Help - infected with Flashback trojan


3 hours ago, nickbw said:

Trojans usually load as the EFI calls the OS

In addition to what Treed has said, the current macOS checks the EFI for tampering at every reboot, so even if one is subject to a nation-state or other such attack, the user will be clearly warned of any such attempt.

Link to post
Share on other sites

1 hour ago, treed said:

This is not true at all. There is absolutely no known Mac malware that can't be removed by AV software, without needing to reboot from a different disk. If something loads with the EFI, that means it's IN the EFI, and that's not something that could be detected or removed by AV software. But unless you're a potential victim of a nation-state attack, that's not something to worry about.

Whew, one less thing to worry about!

Link to post
Share on other sites

  • 2 weeks later...

Which version of FF are you using? I just downloaded Firefox 59 and the Trojan.OSX.Flashback was apparently downloaded with it—or within it, actually. I was alerted to it (by ClamXav Sentry) as Firefox was being installed. It's more likely Firefox is the issue, that the trojan horse—or false-positive code—was installed with it… and yes, I downloaded it from Mozilla's site, not some dodgy third-party software site.

If you only have the issue in FF, it's probably not Flash—this time—or you'd have it in Safari, too. If you've recently downloaded FF, or upgraded an older version, I'd check your backup(s), go back to an older version of Firefox, and then scan your system again to be sure it's not there. Then install some form of virus/trojan horse checker that checks all of the time, as you work, download files, and install software, etc.

Link to post
Share on other sites

3 minutes ago, VanessaKing said:

I just downloaded Firefox 59 and the Trojan.OSX.Flashback was apparently downloaded with it—or within it, actually. I was alerted to it (by ClamXav Sentry) as Firefox was being installed.

That's a False Positive issue that was resolved a couple of months ago. Updating your virus definitions will fix the problem.

You can update ClamXAV's virus definitions by clicking the "Update Definitions" button on the toolbar, or by clicking the ClamXAV menu (top left beside the Apple logo) and choosing "Update Virus Definitions".

I would also recommend setting a schedule via ClamXAV's preferences to update virus definitions on a daily basis - be sure to set a time when you know your computer will be running and logged in.

Link to post
Share on other sites

Yes, I do update my definitions daily—I've always had my preferences set to do so—and I updated them again after this happened, but I still got an alert that I had a live virus. I'd rather be safe than sorry, so after deleting (it wouldn't allow just quarantining as it read it as a live virus) the trojan horse, I've also deleted the installer and the latest version of FF.

If it is a false-positive, they'll need to figure out why it's alerting before I upgrade again.

Link to post
Share on other sites

Note that your computer must be awake and logged in for a scheduled update to take place. The status bar at the bottom of the main ClamXAV app window will show the date it was last updated or you can check the update log.

If all is up-to-date, please open a ticket on the ClamXAV Help Desk as everybody else who reported the problem had failed to update their definitions. Locate the line in your ClamXavSentry-scan.log for that infection and copy the entire line into the ticket. Searching the log for FOUND will make it easier to locate.

Link to post
Share on other sites

I'm on top of the update issue, so it's definitely not that—I've been a Mac System and Network specialist, among other things, since the very early '90s, so no need to handle me as if I'm a novice. I've definitely got a handle on things… I really appreciate the assist, but it's not the definition updates.

I'm still running OS 10.9.2 on my MacBook (it's a mid-2010, which I don't want to give up because of the 17" monitor), and upgrading ClamXav itself was causing issues with runaway kexts. I downgraded ClamXav and ClamXav Sentry which fixed the issue, but the definitions are still being updated daily—I'm going to check with them to see if that has some kind of impact, though.

I'd be less concerned, but it alerted that the virus was live, so I'd really like to see Mozilla take a look and see what's what.

I'd use Malwarebytes, but I've never been able to get it to run an entire scan without hanging at about 60% complete.

Thanks again for your input.

Link to post
Share on other sites

1 hour ago, VanessaKing said:

I'm on top of the update issue, so it's definitely not that—I've been a Mac System and Network specialist, among other things, since the very early '90s, so no need to handle me as if I'm a novice. I've definitely got a handle on things… I really appreciate the assist, but it's not the definition updates.

I'm still running OS 10.9.2 on my MacBook (it's a mid-2010, which I don't want to give up because of the 17" monitor), and upgrading ClamXav itself was causing issues with runaway kexts. I downgraded ClamXav and ClamXav Sentry which fixed the issue, but the definitions are still being updated daily—I'm going to check with them to see if that has some kind of impact, though.

I'd be less concerned, but it alerted that the virus was live, so I'd really like to see Mozilla take a look and see what's what.

I'd use Malwarebytes, but I've never been able to get it to run an entire scan without hanging at about 60% complete.

Thanks again for your input.

Hi,

is there a specific reason why you're running OS 10.9.2 instead of 10.9.5?

--

Manfred

Link to post
Share on other sites

Running the older version of ClamXAV must be the problem as it probably isn't getting the Mac unique updates that the current versions do. Strange that it causes kext issues, as I’ve never heard that from anybody else. I'll drop out here as it's gone way OT in this forum.

Link to post
Share on other sites

Agree. I've been running 59.0.2 since the day it was released and it tests clean with all current versions of Anti-Malware scanners I have access to. It has to be the older version Vanessa is using on her MacBook.

Link to post
Share on other sites

On 4/1/2018 at 5:01 PM, alvarnell said:

I posted back on Mar 29th that I was having a problem where DreamWeaver was opening my text files, instead of TextEdit. I followed your advice, Alvarnell, and used “get info” in Finder to change the default file opener for all such files, but it didn’t stick. I did a few things to flush caches, like powering off and unplugging, resetting NVRAM, and restarting in Safe Mode. Then I used Onyx, as suggested in the article you linked to, to repair the LaunchServices database. This seemed to work — but only for a few wks. A couple of days ago, the problem recurred - text files trying to open with DW, and DW icons attached to all text files in Finder window.

I found these recent threads, where people are having similar problems with Illustrator trying to open their jpg (and other) files.  Like me, they tried changing the default file opener, and also repairing the LaunchServices database, but were unable to achieve a lasting fix.

There seems to be an ongoing argument among these people (and those trying to advise them) about whether the fault lies with Adobe, or the El Capitan OS.  And some people seem to be having a similar (?) problem they think is due to the Firefox Quantum 58 or 59 browser.  If you are interested, check these threads:

https://forums.adobe.com/thread/2405260
https://forums.adobe.com/thread/2412747?start=40&tstart=0
https://forums.macrumors.com/threads/something-keeps-changing-my-open-with-defaults.2103071/
https://bugzilla.mozilla.org/show_bug.cgi?id=1437281#c23 (a solution is proposed — but seems to involve a downgrade in security)

My resets/Onyx repair provided relief for a while. And yesterday, even just changing the default file opener in Finder seems to have worked for now. But if there’s a permanent solution, I would like to know about it. And mostly, I would like to feel sure there isn’t something fishy going on. (I had another clean scan today with MalwareBytes, so hopefully there's not.)

Link to post
Share on other sites

On 4/2/2018 at 4:51 AM, plb4333 said:

Here's what I use in Firefox 59.01:

I'm very security minded and privacy concerned as well

PLUGINS:

1. Scriptsafe

2. UBlock Origin

3. DuckDuckGo Privacy Essentials

4. Privacy Settings (Plugin)

5. Privacy Badger

6. HTTPS Everywhere

7. WebRTC (But there are 2 settings in about:config that will do the same thing)

If I had to pick just one plugin, it definitely would be -SCRIPTSAFE-. It is top-notch and covers everything you can imagine, but easy to set. Can even disable multiple fingerprint gatherings from websites.

Thanks again, plb4333, for this very useful list.  I am learning to use ScriptSafe.  It seems easier than NoScript.  I find it a bit confusing, but I start with allowing the top domain temporarily, and then take it step-wise from there, allowing as little as possible, and avoiding the things that seem to be 3rd party ad-related domains.  I've also gone back to using WOT to label my search results -- not a perfect system, but it still makes me feel safer.  I also have installed #s 2,3,5, and 6 from your list.  Haven't had time to research #4 and #7.

And thank you for your explanation of VPNs.  I installed Windscribe on my mac and my iphone.  I haven't really used it much yet -- I don't get on public wifi, I just use my cell data if I'm checking email -- but I also encouraged a family member to install it while traveling.  (If you have a free acct (2GB), you don't even have to give an email address, but I decided to go for Pro for the month when this travel is happening.)

Link to post
Share on other sites

35 minutes ago, Distressed said:

Thanks again, plb4333, for this very useful list.  I am learning to use ScriptSafe.  It seems easier than NoScript.  I find it a bit confusing, but I start with allowing the top domain temporarily, and then take it step-wise from there, allowing as little as possible, and avoiding the things that seem to be 3rd party ad-related domains.  I've also gone back to using WOT to label my search results -- not a perfect system, but it still makes me feel safer.  I also have installed #s 2,3,5, and 6 from your list.  Haven't had time to research #4 and #7.

And thank you for your explanation of VPNs.  I installed Windscribe on my mac and my iphone.  I haven't really used it much yet -- I don't get on public wifi, I just use my cell data if I'm checking email -- but I also encouraged a family member to install it while traveling.  (If you have a free acct (2GB), you don't even have to give an email address, but I decided to go for Pro for the month when this travel is happening.)

I'm glad to hear you're using Scriptsafe. :) For the VPN, everyone should use one. It can make all the difference. Especially when travelling and using a hotel wifi. They are notoriously known for wifi scanners and people trying to grab your login info. Especially anything financial-related.

Link to post
Share on other sites

36 minutes ago, plb4333 said:

For the VPN, everyone should use one. It can make all the difference. Especially when travelling and using a hotel wifi. They are notoriously known for wifi scanners and people trying to grab your login info. Especially anything financial-related.

As are several VPN providers. You really need to be careful who you choose, as they all have the ability to harvest your data. There is no regulation of the industry so you have to trust that they will abide by their stated privacy policy.

Edited by alvarnell
Link to post
Share on other sites

Just now, alvarnell said:

As are several VPN providers. You really need to be careful who you choose, as they all have the ability to harvest your data. There is no regulation of the industry so you have to trust that they will abide by their stated privacy policy.

When it comes to security, of course there has to be trust in the VPN providers, what doesn't need trust when going online? The issue can be remedied a lot by viewing the reviews for a specific VPN. For the one I use, this was definitely done, along with VPN having no logs. Sure there has to be trust, but also we're placing our trust in our browsers, ISPs, extensions, plugins, etc... (when it comes to data fetching that is). But the point is, when it comes to whether or not to use a VPN, the advantages FAR outweigh not using one. There's no 2nd opinion on that one. The fact that you bring this up, to me anyways, is uncalled for, since I value security more than most people and I also think most people realize that in this day and age, our privacy has been, and will continue to be invaded from multiple sources in our daily life. Just going on the internet has a huge risk of our personal data getting snagged and used by some company. We learn to live with this, or it's a choice to not go online whatsoever. This is your 2nd time stating the same subject in this regard of using VPNs, if you're this paranoid with security and VPNs, perhaps keep it to yourself and not proclaim this is a weak area of privacy. As I stated above, there are privacy leaks everywhere around us, involving us.

Link to post
Share on other sites

Not paranoid, just cautious and familiar with the facts. Here are a few recent articles from respected authors:

Don't use VPN services

Are Free VPN Apps Worth the Risk? Experts Say 'No'

Beware: Most Mobile VPNs Aren't as Safe as They Seem

The Dark Side of Free VPNs: What You Need to Know

Post-FCC Privacy Rules, Should You VPN?

And a handy reference once you've narrowed down the choice: Detailed VPN Comparison Chart

Link to post
Share on other sites

23 hours ago, alvarnell said:

Not paranoid, just cautious and familiar with the facts. Here are a few recent articles from respected authors:

Don't use VPN services

Are Free VPN Apps Worth the Risk? Experts Say 'No'

Beware: Most Mobile VPNs Aren't as Safe as They Seem

The Dark Side of Free VPNs: What You Need to Know

Post-FCC Privacy Rules, Should You VPN?

And a handy reference once you've narrowed down the choice: Detailed VPN Comparison Chart

Yes, another one of these pro vs cons. It applies everywhere doesn't it? Free VPNs are no good in my view, but otherwise OK, if they're transparent in what they disclose and meet the criteria. Also, do they use their own DNS addresses? Having no logs at all is important, stuff like that. That's where a lot of reading on their site, along with reviews help out. I don't put a lot of weight on naysayers, such as 'Don't use VPN services' in general, because the overall majority say a person should, beyond any doubt, protect yourself more so with VPN. A lot of times when there's a blanket statement used as a generality, it will all boil down to a few specifics, and if one or two specifics are OK then it's OK in general, but is quite an attention grabber for getting viewers/readers. It really depends on one doing their homework and making sure the VPN providers don't make any changes behind your back without you knowing. I've been using FrootVPN out of Sweden for several years and am quite happy with them. All security points covered. The only thing I wish that company would do more, is advertise their services. It's very hard to find reviews with it listed, there are some, but not many. I do appreciate your bringing up the issues with VPNs and for one to be careful. It's just I felt a little put off by your 1st and 2nd post saying the same thing to me as a reply, like you assume nobody knows cr@p about what they're doing, even before you find out, get the drift yet? Oh! and BTW, I'm *ALSO* very cautious and familiar with the facts and, been so to me much longer than you I would suspect...LOL. Early 1982-2018 computer/security/privacy

Edited by plb4333
Link to post
Share on other sites
