#1
Triple-A Player
Join Date: Aug 2003
Location: Ibiza, España
Posts: 82
Trojan Problem
My friend launched a trojan on my computer with a program called "Underhand", and I discovered it using top and also pressing f9 (Exposé reveals the hidden window for this trojan server). What I need to know is how I go about fixing her little trick, as Little Snitch doesn't catch it and the ports are still open to the world, and I'm surprised the built-in firewall did not halt it. Any help is greatly appreciated.
Running: X.3.3
__________________
Heard melodies are sweet, but those unheard are sweeter.
#2
Prospect
Join Date: Jan 2002
Location: Reno, NV
Posts: 48
Some friend. Not having installed this little devil, I can't tell you exactly what to do - but: this is a proxy app, so it starts a service when your machine boots. Look in System/Library/StartupItems for a folder named Underhand and toss it. If there's nothing there do a find on modified date for that folder with a best guess on when he installed it. Careful what you toss! Compare the find with a known good machine.
HTH, T
#3
MVP
Join Date: Sep 2003
Location: New York
Posts: 2,211
yeah, that's pretty messed up.
#4
Triple-A Player
Join Date: Aug 2003
Location: Ibiza, España
Posts: 82
I know, my first draft of the message had "friend" in quotations, but I didn't want to convey the image of it being I who actually did it, which I didn't...
Anyway, there is no item in StartupItems named Underhand. As soon as I get home I'll check to see what is in there and enumerate them. Thank you!
#6
Triple-A Player
Join Date: Aug 2003
Location: Ibiza, España
Posts: 82
MacScan doesn't work anymore. It's been out of the loop for more than two months (?). Ok, under /System/Library/StartupItems I have the following:
Accounting apache appleshare appservices authserver bind configserver coregraphics crashreporter cron directoryservices disks ipservices kerneleventagent ladap loginwindow mdnsresponder netinfo network networkextensions networktime nfs nis portmap postfix printingservices samba securityserver snmp systemlog systemtuning
And under /library/startupitems I have LittleSnitch, which I like. My box is a Tessera mail/webserver. Ideas? Cheers, VY
#7
Prospect
Join Date: Jan 2002
Location: Reno, NV
Posts: 48
Hmm. Looks like you're going to have to catch it in the act at boot time to find out where it is. Fire up Console after booting and check out your system log. It should list the process start like this:
Code:
Apr 7 07:57:28 localhost /Applications/Bulldog/upsd: UPS daemon 'upsd' startup.
Good luck- t
#8
Triple-A Player
Join Date: Aug 2003
Location: Ibiza, España
Posts: 82
Apr 7 21:48:53 Tessera configd[90]: updateAirportPersonality can't update Apple80211Monitor.plist: Lock required for this operation
Apr 7 21:48:57 Tessera kernel: arplookup 10.1.10.180 failed: host is not on local network
Apr 7 21:49:18 Tessera last message repeated 2 times
Apr 7 21:49:27 Tessera kernel: at_obdev_KUC: at_obdev_KUC_UserClient::setDebugEnabled(0)
Apr 7 21:49:27 Tessera kernel: at_obdev_KUC: at_obdev_KUC_UserClient::debug log disabled
Those are the first entries in the system.log via Console, "Tessera" being my computer's name. The trojan is user specific, because when I f9 from other users on my machine, the blue "Underhand 05a" window doesn't appear. I've googled it quite much, the project site being www.cowfight.com/cf4/underhand/ . This is merely for information purposes (admins), as I do not condone nor advocate the use of any of the programs on cowfight.com. Keep the ideas coming! TIA
#9
Moderator
Join Date: Jan 2002
Posts: 10,666
How about using ps or lsof & netstat?
#10
MVP
Join Date: Sep 2003
Location: New York
Posts: 2,211
MacScan will work if you download an old copy off of macupdate or versiontracker and set your clock back (to the time before it said it expires)
#11
Triple-A Player
Join Date: Aug 2003
Location: Ibiza, España
Posts: 82
The Underhand entries from the lsof resultant:
Code:
UnderHand 1553 vwy cwd VDIR 14,5 5888 2 / (/dev/disk0s5)
UnderHand 1553 vwy 0r VCHR 3,2 0t0 18900740 /dev/null
UnderHand 1553 vwy 1w VCHR 0,0 0t0 18901252 /dev/console
UnderHand 1553 vwy 2w VCHR 0,0 0t0 18901252 /dev/console
UnderHand 1553 vwy 3w VREG 14,5 85469 2587195 / (/dev/disk0s5)
UnderHand 1553 vwy 4r 0x020f9fb4 file struct, ty=0x3, op=0x30f300
UnderHand 1553 vwy 5r 0x020f8934 file struct, ty=0x3, op=0x30f300
UnderHand 1553 vwy 6u VREG 14,5 1669844 2559353 / (/dev/disk0s5)
UnderHand 1553 vwy 7r VREG 14,5 156864 1625314 /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/HIToolbox.rsrc
UnderHand 1553 vwy 8r VREG 14,5 528477 1625297 /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/English.lproj/Localized.rsrc
UnderHand 1553 vwy 9r VREG 14,5 3177 1625135 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/HIServices.framework/Versions/A/Resources/HIServices.rsrc
UnderHand 1553 vwy 10r VREG 14,5 65453 2076774 /System/Library/Frameworks/QuickTime.framework/Versions/A/Resources/QuickTime.rsrc
UnderHand 1553 vwy 11r VREG 14,5 54910 2076771 /System/Library/Frameworks/QuickTime.framework/Versions/A/Resources/English.lproj/Localized.rsrc
UnderHand 1553 vwy 12r VREG 14,5 5366807 2620260 /Users/vyanta/Library/Caches/ShapeShifter/Mods/108036400700009120/Extras0159.rsrc
UnderHand 1553 vwy 13r unix 0x011eba78 0t0 ->0x0239bed0
UnderHand 1553 vwy 14w unix 0x0239bed0 0t0 ->0x011eba78
UnderHand 1553 vwy 15u IPv4 0x026bffd0 0t0 TCP *:10567 (LISTEN)
UnderHand 1553 vwy 16u unix 0x01e8ed04 0t0 /var/tmp/SCDynam
It's all Swahili to me. Thank you in advance
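The key line in the lsof output above is the one in LISTEN state: a process the owner never installed is accepting connections on TCP 10567. As an added example (not code from the thread), this POSIX shell filter reads lsof output in the column layout posted above, keeps only TCP sockets in LISTEN state and reports any whose port is not on an allow-list of expected services. The sample input embeds lines quoted from the post plus constructed lines for a mail/web server; the allow-list of 25 and 80 is assumed for such a box.

```shell
#!/bin/sh
# Added example, not from the thread: find unexpected TCP listeners in
# lsof output (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME).

# Constructed sample: three lines quoted from post #11 plus invented lines
# for a mail/web server (postfix "master" on 25, httpd on 80 and one
# established client connection that must not be reported).
SAMPLE_LSOF='COMMAND   PID  USER FD  TYPE DEVICE SIZE/OFF NODE NAME
UnderHand 1553 vwy  cwd VDIR 14,5   5888     2    / (/dev/disk0s5)
UnderHand 1553 vwy  4r  0x020f9fb4 file struct, ty=0x3, op=0x30f300
UnderHand 1553 vwy  15u IPv4 0x026bffd0 0t0 TCP *:10567 (LISTEN)
master    312  root 12u IPv4 0x026b0000 0t0 TCP *:25 (LISTEN)
httpd     401  www  16u IPv4 0x026b1000 0t0 TCP *:80 (LISTEN)
httpd     401  www  17u IPv4 0x026b2000 0t0 TCP 10.1.10.5:80->10.1.10.7:51000 (ESTABLISHED)'

# Print "COMMAND PID USER PORT" for every TCP socket in LISTEN state.
# Matching on the last fields copes with NAME columns that contain spaces;
# the port is whatever follows the last ':' in the address field.
tcp_listeners() {
    awk '$NF == "(LISTEN)" && $(NF-2) == "TCP" {
        addr = $(NF-1); sub(/.*:/, "", addr)
        print $1, $2, $3, addr
    }'
}

# Keep only listeners whose port is not in the space-separated allow-list.
unexpected_listeners() {
    allow=" $1 "
    tcp_listeners | while read -r cmd pid user port; do
        case "$allow" in
            *" $port "*) ;;                      # expected service
            *) echo "$cmd $pid $user $port" ;;   # needs a look
        esac
    done
}

# On the sample this prints: UnderHand 1553 vwy 10567
printf '%s\n' "$SAMPLE_LSOF" | unexpected_listeners "25 80"
```

Against a live machine pipe `lsof -i -P -n` into `unexpected_listeners` with the ports the box is supposed to serve; anything it prints is a process to track down the way the thread does with ps and the Accounts startup items.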
#12
Moderator
Join Date: Jan 2002
Posts: 10,666
Nothing with:
Code:
ps -auxjww | grep Underhand
Last edited by yellow; 04-07-2004 at 10:36 PM.
#13
Triple-A Player
Join Date: Aug 2003
Location: Ibiza, España
Posts: 82
How bloody lame.
Solution to the problem? I checked in the Accounts pane-->Startup Items and there are myriad items by the name of "Underhand Trojan Server...". Shift-selected all of the bastards, clicked the minus and voilà! No more trojan(s). It would appear the programmers were overestimated, or "misunderestimated", in their uncanny ability to make abstruseness out of simplicity. However, I did notice something rather odd via the "top" command; there are around 16 "AppleSpell" processes active. What would cause that? Thank you all so very much for your generous advice; you're what separates the Mac community from its stolid Windoze counterpart.
#14
Moderator
Join Date: Jan 2002
Posts: 10,666
You should still find the apps and make sure they are removed. Then kick your "friend" in the @$$.
#15
Triple-A Player
Join Date: Aug 2003
Location: Ibiza, España
Posts: 82
The bad thing is that she is quite attractive, and as Donne wrote "pulchritude weakens conviction".
I need a drink.
#16
Prospect
Join Date: Mar 2002
Posts: 25
I would download a copy of HenWen 2.04 which is Snort 2.0 rules for a Network Intrusion Detection System (NIDS). I assume this is/was some kind of P2P?
I'm not sure about Panther's firewall, but in the past it wasn't robust in blocking outgoing, which is why Brickhouse or Firewalk X might be more useful.
#17
Moderator
Join Date: Jan 2002
Posts: 10,666
Snort doesn't block, it only detects. In this case it wouldn't have been useful since he already knew it was installed. Brickhouse is a GUIfied frontend for ipfw, the packetfilter that comes as part of OS X. IMO, if properly configured, ipfw does a great job with outbound packets.
Last edited by yellow; 04-08-2004 at 12:13 PM.
#18
Major Leaguer
Join Date: Apr 2003
Location: NY
Posts: 259
Ipfw
Yellow,
You say if properly configured IPFW is great, so any suggestions on where to find tutorials or walkthroughs or whatnot on properly configuring IPFW? knowmad
#19
Moderator
Join Date: Jan 2002
Posts: 10,666
Start by learning ipfw via CLI. You should definitely read the man page.
Here is a good place to start to get it running on your computer (without using Apple's control pane): http://www3.sympatico.ca/dccote/firewall.html
#20
League Commissioner
Join Date: Mar 2003
Location: Kansas City
Posts: 10,581
__________________
sudo make me a sammich http://www.tlarkin.com "Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety." -Benjamin Franklin