GPSFileDepot.com
GPSFileDepot forums may have helped spread Mac virus/trojan

Started by Boyd, April 06, 2012, 06:43:18 AM


Boyd

OK - don't panic, everything is probably fine, but if you're on a Mac it's worth checking this out. I posted about it here, but most people probably won't make the connection: http://forums.gpsfiledepot.com/index.php?topic=2771.msg16548#new

When GPSFileDepot was recently hacked, it appeared pretty innocuous and only resulted in users being redirected to some harmless looking sites. Now I have learned that these sites are included in the ones which have been spreading a Mac virus/trojan that's been getting a lot of publicity: http://news.yahoo.com/more-600-000-macs-infected-flashback-malware-report-091608469.html

To check if your Mac is infected, open the Terminal program (found in the Utilities folder inside the Applications folder). Paste the following command into terminal

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

Hit the return key and now paste this command into Terminal

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

If you get a response saying that the domain/pair does not exist for each of these, you are not infected. The strange thing is that if you have Microsoft Office 2008, Office 2011 or Skype on your Mac, evidently the virus won't get installed. Maybe that's why I'm clean?

Apple has issued a software update to close this vulnerability. If I understand correctly, it should also remove the virus if present. The same virus also affects Windows machines and has been around for a while, so hopefully you will be OK there if your antivirus software is up to date.
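The two Terminal checks above can be wrapped in one script so the result is read consistently. This is an added example, not a script from the forum post or from GPSFileDepot; it assumes, as the post says, that a clean machine answers both `defaults read` commands with a "domain/default pair ... does not exist" error, and it treats any other response (for instance an actual value being printed) as something to look at more closely. The `classify_defaults_output` and `check_key` helper names are this example's own.

```shell
#!/bin/sh
# Added example: runs the two Flashback indicator checks from the post
# (defaults read on Safari's Info plist and on ~/.MacOSX/environment)
# and classifies each answer. Assumption: a clean system prints the
# "domain/default pair ... does not exist" error for both keys.

# classify_defaults_output TEXT
# Prints "clean" when TEXT is the "does not exist" error that
# defaults(1) emits for a missing key, "suspicious" for anything else
# (a printed value means the key is set, which is the indicator).
classify_defaults_output() {
  case "$1" in
    *"does not exist"*) printf 'clean\n' ;;
    *)                  printf 'suspicious\n' ;;
  esac
}

# check_key DOMAIN KEY
# Runs "defaults read DOMAIN KEY" with stderr merged so the error text
# is captured, prints the verdict, and returns 0 only when clean.
check_key() {
  domain=$1
  key=$2
  # defaults exits non-zero for a missing key; that is the clean case,
  # so the failure must not abort the script.
  output=$(defaults read "$domain" "$key" 2>&1) || true
  verdict=$(classify_defaults_output "$output")
  printf '%s %s: %s\n' "$domain" "$key" "$verdict"
  if [ "$verdict" = suspicious ]; then
    printf '  value returned: %s\n' "$output"
  fi
  [ "$verdict" = clean ]
}

# run_flashback_checks
# Runs both checks from the post; exit status 0 means neither indicator
# is present, 1 means at least one key exists and needs a closer look.
run_flashback_checks() {
  status=0
  check_key /Applications/Safari.app/Contents/Info LSEnvironment || status=1
  check_key "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES || status=1
  if [ "$status" -eq 0 ]; then
    printf 'Neither indicator is present.\n'
  else
    printf 'At least one indicator is present; inspect the value above and apply the Apple update.\n'
  fi
  return "$status"
}

# Only attempt the live check where defaults(1) exists (macOS); the
# classifier itself is plain POSIX shell and runs anywhere.
if command -v defaults >/dev/null 2>&1; then
  run_flashback_checks
else
  printf 'defaults(1) not found: the live check only applies on macOS\n' >&2
fi
```

Save it as a file, `chmod +x` it, and run it from Terminal; the exit status (0 clean, 1 indicator present) lets it be used from another script as well as read by eye.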

-Oz-

Yea, that is a lot of infected mac computers.  Those sites did look familiar.

Dan Blomberg
Administrator - GPSFileDepot
GPS Units: Garmin Dakota 20, Garmin GPSMap 60csx, Nuvi 255W, Nuvi 250W, ForeRunner 110, Fenix 2, Tactix Bravo, Foretrex 401
See/Download My Maps!

Boyd

It should also be stressed that none of the GPSFileDepot maps or downloads are infected with viruses. The only way you could have been exposed to this issue is if you went to one of the other websites that the hack was directing you to.

Seldom

For all those Nervous Nellies with PCs, this is a Mac Only problem, right?

Boyd

Actually, NO. This same virus has been around on Windows for a year or so. I would assume that means all the Windows anti-virus programs are able to defend against it as long as you stay up to date.

The surprise was that it also affects Macs.

Seldom

But couldn't lots of Java scripts be written to do bad stuff cross platform, and mess with Macs and PCs both? 

Boyd

I don't follow this stuff too closely, but since Macs are running BSD unix "under the hood", a virus would normally need root privileges (superuser) to install any software on your machine. And this would trigger a dialog box asking if you wanted to install and requiring you to authenticate with your admin password. What I gather was different here is that the bad guys found some way to get around authenticating by using a Java program running under Safari (the web browser).

For me, the irony is that more often than not I use my Windows machine on the web. But when GPSFileDepot was hacked, I switched to my Mac to check it out since I thought it would be safer than a PC. If you look in that other thread you'll see I was posting screenshots from Safari that showed the embedded URLs of those infected sites. So instead of playing it safe, I was actually exposing my Mac to a potential threat!  ???

But nobody should think that GPSfileDepot was a big factor in this, according to the article that first broke this story (http://news.drweb.com/show/?i=2341&lng=en&c=14)

Quote: According to some sources, links to more than four million compromised web-pages could be found on a Google SERP at the end of March.

That's a lot of links to infected sites. At least this answers the question I had before about the purpose of the hack. It didn't seem to do anything bad, but just redirected you to another website. The reason for this seems to have been to turn your computer into a "bot" through a trojan/virus on the redirected site.