9 comments

[ 4.3 ms ] story [ 33.5 ms ] thread
I've never even heard of drweb....I dont see any other security companies reporting on this.
Hmm. I've never heard of drweb.com before, and there's no instructions on how to detect the worm, but they want to sell me anti-virus software.

This might be legit, but I'll wait and see if this appears anywhere else before I trust it as being valid.

Many independent reports of this, but I haven't seen any instruction for detecting or fixing

http://www.tuaw.com/2014/10/03/thousands-of-macs-infected-wi...

At least for detection (from the article): "During installation it is extracted into /Library/Application Support/JavaW, after which the dropper generates a p-list file so that the backdoor is launched automatically."
Has there ever been a company that covertly creates a virus and releases it into the wild, and then "catches" it and sells an anti-virus remedy?
To see if you haven't got it:

In terminal run:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

You should get this error:

The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist

Then run:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

You should get this error:

The domain/default pair of (/Users/YOURUSER/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist

If you do you are clean of this variant!

If this doesn't happen go to http://www.f-secure.com/v-descs/trojan-downloader_osx_flashb... to fix it

That is for the Flashback trojan, but this is a new trojan, according to the post.
It's hard to believe, the claim is that is uses Reddit's search functionality to find connection addresses. I've never been able to find anything using Reddit's search.