'Flashback' trojan estimated to have infected 600K Macs worldwide


Comments

  • Reply 121 of 124
    pb Posts: 4,255 member
    Quote:
    Originally Posted by ddarko View Post

    To jump from having a single false positive to the conclusion that a widely known security vendor are "liars" is paranoia, pure and simple.

    In case you missed it, I did not jump to any conclusions. I am trying to find reasonable explanations. Like it or not, lying is one of them.

    Quote:
    Originally Posted by ddarko View Post

    What I'm still waiting for is an explanation of HOW the methodology is flawed

    I do not have the technical knowledge to find out how and why, I can only report what I saw. And what I saw seriously questions their approach. Wrong methodology is the other possible explanation.

    Quote:
    Originally Posted by ddarko View Post

    If you have any explanation why this doesn't work - one that doesn't resort to charges of lying, which doesn't actually rebut or undermine the methodology but only attacks the integrity of the researchers - I am very curious to hear it.

    Again, instead of making an effort to enlighten me as to what explanations we could give, except the obvious ones that I stated before, you try to discredit my findings by turning the attention to the technical aspects no one here could ever know. Nice try! But the big question mark remains: what is behind this?

    Anyone else willing to risk a guess?
  • Reply 122 of 124
    pb Posts: 4,255 member
    Quote:
    Originally Posted by ddarko View Post

    Here's some: (1) you entered your UUID incorrectly; (2) the tools and instructions from F-Secure and Symantec are wrong, you are infected; (3) it's just a plain old false positive, i.e. an error by Kaspersky's online tool.

    OK, this is what I wanted to see. Yes, it may be an error of the online tool. But then they should retire it until it runs correctly. Same goes for F-Secure and Symantec if their tools do not work correctly. Also, I disabled Java two years ago, so no, I am not infected.
  • Reply 123 of 124
    Marvin Posts: 15,377 moderator
    Quote:
    Originally Posted by PB View Post

    In case you missed it, I did not jump to any conclusions. I am trying to find reasonable explanations. Like it or not, lying is one of them.

    It's not a live check. They are matching your UUID against their database of records of contacts to their server.

    - your computer was infected and sent a contact to their server
    - they set up an online tool to verify if your UUID is in their database
    - if it finds your UUID, it will tell you that you are infected

    All the tool means is that at some point in time, your machine contacted them. They may only check against the original database.

    You should also check you don't have the other payload someone noted on the forum about the .rserv file. In the terminal, type:

    ls -a ~/

    If you see a file called .rserv, you still have an executable contacting their servers. There will also be a launch agent called ~/Library/LaunchAgents/com.adobe.reader.plist, which is used to run it.
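The check Marvin describes, as an added example that is not part of any post in this thread: a POSIX shell function that looks for the artifacts named in the thread (~/.rserv, the ~/Library/LaunchAgents/com.adobe.reader.plist launch agent, and the ~/Library/Preferences/Preferences.dylib that a later reply attributes to older Flashback versions) and reports what it finds. The function name, the optional home-directory argument and the exit-code convention are my own choices, not part of any vendor tool; it only reads the filesystem and removes nothing.

```shell
#!/bin/sh
# Added example, not from the forum thread or from any vendor tool.
# Looks for the on-disk Flashback indicators named in the thread under a
# home directory (default: $HOME). Prints each path it finds and a summary,
# and returns 0 when nothing was found, 1 otherwise.

check_flashback_indicators() {
    home="${1:-$HOME}"     # hypothetical optional argument: home dir to inspect
    found=0

    # Relative paths taken from the thread: the .rserv payload, the launch
    # agent that starts it, and the dylib used by older variants.
    for rel in \
        ".rserv" \
        "Library/LaunchAgents/com.adobe.reader.plist" \
        "Library/Preferences/Preferences.dylib"
    do
        if [ -e "$home/$rel" ]; then
            printf 'FOUND: %s\n' "$home/$rel"
            found=$((found + 1))
        fi
    done

    printf '%s indicator(s) found under %s\n' "$found" "$home"
    [ "$found" -eq 0 ]
}

# Usage: sh check_flashback.sh [home_dir]; with no argument it checks $HOME.
check_flashback_indicators "${1:-$HOME}"
```

A clean result here only says these particular files are absent; like the UUID lookup, it is a point-in-time check against known indicators, not proof that the machine never contacted the servers.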
  • Reply 124 of 124
    pb Posts: 4,255 member
    @ Marvin: Thank you for the input; thoughtful and focused as always.

    I understand that this is not a system scan but a simple database check, otherwise it would not ask for the UUID.

    Also, I checked everything you suggested, even for the ~/Library/Preferences/Preferences.dylib used by old versions of Flashback, just in case, and I came out clean. I even checked my Time Machine backups for older traces of .rserv etc., in case I forgot something, but nothing.

    I run Little Snitch and Java has been disabled for at least 2 years now. The fact that Kaspersky's online tool flags my Mac as infected is still a big mystery to me. But considering what an AI user said here, probably it should not be.