macaccess installer / install.pkg / OSX.JAHLAV.A



DefUnct
9th December 2008, 11:29 PM
Hi All

I just had a brush with what I think was a Trojan today, and this site was the only one I found with a topic regarding it. The original topic is here, from THIS forum:

http://forums.mactalk.com.au/13/62205-normal-help-new-mac-possible-trojan.html

Sorry for bringing it up again, but it was locked. I just wanted to ask:

I have looked around at all the info from F-Secure / Trend Micro etc., but none seem to mention whether this package requires an admin password to install. Some info here:

Can Apple Keep Malware Away? - TrendLabs Malware Blog - Chris Mosby at myITforum.com (http://myitforum.com/cs2/blogs/cmosby/archive/2008/12/08/can-apple-keep-malware-away-trendlabs-malware-blog.aspx)

Here's my story: I was browsing the net and clicked on a download link for an exe (needed it for my Windows box), and as it was downloading, lo and behold, the name changed from .exe to .dmg.

So, in my download folder I had a disk image, in which was "install.pkg", which launched.

Now, already I was sure this was going to be no good, so when the installer asked me to "agree to terms" I declined, quit, and deleted it. It did not go through the install process (it got to the bit where you are supposed to click Install, but I quit the installer and trashed it; I did not press Install). It did not require, nor did I give it, my admin password (yeah, like I would!), and it should now be gone from my system, bar any web cache where it is stored.

I have checked the locations where the "trojan" is supposed to be, which is the Internet Plug-Ins folder, and I have searched with locate in Terminal and not found any traces of it or its components.

So, now that I've probably done all the right things (no, I don't have anti-virus; yes, I know I should; yes, you're right, I'll sort some out or something), the paranoia has set in.

My question is: am I safe? I have Little Snitch installed and running and nothing came up (this app supposedly calls home), the install did not complete, and I did not click on "Install".

What do you think? All good to carry on like there's no problem, or should I be re-installing (yes, I have backups, but I prefer doing clean installs and then copying over what I need; major headache)?

Thanks for any replies :-) Especially looking to hear from the person in the original post who actually went through the whole installation: did you need to put a password in?

Cheers

dev_enter
9th December 2008, 11:41 PM
Should be OK.

Sounds like this: Intego Security Memo (http://www.intego.com/news/ism0705.asp)
More info: First Look: Trojan Horse warning: What you need to know | Macworld (http://www.macworld.com/article/60823/2007/10/trojanhorse.html)
Yet more: How xkcd Nearly Hacked My Mac (http://adam.shand.net/iki/2008/how_xkcd_nearly_hacked_my_mac/)

DefUnct
10th December 2008, 12:07 AM
Cool, thanks. Most of those are variants of the same thing.

I did check everything that's listed in the articles, which is much the same as an anti-virus app would do. My main concern is that there is something going on that I've missed, or some variant that has got a little cleverer.

For example, my own user on my Mac is allowed to administer the computer, so can a disk image that Safari mounts begin installing without requiring the admin password (if it's localised to my user, not the whole system)? Hence wanting to hear from the person here who had it before.

Also, presumably to change the crontab for a user or the system you should have to authenticate? sudo? Or will it let me do it without?

Anyway, I checked my crontab (none for root or for my user), checked all Internet Plug-Ins folders (main and home directory Library) and nothing in there seems suspicious, and checked my DNS settings and all seems perfect.

So basically I checked everything I could, and all good :-) ...I think.

Has anyone got any more ideas of what I can do to be sure? Check? Or can I just let it go now?

(I have some spare Macs at home; this evening I'm going to run it on a clean, isolated (no network) system and see what it does. I'm curious now.)

DefUnct
10th December 2008, 02:56 AM
OK, for me this is closed now.


After testing at home, I can confirm that the Macworld article posted above is accurate. The only difference I noticed with my variant during testing was that there was no change to the DNS table as far as I could see. I had fseventer running to monitor all file system changes during download and install.

Two items were installed: AdobeFlash and Mozillaplug.plugin, in the /Library/Internet Plug-Ins directory.

A crontab entry was present for root, pointing to AdobeFlash. No entry for other users.

The install DID require the user / admin password. The install fails and leaves the system untouched if Little Snitch is used to block the initial internet connection during install (or it did for me).

Comments: Little Snitch is your friend :). It really won't install by itself; you do need to actively do it yourself, so think :)

So on my main system I'm convinced now that my initial rejection of the installation stopped any potential damage :cool:. My test box is now going through a nice re-install :D

Hope this helps someone, and also hope it's not repeating.

I can send my test procedure and screenshots from fseventer.
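The checks DefUnct walked through in the two posts above (Internet Plug-Ins folders, crontabs for root and the user, DNS resolvers) as one script. This is an added example, not code from the thread or from any of the linked write-ups. It assumes only the indicator names reported in the final post (files named AdobeFlash and Mozillaplug.plugin under an Internet Plug-Ins folder, and a root crontab entry that runs AdobeFlash) plus an EXPECTED_DNS allowlist that you supply yourself; the live_check wrapper and the parsing of scutil output are this example's own choices. Because the detection is by file name, a clean run does not prove a clean system (a variant can rename its files), but any hit is worth acting on.

```shell
#!/bin/sh
# Added example (not from the thread): a host check for the indicators DefUnct
# reported for this install.pkg trojan. Assumptions: the dropped files are named
# AdobeFlash / Mozillaplug.plugin under an "Internet Plug-Ins" folder, the root
# crontab runs AdobeFlash, and DNS is compared against EXPECTED_DNS, an allowlist
# you set yourself. Variants can rename files, so a clean run is not proof of a
# clean system; a hit is worth acting on.

# check_plugins DIR: report the two known dropper file names in DIR.
# Returns 0 if none found, 1 if any found.
check_plugins() {
    dir=$1
    found=0
    for name in AdobeFlash Mozillaplug.plugin; do
        if [ -e "$dir/$name" ]; then
            echo "SUSPECT plugin: $dir/$name"
            found=1
        fi
    done
    return $found
}

# check_crontab: read a crontab listing on stdin and report any entry that runs
# something from an Internet Plug-Ins folder or named after the dropped files.
# Returns 0 if clean, 1 if any entry matches.
check_crontab() {
    hits=$(grep -E -i 'Internet Plug-Ins|AdobeFlash|Mozillaplug' || true)
    if [ -n "$hits" ]; then
        printf 'SUSPECT crontab entry: %s\n' "$hits"
        return 1
    fi
    return 0
}

# check_dns ALLOWED RESOLVER...: ALLOWED is a space-separated allowlist of the
# resolvers you expect (router, ISP, or what you configured); every other
# RESOLVER is reported. Returns 0 if all resolvers are allowed, 1 otherwise.
check_dns() {
    allowed=" $1 "
    shift
    bad=0
    for r in "$@"; do
        case "$allowed" in
            *" $r "*) ;;
            *) echo "SUSPECT DNS resolver: $r"; bad=1 ;;
        esac
    done
    return $bad
}

# live_check: run all three checks on this Mac. Reading root's crontab needs
# sudo; "scutil --dns" prints "nameserver[N] : a.b.c.d" lines that we parse.
live_check() {
    status=0
    for d in "/Library/Internet Plug-Ins" "$HOME/Library/Internet Plug-Ins"; do
        if [ -d "$d" ]; then
            check_plugins "$d" || status=1
        fi
    done
    { crontab -l 2>/dev/null; sudo crontab -l -u root 2>/dev/null; } | check_crontab || status=1
    resolvers=$(scutil --dns 2>/dev/null | awk '/nameserver\[/ {print $3}' | sort -u)
    # $resolvers is deliberately unquoted so each address becomes one argument.
    check_dns "${EXPECTED_DNS:-}" $resolvers || status=1
    if [ "$status" -eq 0 ]; then
        echo "No known indicators found"
    fi
    return $status
}

# Usage: EXPECTED_DNS="192.168.1.1" sh check_install_pkg.sh --live
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

With EXPECTED_DNS left empty every resolver is reported, which is the safe default: the macworld write-up linked above describes DNS tampering, so an unexpected resolver is exactly what you want surfaced rather than silently accepted.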