>>>> defaults read /Applications/Chrome.app/Contents/Info LSEnvironment
>>>>
>>>> and got a file does not exist error. But I'm not sure that's a valid
>>>> test. (I just used the same test as for Safari and substituted Chrome).
>>>
>>> My suggestion: Install the latest Apple software update for Java and go
>>> on with life.

>>
>> DL'ing just before I opened your reply. For some reason it did not
>> appear yesterday when I did a s/w update check.
>>
>> I assume, once installed, that Java can be turned back on in the browsers?

>
> According to Apple:
>
> <http://support.apple.com/kb/HT5228>
>
> This updates Java to 1.6.0_31:
>
> "Multiple vulnerabilities exist in Java 1.6.0_29, the most serious of
> which may allow an untrusted Java applet to execute arbitrary code
> outside the Java sandbox. Visiting a web page containing a maliciously
> crafted untrusted Java applet may lead to arbitrary code execution with
> the privileges of the current user. These issues are addressed by
> updating to Java version 1.6.0_31."


Not the most unambiguous statement.

At least using a non-admin account has some level of protection for the
system. But the privacy of the user account infected with this is at
risk. Can't convince my son to go to a two tier though.

--
"I was gratified to be able to answer promptly, and I did.
I said I didn't know."
-Samuel Clemens.
 
Reply With Quote
 
Michelle Steiner
Guest
Posts: n/a
 
      04-07-2012, 06:18 PM
In article <(E-Mail Removed)>,
Alan Browne <(E-Mail Removed)> wrote:

> > Here's a script I found on the web that checks for the Flashback
> > trojan:

>
> That script checks for Safari and Firefox transport of the trojan, not
> Chrome. I emulated the same command found variously around the web
> (above) but I'm not absolutely sure it's a correct test.


Chrome uses the same WebKit that Safari uses, so it may be that the Safari
test also works for Chrome.

--
Tea Party Patriots is to Patriotism as
People's Democratic Republic is to Democracy.
 
Reply With Quote
 
David Empson
Guest
Posts: n/a
 
      04-07-2012, 10:17 PM
Michelle Steiner <(E-Mail Removed)> wrote:

> In article <(E-Mail Removed)>,
> Alan Browne <(E-Mail Removed)> wrote:
>
> > > Here's a script I found on the web that checks for the Flashback
> > > trojan:

> >
> > That script checks for Safari and Firefox transport of the trojan, not
> > Chrome. I emulated the same command found variously around the web
> > (above) but I'm not absolutely sure it's a correct test.

>
> Chrome uses the same WebKit that Safari uses, so it may be that the Safari
> test also works for Chrome.


Chrome has its own built-in build of WebKit. It doesn't use the system
one installed as part of Safari.

In any case, the script is directly checking the Safari and Firefox
applications, so it won't check whether Chrome (or any other web
browser) has been modified.

In the case of Firefox, it also makes the mistake of assuming where
Firefox was installed, which is not a good idea as Firefox is installed
using drag-and-drop, so the user could have put it in a non-standard
place. (Safari is installed via a package and shouldn't be moved.)

--
David Empson
(E-Mail Removed)
 
Reply With Quote
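
Added example, not part of any post in this thread: a check that covers every .app bundle under a folder (Chrome included, wherever it was dragged) for an LSEnvironment key and the per-user environment.plist for DYLD_INSERT_LIBRARIES, while keeping "file does not exist" separate from "key absent". It reads the plists with Python's plistlib instead of calling defaults; the function names and the sample bundles are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

def check_plist(plist_path, key):
    """Return (status, value); status is no-file, unreadable, absent or present."""
    path = Path(plist_path)
    if not path.is_file():
        return ("no-file", None)           # what defaults reports as "does not exist"
    try:
        with path.open("rb") as fh:
            data = plistlib.load(fh)       # reads both XML and binary plists
    except Exception:                      # corrupt or not a plist: inspect by hand
        return ("unreadable", None)
    if isinstance(data, dict) and key in data:
        return ("present", data[key])
    return ("absent", None)

def scan(app_roots, home):
    """Check every .app bundle under app_roots, plus the per-user environment plist."""
    targets = [(app / "Contents" / "Info.plist", "LSEnvironment")
               for root in app_roots
               for app in sorted(Path(root).rglob("*.app"))]
    targets.append((Path(home) / ".MacOSX" / "environment.plist",
                    "DYLD_INSERT_LIBRARIES"))
    findings = []
    for plist, key in targets:
        status, value = check_plist(plist, key)
        if status in ("present", "unreadable"):   # a lead to inspect, not proof
            findings.append((str(plist), key, status, value))
    return findings

def demo():
    """Run the scan over constructed sample bundles in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        samples = {                                # constructed sample data
            "Applications/Safari.app": {"CFBundleName": "Safari"},
            "Downloads/Chrome.app": {"CFBundleName": "Chrome", "LSEnvironment":
                {"DYLD_INSERT_LIBRARIES": "/constructed/example.dylib"}},
        }
        for rel, info in samples.items():
            contents = tmp / rel / "Contents"
            contents.mkdir(parents=True)
            (contents / "Info.plist").write_bytes(plistlib.dumps(info))
        return [(Path(p).parts[-3], key, status)
                for p, key, status, _ in scan([tmp], tmp / "home")]

if __name__ == "__main__":
    print(demo())
```

On a Mac, scan(["/Applications", Path.home() / "Applications"], Path.home()) walks the usual install locations. A reported key is a reason to look closer at that bundle, since LSEnvironment is a regular Info.plist key that an application may set for its own purposes.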
 
*Hemidactylus*
Guest
Posts: n/a
 
      04-07-2012, 10:43 PM
On 04/07/2012 01:59 PM, Alan Browne wrote:
> On 2012-04-07 12:04 , Jolly Roger wrote:
>> In article<ruOdnRcyQ6Pe_B3SnZ2dnUVZ_rWdnZ2d@giganews. com>,
>> Alan Browne<(E-Mail Removed)> wrote:
>>
>>> On 2012-04-07 11:30 , Jolly Roger wrote:
>>>> In article<2vCdnZ7ns8AN2R3SnZ2dnUVZ_umdnZ2d@giganews. com>,
>>>> Alan Browne<(E-Mail Removed)> wrote:
>>>>
>>>>> Does the Flashback trojan affect Chrome as well?
>>>>> Does the Flashback trojan affect browsers under Lion?
>>>>>
>>>>> I executed this in terminal
>>>>> defaults read /Applications/Chrome.app/Contents/Info LSEnvironment
>>>>>
>>>>> and got a file does not exist error. But I'm not sure that's a valid
>>>>> test. (I just used the same test as for Safari and substituted
>>>>> Chrome).
>>>>
>>>> My suggestion: Install the latest Apple software update for Java and go
>>>> on with life.
>>>
>>> DL'ing just before I opened your reply. For some reason it did not
>>> appear yesterday when I did a s/w update check.
>>>
>>> I assume, once installed, that Java can be turned back on in the
>>> browsers?

>>
>> According to Apple:
>>
>> <http://support.apple.com/kb/HT5228>
>>
>> This updates Java to 1.6.0_31:
>>
>> "Multiple vulnerabilities exist in Java 1.6.0_29, the most serious of
>> which may allow an untrusted Java applet to execute arbitrary code
>> outside the Java sandbox. Visiting a web page containing a maliciously
>> crafted untrusted Java applet may lead to arbitrary code execution with
>> the privileges of the current user. These issues are addressed by
>> updating to Java version 1.6.0_31."

>
> Not the most unambiguous statement.
>
> At least using a non-admin account has some level of protection for the
> system. But the privacy of the user account infected with this is at
> risk. Can't convince my son to go to a two tier though.
>

I find this part interesting on the check and removal instructions:

http://www.f-secure.com/v-descs/troj...shback_i.shtml

Quote:
Installation

On execution, the malware checks if the following path exists in the system:

/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app

If any of these are found, the malware will skip the rest of its routine
and proceed to delete itself.
--
*Hemidactylus*
 
Reply With Quote
 
Barry Margolin
Guest
Posts: n/a
 
      04-07-2012, 11:53 PM
In article <1ki89k9.3f2ir0vzr138N%(E-Mail Removed)>,
(E-Mail Removed) (David Empson) wrote:

> In the case of Firefox, it also makes the mistake of assuming where
> Firefox was installed, which is not a good idea as Firefox is installed
> using drag-and-drop, so the user could have put it in a non-standard
> place. (Safari is installed via a package and shouldn't be moved.)


If you know enough to install it in an unusual place, you shouldn't have
too much trouble modifying the command to access that place.

--
Barry Margolin, (E-Mail Removed)
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
 
Reply With Quote
 
 
 