Flashback Concern

I'm running a MacBook (2007) with OS X 10.6.8. I have recently heard of this Flashback thing and so I became concerned. I have tried to look up files in Terminal but I am having trouble...
plutil -convert xml1 /Applications/Safari.app/Contents/Info.plist results in a prompt that says permission denied.
plutil -convert xml1 /Applications/Firefox.app/Contents/Info.plist doesn't do anything at all.
I don't use Safari or Firefox, only Chrome. I do not recall an Apple certificate nor a Flash update recently, though I am seeing reports of people just getting it from infected sites now. I have read through a number of forum posts and I don't have any /Users/Shared files other than Blizzard, GarageBand demo songs, Library and Blizzard Entertainment. I have searched for the files listed on this site
http://www.intego.com/mac-security-blog/flashback-mac-trojan-horse-infections-increasing-with-new-variant/ and I haven't found anything.
However, I don't have XProtect. There is no sign of it on this computer that I can find. I go to /Library/LaunchDaemons and there is nothing related to XProtect there. If I search in Finder for "/usr/libexec/XProtectUpdater" I am told I can't access it because I don't have permission.
Do I have this thing?

Here is what I get:
adam-spauldings-computer:~ adamspaulding$ defaults read ~/.MacOSX/environment
2012-04-05 00:06:45.811 defaults[3113:903]
Domain /Users/adamspaulding/.MacOSX/environment does not exist
adam-spauldings-computer:~ adamspaulding$ ls -la ~/Library/LaunchAgents
total 8
drwxr-xr-x   3 adamspaulding  adamspaulding   102 Aug 12  2010 .
drwx------+ 46 adamspaulding  adamspaulding  1564 Apr  4 23:01 ..
-rw-r--r--   1 adamspaulding  adamspaulding   589 Mar  8  2010 com.adobe.ARM.925793fb327152fd34795896fa1fb9ffa268b2a852256fe56609efa3.plist
adam-spauldings-computer:~ adamspaulding$ grep "/Users/" ~/Library/LaunchAgents/*
adam-spauldings-computer:~ adamspaulding$
I tried looking for .so files and couldn't find anything. Maybe I'm being paranoid, but that second command result is freaking me out, and I can't figure out what happened to XProtect...
Also, if I go into the LaunchAgents folder there is a com.apple.java.updateSharing.plist. Is that normal? It's from March 23 2012...
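As an added example (not code from the thread), the script below reproduces the three checks the poster was attempting, run over XML plists so it works on any POSIX system and is exercised against constructed fixtures whose file names mirror the thread. It assumes the plists are XML (on a Mac, `plutil -convert xml1 -o - FILE` prints a binary plist as XML without rewriting it, which is what the in-place `plutil -convert` above would have done) and that DYLD_INSERT_LIBRARIES and LSEnvironment are the keys of interest, as in F-Secure's published Flashback check; empty output from the poster's grep is the clean result.

```shell
#!/bin/sh
# Added example (not from the thread): the three indicator checks the poster was
# attempting, applied to XML plists passed as arguments so the script runs on any
# POSIX system. On a Mac, `plutil -convert xml1 -o - FILE` prints a plist without
# rewriting it, which is why the in-place `plutil -convert` in the thread was refused.
# Returns 0 when no plist in DIR names a path under /Users/ (the clean result
# behind the poster's empty grep), 1 when one does; offending files are printed.
scan_launch_agents() {
    found=0
    for f in "$1"/*.plist; do
        [ -f "$f" ] || continue
        # Agents installed by legitimate software point into /Applications or
        # /Library; Flashback's agent launched a hidden file in the home folder.
        if grep -q '<string>/Users/' "$f"; then
            echo "suspicious program path in $f"
            found=1
        fi
    done
    return $found
}
# Returns 1 when environment.plist sets DYLD_INSERT_LIBRARIES, the key that the
# thread's `defaults read ~/.MacOSX/environment` was after. "Domain ... does not
# exist" means the file is absent, which is the clean answer.
check_dyld_insert() {
    [ -f "$1" ] || return 0
    grep -q '<key>DYLD_INSERT_LIBRARIES</key>' "$1" || return 0
    echo "DYLD_INSERT_LIBRARIES set in $1"
    return 1
}

# Returns 1 when an application's Info.plist carries an LSEnvironment dict, the
# per-application form of the same library injection (the Safari/Firefox check).
check_lsenvironment() {
    [ -f "$1" ] || return 0
    grep -q '<key>LSEnvironment</key>' "$1" || return 0
    echo "LSEnvironment present in $1"
    return 1
}

# Constructed fixtures (file names mirror the thread, contents are invented) so
# the checks can be exercised offline. Prints the fixture root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/clean" "$root/infected"
    cat > "$root/clean/com.example.updater.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>ProgramArguments</key>
  <array><string>/Library/Application Support/Example/updater</string></array>
</dict></plist>
EOF
    cat > "$root/infected/com.adobe.reader.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>ProgramArguments</key>
  <array><string>/Users/someone/.rserv</string></array>
</dict></plist>
EOF
    cat > "$root/infected/environment.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>DYLD_INSERT_LIBRARIES</key><string>/Users/someone/.hidden.so</string>
</dict></plist>
EOF
    cat > "$root/infected/Info.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>LSEnvironment</key>
  <dict><key>DYLD_INSERT_LIBRARIES</key><string>/Users/someone/.hidden.so</string></dict>
</dict></plist>
EOF
    echo "$root"
}

# Stand-alone demo: the clean directory stays quiet, the infected one reports.
if [ "${1:-}" = "--demo" ]; then
    fix=$(make_fixture)
    scan_launch_agents "$fix/clean" && echo "clean LaunchAgents: nothing found"
    scan_launch_agents "$fix/infected" || true
    check_dyld_insert "$fix/infected/environment.plist" || true
    check_lsenvironment "$fix/infected/Info.plist" || true
    rm -rf "$fix"
fi
```

Run it with `--demo` to see the fixtures, or source it and call the functions on ~/Library/LaunchAgents, ~/.MacOSX/environment.plist and a browser's Contents/Info.plist.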

Similar Messages

  • Should I be concerned about flashback trojan?

    How could I find out if my MacBook Pro is infected with this Flashback trojan?

    Two Helpful Links Regarding Flashback Trojan
    A link to a great User Tip about the trojan: Flashback Trojan User Tip
    A related link in the tip to a checker: Malware Checker Download Link
    A Google search can reveal a variety of alternatives on how to remove the trojan should your computer get infected. This can get you started.

  • Replace Materialized View with Flashback?

    I'm building a Data Warehouse with the following:
    1. Tables populated throughout the day using CDC from the Application DB
    2. MVs on those tables to keep a daily snapshot of the tables for reporting.
    3. End users access the data through views with VPD applied, on the MVs
    My systems team would like the solution to use as little storage as possible and currently I effectively have a copy of the app DB in the DW tables and would need another copy in the Daily MVs. (It is an insurance DB, so it is complex with lots of data, > 1.5 TB)
    One way to reduce the storage could be to use flashback to keep a static daily version of the tables, so
    At midnight I'd recreate the views like:
    CREATE OR REPLACE VIEW client
    AS SELECT *
       FROM   client_tab
       AS OF TIMESTAMP (TO_TIMESTAMP(TRUNC(SYSDATE)));
    This would replace my refresh MV script. The end users would then refer to the client view in their reports.
    We would obviously need enough undo to store a day's worth of data to ensure the flashback views remain consistent, but this is much less than the space required for a full copy. On a busy day there would be about 1% data change.
    No DDL will occur on the tables during the day
    Is there anything else I should be aware of? Can you let me know if (and why) this would not be a good idea?
    This will run on Oracle 11.2.0.1
    Thanks,
    Ben

    I guess I'm having some trouble visualizing the basic data model...
    In most data warehouses that I've seen in the financial industry, reporting the position/ balance/ etc. at a given date involves scanning a single daily partition of each fact table involved and then hitting dimension tables that may or may not be partitioned (slowly changing dimensions would often have effective and expiration date columns to store the range of time a row was valid for, for example). Year-over-year reporting, then, just has to scan two fact table partitions-- the one for today and the one for a year ago. You may not store every intermediate change if there are potentially hundreds of transactions per account per day, but you'd generally put the end state for a given day in a single partition.
    In one of your updates, it sounded like the 1.5 TB of data was just for the data that constituted end-of-day yesterday plus the 1% of changes made today which would imply that there was at least 15 GB of UNDO generated every day that would need to be applied to make flashback query work. That quantity of UNDO would make me pretty concerned from a performance perspective.
    I would also tend to wager that VPD policies applied to views that are doing flashback query would be problematic. I haven't tried it and haven't really worked through all the testing scenarios in my mind, but I would be somewhat surprised if that didn't introduce some sort of hurdle that you'd have to work through/ work around.
    Justin

  • "What to do now if I had the Flashback Trojan?"

    I just did a software update (was overdue) that included the java security fix, and was immediately informed that the "OSX.FlashBack.iv" malware was found and removed.
    Does anyone happen to know how serious a threat the malware presents, how to assess any potential damage it may have done, and what I might do to minimize any after-the-fact damage?

    MadMacs0 wrote:
    I'm pretty sure I would go to all the sites I could remember signing into that had significant financial data of mine on them and change my passwords. If I used the same password on multiple sites (I don't) I would change all those, as well. I already check all my transactions on a daily basis due to a mysterious Credit Card compromise a few months back, but if I wasn't, I would do that. A site called mint.com (run by Intuit) makes it easy to see everything at once, but in order to do that I have to provide significant information to them.
    I did go to all of my credit card/bank account sites and changed my user names and passwords. And this time, I'll print the info out, but won't do what I've done before (which was to store that info in a spreadsheet that I had saved to my drive).
    As far as mint.com or any other third party is concerned (including the online backup-service companies), I simply don't trust them and/or don't have high enough confidence in the security measures they have in place to hand over my personal info.
    I would certainly endorse the use of Little Snitch as being worth the time, money and effort to install, set up and maintain. It's not for everyone, but I've used it for years to keep track of what information leaves my computer. During the period when it first alerted users to the existence of the Flashback "N" variant I gained new respect for its capability.
    Thinking about Little Snitch again...I think I read somewhere that FlashBack checks out the system it has targeted and doesn't install itself if it detects the presence of Little Snitch. (If true, I don't know how FlashBack got into my system.) 

  • Is it worth getting antivirus software for my mac with this recent threat with flashback

    I'm concerned about my Mac being infected by the Flashback virus and I don't know if I should purchase antivirus software or not. If anyone can recommend any that would be very nice. Thank you

    Well, if you applied Apple patches for 10.6.8 & up, then no.
    Still pays to be certain with these tips...
    Disable Java in your Browser settings, not JavaScript.
    Flashback - Detect and remove the uprising Mac OS X Trojan...
    http://www.mac-and-i.net/2012/04/flashback-detect-and-remove-uprising.html
    In order to avoid detection, the installer will first look for the presence of some antivirus tools and other utilities that might be present on a power user's system, which according to F-Secure include the following:
    /Library/Little Snitch
    /Developer/Applications/Xcode.app/Contents/MacOS/Xcode
    /Applications/VirusBarrier X6.app
    /Applications/iAntiVirus/iAntiVirus.app
    /Applications/avast!.app
    /Applications/ClamXav.app
    /Applications/HTTPScoop.app
    /Applications/Packet Peeper.app
    If these tools are found, then the malware deletes itself in an attempt to prevent detection by those who have the means and capability to do so. Many malware programs use this behavior, as was seen in others such as the Tsunami malware bot.
    http://reviews.cnet.com/8301-13727_7-57410096-263/how-to-remove-the-flashback-malware-from-os-x/
    http://x704.net/bbs/viewtopic.php?f=8&t=5844&p=70660#p70660
    Open DNS also blocks the FlashBack thing...
    http://blog.opendns.com/2012/04/09/worried-about-mac-malware-just-set-up-opendns/
    Try putting these numbers in Network>TCP/IP>DNS Servers, for the Interface you connect with...
    208.67.222.222
    208.67.220.220
    Then Apply. For 10.5/10.6/10.7 Network, highlight Interface>Advanced button>DNS tab>little + icon.
    DNS Servers are a bit like phone books where you look up a name and it gives you the phone number; in our case, you put in apple.com and it comes back with 17.149.160.49 behind the scenes.
    These Servers have been patched to guard against DNS poisoning, and are faster/more reliable than most ISPs' DNS Servers.
    ClamXAV, free Virus scanner...
    http://www.clamxav.com/
    Free Sophos...
    http://www.sophos.com/products/enterprise/endpoint/security-and-control/mac/
    Little Snitch, stops/alerts outgoing stuff...
    http://www.obdev.at/products/littlesnitch/index.html
    Get MacScan...
    http://www.apple.com/downloads/macosx/networking_security/macscan.html

  • Flashback Trojan infection

    My Macbook Pro has been running funny recently and I decided to install ClamXav to see if anything was wrong. It came back showing infection names: OSX.Flashback-8 & OSX.Flashback-12.
    What should I do at this point?
    I am running version 10.5.8.
    Is there any way I can remove this trojan? I want to make sure my computer is safe.
    I am really concerned and need quick help.
    Thank you.

    This site is slightly more secure for finding out if you are infected as it uses a secure link to enter your UUID
    https://www.drweb.com/flashback/?lng=en
    However, you already know you are infected.
    The second link that clintonfrombirmingham entered is the only one I recommend for removal at this time.
    After the trojan is gone, you need to disable Java in all your browsers to keep from being reinfected. You should also keep a watch on all the financial institutions you have visited since being infected to make certain that privacy information was not compromised and consider changing the passwords to all those sites as well as any others that use the same password.

  • How deal with FLASHBACK trojan?

    Hey folks!
    I updated Adobe Flash Player a few days ago (the update popped up - I did not search for it) and I think I may have installed the "Flashback" trojan 'cuz I did the update in a hurry. Is there any way to find out if the trojan has found its way into the computer or is a format and reinstallation of the OS necessary? Thanks!!!

    woofmatix wrote:
     So I guess if that file ain't there, the Trojan has not entered the system right?
    Don't assume anything, run a scan using ClamXav and if your Apple Software Update works you can pretty much be rest assured you don't have it.
    Also I would like to know if this comes as an update or just an installer.
    It's a trojan installer on hostile web sites.
    If you look at your Adobe Flash System Preference pane it's got its own system to check with Adobe and verify the download. The confusion happens because there is a pop-up when one visits a web page and their Flash is outdated.
    I always download my Flash here
    http://get.adobe.com/flashplayer/
    If you're still concerned you can perform a
    Restoring OS X 10.5 10.6. 10.7 - simple overwrite OS method
    https://discussions.apple.com/message/16276201#16276201
    That will flush anything out of OS X, but you still need to clean up Applications and Users folders.

  • Half a million Mac computers 'infected with malware'... is this a legitimate concern?

    Received an email "Half a million Mac computers 'infected with malware' "... is this a legitimate concern?

    The email itself may be suspect but the story is not:
    http://arstechnica.com/apple/news/2012/04/flashback-trojan-reportedly-controls-half-a-million-macs-and-counting.ars
    although the original source (a Russian anti-virus company ) may or may not be genuine, Ars Technica is highly respected.
    As limnos says, you should disable Java (not Javascript) and also turn off 'Open safe files after downloading' in Safari Preferences/General.
    You should also read this:
    Flashback Trojan - Detection, and how to remove (with caution):
    http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

  • Entered password, concerned about hacking

    Dear all,
    When I recently had a messageboard site open, the Software Update dialog box opened (of its own accord) and asked that I enter my user password so that it could make changes.  As I have Software Update run automatically, I didn't think much of it, and entered my administrator password -- only to realize that Software Update was in fact not open, and when I opened it manually confirmed that it had last run 48 hours before.
    Naturally I'm concerned that someone on the messageboard site had remotely connected to my computer and I had entered my password for him/her.  I immediately changed my OS X password and restarted my computer, but about 10 minutes after restarting a "shade" covered my screen and text appeared, in several languages, telling me that my computer needed to be restarted.
    I restarted the computer manually and sent an error report to Apple as prompted, but am still extremely worried that someone has access to my computer.
    Has anyone had similar experiences?  Does anyone know what might be going on (if anything's going on)?  Thank you very, very much.

    JKapDRC wrote:
    And also, should I install a (free) malware/anti-virus scanner?  If so, which one?
    You've been infected by what appears to be the latest strain of the Flashback Trojan Horse, although the question is not settled yet. See this thread
    <https://discussions.apple.com/message/18007476#18007476>
    which seems to have been the first mention of this strain. In addition to <~/.rserv>, you probably also have <~/Library/LaunchAgents/com.adobe.reader.plist>, which is the launch agent periodically running .rserv.
    Regarding clean-up, so far, none of the A/V people seem to have picked up on it, so installing any A/V utility at this point may not do you any good. Until they are updated to deal with this strain, you cannot be sure that they will detect it or clean it properly. WRT Flashback, I would not trust any A/V utility. IMHO, the only safe solution is, as recommended by Linc Davis, to erase the hard disk and re-install from backup—if you have a backup which you are absolutely sure pre-dates the date of infection. Otherwise, I'd install the OS anew, re-install from the original installers, and restore from backup documents only; no apps and no preferences or configuration files.
    Further, any password used since the infection must be considered compromised, and that could be your bank account, Gmail, or this forum. As soon as you've cleared the infection, go immediately to any account you've accessed (this forum included) and change the password.
    As precautionary measure, disable Java in all your browsers, not just Safari; and consider whether or not un-installing it altogether might not be a bad idea.
    There are a few additional things which you might be interested in doing before erasing everything (disconnect from the network while doing it).
    Take .rserv and com.adobe.reader.plist (it has nothing to do with Adobe Reader, btw), zip 'em together, and save the archive to submit it to A/V sites, like ClamAV or VirusTotal.
    Check your browser history and log messages (in Console). See how trungson did it here
    <https://discussions.apple.com/message/18010355#18010355>
    It might give you an idea of when the infection occurred. The primary vector seems to be hacked or infected Wordpress blogs, but no-one seems to know for sure if there are others. That's why I asked what message board you were on—it would be useful to check what software it's running on and if it has been hacked.

  • Can you be infected with the OSX Flashback-8 malware with OSX 10.8.5?

    So I have an iMac that I bought during the Snow Leopard OS X period. Today I happened to find out that it was infected with the Flashback 8 malware that ClamXav detected. I did all the removal instructions by downloading the software updates. Something tbh I should've done ages ago. To cut to the point, I also have a MacBook that I bought 2 months ago with Mountain Lion of course; can that Flashback malware affect any computers with Mountain Lion or any Mac after the update Apple released that removes the malware? If so what updates are there for people who bought MacBooks or Desktops after the update was released?

    Back in the Spring of 2011 Dr. Web and Kaspersky estimated that over 600,000 Macs were infected through the Flashback backdoor and at least being re-directed to advertising sites. There were theories that other functions could be downloaded into infected Macs, but at the time nothing else was found to be occurring. Most of the infected Macs in the resulting Flashback botnet were disinfected through various means, including the aforementioned Apple MRT that was distributed with each new Security and Java update.
    Intego owns one of the servers and periodically monitors the network for infected Macs that check in to see what they should be doing. Back in January they estimated that there were still 22K infected Macs checking in.
    Their expressed concern (they are trying to sell software) was that some malware gang would take over the botnet when current licenses expire next year and use the network in some way.
    Why there are still that many infected Macs out there is anybody's guess. I suppose there could be that many users who haven't kept their OS up-to-date. It's possible that some of the WordPress blog sites that were used to initially infect Macs were never cleaned up, so any user with Java turned on in their browser visiting one of those sites could still be newly infected. In those cases, only the communications module would have been installed, so they aren't fully infected nor would they even be registered as having been infected, but would still be trying to check a server.

  • HT5244 What does Flashback malware do once it is installed on my machine?

    Hi, Just read HT5244 About Flashback malware, and I still don't know what it does once it installs on my machine. Anyone know?
    Thanks.
    You can call me Ray

    Hi Ray,
    Since it allows potentially malicious Java code to run on your computer, the possibilities are many. The most serious concern is a suspicion (though unverified) that Flashback and its variants could mine confidential information from your computer and upload it to whomever is collecting the data for whatever purpose it intends. A somewhat lesser but still significant concern is that it could simply cause random crashes, slowdowns, data loss and other annoyances.
    To alleviate the first concern there is a tool called Little Snitch that alerts you to any outgoing network requests. It requires some knowledge of what requests are legitimate and what are suspicious, but allows you to block requests that you believe are malicious attempts to steal your information, or simple invasions of your computing privacy. It has been established that - in an attempt to conceal its existence - the malware you reference will not install itself on a computer running Little Snitch as well as a number of other third party utilities.
    Little Snitch is not for everyone. If you were to use it to block all outgoing network requests, for instance, many normal and required functions would fail.

  • Flashback/malware on iPad IOS?

    Hi everyone,
    Although I haven't heard anything about the Flashback malware affecting iOS, I believe yesterday while I was browsing in Safari I stumbled on a site that was infected, as it tried to open something but a pop-up appeared saying something along the lines of 'cannot be opened as java is not installed' on iOS.
    However, after that when I tried to browse in Google again, it refused to open any links on Google - it would just go back to the Google home screen every time I pressed a link. I had to close Safari completely before I could browse again. I went back to the same site and the message didn't pop up a second time and I was able to view the site.
    I was a bit concerned as this has never happened before when using Safari on iOS, especially after hearing about the Flashback malware fiasco. Are there any Flashback variants/malware that have affected iOS to date?
    Thanks

    tango400 wrote:
    ...cannot be opened as java is not installed on iOS.
    That message meant that Java is not installed on iOS.

  • During EXPDP .flb (Flashback logs) generation is very High

    hi,
    my database is in flashback log mode and I created a guaranteed restore point to take my DB back to the restore point. In this status I start a logical backup by EXPDP of a schema and during expdp a lot of .flb logs were generated.
    What is the concern of this EXPDP with the huge generation of .flb logs? Please guide.
    DB Version is 10g(10.2.0.4)
    regards,

    Hi,
    As per my understanding,
    1) Datapump uses "flashback query."
    2) Flashback query does not use flashback logs. It uses UNDO.
    3) Flashback Query uses Oracle's multiversion read-consistency capabilities to restore data by applying undo as needed. Oracle Database 10g automatically tunes a parameter called the undo retention period. The undo retention period indicates the amount of time that must pass before old undo information—that is, undo information for committed transactions—can be overwritten. The database collects usage statistics and tunes the undo retention period based on these statistics and on undo tablespace size.
    Your expdp job has nothing to do with flashback log.
    Best regards,
    Rafi.
    http://rafioracledba.blogspot.com

  • What is known about Mac flashback trojan malware?

    What is known about Mac flashback trojan malware?

    LOL... Don't want to see this guy shirtless, anyway... Seriously, this Flashback thing is not to be taken lightly, and the first line of defense is the user's sense of precaution. Don't click on dubious weblinks, don't download (or if you do, don't open) dubious files, etc...
    Now, this said, there's an ongoing criticism as to how quickly (or rather, slowly) Apple has been patching the vulnerabilities that could lead to an infection by such a malware. Some websites insist on the fact that if Apple let the third-party vendors (Oracle comes to mind where Java is concerned) patch their own software under Apple's supervision, such risks of infection would be next to nil, but that's another debate.
