Re: [Fed-Talk] Head up: Spearphishing with Mac trojans
- Subject: Re: [Fed-Talk] Head up: Spearphishing with Mac trojans
- From: Paul Nelson <email@hidden>
- Date: Fri, 13 May 2011 15:51:14 -0500
This trojan is using www.bostanlik.com (204.12.197.80) to control what it does, downloading Mac binaries from there and executing them.
If you actually opened the "Survey", you can disable the virus by removing:
Library/LaunchAgents/checkvir
Library/LaunchAgents/checkvir.plist
It downloads a binary to /tmp/CurlUpload. It appears to query the web server to see what to do next.
www.bostanlik.com is controlled by some Chinese company. Imagine that!
Paul Nelson
Thursby Software Systems, Inc.
On May 13, 2011, at 1:53 PM, Joel Esler wrote:
> Or can you get me a copy?
>
> --
> Sent from my iPhone
> Forgive my misspellings and briefness
>
> On May 13, 2011, at 2:44 PM, Carl Ketterling <email@hidden> wrote:
>
>> Do you know what the known trojan package is?
>>
>> Carl
>>
>>
>> In response to this text from Miller, Timothy J. (email@hidden)
>> sent on Friday, May 13, 2011 at 8:16 AM (-0400):
>>
>>> Allcon--
>>>
>>> Be aware that a spearphishing campaign, probably sourced from fed-talk
>>> data, is ongoing. The phish purports to be a "Customer Satisfaction
>>> Survey" from known Apple employees. The attached ZIP contains an app
>>> that has a Finder icon made to look like a document. The app deploys a
>>> known Mac trojan.
>>>
>>> My copy claimed to be from Shawn Geddis, and promised me a smartcard
>>> reader for participating. :)
>>>
>>> -- T
>>> _______________________________________________
>>> Do not post admin requests to the list. They will be ignored.
>>> Fed-talk mailing list (email@hidden)
>>> Help/Unsubscribe/Update your Subscription:
>>>
>>> This email sent to email@hidden
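The indicators Paul gives above (the checkvir LaunchAgent, /tmp/CurlUpload, and the control server www.bostanlik.com / 204.12.197.80) turned into a small POSIX shell triage script. This is an added example, not code posted by anyone on the list. Things the mail does not say and the script assumes: the two LaunchAgents paths are relative to the user's home directory (~/Library/LaunchAgents), the launchd job is the one loaded from checkvir.plist so `launchctl unload` on that file stops it, and the running process is named checkvir. The netstat lines inside the script are constructed sample data, not captured traffic.

```shell
#!/bin/sh
# Triage helper for the "Customer Satisfaction Survey" Mac trojan described in
# this thread. Added example, not code posted by anyone on fed-talk.
# Assumptions not stated in the mail: the two LaunchAgents paths are under the
# user's home (~/Library/LaunchAgents), the launchd job is the one loaded from
# checkvir.plist, and the running process is named "checkvir".

C2_HOST="www.bostanlik.com"   # control server named in the thread
C2_IP="204.12.197.80"         # its address, as given in the thread

# for_each_ioc ROOT TMPDIR FUNC: call FUNC with each file indicator from the
# thread, rooted at ROOT (normally $HOME) and TMPDIR (normally /tmp).
for_each_ioc() {
    for p in "$1/Library/LaunchAgents/checkvir" \
             "$1/Library/LaunchAgents/checkvir.plist" \
             "$2/CurlUpload"; do
        "$3" "$p"
    done
}

# scan_for_trojan ROOT TMPDIR: report every indicator that exists. Exits 0 when
# none is present, 1 when at least one is; the count is left in $hits.
_note_hit() {
    if [ -e "$1" ]; then
        echo "IOC present: $1"
        hits=$((hits + 1))
    fi
}
scan_for_trojan() {
    hits=0
    for_each_ioc "$1" "$2" _note_hit
    [ "$hits" -eq 0 ]
}

# remove_trojan ROOT TMPDIR: Paul's cleanup, plus stopping the job first so the
# agent cannot re-download from the C2 while its files are being deleted.
_remove_ioc() {
    [ -e "$1" ] || return 0
    case "$1" in
        *.plist)
            # launchctl exists only on macOS; skip the unload elsewhere
            if command -v launchctl >/dev/null 2>&1; then
                launchctl unload "$1" 2>/dev/null || true
            fi ;;
    esac
    rm -rf "$1"    # -r in case the dropped "checkvir" is a bundle, not a flat binary
    echo "removed: $1"
}
remove_trojan() {
    # kill the agent by name (assumed process name; see header comment)
    if command -v pkill >/dev/null 2>&1; then
        pkill -x checkvir 2>/dev/null || true
    fi
    for_each_ioc "$1" "$2" _remove_ioc
}

# c2_contact_in: read netstat/lsof-style text on stdin; exit 0 if the C2 address
# or hostname appears, 1 otherwise. Fixed-string match, so the dots are literal.
c2_contact_in() {
    grep -F -q -e "$C2_IP" -e "$C2_HOST"
}

# Constructed sample of `netstat -an` output for the demo (not captured traffic);
# the first line is what a live connection to the C2 would look like.
SAMPLE_NETSTAT='tcp4  0  0  10.0.1.5.49201  204.12.197.80.80  ESTABLISHED
tcp4  0  0  10.0.1.5.49202  17.172.224.47.443  ESTABLISHED'

# When run as a script: check the current user's home and /tmp, then show the
# network check on the sample. Real use: netstat -an | c2_contact_in
scan_for_trojan "${HOME:-.}" /tmp && echo "no file indicators under ${HOME:-.} or /tmp"
printf '%s\n' "$SAMPLE_NETSTAT" | c2_contact_in && echo "sample shows a connection to $C2_IP"
```

Running the file scans and reports only; to clean up, source it and call the removal function from the same shell (`. ./triage.sh; remove_trojan "$HOME" /tmp`), then rerun the scan and pipe real `netstat -an` output into `c2_contact_in` to confirm the agent is no longer talking to the server. The scan intentionally refuses to delete anything on its own, so a hit can be preserved for a copy of the sample (which Joel asked for above) before it is wiped.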