Suspected malware

https://www.novabbs.com/aus+uk/article-flat.php?id=5748&group=uk.comp.sys.mac#5748

From: daniele-...@invalid.com (D.M. Procida)
Newsgroups: uk.comp.sys.mac
Subject: Suspected malware
Date: 23 Jan 2022 13:45:44 GMT
Message-ID: <j554g8Fdkf8U1@mid.individual.net>
User-Agent: Usenapp/1.17/l for MacOS - Full License

A friend asked me to look at her son's MacBook, which is in quite a state.

I only had a chance for a quick look, but as soon as it starts up, it
announces that it's low on memory, even with no applications launched. In the
Activity Monitor, I see processes named "EarthwormJim1" and "Quicken2015",
which look highly suspicious to me.

Anything else to look out for?

Daniele

Re: Suspected malware

https://www.novabbs.com/aus+uk/article-flat.php?id=5749&group=uk.comp.sys.mac#5749

From: alanrich...@nospamgmail.com.here (Alan B)
Newsgroups: uk.comp.sys.mac
Subject: Re: Suspected malware
Date: Sun, 23 Jan 2022 14:00:47 -0000 (UTC)
Organization: Grumpy Old Men
Message-ID: <ssjn2f$r0p$1@alanrichardbarker.eternal-september.org>
References: <j554g8Fdkf8U1@mid.individual.net>
User-Agent: NewsTap/5.5 (iPad)

D.M. Procida <daniele-at-vurt-dot-org@invalid.com> wrote:
> A friend asked me to look at her son's MacBook, which is in quite a state.
>
> I only had a chance for a quick look, but as soon as it starts up, it
> announces that it's low on memory, even with no applications launched. In the
> Activity Monitor, I see processes named "EarthwormJim1" and "Quicken2015",
> which look highly suspicious to me.
>
> Anything else to look out for?

Malwarebytes or DetectX Swift might sort it out. I thought Quicken was an
established macOS product? As for earthworm …..

<https://discussions.apple.com/thread/251885760>

--
Cheers, Alan

Re: Suspected malware

https://www.novabbs.com/aus+uk/article-flat.php?id=5751&group=uk.comp.sys.mac#5751

From: Dav...@invalid.invalid (David Brooks)
Newsgroups: uk.comp.sys.mac
Subject: Re: Suspected malware
Date: Sun, 23 Jan 2022 14:32:29 +0000
Organization: blocknews - www.blocknews.net
Message-ID: <1GdHJ.95666$ASha.6527@fx06.ams1>
References: <j554g8Fdkf8U1@mid.individual.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.5.0

On 23/01/2022 13:45, D.M. Procida wrote:
> A friend asked me to look at her son's MacBook, which is in quite a state.
>
> I only had a chance for a quick look, but as soon as it starts up, it
> announces that it's low on memory, even with no applications launched. In the
> Activity Monitor, I see processes named "EarthwormJim1" and "Quicken2015",
> which look highly suspicious to me.
>
> Anything else to look out for?
>
> Daniele

I suggest you run Malwarebytes (Free)

https://www.malwarebytes.com/mac

Re: Suspected malware

https://www.novabbs.com/aus+uk/article-flat.php?id=5752&group=uk.comp.sys.mac#5752

From: akwolf...@zoho.com (Wolffan)
Newsgroups: uk.comp.sys.mac
Subject: Re: Suspected malware
Date: Sun, 23 Jan 2022 11:49:44 -0500
Organization: The Pack
Message-ID: <0001HW.279DBEA805BDDFC370000F04F38F@news.supernews.com>
References: <j554g8Fdkf8U1@mid.individual.net>
User-Agent: Hogwasher/5.24

On 2022 Jan 23, D.M. Procida wrote
(in article <j554g8Fdkf8U1@mid.individual.net>):

> A friend asked me to look at her son's MacBook, which is in quite a state.
>
> I only had a chance for a quick look, but as soon as it starts up, it
> announces that it's low on memory, even with no applications launched. In the
> Activity Monitor, I see processes named "EarthwormJim1"

Earthworm Jim is a game... but I’m pretty sure that it was never ported to
Macs. Is there a VM running with a Windows or some other system installed?
> and "Quicken2015",

Quicken 2015 for Mac exists, but there’s a problem. Older versions insisted
on connecting to Intuit, and as Quicken 2015 is no longer an Intuit product,
those servers no longer exist. Updating it to a newer version will point it
to the current servers. And, yes, Quicken could be the source of the memory
problems.
>
> which look highly suspicious to me.
>
> Anything else to look out for?
>
> Daniele

Sophos, Clam, or Malware Bytes should help determine if there are problems.
Sophos is free, there’s a free version of MWB, and Clam has a free trial
version.

Re: Suspected malware

https://www.novabbs.com/aus+uk/article-flat.php?id=5753&group=uk.comp.sys.mac#5753

From: daniele-...@invalid.com (D.M. Procida)
Newsgroups: uk.comp.sys.mac
Subject: Re: Suspected malware
Date: 23 Jan 2022 19:14:29 GMT
Message-ID: <j55nolFh8ukU1@mid.individual.net>
References: <j554g8Fdkf8U1@mid.individual.net> <0001HW.279DBEA805BDDFC370000F04F38F@news.supernews.com>
User-Agent: Usenapp/1.17/l for MacOS - Full License

On 23 Jan 2022 at 16:49:44 GMT, "Wolffan" <akwolffan@zoho.com> wrote:

> On 2022 Jan 23, D.M. Procida wrote
> (in article <j554g8Fdkf8U1@mid.individual.net>):
>
>> A friend asked me to look at her son's MacBook, which is in quite a state.
>>
>> I only had a chance for a quick look, but as soon as it starts up, it
>> announces that it's low on memory, even with no applications launched. In the
>> Activity Monitor, I see processes named "EarthwormJim1"
>
> Earthworm Jim is a game... but I’m pretty sure that it was never ported to
> Macs. Is there a VM running with a Windows or some other system installed?
>> and "Quicken2015",
>
> Quicken 2015 for Mac exists, but there’s a problem. Older versions insisted
> on connecting to Intuit, and as Quicken 2015 is no longer an Intuit product,
> those servers no longer exist. Updating it to a newer version will point it
> to the current servers. And, yes, Quicken could be the source of the memory
> problems.

Quicken has never been installed on this machine. I am pretty certain that
"Quicken2015" is a bogus name for a hostile process (same for
"EarthwormJim1").

There are plenty of other signs, such as fishy-looking and broken
notifications.

<time passes>

Malware Bytes has removed them, along with a shedload of others.

There was also some species of Chrome extension or somesuch installed, that
was hijacking searches. Eugh.

Daniele
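The "Quicken2015" process above borrows the name of a real product that was never installed on the machine, so the name tells a defender nothing and the executable's location tells a great deal. The following is an added example, not part of the thread: a small POSIX shell filter that takes "PID PATH" lines in the shape macOS `ps -axo pid=,comm=` prints (on macOS, `comm` is the full executable path) and flags any process running from outside the usual system and application directories. The list of trusted prefixes is this example's own heuristic, and the sample process listing (including the `student` account) is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: flag processes whose executable path
# lies outside the standard macOS install locations. Input is one process
# per line as "PID PATH", the shape that `ps -axo pid=,comm=` prints on
# macOS, where comm is the full executable path.

# Heuristic (this example's assumption): directories where binaries are
# expected to live on a stock Mac. ~/Library and ~/Applications are not
# included on purpose, so user-level helpers will show up for review.
TRUSTED_PREFIXES="/System/ /usr/ /bin/ /sbin/ /Applications/ /Library/"

# Read "PID PATH" lines on stdin; print those whose PATH starts with none
# of the trusted prefixes. Paths containing spaces are kept intact because
# read assigns the remainder of the line to the last variable.
flag_untrusted_paths() {
    while read -r pid path; do
        [ -n "$path" ] || continue
        trusted=no
        for prefix in $TRUSTED_PREFIXES; do
            case "$path" in
                "$prefix"*) trusted=yes; break ;;
            esac
        done
        if [ "$trusted" = no ]; then
            printf '%s %s\n' "$pid" "$path"
        fi
    done
}

# Constructed sample listing modelled on the machine in the thread: two
# processes with plausible app names running from hidden user directories.
SAMPLE_PS='1 /sbin/launchd
312 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
845 /Applications/Safari.app/Contents/MacOS/Safari
1203 /Users/student/.local/share/Quicken2015
1207 /Users/student/Library/Caches/.ew/EarthwormJim1
1310 /usr/libexec/trustd'

# Run the filter over the constructed sample and return the flagged lines.
suspicious_sample() {
    printf '%s\n' "$SAMPLE_PS" | flag_untrusted_paths
}

# Stand-alone use: with no arguments, show the flagged sample processes;
# with --live on a Mac, inspect the processes actually running.
if [ "${1:-}" = "--live" ]; then
    ps -axo pid=,comm= | flag_untrusted_paths
else
    suspicious_sample
fi
```

Hits are leads rather than verdicts: legitimately user-installed software under ~/Applications or helper agents under ~/Library will also be listed, and the point is to check each flagged binary's origin and code signature rather than trust its name.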

Re: Suspected malware

https://www.novabbs.com/aus+uk/article-flat.php?id=5754&group=uk.comp.sys.mac#5754

From: akwolf...@zoho.com (Wolffan)
Newsgroups: uk.comp.sys.mac
Subject: Re: Suspected malware
Date: Sun, 23 Jan 2022 14:27:51 -0500
Organization: The Pack
Message-ID: <0001HW.279DE3B705C68F5570000F04F38F@news.supernews.com>
References: <j554g8Fdkf8U1@mid.individual.net> <0001HW.279DBEA805BDDFC370000F04F38F@news.supernews.com> <j55nolFh8ukU1@mid.individual.net>
User-Agent: Hogwasher/5.24

On 2022 Jan 23, D.M. Procida wrote
(in article <j55nolFh8ukU1@mid.individual.net>):

> On 23 Jan 2022 at 16:49:44 GMT, "Wolffan" <akwolffan@zoho.com> wrote:
>
> > On 2022 Jan 23, D.M. Procida wrote
> > (in article <j554g8Fdkf8U1@mid.individual.net>):
> >
> > > A friend asked me to look at her son's MacBook, which is in quite a state.
> > >
> > > I only had a chance for a quick look, but as soon as it starts up, it
> > > announces that it's low on memory, even with no applications launched. In
> > > the
> > > Activity Monitor, I see processes named "EarthwormJim1"
> >
> > Earthworm Jim is a game... but I’m pretty sure that it was never ported to
> > Macs. Is there a VM running with a Windows or some other system installed?
> > > and "Quicken2015",
> >
> > Quicken 2015 for Mac exists, but there’s a problem. Older versions
> > insisted
> > on connecting to Intuit, and as Quicken 2015 is no longer an Intuit product,
> > those servers no longer exist. Updating it to a newer version will point it
> > to the current servers. And, yes, Quicken could be the source of the memory
> > problems.
>
> Quicken has never been installed on this machine. I am pretty certain that
> "Quicken2015" is a bogus name for a hostile process (same for
> "EarthwormJim1").

if quicken was never installed, then yes i’d say that there’s something
hostile about that process. and earthworm jim is just not a mac app.

>
>
> There are plenty of other signs, such as fishy-looking and broken
> notifications.
>
> <time passes>
>
> Malware Bytes has removed them, along with a shedload of others.

i’d fire up clam or sophos and run a check to see if they catch something
MWB missed. paranoia is good when it’s clear that someone’s out to get
you, and multiple hostile apps shows that someone is out to get the user. MWB
and sophos both spot more than 90%, up to maybe 95%, depending on how you
count, of attack apps, they just spot a different 90+%. using both should
clean house thoroughly. note that sophos isn’t the fastest app around.
it’s faster than clam, though.
>
>
> There was also some species of Chrome extension or somesuch installed, that
> was was hijacking searches. Eugh.
>
> Daniele

Re: Suspected malware

https://www.novabbs.com/aus+uk/article-flat.php?id=5755&group=uk.comp.sys.mac#5755

From: nob...@nowhere.co.uk (Graham J)
Newsgroups: uk.comp.sys.mac
Subject: Re: Suspected malware
Date: Sun, 23 Jan 2022 21:13:46 +0000
Organization: A noiseless patient Spider
Message-ID: <sskgeb$88d$2@dont-email.me>
References: <j554g8Fdkf8U1@mid.individual.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0 SeaMonkey/2.53.10.1

D.M. Procida wrote:
> A friend asked me to look at her son's MacBook, which is in quite a state.
>
> I only had a chance for a quick look, but as soon as it starts up, it
> announces that it's low on memory, even with no applications launched. In the
> Activity Monitor, I see processes named "EarthwormJim1" and "Quicken2015",
> which look highly suspicious to me.

I've dealt with many PCs that have similar bad performance - they give
computers a bad name! But I thought Macs were supposed to be immune to
such problems?

--
Graham J

Re: Suspected malware

https://www.novabbs.com/aus+uk/article-flat.php?id=5756&group=uk.comp.sys.mac#5756

From: daniele-...@invalid.com (D.M. Procida)
Newsgroups: uk.comp.sys.mac
Subject: Re: Suspected malware
Date: 23 Jan 2022 21:49:31 GMT
Message-ID: <j560rbFiv32U1@mid.individual.net>
References: <j554g8Fdkf8U1@mid.individual.net> <sskgeb$88d$2@dont-email.me>
User-Agent: Usenapp/1.17/l for MacOS - Full License

On 23 Jan 2022 at 21:13:46 GMT, "Graham J" <nobody@nowhere.co.uk> wrote:

> D.M. Procida wrote:
>> A friend asked me to look at her son's MacBook, which is in quite a state.
>>
>> I only had a chance for a quick look, but as soon as it starts up, it
>> announces that it's low on memory, even with no applications launched. In the
>> Activity Monitor, I see processes named "EarthwormJim1" and "Quicken2015",
>> which look highly suspicious to me.
>
>
> I've dealt with many PCs that have similar bad performance - they give
> computers a bad name! But I thought Macs were supposed to be immune to
> such problems?

Times have changed. Macs were never immune though.

Even though they were not as vulnerable as Windows was simply from a technical
point of view, we also had the advantage of being a less readily-available
target.

What no system can really prevent is user-installed malware, which is what was
the case here.

A naive or vulnerable user can easily be induced to click on the wrong thing,
and will fail to notice suspicious behaviours.

Google Chrome is a vulnerability in the hands of such a user, it's far too
easy to end up with a raft of extensions or bogus search engines without
realising what's happening, or seeing how to get rid of them.

Daniele

Re: Suspected malware

https://www.novabbs.com/aus+uk/article-flat.php?id=5757&group=uk.comp.sys.mac#5757

From: timstrea...@greenbee.net (TimS)
Newsgroups: uk.comp.sys.mac
Subject: Re: Suspected malware
Date: 23 Jan 2022 22:28:11 GMT
Message-ID: <j5633rFjcm3U1@mid.individual.net>
References: <j554g8Fdkf8U1@mid.individual.net> <sskgeb$88d$2@dont-email.me> <j560rbFiv32U1@mid.individual.net>
User-Agent: Usenapp/1.17/l for MacOS - Full License

On 23 Jan 2022 at 21:49:31 GMT, D.M. Procida
<daniele-at-vurt-dot-org@invalid.com> wrote:

> What no system can really prevent is user-installed malware, which is what was
> the case here.
>
> A naive or vulnerable user can easily be induced to click on the wrong thing,
> and will fail to notice suspicious behaviours.

It can also happen simply because one is in a hurry.

--
"If you're not able to ask questions and deal with the answers without feeling that someone has called your intelligence or competence into question, don't ask questions on Usenet where the answers won't be carefully tailored to avoid tripping your hair-trigger insecurities."

D M Procida, UCSM
