AppleInsider › Forums › Software › Mac OS X › 'Flashback' trojan estimated to have infected 600K Macs worldwide

'Flashback' trojan estimated to have infected 600K Macs worldwide - Page 4

post #121 of 125
Quote:
Originally Posted by PB View Post

I cannot tell about Dr. Web but here is what I found about Kaspersky. They have set up a web site where you can check if a Mac has been infected by the Flashback/Flashfake trojan, based on its UUID. I did the check and my Macbook was found infected. But I know it is not since I already ran the available tools (command-line from f-secure and the Symantec utility) to check this out for myself. So, I am clean and Kaspersky insists that I am not. Two explanations come to mind:

(1) They are liars and their intention is to increase sales.
(2) Their methodology is fundamentally flawed.

If you have any other explanations I am very curious to hear them.

Here's some: (1) you entered your UUID incorrectly; (2) the tools and instructions from F Secure and Symantec are wrong, you are infected; (3) it's just a plain old false positive, i.e. an error by Kaspersky's online tool.

(3) is probably the most likely but it says more about your mindset that you would jump from having a single false positive to the conclusion that a widely known security vendor are "liars." And how would they increase "sales"? The Flashback removal tool they and other vendors offer are all free with no obligation to pay for anything else. You can choose to buy their paid solutions but you're free not to - use the Flashback tools and delete them and never deal with them again.

If I was as distrustful and quick to label folks as liars as you, I might question whether you actually got a false positive - all we have is your claim that Kaspersky's tool identified your computer as infected while the tools from F-Secure and Symantec did not. Maybe you're so keen and eager to "protect" Apple that you're lying. How's that for questioning someone's motives instead of addressing the content of their arguments?

But I take you at your word. All I'd say is that it's a massive leap to say a single false positive demonstrates the existence of a Big Lie to hoodwink and scare Mac users worldwide. My blood work comes back from my doctor and if the results turn out to be a false positive, I hardly jump to the conclusion that my doctor, the lab and the pharmaceutical industry as a whole are engaged in a vast conspiracy to drive up medical spending. Your case appears to be a false positive, nothing more, nothing less. Your tiny bit of evidence doesn't support either of your conclusions. At most, it demonstrates Kaspersky's tool isn't perfect and makes mistakes. It hardly proves the counting methodology is "fundamentally flawed."

What I'm still waiting for is an explanation of HOW the methodology is so flawed that it can't be trusted at all - why doesn't counting the number of bots that check in with a command server as those bots are instructed to do by the trojan give you an accurate count of the size of the infection? If you have any explanation why this doesn't work - one that doesn't resort to charges of lying, which doesn't actually rebut or undermine the methodology but only attacks the integrity of the researchers - I am very curious to hear it.
post #122 of 125
Quote:
Originally Posted by ddarko View Post

To jump from having a single false positive to the conclusion that a widely known security vendor are "liars" is paranoia, pure and simple.

In case you missed it, I did not jump to any conclusions. I am trying to find reasonable explanations. Like it or not, lying is one of them.

Quote:
Originally Posted by ddarko View Post

What I'm still waiting for is an explanation of HOW the methodology is flawed

I do not have the technical knowledge to find out how and why, I can only report what I saw. And what I saw seriously questions their approach. Wrong methodology is the other possible explanation.

Quote:
Originally Posted by ddarko View Post

If you have any explanation why this doesn't work - one that doesn't resort to charges of lying, which doesn't actually rebut or undermine the methodology but only attacks the integrity of the researchers - I am very curious to hear it.

Again, instead of making an effort to enlighten me as to what explanations we could give, except the obvious ones that I stated before, you try to discredit my findings by turning the attention to the technical aspects no one here could ever know. Nice try! But the big question mark remains: what is behind this?

Anyone else willing to risk a guess?
post #123 of 125
Quote:
Originally Posted by ddarko View Post

Here's some: (1) you entered your UUID incorrectly; (2) the tools and instructions from F Secure and Symantec are wrong, you are infected; (3) it's just a plain old false positive, i.e. an error by Kaspersky's online tool.

OK, this is what I wanted to see. Yes, it may be an error of the online tool. But then they should retire it until it runs correctly. Same goes for f-secure and Symantec if their tools do not work correctly. Also, I disabled Java two years ago, so no, I am not infected.
post #124 of 125
Quote:
Originally Posted by PB View Post

In case you missed it, I did not jump to any conclusions. I am trying to find reasonable explanations. Like it or not, lying is one of them.

It's not a live check. They are matching your UUID against their database of records of contacts to their server.

- your computer was infected and sent a contact to their server
- they set up an online tool to verify if your UUID is in their database
- if it finds your UUID, it will tell you that you are infected

All the tool means is that at some point in time, your machine contacted them. They may only check against the original database.

You should also check you don't have the other payload someone noted on the forum about the .rserv file. In the terminal, type:

ls -a ~/

If you see a file called .rserv, you still have an executable contacting their servers. There will also be a launchagent called ~/Library/Launchagents/com.adobe.reader.plist, which is used to run it.
post #125 of 125
@ Marvin: Thank you for the input; thoughtful and focused as always.

I understand that this is not a system scan but a simple database check, otherwise it would not ask the UUID.

Also, I checked everything you suggested, even for the ~/Library/Preferences/Preferences.dylib used by old versions of Flashback, just in case, and I came out clean. I checked even my Time Machine backups for older traces of .rserv etc., in case I forgot something, but nothing.

I run Little Snitch and Java has been disabled for at least 2 years now. The fact that Kaspersky's online tool flags my Mac as infected is still a big mystery to me. But considering what an AI user said here, probably it should not be.
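An added example, written for this page and not taken from the thread or from any vendor's tool, to make the two points in Marvin's post concrete: the online UUID check is a lookup against a stored log of past bot check-ins, not a live scan of the machine, and the on-disk artifacts named in the thread (.rserv in the home directory, the com.adobe.reader.plist launch agent, and the older Preferences.dylib that PB mentions) can be checked locally with a few lines of shell. The "LaunchAgents" spelling, the sinkhole log format, and the sample UUIDs and timestamps are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from any vendor's tool.
# It demonstrates two things the thread describes:
#   1. the vendor's UUID check is a lookup of recorded bot check-ins, not a live scan;
#   2. a local scan for the on-disk artifacts named in the thread.
# The paths below are the ones posted; the log format is an assumption.

# Artifacts named in the thread, relative to the home directory.
# "LaunchAgents" is the macOS spelling; the post's "Launchagents" resolves to
# the same path on a case-insensitive filesystem.
FLASHBACK_INDICATORS='.rserv
Library/LaunchAgents/com.adobe.reader.plist
Library/Preferences/Preferences.dylib'

# flashback_indicator_scan HOME_DIR
# Prints one "FOUND <relative path>" line per artifact that exists.
flashback_indicator_scan() {
    _home="$1"
    printf '%s\n' "$FLASHBACK_INDICATORS" | while IFS= read -r _rel; do
        if [ -n "$_rel" ] && [ -e "$_home/$_rel" ]; then
            echo "FOUND $_rel"
        fi
    done
    return 0
}

# flashback_indicator_count HOME_DIR -> number of artifacts present
flashback_indicator_count() {
    flashback_indicator_scan "$1" | wc -l | tr -d ' '
}

# Normalise a UUID before comparison (upper-case, no whitespace) so that a
# differently-cased or padded entry does not produce a spurious "not seen".
_norm_uuid() { printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'; }

# sinkhole_hit_count LOG UUID -> how many recorded check-ins carry that UUID
# Assumed log line format: "<timestamp> <uuid> <source-ip>"
sinkhole_hit_count() {
    _u=$(_norm_uuid "$2")
    awk -v u="$_u" 'toupper($2) == u { n++ } END { print n + 0 }' "$1"
}

# sinkhole_first_seen LOG UUID -> timestamp of the earliest check-in ("" if none)
sinkhole_first_seen() {
    _u=$(_norm_uuid "$2")
    awk -v u="$_u" 'toupper($2) == u && first == "" { first = $1 } END { print first }' "$1"
}

# make_fixture -> prints a fresh temp directory holding a constructed home
# directory (two of the three artifacts planted) and a constructed sinkhole log.
# The UUIDs, timestamps and addresses are made up for this example.
SAMPLE_UUID='A1B2C3D4-E5F6-7890-ABCD-EF1234567890'
make_fixture() {
    _d=$(mktemp -d)
    mkdir -p "$_d/home/Library/LaunchAgents" "$_d/home/Library/Preferences"
    : > "$_d/home/.rserv"
    : > "$_d/home/Library/LaunchAgents/com.adobe.reader.plist"
    cat > "$_d/sinkhole.log" <<EOF
2012-04-05T09:12:44Z $SAMPLE_UUID 198.51.100.17
2012-04-05T09:13:02Z 0F0F0F0F-1111-2222-3333-444455556666 203.0.113.9
2012-04-06T11:40:10Z $SAMPLE_UUID 198.51.100.17
EOF
    printf '%s\n' "$_d"
}

# Stand-alone demonstration on the constructed fixture.
fixture=$(make_fixture)
echo "Local artifact scan:"
flashback_indicator_scan "$fixture/home"
echo "Artifacts present: $(flashback_indicator_count "$fixture/home")"
echo "Sinkhole records for $SAMPLE_UUID: $(sinkhole_hit_count "$fixture/sinkhole.log" "$SAMPLE_UUID")," \
     "first seen $(sinkhole_first_seen "$fixture/sinkhole.log" "$SAMPLE_UUID")"
lower_uuid=$(echo "$SAMPLE_UUID" | tr '[:upper:]' '[:lower:]')
echo "Same UUID typed in lower case: $(sinkhole_hit_count "$fixture/sinkhole.log" "$lower_uuid") records"
rm -rf "$fixture"
```

The point the lookup half illustrates is the one Marvin makes: a hit only says that a machine reporting this UUID contacted the sinkhole at some time, so a cleaned machine will keep showing as "infected" until the database is refreshed, and a mistyped UUID will show as clean regardless. To run the local half against a real account, call flashback_indicator_scan with that account's home directory instead of the fixture.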