From: Brian Crawford on 23 Mar 2010 11:46

In article <crawford.bd-604105.18531122032010@[74.223.185.199.nw.nuvox.net]>, Brian Crawford <crawford.bd(a)geemale.com> wrote:

> I recently received an email from my ISP (Telus) saying that I had been
> using my account to "scan, flood or attempt to gain unauthorized access
> to another computer". I wouldn't even know how to begin to do this even
> if I wanted to and was shocked at this email. They said that my IP
> address and modem hardware address pointed directly at me and that they
> would be suspending or cancelling my service if it happens again.
> Apparently there was only one incident of my computer doing this. They
> did suggest that the problem could be caused by a virus, but I did not
> think that there were any Mac viruses out there that could cause this
> problem. I scanned for viruses using ClamXav and nothing was detected.
> My Intel iMac's (Snow Leopard) firewall was on. I connect to the
> Internet directly with a modem. No other computers use the connection
> and no one other than my wife (definitely innocent) uses the computer.
> And, I wasn't even home at the time the incident supposedly happened. I
> also use Little Snitch. Any ideas as to what may be going on?
>
> Brian

I just read the Telus email again, and there is more info that I probably should have mentioned.

They said that the "unique physical address" identifies the network adapter or router connected to my ADSL modem. I have no "network adapter" or router connected to my modem. Indeed the unique identifier (MAC no.?) is not the MAC of my modem.

Here's the clincher. It seems they narrowed it down to a Windows spyware program, Sinowal. Quoting from the email:

"Sinowal is a sophisticated, configurable spyware program that is designed to steal personal information and credentials from online banking sites and other sites. Once this infection gathers enough information it sends this data to the attacker. Sinowal is often packaged with a rootkit known as Mebroot to hide its presence on the system making it difficult to detect and remove. This means antivirus software installed on an infected computer may not detect this infection and advise no infection has been detected. Because of this, we recommend scanning with a reputable online virus scanner - links have been included in this email.

Affected Platforms and Versions
Sinowal affects the following systems: Windows 2003, Windows XP, Windows 2000, Windows NT

Malicious Code Aliases
Trojan.Anserin (Symantec Corp.)
Win32/PSW.Sinowal (Microsoft Corp.)
Trojan.Spy.Sinowal (ClamAV)
Sinowal (Microsoft Corp.)
TSPY_SINOWAL (Trend Micro Inc.)
Trojan.Pws.Sinowal (Bitdefender)
Trojan-PSW.Win32.Sinowal (Kaspersky Lab Inc.)
Troj/Torpig-Gen (Sophos Plc.)

Detected Infection: Trojan.Sinowal Variants
Time of Detection: 2010-03-21 04:57:36 GMT
Timestamp at your location: Sat Mar 20 2010 10:57 PM"

As stated earlier in other postings, we did not find anything on my computer after using ClamXav or the rootkit checker.

Brian
From: Jeffrey Goldberg on 23 Mar 2010 12:04

On 2010-03-23 10:46 AM, Brian Crawford wrote:

> I just read the Telus email again, and there is more info that I
> probably should have mentioned.

> They said that the "unique physical address" identifies the network
> adapter or router connected to my ADSL modem. I have no "network
> adapter" or router connected to my modem. Indeed the unique identifier
> (MAC no.?) is not the MAC of my modem.

And presumably it isn't the MAC address of your Mac. (You can check under About This Mac -> More info -> Network -> Built in Ethernet)

> Here's the clincher. It seems they narrowed it down to a Windows spyware
> program, Sinowal. Quoting from the email:

Yep. That settles it. This simply doesn't run on Macs.

> As stated earlier in other postings, we did not find anything on my
> computer after using ClamXav or the rootkit checker.

And Sinowal would have been spotted by ClamXav.

OK, you are completely in the clear. I'm sorry if I gave you a fright with my earlier pessimism.

And about your BitTorrent question. Just make sure that you keep your BitTorrent client up to date. And don't use LimeWire. I like Transmission, but again always make sure that you have the latest version with all security fixes. From what you've already said about your security practices, I'm confident that you are doing that, but I thought I would state it for the record.

Cheers,

-j

-- 
Jeffrey Goldberg                        http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid
From: Brian Crawford on 23 Mar 2010 12:24

In article <80s74cF9jlU1(a)mid.individual.net>, Jeffrey Goldberg <nobody(a)goldmark.org> wrote:

> On 2010-03-23 10:46 AM, Brian Crawford wrote:
>
> > I just read the Telus email again, and there is more info that I
> > probably should have mentioned.
>
> > They said that the "unique physical address" identifies the network
> > adapter or router connected to my ADSL modem. I have no "network
> > adapter" or router connected to my modem. Indeed the unique identifier
> > (MAC no.?) is not the MAC of my modem.
>

Correction here. While checking my computer's MAC address I noticed my Hardware (MAC) address, and it is indeed the same as the MAC address they identified me with (yikes!). For some reason the number on the back of my modem is different from the number in (About this Mac -> Network -> Locations -> Ethernet). Not sure whether this changes anything.

Brian
From: Jeffrey Goldberg on 23 Mar 2010 13:46

On 2010-03-23 11:24 AM, Brian Crawford wrote:

> Correction here. While checking my computer's MAC address I noticed my
> Hardware (MAC) address, and it is indeed the same as the MAC address
> they identified me with (yikes!). For some reason the number on the back
> of my modem is different from the number in (About this Mac -> Network
> -> Locations -> Ethernet). Not sure whether this changes anything.

This is getting peculiar. There is no way that your iMac could have been infected with Sinowal (unless there is a Mac version that nobody knows about). And we have all of the other evidence suggesting that it isn't from your machine (e.g., Little Snitch should have thrown a fit if your machine was doing what is claimed).

Yet Telus did get your MAC address.

MAC addresses are easily spoofed, but I would be very surprised if Sinowal were able to do that under most circumstances. (Spoofing MAC addresses on the infected machine would be easy, but if people have a router, it would need to spoof the MAC address on that).

So while I no longer am absolutely convinced that you are in the clear, I think that what we have is an anomaly in Telus' records. That would explain why there was just a single burst of activity. If another Telus customer connecting through the same CO as you was spewing Sinowal stuff, it's possible that a few packets got mislogged as from your address.

Cheers,

-j

-- 
Jeffrey Goldberg                        http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid
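The two checks Brian and Jeffrey work through by hand in the posts above (does the "unique physical address" in the notice match the MAC of any device on the premises, given that the modem sticker and About This Mac print MACs in different notations, and what local time does the GMT detection time correspond to), as an added Python example that is not part of the thread. The notice text and all MAC values are constructed; the detection time is the one quoted from the Telus email; the UTC offset of -6 (Mountain Daylight Time) is an assumption chosen because it reproduces the "10:57 PM" local time the email states.

```python
"""Triage helper for an ISP abuse notice (added example, not from the thread).

Two checks a recipient can run before assuming the worst:
  1. Does the "unique physical address" in the notice match any MAC address
     on the premises?  MACs are written in several notations (colons,
     dashes, Cisco dotted groups, bare hex), so normalize before comparing.
  2. What local time does the GMT detection time correspond to, so it can be
     checked against who was home and what was switched on?
"""
from datetime import datetime, timedelta, timezone
import re

# Constructed notice text modelled on the fields quoted in the thread.
# The MAC value is made up; the detection time is the one the email gives.
SAMPLE_NOTICE = """\
Detected Infection: Trojan.Sinowal Variants
Unique physical address: 00-11-22-AA-BB-CC
Time of Detection: 2010-03-21 04:57:36 GMT
"""

# Constructed MACs as a user might copy them from About This Mac and from the
# sticker on the modem, deliberately in two notations (made-up values).
MY_INTERFACES = {
    "iMac Built-in Ethernet": "00:11:22:aa:bb:cc",
    "ADSL modem (sticker)": "0011.22dd.eeff",
}

# Assumption: the customer is on Mountain Daylight Time (UTC-6) in March 2010.
# A fixed offset avoids needing a tz database; the caller supplies the offset
# in force on the date in question, DST included.
LOCAL_UTC_OFFSET_HOURS = -6


def normalize_mac(raw: str) -> str:
    """Return a MAC as six lowercase colon-separated hex pairs.

    Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff and
    aabbccddeeff; anything else raises ValueError.
    """
    cleaned = raw.strip().lower()
    if not re.fullmatch(r"[0-9a-f:.\-]+", cleaned):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = re.sub(r"[:.\-]", "", cleaned)
    if len(digits) != 12:
        raise ValueError(f"MAC must have 12 hex digits: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_valid_mac(raw: str) -> bool:
    try:
        normalize_mac(raw)
        return True
    except ValueError:
        return False


def oui(mac: str) -> str:
    """First three octets: the IEEE-assigned OUI identifying the NIC vendor,
    often enough to tell a computer's NIC from a modem or router."""
    return normalize_mac(mac)[:8]


def parse_notice(text: str) -> dict:
    """Split 'Key: value' lines into a dict keyed by lowercase field name."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def detection_time_local(stamp: str, utc_offset_hours: int) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS GMT' and convert it to a fixed local offset."""
    utc_time = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S GMT")
    utc_time = utc_time.replace(tzinfo=timezone.utc)
    return utc_time.astimezone(timezone(timedelta(hours=utc_offset_hours)))


def matching_interfaces(notice_mac: str, interfaces: dict) -> list:
    """Names of the interfaces whose MAC equals the one in the notice."""
    target = normalize_mac(notice_mac)
    return [name for name, mac in interfaces.items() if normalize_mac(mac) == target]


def triage(notice_text: str, interfaces: dict, utc_offset_hours: int) -> dict:
    """Run both checks and return the facts a reply to the ISP would need."""
    fields = parse_notice(notice_text)
    notice_mac = fields["unique physical address"]
    local = detection_time_local(fields["time of detection"], utc_offset_hours)
    return {
        "infection": fields.get("detected infection", "?"),
        "notice_mac": normalize_mac(notice_mac),
        "oui": oui(notice_mac),
        "matches": matching_interfaces(notice_mac, interfaces),
        "local_time": local.strftime("%a %b %d %Y %I:%M %p"),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_NOTICE, MY_INTERFACES, LOCAL_UTC_OFFSET_HOURS)
    for key, value in result.items():
        print(f"{key:12} {value}")
```

With the constructed values the iMac's Ethernet MAC matches the notice and the modem's does not, which is exactly the situation Brian reports once the two notations are compared properly; a match on the computer's own MAC narrows the question to that host (or, as Jeffrey notes, to a logging error upstream), while a match on nothing at all points at the ISP's records. The OUI is worth quoting back to the ISP because it can be looked up in the IEEE registry to confirm which kind of device the address belongs to.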
From: Richard Maine on 23 Mar 2010 14:27

Jeffrey Goldberg <nobody(a)goldmark.org> wrote:

> This is getting peculiar. There is no way that your iMac could have
> been infected with Sinowal (unless there is a Mac version that nobody
> knows about).

Or unless he was running Windows in one of the several ways that can be done on that Mac. Windows running via BootCamp or one of the virtual machine emulators definitely *CAN* get infected. I might have missed it, but I don't recall mention of whether the OP might have been running such a thing. There is a misunderstanding among some people that just because Windows is running on a Mac, that somehow means it is invulnerable to Windows viruses. Tain't so.

A possibility I'm less sure of is Wine (in any of its variants). That's something that can be installed as part of some apps in a way that might not be quite as memorable to the user. That is, I can imagine a user thinking Wine had never been installed, not realizing it came as part of some app. I don't recall whether Wine's emulation is "good enough" to make it vulnerable. Seems to me that last time I read up on it, Wine wasn't yet good enough at emulating Windows to pick up most malware, but that was long enough ago that things might have changed.

I'm not at all sure what is really going on here. Jeffrey mentioned several possibilities. But I didn't notice the ones above as being brought up.

-- 
Richard Maine                     | Good judgment comes from experience;
email: last name at domain . net  | experience comes from bad judgment.
domain: summertriangle            |  -- Mark Twain