Trojan JS Serber
21 May 2017 - 16:52
posted by: Tekenaar
This morning I got an alert from F-Secure (part of the XS4all service bundle) that a Trojan-downloader:Js/Cerber10090bbd35!Online had been found and that F-Secure had blocked access to it. The path to the offending file is:
/Volumes/BU Macintosh HD/System/Library/Intelligent Suggestions/Assets.suggestionsassets/Contents/Resources/ReverseTemplateJS/64d9fa29fdb4c02d026953a3dc45bf2e.js

SuperDuper, which had been busy making a backup of the HD, gave the message 'Failed to copy files from Macintosh HD to BU macintosh HD': the backup the program was updating last night failed (fortunately I also have a Time Machine backup).

The file 64d9fa29fdb4etc. is a JavaScript text file; I cannot throw it away, as I then get the message that it is required by OS X.

The script reads:
new ReverseTemplateList([
new ReverseTemplate("opodo.com-hotel-cancellation-en",function(e){return/^Your booking at/.test(e.subject)},function(e){if(/^Your booking at/.test(e.subject)&&/Your reservation has been cancelled/.test(e.plain)){var o="en_US",r={};r.information="Reservation summary",r.namePrefix="Dear",r.guestNamePrefix="Guest Name",r.cancellationMessage=/Your reservation has been cancell?ed./,r.hotelNamePrefix="Property name",r.bookingNumberPrefix="Booking number",r.guestEmailAddressPrefix="Your email",r.hotelAddressPrefix="Address",r.hotelTelephonePrefix="Phone",r.checkInTimePrefix="Check-in",r.checkOutTimePrefix="Check-out";return loadHelper("opodo.com-hotel-cancel-change-skeleton.js")(e,o,r)}},"0/1/2/3/4/5/966/1124/1141","SG4cc897e3"),
new ReverseTemplate("opodo.com-hotel-change-en",function(e){return/^Your booking at/.test(e.subject)},function(e){if(/^Your booking at/.test(e.subject)&&/Reservation modification/.test(e.plain)){var o="en_US",r={};r.modificationMessage=/modified/i,r.information="Reservation summary",r.namePrefix="Dear",r.guestNamePrefix="Guest Name",r.hotelNamePrefix="Property name",r.bookingNumberPrefix="Booking number",r.guestEmailAddressPrefix="Your email",r.hotelAddressPrefix="Address",r.hotelTelephonePrefix="Phone",r.checkInTimePrefix="Check-in",r.checkOutTimePrefix="Check-out",r.cancellationUrlPrefix="Cancel your booking",r.reservationUrlPrefix="Want to view, cancel or change your booking?";return loadHelper("opodo.com-hotel-cancel-change-skeleton.js")(e,o,r)}},"0/1/2/3/4/5/966/1124/1144","SGdf9c062f"),
new ReverseTemplate("opodo.com-hotel-confirmation-en",function(e){return/^Your booking at/.test(e.subject)},function(e){if(/^Your booking at/.test(e.subject)){var o="en_US",r={};r.confirmationMessage="Booking confirmation",r.namePrefix="Dear",r.hotelNamePrefix="Hotel",r.bookingNumberPrefix="Booking number",r.guestEmailAddressPrefix="Your email",r.checkInTimePrefix="Check-in",r.checkOutTimePrefix="Check-out",r.pricePrefix="Total price",r.hotelAddressPrefix="Address",r.hotelTelephonePrefix="Phone",r.reservationUrlPrefix="Want to view, cancel or change your booking?",r.guestNamePrefix="Guest Name",r.cancellationUrlPrefix="Cancel your booking";return loadHelper("opodo.com-hotel-confirmation-skeleton.js")(e,o,r)}},"0/1/2/3/4/5/966/1124/1147","SGf18e305c")
]);

Does anyone have an idea what is going on and what needs to be done?
(MacBook Pro Retina 15 inch 2015, Mac OS X 10.11.6)

(Edited by Tekenaar at 16:53, 21-05-2017)

21 May 2017 - 16:56    reply #1
posted by: MacFrankie
Could you post an EtreCheck report?
At work I already have Windows; at home I no longer want to be a system administrator!
21 May 2017 - 17:11    reply #2
posted by: Tekenaar
See below:

EtreCheck version: 2.9.3 (253)
Report generated 2017-05-21 17:09:37
Download EtreCheck from http://etrecheck.com
Runtime 1:46
Performance: Excellent

Click the [Support] links for help with non-Apple products.
Click the [Details] links for more information about that line.
Click the [Check files] link for help with unknown files.

Problem: No problem - just checking

Hardware Information: ⓘ
   MacBook Pro (Retina, 15-inch, Mid 2014)
   [Technical Specifications] - [User Guide] - [Warranty & Service]
   MacBook Pro - model: MacBookPro11,2
   1 2,2 GHz Intel Core i7 CPU: 4-core
   16 GB RAM Not upgradeable
       BANK 0/DIMM0
           8 GB DDR3 1600 MHz ok
       BANK 1/DIMM0
           8 GB DDR3 1600 MHz ok
   Bluetooth: Good - Handoff/Airdrop2 supported
   Wireless:  en0: 802.11 a/b/g/n/ac
   Battery: Health = Normal - Cycle count = 146 - SN = C01439202UBF9CRA7

Video Information: ⓘ
   Intel Iris Pro
       Thunderbolt Display 2560 x 1440

System Software: ⓘ
   OS X El Capitan 10.11.6 (15G1421) - Time since boot: about one day

Disk Information: ⓘ
   APPLE SSD SM0256F disk0 : (251 GB) (Solid State - TRIM: Yes)
       EFI (disk0s1) <not mounted> : 210 MB
       Recovery HD (disk0s3) <not mounted>  [Recovery]: 650 MB
       Macintosh HD (disk1) / : 249.77 GB (150.84 GB free)
           Core Storage: disk0s2 250.14 GB Online

USB Information: ⓘ
   Apple Card Reader 128,58 GB
       Nifty HD (disk2s1) /Volumes/Nifty HD : 128.56 GB (68.92 GB free)
   Apple Inc. Apple Internal Keyboard / Trackpad
   Apple Inc. BRCM20702 Hub
       Apple Inc. Bluetooth USB Host Controller
   NEC Corporation USB2.0 Hub Controller
       Apple, Inc. Keyboard Hub
           Apple, Inc Apple Keyboard
       Tablet PTZ-630
   Apple Inc. FaceTime HD Camera (Display)
   Apple Inc. Apple Thunderbolt Display
   Apple Inc. Display Audio

Thunderbolt Information: ⓘ
   Apple Inc. thunderbolt_bus
       Apple Inc. Thunderbolt Display

Gatekeeper: ⓘ
   Mac App Store and identified developers

Unknown Files: ⓘ
   /Library/LaunchDaemons/com.f-secure.fscsafeadmind.plist
   /Library/LaunchDaemons/com.f-secure.urlexceptiond.plist
   2 unknown files found. [Check files]

Kernel Extensions: ⓘ
       /Applications/Toast 8 Titanium/Toast Titanium.app
   [not loaded]    com.roxio.TDIXController (1.6) [Support]

       /Library/Extensions
   [loaded]    com.f-secure.kext.fsauth (1.0.0d1 - SDK 10.9) [Support]

       /System/Library/Extensions
   [not loaded]    com.LaCie.ScsiType00 (1.2.13 - SDK 10.5) [Support]
   [not loaded]    com.elgato.driver.DontMatchAfaTech (1.1) [Support]
   [not loaded]    com.elgato.driver.DontMatchCinergy450 (1.1) [Support]
   [not loaded]    com.elgato.driver.DontMatchCinergyXS (1.1) [Support]
   [not loaded]    com.elgato.driver.DontMatchEmpia (1.1) [Support]
   [not loaded]    com.elgato.eyetv.ClassicNotSeizeDriver (1.1.2) [Support]
   [not loaded]    com.eltima.ElmediaPlayer.kext (1.58 - SDK 10.5) [Support]
   [not loaded]    com.jmicron.driver.jmPeripheralDevice (2.0.4) [Support]
   [not loaded]    com.lacie.driver.LaCie_RemoteComms (1.0.1 - SDK 10.5) [Support]
   [not loaded]    com.oxsemi.driver.OxsemiDeviceType00 (1.28.13 - SDK 10.5) [Support]
   [not loaded]    com.roxio.BluRaySupport (1.1.3) [Support]
   [not loaded]    com.wacom.kext.wacomtablet (6.3.9 - SDK 10.9) [Support]

System Launch Agents: ⓘ
   [loaded]    159 Apple tasks
   [running]    80 Apple tasks

System Launch Daemons: ⓘ
   [failed]    org.postfix.master.plist [Details]
   [loaded]    193 Apple tasks
   [running]    96 Apple tasks

Launch Agents: ⓘ
   [loaded]    com.adobe.AAM.Updater-1.0.plist [Support]
   [loaded]    com.adobe.CS4ServiceManager.plist [Support]
   [loaded]    com.f-secure.relauncher.plist [Support]
   [loaded]    com.f-secure.trasher.plist [Support]
   [loaded]    com.google.keystone.agent.plist [Support]
   [loaded]    com.intego.backupassistant.agent.plist [Support]
   [loaded]    com.lacie.eventsactions.launcher.agent.plist [Support]
   [running]    com.wacom.wacomtablet.plist [Support]

Launch Daemons: ⓘ
   [loaded]    com.adobe.SwitchBoard.plist [Support]
   [running]    com.adobe.agsservice.plist [Support]
   [loaded]    com.adobe.fpsaud.plist [Support]
   [loaded]    com.adobe.versioncueCS4.plist [Support]
   [loaded]    com.f-secure.fsavd-suppressor.plist [Support]
   [loaded]    com.f-secure.fsavd.dbhelper.plist [Support]
   [running]    com.f-secure.fsavd.plist [Support]
   [loaded]    com.f-secure.fscsafeadmind.plist [Support]
   [loaded]    com.f-secure.fsmac.firewall.plist [Support]
   [loaded]    com.f-secure.fsmac.fsupdated_guts2.plist [Support]
   [loaded]    com.f-secure.fsmac.guts2downloader.plist [Support]
   [loaded]    com.f-secure.fsmac.licensetool.plist [Support]
   [running]    com.f-secure.orspclient.plist [Support]
   [running]    com.f-secure.urlexceptiond.plist [Support]
   [loaded]    com.google.keystone.daemon.plist [Support]
   [failed]    com.intego.BackupAssistant.daemon.plist [Support]
   [failed]    com.lacie.desktopmanager.service.plist [Support] [Details]
   [loaded]    com.malwarebytes.MBAMHelperTool.plist [Support]

User Launch Agents: ⓘ
   [loaded]    com.adobe.ARM.[...].plist [Support]
   [loaded]    com.spotify.webhelper.plist [Support]

User Login Items: ⓘ
   iTunesHelper    Programma  (/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)
   Spotify    UNKNOWN Hidden (missing value)
   F-Secure SAFE by XS4ALL    Programma  (/Applications/F-Secure/F-Secure Mac Protection.app)

Other Apps: ⓘ
   [loaded]    com.adobe.Photoshop.48992
   [running]    com.etresoft.EtreCheck.56992
   [running]    com.f-secure.fsmac.gui.539552
   [failed]    com.hp.devicemonitor
   [running]    com.wacom.TabletDriver.112992
   [running]    com.wacom.WacomTouchDriver.112672

Internet Plug-ins: ⓘ
   JavaAppletPlugin: Version: 15.0.1 - SDK 10.7 Check version
   Google Earth Web Plug-in: Version: 7.1 [Support]
   Default Browser: Version: 601 - SDK 10.11
   Flip4Mac WMV Plugin: Version: 2.2.1.11  [Support]
   NP2020Player: Version: 5.0.4.0 [Support]
   WacomTabletPlugin: Version: WacomTabletPlugin 2.1.0.6 - SDK 10.9 [Support]
   AdobePDFViewerNPAPI: Version: 10.1.13 [Support]
   FlashPlayer-10.6: Version: 25.0.0.171 - SDK 10.9 [Support]
   QuickTime Plugin: Version: 7.7.3
   Flash Player: Version: 25.0.0.171 - SDK 10.9 [Support]
   iPhotoPhotocast: Version: 7.0
   PepperFlashPlayer: Version: 25.0.0.171 - SDK 10.9 [Support]
   AdobePDFViewer: Version: 10.1.13 [Support]
   CANONiMAGEGATEWAYDL: Version: 2.1.0.1 [Support]
   CANONiMAGEGATEWAYLI: Version: 2.1.0.1 [Support]
   DirectorShockwave: Version: 12.1.4r154 - SDK 10.6 [Support]

User internet Plug-ins: ⓘ
   Google Earth Web Plug-in: Version: 7.1 [Support]

Safari Extensions: ⓘ
   uBlock
   Ghostery
   Browsing protection
   DirectLinks
   Ixquick HTTPS
   DuckDuckGo
   AdBlock

Audio Plug-ins: ⓘ
   DVCPROHDAudio: Version: 1.0

3rd Party Preference Panes: ⓘ
   Adobe Version Cue CS4  [Support]
   Safe Anywhere Mac Settings  [Support]
   Flash Player  [Support]
   Flip4Mac WMV  [Support]
   FUSE for OS X (OSXFUSE)  [Support]
   iMate
   WacomTablet  [Support]

Time Machine: ⓘ
   Skip System Files: NO
   Mobile backups: ON
   Auto backup: YES
   Volumes being backed up:
       Nifty HD: Disk size: 128.56 GB Disk used: 59.64 GB
       Macintosh HD: Disk size: 249.77 GB Disk used: 98.93 GB
   Destinations:
       Naamloos 2 [Local]
       Total size: 699.94 GB
       Total number of backups: 87
       Oldest backup: 15-11-14 15:28
       Last backup: 21-05-17 16:37
       Size of backup disk: Adequate
           Backup size 699.94 GB > (Disk used 158.57 GB X 3)

Top Processes by CPU: ⓘ
        5%    WindowServer
        2%    fontd
        1%    kernel_task
        0%    launchd
        0%    fsavd(7)

Top Processes by Memory: ⓘ
   1.25 GB    com.apple.WebKit.WebContent(6)
   1.23 GB    kernel_task
   819 MB    Finder
   557 MB    Safari
   475 MB    softwareupdated

Virtual Memory Information: ⓘ
   2.93 GB    Free RAM
   13.00 GB    Used RAM (5.20 GB Cached)
   0 B    Swap Used

Diagnostics Information: ⓘ
   May 20, 2017, 04:47:20 PM    /Library/Logs/DiagnosticReports/kextcache_2017-05-20-164720_[redacted].crash
       /usr/sbin/kextcache
   May 20, 2017, 04:40:47 PM    /Library/Logs/DiagnosticReports/kextcache_2017-05-20-164047_[redacted].crash
   May 20, 2017, 04:16:33 PM    Self test - passed

21 May 2017 - 17:56    reply #3
posted by: Pieterr
"One experiment is worth a thousand expert opinions."
22 May 2017 - 00:03    reply #4
posted by: Tekenaar
Thank you, Pieterr.
I'll study the links.
22 May 2017 - 13:50    reply #5
posted by: cyrano

Quote
Pieterr at 17:56, 21-05-2017
That could well be a "false positive".
https://community.f-secure.com/t5/F-Secure-SAFE/How-can-I-remove-a-Trojan/td-p/94249

Has that link changed?

All I read is "first take out a subscription and then send an e-mail to support..."

Quote
Cerber is (by the looks of it) Windows malware.
https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/

There could be a Mac version of it. Different footprint and probably a different name too. It is a major inconvenience that not all AV makers use the same naming. Talk about confusing the "average user"!

At the same time, KeRanger appeared. Possibly F-Secure calls this Cerber?

KeRanger had very little spread. There are already several generations of Cerber.

Maybe forward the alert to F-Secure?

I'd tell you a UDP joke but you might not get it.
22 May 2017 - 17:06    reply #6
posted by: Tekenaar
The alert has been forwarded to F-Secure, but no response yet.
Tried in vain to get in touch with them via their site and the chat option.

Made a new attempt to finish the backup. Result: the same creepy alert from F-Secure, and SuperDuper stopped the backup process: 'Failed to copy files from Macintosh HD to BU macintosh HD'.

When I then had F-Secure scan the disk manually, no problem was found...

Assumed it was perhaps a false positive, and tried to finish the interrupted backup session via SuperDuper, but turned F-Secure off beforehand. Completely successful.

Then turned F-Secure back 'on' and ran another scan. F-Secure sees no problem at all, the Mac runs like a charm...