The macosxhints Forums > OS X Help Requests > System
Old 01-22-2013, 09:37 PM   #1
britishtiger
Prospect
 
Join Date: Jan 2013
Posts: 3
Help with Virus

Hi All

I'm new here, and would like to seek some help from the experts here.

I've recently received a video file from an unknown person, and the person later mentioned that there were some metadata hidden in the video.

The person was able to retrieve my social network details.

I've tried running anti virus scans on my Mac but nothing has come out. I have already deleted the video file.

How do I clear the virus?
Old 01-23-2013, 02:51 AM   #2
benwiggy
League Commissioner
 
Join Date: Aug 2006
Posts: 5,039
First of all: you're in regular communication with an "unknown person", from whom you receive video files? That doesn't sound very wise for starters.

It's not clear from what you describe what the vector for the malware is. "Metadata" is literally "data about data", i.e. stuff which is secondary to the main data content.
If this was a QuickTime video, I'm not sure how double-clicking on it would cause a malicious payload to execute and trawl your computer for your social networking details. I have not heard about any such vulnerability in QuickTime, though that's not to say that one doesn't exist. Did the video actually run? The other possibility is that the file looked like a video, but was in fact a program, so that double-clicking launched it.

It's quite possible that this person may be lying about the virus, given that they are completely untrustworthy. When you say "social media details", do you mean passwords, or simply "stuff you've put on FaceBook"? If he knows your name, it is possible to retrieve a reasonable amount of information about you without having to use malware. Assuming you used up-to-date AV software, which found nothing, then it may well be that there is nothing on your system.
(Actually, this is not the first time here we've had someone claiming to have put malware on someone else's computer and providing evidence, which seems a pretty foolish admission, unless it is a strategy in itself.)

However, at this point, you have a computer system whose integrity cannot be guaranteed. You need to reinstall the OS and then restore your user data. Of course, you need to ensure that restoring your user data doesn't re-infect the system. Ideally, you should backup to a Time Machine snapshot from before you received the "video".

Last edited by benwiggy; 01-23-2013 at 02:59 AM.
Old 01-23-2013, 08:33 AM   #3
britishtiger
Prospect
 
Join Date: Jan 2013
Posts: 3
Hi benwiggy

your comments have been very helpful. It was a video file that ran, and I was using VLC player to run it. I do not know what exploit was made to the system, however the unknown person was able to retrieve details of my social network log ins; I suspect it might be a key logger?

I have since reinstalled the OS, but not sure if the malware has spread to the network that I have? The rest of the computers within the network are Windows based.
Old 01-23-2013, 09:30 AM   #4
benwiggy
League Commissioner
 
Join Date: Aug 2006
Posts: 5,039
It is unlikely that such a piece of code would work on both Windows and OS X (unless it was running in Java or Flash or another cross-platform environment).

It's worth saying that there are NO known viruses for OS X -- that is: software that can spread itself silently across a network from one machine to the next. There are Trojans, where users are fooled into installing something that is not what it appears to be: Yes.

Are you sure that he didn't have physical access to the machine? It's quite hard to install software on OS X without requiring authorisation (i.e. requesting admin user name and password). It's very hard to install stuff remotely.
It is quite unlikely that something could just launch itself from within a video and install a key logger silently.

There are some utilities that specifically check for key loggers; you might want to try one. You also may want to check your network settings to see that a Proxy server or a rogue DNS server is not being used. (This would pass all your internet data through a middle-man, allowing collection there.)

If you have the emails where this guy admits to installing malware on your computer and where he offers proof of personal info retrieved by it: then I would call the police.

My suspicion, based on what you have said, is that he is either lying about the malware and has obtained your login credentials by other means; or he is lying about the method by which he got malware on board. Pointing to the video may be a distraction from the real method.

Can I ask: as part of what conversation did he mention the malware and your login details? Was it merely boasting? Was it to extort money? If it needs saying, I would not have any further contact with this guy.

Last edited by benwiggy; 01-23-2013 at 10:14 AM.
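benwiggy's suggestion to check the network settings for a proxy or rogue DNS server can be scripted. This is an added example, not code from any poster in the thread: it parses the text that macOS `networksetup -getwebproxy`, `-getsecurewebproxy` and `-getdnsservers` print, queries the live settings when run on a Mac and otherwise uses constructed sample output; the service name `Wi-Fi` and the trusted resolver set are assumptions.

```python
import shutil
import subprocess

# Constructed sample output in networksetup's format (not captured from a real host).
SAMPLE_WEBPROXY = "Enabled: Yes\nServer: 203.0.113.7\nPort: 8080\nAuthenticated Proxy Enabled: 0\n"
SAMPLE_NO_PROXY = "Enabled: No\nServer: \nPort: 0\nAuthenticated Proxy Enabled: 0\n"
SAMPLE_DNS = "192.168.1.1\n203.0.113.53\n"
SAMPLE_NO_DNS = "There aren't any DNS Servers set on Wi-Fi.\n"

def parse_proxy(output):
    """Turn networksetup's 'Key: value' lines into a dict; Enabled becomes a bool."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    fields["Enabled"] = fields.get("Enabled") == "Yes"
    return fields

def proxy_findings(output):
    """Report a proxy that is switched on: every request would pass through that host."""
    p = parse_proxy(output)
    if not p["Enabled"]:
        return []
    return ["proxy enabled -> %s:%s" % (p.get("Server", "?"), p.get("Port", "?"))]

def dns_findings(output, trusted):
    """Return manually pinned resolvers that are not in the trusted set."""
    if output.startswith("There aren't any DNS Servers set"):
        return []  # resolvers come from DHCP; nothing was pinned by hand
    return [ip for ip in output.split() if ip not in trusted]

def query(args, fallback):
    """Run networksetup on macOS; elsewhere fall back to the constructed sample."""
    if shutil.which("networksetup") is None:
        return fallback
    return subprocess.run(["networksetup"] + args, capture_output=True, text=True).stdout

if __name__ == "__main__":
    service = "Wi-Fi"                # assumption: the active network service name
    trusted_dns = {"192.168.1.1"}    # assumption: your own router's resolver
    findings = []
    for flag, sample in (("-getwebproxy", SAMPLE_WEBPROXY), ("-getsecurewebproxy", SAMPLE_NO_PROXY)):
        findings += proxy_findings(query([flag, service], sample))
    for ip in dns_findings(query(["-getdnsservers", service], SAMPLE_DNS), trusted_dns):
        findings.append("untrusted DNS server: " + ip)
    print("\n".join(findings) or "no proxy or unexpected resolver on " + service)
```

A proxy or resolver you did not configure yourself is the middle-man benwiggy describes and is worth removing before trusting the machine again.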
Old 01-24-2013, 03:34 AM   #5
SirDice
MVP
 
Join Date: Aug 2009
Posts: 1,119
Quote:
I have not heard about any such vulnerability in QuickTime, though that's not to say that one doesn't exist.

There have been many recently. And I can't exactly call Apple quick when it comes to patching these issues.

Quote:
Originally Posted by benwiggy
It's worth saying that there are NO known viruses for OS X -- that is: software that can spread itself silently across a network from one machine to the next. There are Trojans, where users are fooled into installing something that is not what it appears to be: Yes.

It's worth noting that a Quicktime movie with an exploit built in can be considered a trojan.

Quote:
It is quite unlikely that something could just launch itself from within a video and install a key logger silently.

Actually, it's not. It's damn easy in fact. Depending on the bug it's possible to inject your own code in the process. Once that's active the code can do pretty much everything the user can.
Old 01-24-2013, 03:54 AM   #6
benwiggy
League Commissioner
 
Join Date: Aug 2006
Posts: 5,039
Fair points all, though the critical word I used was "silently". Installing a key logger (or other software that started on reboot or had other defensive measures) would likely require authorisation, no?

The advice is still to reinstall the OS, of course, as before.

I'll admit I may have been thinking out loud.
The motives of the hacker are not clear to me and I don't think we can take what he says at face value. Such exploits are technically feasible, but unless this guy has built the malware himself, he'll have taken it from some "off-the-peg" script kiddie site, meaning that the vulnerability and exploit would likely be well-publicised. While there are plenty of vulnerabilities, exploits mostly remain theoretical or require physical access or other special circumstances. I admit I'm not a security expert, though I do try to keep up.
Of course, it is possible to write any code that can do anything -- that's the whole point of computers.

Apple haven't been the fastest at security patches, though they have clearly been raising their game in the last year or two.

But still -- why admit it? It would make more sense to me to say it was the video, when in fact there is another vector at work (thus giving the OP a false sense of security).

Last edited by benwiggy; 01-24-2013 at 04:17 AM.
Old 01-24-2013, 04:43 AM   #7
SirDice
MVP
 
Join Date: Aug 2009
Posts: 1,119
Quote:
Originally Posted by benwiggy
Fair points all, though the critical word I used was "silently". Installing a key logger (or other software that started on reboot or had other defensive measures) would likely require authorisation, no?

Not necessarily.

Quote:
The advice is still to reinstall the OS, of course, as before.

Fully agree with this.

Quote:
The motives of the hacker are not clear to me and I don't think we can take what he says at face value. Such exploits are technically feasible, but unless this guy has built the malware himself, he'll have taken it from some "off-the-peg" script kiddie site, meaning that the vulnerability and exploit would likely be well-publicised. While there are plenty of vulnerabilities, exploits mostly remain theoretical or require physical access or other special circumstances. I admit I'm not a security expert, though I do try to keep up.
Of course, it is possible to write any code that can do anything -- that's the whole point of computers.

Things like Metasploit make creating custom exploits relatively simple. At least for someone that knows what he's doing.

Quote:
Apple haven't been the fastest at security patches, though they have clearly been raising their game in the last year or two.

It certainly did, however there is still a lot more room for improvement.

Quote:
But still -- why admit it? It would make more sense to me to say it was the video, when in fact there is another vector at work (thus giving the OP a false sense of security).

Also possible. Another popular way is to use 'custom' codecs and try to entice a user to install them. The codec doesn't decode anything though; it's just plain malware. And it's not at all strange to see an authentication popup when installing a codec, so most people would simply accept it.

Last edited by SirDice; 01-24-2013 at 04:47 AM.
Old 01-24-2013, 06:22 AM   #8
britishtiger
Prospect
 
Join Date: Jan 2013
Posts: 3
Thanks for the replies thus far.

I have reformatted the hard disk and installed a fresh copy of Mac OS X, which hopefully clears whatever was inside before.

Could the malware be somehow residing on any external hard disks that were connected to the Mac before I did the reformat?

I have not connected the hard disk back. To stop outbound communication, can I use programs like Little Snitch to block outgoing communication, in case there is any?
Old 01-24-2013, 04:35 PM   #9
trevor
Moderator
 
Join Date: Jun 2003
Location: Boulder, CO USA
Posts: 19,549
Quote:
Originally Posted by britishtiger
Could the malware be somehow residing on any external hard disks that were connected to the Mac before I did the reformat?

Malware can reside anywhere. The problems from malware happen when it is actually run, not just because code exists. If the code is stored somewhere but never executed, it doesn't have any effect.

So the question becomes, "is there a mechanism for executing code on an external hard drive, after the operating system has been wiped and reinstalled from known-good discs?"

And the answer is, yes there might be, and if so the mechanism is you. If you have applications on your external hard drive that you run, they need to be wiped and reinstalled from known-good discs, just like your operating system was. If there are files on your external hard drive that you consume in some way (like watching videos, reading .pdfs, etc.), and those videos/pdfs/whatever have some exploit code in them that executes because of vulnerabilities in the code that runs them (i.e. vulnerabilities in Quicktime, or Acrobat, or whatever application is used to view the file), then those files have to be erased and redownloaded from known-good sources.

Quote:
Originally Posted by britishtiger
I have not connected the hard disk back. To stop outbound communication, can I use programs like Little Snitch to block outgoing communication, in case there is any?

Little Snitch can be used to block outgoing communication from your computer, yes. But I'm not sure if that's what you are asking, as your question is tacked on immediately after asking about an external hard drive. Little Snitch is not related to communication between your internal hard drive and your external hard drive, if that's what you are asking about. The external hard drive is still considered a part of your computer system; Little Snitch does not have any effect one way or the other on communication to your external hard drive.

Trevor