Eblaster software removal and other issues

Anyone got experience of how to remove Eblaster and bolt-ons from a Mac system? It was installed by someone checking up on the users and was thus a "permitted" install. I don't believe the software provider when they say it is remotely removed, plus they have been getting text messages off of the iPhone when it connects to the Mac, which wasn't a feature of the software. Final thought: the mail reports, now seen, do not look like the ones in the web advertising.

I suspect then that a version that is much more aggressive has been installed and is still running. Is it right to be worried? How can I manually check for this or any other threats, come to that? Will the Sophos product find it and kill it? Do Trojans like this spread across a Mac network as easily as they do in the Windows world?

Questions questions.

  • Eblaster is not currently detected by Sophos -- however, if it is truly a trojan version, we would appreciate receiving a sample of the installer for analysis.

    As far as manual analysis goes, I suggest you check your processes in Activity Monitor, and download Lingon to check and see if any background processes are being triggered.

    Another useful step would be to install Little Snitch to watch/block network access on a per-process basis.  You could also use FSEventer to watch what processes are accessing what files on the system; this will definitively show you any odd activity that might still be happening, and what files are implicated.

    To answer your last question, Trojans don't spread across networks; that is left mostly to worms.  Worms tend to do this by exploiting a security hole -- the software you're talking about does all of its work with the administrator's permission.

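The manual triage the reply describes (looking for background jobs that launchd starts on its own, before turning to Activity Monitor, Little Snitch or FSEventer for the live view) can be scripted. The following is an added example written for this page; it is not code from the thread, from Sophos, or from any of the tools named above. It assumes the standard launchd folders (`~/Library/LaunchAgents`, `/Library/LaunchAgents`, `/Library/LaunchDaemons`), treats only OS-shipped prefixes such as `/System/` and `/usr/libexec/` as trusted, and uses two constructed sample plists (the `com.example.*` labels and the `/Users/Shared/.cache/monitord` path are invented for the demo, not indicators of Eblaster or anything else). Any third-party agent that starts at login will be flagged for review, which is the point: the list is what you then compare against what you knowingly installed.

```python
import plistlib
import tempfile
from pathlib import Path

# Locations launchd consults for per-user and system-wide persistent jobs
# (assumption: standard macOS layout; adjust if your install differs).
LAUNCHD_DIRS = [
    Path.home() / "Library" / "LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]

# Executables under these prefixes ship with the OS; anything else deserves a look.
TRUSTED_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/",
                    "/bin/", "/sbin/")


def parse_launch_item(data: bytes) -> dict:
    """Extract the fields that matter for triage from one launchd plist."""
    plist = plistlib.loads(data)
    args = list(plist.get("ProgramArguments", []))
    program = plist.get("Program") or (args[0] if args else None)
    return {
        "label": plist.get("Label", "<no label>"),
        "program": program,
        "arguments": args,
        "run_at_load": bool(plist.get("RunAtLoad", False)),
        "keep_alive": bool(plist.get("KeepAlive", False)),
    }


def needs_review(item: dict) -> bool:
    """Flag jobs that start themselves from a non-OS path or hide in a dot-directory."""
    program = item["program"] or ""
    if not program:
        return True                      # no executable named at all: malformed or odd
    if any(part.startswith(".") for part in Path(program).parts):
        return True                      # hidden directory somewhere in the path
    starts_itself = item["run_at_load"] or item["keep_alive"]
    return starts_itself and not program.startswith(TRUSTED_PREFIXES)


def scan_launch_dirs(dirs=LAUNCHD_DIRS) -> list:
    """Parse every .plist in the given directories and attach a review flag."""
    findings = []
    for directory in dirs:
        if not directory.is_dir():
            continue
        for plist_path in sorted(directory.glob("*.plist")):
            try:
                item = parse_launch_item(plist_path.read_bytes())
            except Exception as exc:      # an unparseable plist is itself a finding
                item = {"label": "<unparseable>", "program": None, "arguments": [],
                        "run_at_load": False, "keep_alive": False, "error": str(exc)}
            item["path"] = str(plist_path)
            item["review"] = needs_review(item)
            findings.append(item)
    return findings


# Constructed sample: a LaunchAgent shaped like one a monitoring tool might drop.
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.monitor</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/Shared/.cache/monitord</string>
    <string>--report-by-mail</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed sample of an OS-owned job, for contrast.
SAMPLE_SYSTEM = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.osjob</string>
  <key>Program</key><string>/usr/libexec/osjob</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def demo_scan() -> list:
    """Write the two samples into a temporary LaunchAgents folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        agents = Path(tmp) / "LaunchAgents"
        agents.mkdir()
        (agents / "com.example.monitor.plist").write_bytes(SAMPLE_AGENT)
        (agents / "com.example.osjob.plist").write_bytes(SAMPLE_SYSTEM)
        return scan_launch_dirs([agents])


if __name__ == "__main__":
    # First the constructed samples, then whatever is actually on this machine.
    for item in demo_scan() + scan_launch_dirs():
        flag = "REVIEW" if item["review"] else "ok    "
        print(f"{flag} {item['label']:35} {item['program']}  ({item['path']})")
```

Run it as a normal user to cover the per-user agents, and again with sudo if you also want `/Library/LaunchDaemons` read on a locked-down system. A "REVIEW" line is not a verdict: take the program path it prints, check whether the file is one you recognise, and cross-check the same process in Activity Monitor and Little Snitch before deciding to unload it.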
  • Thanks for the reply. It seems though that there is a growing trend for spyware/malware to attack Mac platforms. Most worrying is the ease with which they appear to be able to install onto a remote machine by attaching code to otherwise innocuous and credible files within emails. Does Sophos have the ability to defend against that kind of attack? It is very worrying given that so many people think Macs are immune and as such the potential for this sort of hack/attack to spread rapidly is considerable?

  • It's not quite as dire as all that; these aren't being "installed" on a remote machine via email -- they're purely being "received" via email, at which point Sophos detects the malicious files and blocks it from access.  Safari is a bit more dangerous, as a zipped pkg file will automatically run on download, and Safari can be set to autodownload the zip.  This means that as soon as a security hole is found in one of the filetypes that get automatically run, there will be a problem, but so far pretty much everything in the wild needs the human element to actually run anything malicious.

    The potential is definitely there though, now that the FakeAV affiliate gangs are turning to OS X for revenue.  They're currently using 6-year-old attack techniques, but as the malware authors gain competency on par with where they are on Windows, OS X will have the exact same issues, even if the volume of unique attacks is smaller.
