New Mac OS X botnet discovered - Deinos
http://news.drweb.com/show/?i=5976&lng=en

======
spectres_
To see if you haven't got it:

In terminal run:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

You should get this error:

The domain/default pair of (/Applications/Safari.app/Contents/Info,
LSEnvironment) does not exist

Then run:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

You should get this error:

The domain/default pair of (/Users/YOURUSER/.MacOSX/environment,
DYLD_INSERT_LIBRARIES) does not exist

If you do, you are clean of this variant!

If this doesn't happen go to [http://www.f-secure.com/v-descs/trojan-downloader_osx_flashb...](http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml) to fix it

~~~
cpncrunch
That is for the Flashback trojan, but this is a new trojan, according to the
post.

------
bane
It's hard to believe; the claim is that it uses Reddit's search functionality
to find connection addresses. I've never been able to find anything using
Reddit's search.

------
scottdeto
Many independent reports of this, but I haven't seen any instructions for
detecting or fixing it.

[http://www.tuaw.com/2014/10/03/thousands-of-macs-infected-wi...](http://www.tuaw.com/2014/10/03/thousands-of-macs-infected-with-os-x-botnet-malware-controlled-v/)

~~~
pjl
At least for detection (from the article): "During installation it is
extracted into /Library/Application Support/JavaW, after which the dropper
generates a p-list file so that the backdoor is launched automatically."
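
An added example (not from the article or from any commenter) of a read-only check for the two artifacts pjl quotes: the JavaW directory and a launchd plist that references it. The launchd directory names are assumptions based on how persistence plists are normally placed; the plist's actual file name is unknown, so every plist in those directories is inspected.

```shell
#!/bin/sh
# Added example, not part of the Dr. Web write-up or the thread.
# Read-only check for the install artifacts quoted above:
#   1. the payload directory /Library/Application Support/JavaW
#   2. a launchd plist that references JavaW (autostart persistence)
# Usage: check_iworm_artifacts [PREFIX]
#   With no PREFIX it inspects the running system; pass a mounted volume
#   (or a test tree) as PREFIX to inspect it instead.
# Returns 0 when nothing is found, 1 when any artifact is present.
check_iworm_artifacts() {
    prefix="${1:-}"
    found=0

    # 1. Payload directory named in the article (assumed exact path).
    if [ -d "$prefix/Library/Application Support/JavaW" ]; then
        echo "FOUND: $prefix/Library/Application Support/JavaW"
        found=1
    fi

    # 2. Launchd jobs: system daemons/agents plus every user's agents
    #    (directory set is an assumption; the plist name is unknown,
    #    so each plist is grepped for the JavaW path).
    for dir in "$prefix/Library/LaunchDaemons" \
               "$prefix/Library/LaunchAgents" \
               "$prefix"/Users/*/Library/LaunchAgents; do
        [ -d "$dir" ] || continue
        for plist in "$dir"/*.plist; do
            [ -f "$plist" ] || continue
            if grep -q "JavaW" "$plist" 2>/dev/null; then
                echo "FOUND: launchd job references JavaW: $plist"
                found=1
            fi
        done
    done
    return "$found"
}
```

Source the file and call `check_iworm_artifacts` on a Mac, or give it the mount point of a volume imaged from another machine; a non-zero exit means at least one artifact was present and should be examined by hand.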

------
milesf
Hmm. I've never heard of drweb.com before, and there are no instructions on how
to detect the worm, but they want to sell me anti-virus software.

This might be legit, but I'll wait and see if this appears anywhere else
before I trust it as being valid.

~~~
cpncrunch
Yes, I was a little suspicious myself, although looking at their Wikipedia
page it does seem to be a genuine company.

[https://en.wikipedia.org/wiki/Dr._Web](https://en.wikipedia.org/wiki/Dr._Web)

Also, more info here seems to support the fact that they are the real deal:

[https://en.wikipedia.org/wiki/Trojan_BackDoor.Flashback](https://en.wikipedia.org/wiki/Trojan_BackDoor.Flashback)

(as usual with Wikipedia, you should check the original sources to verify).

------
eyeJam
Has there ever been a company that covertly creates a virus and releases it
into the wild, and then "catches" it and sells an anti-virus remedy?

------
jason_slack
I've never even heard of drweb... I don't see any other security companies
reporting on this.