Topic: Another malware/trojan Mac attack

Offline Xairbusdriver

  • Administrator
  • TS Addict
  • *****
  • Posts: 26388
  • 27" iMac (mid-17), Big Sur, Mac mini, Catalina
    • View Profile
    • Mid-South Weather
Another malware/trojan Mac attack
« on: April 16, 2012, 05:08:07 PM »
Different security firms are calling it by different names: PadSub, SubPad, SadPub, PubSab, etc. The point is, like the other recent malware, it is extremely easy to determine if you are infected and to remove the files.

1. Open your user Library.
2. Open the LaunchAgents directory/folder.
3. Look for a file named "com.apple.PubSabAgent.plist".
4. Open the Preferences directory/folder.
5. Look for a file named "com.apple.PubSabAgent.pfile".

If either file is found, delete it.

You may also need to remember that if you have not used the latest Java updater and you find these files (or the previous "FlashBack" malware), your backup may also be infected. Easiest solution is to dump/delete that backup and make a new one.
THERE ARE TWO TYPES OF COUNTRIES
Those that use metric = #1 Measurement system
And the United States = The Banana system
CAUTION! Childhood vaccinations cause adults! :yes:
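The five-step check above is easy to script. The following shell script is an added example, not something posted in the thread or shipped by Apple: it looks for the two PubSab indicator paths the post names under a Library folder you choose (your own, or the one inside a mounted backup, which the post also says may be infected), and offers to move them into a quarantine folder instead of deleting them outright so you can still look at them afterwards. The function names, the LIBDIR/QDIR arguments and the quarantine step are this example's own assumptions; only the two file paths come from the post.

```shell
#!/bin/sh
# Added example, not code from the thread: check a user Library for the two
# PubSab indicator files named in the post above. The two relative paths are
# the ones the post gives; the function names, the LIBDIR argument and the
# quarantine step are this example's own choices (assumptions).
#
# Pass a Library directory to check something other than your own, e.g. the
# Library inside a mounted backup.

# pubsab_indicators: print the relative paths to look for, one per line.
pubsab_indicators() {
    printf '%s\n' \
        'LaunchAgents/com.apple.PubSabAgent.plist' \
        'Preferences/com.apple.PubSabAgent.pfile'
}

# check_pubsab [LIBDIR]: print every indicator present under LIBDIR
# (default: ~/Library). Returns 0 when none is found, 1 when at least one is.
check_pubsab() {
    libdir=${1:-"$HOME/Library"}
    found=0
    for rel in $(pubsab_indicators); do
        if [ -e "$libdir/$rel" ]; then
            printf 'FOUND: %s\n' "$libdir/$rel"
            found=1
        fi
    done
    return "$found"
}

# quarantine_pubsab [LIBDIR] [QDIR]: move any indicator found under LIBDIR
# into QDIR (default: ~/pubsab-quarantine) instead of deleting it outright,
# so the file stops being loaded but is still there to look at. Prints each
# file moved; returns 0.
quarantine_pubsab() {
    libdir=${1:-"$HOME/Library"}
    qdir=${2:-"$HOME/pubsab-quarantine"}
    for rel in $(pubsab_indicators); do
        if [ -e "$libdir/$rel" ]; then
            mkdir -p "$qdir"
            mv "$libdir/$rel" "$qdir/"
            printf 'MOVED: %s -> %s\n' "$libdir/$rel" "$qdir/"
        fi
    done
    return 0
}

# Run directly (sh check_pubsab.sh) to check your own Library and report.
if [ "${0##*/}" = "check_pubsab.sh" ]; then
    if check_pubsab; then
        echo "No PubSab indicator files found."
    else
        echo "PubSab indicator files present; see the paths above."
    fi
fi
```

Run it as `sh check_pubsab.sh` for your own account, or call `check_pubsab /Volumes/MyBackup/Users/name/Library` to look inside a backup before trusting it. A launch agent that has been moved out of LaunchAgents will no longer be loaded at the next login, which is what you want; logging out and back in (or rebooting) ends any copy that is already running.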

Offline Paddy

  • Administrator
  • TS Addict
  • *****
  • Posts: 13797
    • View Profile
    • https://www.paddyduncan.com
« Reply #1 on: April 16, 2012, 07:23:59 PM »
And there is another variant, spread via infected Word docs.

http://www.macworld.com/article/1166398/tw..._is_slight.html
"If computers get too powerful, we can organize them into committees. That'll do them in." ~Author unknown •iMac 5K, 27" 3.6Ghz i9 (2019) • 16" M1 MBP(2021) • 9.7" iPad Pro • iPhone 13

Xairbusdriver
« Reply #2 on: April 16, 2012, 07:33:01 PM »
And that one was protected by a Word update/Service Pack several years ago.

Once a vector is identified, the "community" creates packages that are sold to anyone who wants to use them to create malware. So, there are "new" variants popping up. Some "developers" are not as efficient at creating these things, so their endeavors come out just a little too late to make much of a dent; the fix is already in before many of these low-lifes even get the things online. Of course, it continues to feed the PC/Mac fanbois arguments...

Paddy
« Reply #3 on: April 17, 2012, 10:55:11 AM »
I find it bizarre that nowhere in the first couple of articles I read on this latest "threat" is there any mention of the fact that the Word vulnerability supposedly being exploited was fixed in June of 2009! The updates were available for those running Microsoft Office Word 2000, Microsoft Office Word 2002, Microsoft Office Word 2003, Microsoft Office Word 2007, Microsoft Office 2004 for Mac, and Microsoft Office 2008 for Mac. Obviously, anyone running Office/Word 2010 (PC) or Office 2011 (Mac) isn't affected.

http://technet.microsoft.com/en-us/securit...lletin/MS09-027

I am getting SO sick of the gloating (generally completely misplaced) on the part of the PC fanbois - AND the goofy news reports from supposedly reputable "technical" reporters. The one on the CBC the other morning was ridiculous. He didn't strengthen his case any (which was basically that since Macs were now so much more popular, they were getting more attention from the malware community...the old security by obscurity chestnut trotted out once again...) when he repeatedly referred to OS TEN as OS "Ex". He also failed to mention that Apple had not only released a fix (yes, it was belated, bad Apple...we get that part) but that they had released a detection and removal tool. Typical news outlet - half the story (the scary part...ooooh) is better than the entire thing.
« Last Edit: April 17, 2012, 10:58:16 AM by Paddy »

Offline lizharbin

  • Super Poster
  • ***
  • Posts: 135
    • View Profile
« Reply #4 on: April 21, 2012, 03:54:53 PM »
Quote from Xairbusdriver (Apr 16 2012, 06:08 PM):
> Different security firms are calling it by different names: PadSub, SubPad, SadPub, PubSab, etc. The point is, like the other recent malware, it is extremely easy to determine if you are infected and to remove the files.
>
> 1. Open your user Library.
> 2. Open the LaunchAgents directory/folder.
> 3. Look for a file named "com.apple.PubSabAgent.plist".
> 4. Open the Preferences directory/folder.
> 5. Look for a file named "com.apple.PubSabAgent.pfile".
>
> If either file is found, delete it.
>
> You may also need to remember that if you have not used the latest Java updater and you find these files (or the previous "FlashBack" malware), your backup may also be infected. Easiest solution is to dump/delete that backup and make a new one.

Are we purchasing protection from these boogers yet? My PC user friends are warning me to get something as a precaution. If so, what is the best for both protection and price?
I've learned I don't suffer from insanity, I enjoy every minute of it... ;) Liz

Xairbusdriver
« Reply #5 on: April 21, 2012, 04:56:21 PM »
Apple has provided an update for Java that fixes the security hole. That's why I mentioned the "Java updater." It's free, of course. It also removes the malware files, if they are present.

Once the hole is "filled in" there is no further need to search or protect anything from another attack by that vector; that door is sealed shut.

So far, every piece of malware has been downloaded by a user visiting a site that has the malware installer. This attack was different because it did not need the user's password. 99% of the previous malware attacks have needed that and the user has entered it without concern as to why it was needed. That is called "social engineering." No software package can protect us from ourselves. If you don't know why your (Administrator) password is being requested, don't provide it. Period.

The reason I say that software can't protect us is because current AV software depends on known codes. It can't determine a new variant until it is found, one way or another. One way is for people to automatically provide their password just because it is asked for. Once that is done and a problem is determined, the source of that problem can then be added to the AV definitions/codes and then blocked in the future. The other way for these things to be discovered is for the various AV software developers to find it. So, let them do it instead of doing it for them by providing your password without knowing why. If you have any question about why it is being asked for, just post.

Frankly, I would not recommend paying for any AV software, yet (on the Mac). There are several free apps that do a fine job on the Mac. I use and recommend ClamXav. I let it run daily. There is even a newer version than the one I have installed but it does nothing to affect what it looks for and I am skipping the update. It automatically updates its malware definitions, however, and that is the most important part of any AV software.

Again, neither this nor any other software can protect you from new attacks that you allow because you enter a password when requested.

Offline RNKIII

  • Administrator
  • TS Addict
  • *****
  • Posts: 2160
    • View Profile
« Reply #6 on: April 21, 2012, 08:12:30 PM »
OK, so I took ABD's advice.....   misteak #1 ???
and DLD latest version of ClamXav from the developer's site....
am running 10.7.x  and when I start up ClamXav... a window pops up and, in effect, tells me I can't run that as PowerPC items cannot be run on this machine?!?!?!  and then ClamXav quits.....  App info tells me it is a 'universal' app...

SO what is that all about???


TIA,

Bob K.
Give a man a fish and you feed him for a day; teach him to
use the Net and he won't bother you for weeks.

Xairbusdriver
« Reply #7 on: April 21, 2012, 09:39:48 PM »
I have no idea what might be wrong, assuming you downloaded 2.2.5 (the latest version). I'm using 2.2.4, which is also a "Universal" app, and running it in Lion as we speak. I'll suggest three possibilities:
1. The download is corrupt. You can use the instructions at the ClamXav website to check the SHA1 checksum, if you downloaded it from there. I'm not sure if the MAS version uses that checksum.
2. The latest version has a bug! I notice it is dated just yesterday. I tend to wait a few days before updating any app.
3. You downloaded the version for 10.4. That may not run on Lion (or even Leopard/Snow Leopard).
Quickest solution is to do another download, use the checksum and see if it works. If it doesn't, contact the developer, detailing your experiences and your reliance on my recommendation.
« Last Edit: April 21, 2012, 09:44:48 PM by Xairbusdriver »

RNKIII
« Reply #8 on: April 21, 2012, 10:14:22 PM »
Yes, I did DL the latest version, 2.2.5, from the developer's site.
I will try the site tomorrow to work with the checksum.
Don't understand the problem either.....  It may be tied to a similar message I'm getting from SETI software that started a couple of weeks ago...

May be generally a good time to restore the Lion...

Bob K.  rnkiii

lizharbin
« Reply #9 on: April 22, 2012, 03:02:55 PM »
Quote from Xairbusdriver (Apr 21 2012, 05:56 PM):
> Apple has provided an update for Java that fixes the security hole. That's why I mentioned the "Java updater." It's free, of course. It also removes the malware files, if they are present.
>
> Once the hole is "filled in" there is no further need to search or protect anything from another attack by that vector; that door is sealed shut.
>
> So far, every piece of malware has been downloaded by a user visiting a site that has the malware installer. This attack was different because it did not need the user's password. 99% of the previous malware attacks have needed that and the user has entered it without concern as to why it was needed. That is called "social engineering." No software package can protect us from ourselves. If you don't know why your (Administrator) password is being requested, don't provide it. Period.
>
> The reason I say that software can't protect us is because current AV software depends on known codes. It can't determine a new variant until it is found, one way or another. One way is for people to automatically provide their password just because it is asked for. Once that is done and a problem is determined, the source of that problem can then be added to the AV definitions/codes and then blocked in the future. The other way for these things to be discovered is for the various AV software developers to find it. So, let them do it instead of doing it for them by providing your password without knowing why. If you have any question about why it is being asked for, just post.
>
> Frankly, I would not recommend paying for any AV software, yet (on the Mac). There are several free apps that do a fine job on the Mac. I use and recommend ClamXav. I let it run daily. There is even a newer version than the one I have installed but it does nothing to affect what it looks for and I am skipping the update. It automatically updates its malware definitions, however, and that is the most important part of any AV software.
>
> Again, neither this nor any other software can protect you from new attacks that you allow because you enter a password when requested.

I downloaded ClamXav but couldn't understand the instructions for running it. In an attempt to dump things I don't need, that went a while back. Should have asked someone here at TS for help. Huh? My equipment is getting to the point where things aren't being supported and that can get to be a headache in a lot of ways.

Paddy
« Reply #10 on: April 22, 2012, 04:14:41 PM »
Liz, did you read this: http://www.clamxav.com/documentation.php ?

Looks pretty straightforward to me...

I've got ClamXav, but the only time I decided to run it, it was taking so long that I decided to bag it. I was only doing it out of curiosity, not because I thought anything was wrong.

I don't bother, at this point, with AV software. I do read the Mac news daily - if there's something out there to be worried about, I'm sure I'll hear about it LONG before any AV software company manages to update their AV definitions to include the threat. That's the problem with AV software - the malware producers are always one step ahead. The only thing AV software does is protect you from already known threats, all of which Apple has pretty much dealt with. The main threats to Mac users remain, as always, the ones that rely on human engineering - and there's no software to protect you from that, I'm afraid. Common sense and a suspicious nature are your best defense: don't open email attachments you're not expecting, don't download anything that any website tells you you "need" in order to use the website, don't download things you don't completely trust/trust the source...etc.
« Last Edit: April 22, 2012, 04:15:34 PM by Paddy »

Xairbusdriver
« Reply #11 on: April 22, 2012, 04:31:39 PM »
ClamXav can take a very long time to scan your entire drive. But you can specify where it should scan, perhaps a "Downloads" folder, wherever you have told the OS to put stuff you download. And you don't have to stop doing things while it does that. Usually. However, since you mentioned your system, it probably will, indeed, grind to a halt while doing anything as intensive as scanning all files. 512MB of memory is exceedingly small these days. I'm not sure you can upgrade to Leopard with that small amount of RAM. And, even if you did, I don't think you would enjoy running it.

As for ClamXav, there is a version specifically for 10.4. Don't bother with the latest versions, which need Leopard or better to run. Of course, it will probably be slower and won't have the same 'bells and whistles' as the newer version. Frankly, with your system, I'd just visit here daily and not worry about your PC friends and their constant need for vigilance (and upgrades to their AV software!).

And, absolutely ask questions here! How else you gonna' learn stuff? There's too much for any one person to know! That's why we keep Paddy, Krissel and Jon around! Of course, after that news, they'll all be wanting a raise!

lizharbin
« Reply #12 on: April 23, 2012, 02:48:45 PM »
Thanks Paddy and Airbusdriver for all the advice. I'll try to keep the warning in mind to use common sense and be suspicious so I won't encounter any of that junque. I did check for those PubSabAgent files and didn't find any. Hooray!

Xairbusdriver
« Reply #13 on: April 23, 2012, 03:27:47 PM »
Computer Incident Response Center Luxembourg (CIRCL) has released a utility that installs a Folder Action script on several folders that have been the choice of recent malware installations. The script was suggested by Topher Kessler of C|Net last week. CIRCL just added a few folders and made it into an installation package. It's free, of course. It won't block any installation(s), but you will get a warning that something has been added/changed in one of the folders. You can then see what's in there and if anything looks suspicious. "Suspicious" would be anything without the name of some app you have.

If you are in the process of adding/installing/updating an app, you should expect to get a warning if it happens to install or change something in one of the folders. Just remember that's normal. What is not normal is to simply be working/surfing and get the warning. In that case, it might be wise to investigate further. You don't need to panic, scream or stop breathing, just take a look at what's in the folder and mention it at your favorite forum (conveniently linked here).

Offline jcarter

  • TS Addict
  • *****
  • Posts: 5808
    • View Profile
    • http://www.jcarter.net/ourdogs/muffinpage.html
« Reply #14 on: April 27, 2012, 08:07:57 AM »
http://www.scientificamerican.com/article....=SA_DD_20120426

Does this have anything to do with that? I've never encountered any of this stuff, so never bother to read much about it. Don't use any Microsoft stuff either.