[DM-MUG] Finder Issue (Trojan)

Alan Maupin alan.maupin at gmail.com
Tue Dec 1 16:18:31 CST 2009


Thanks - I'll check out the Airport settings again.

On Dec 1, 2009, at 3:43 PM, Jon Thompson wrote:

> Yeah, I gathered that. The airport express is what is causing the items to show up on your network. Most likely, there is a "gee whiz" feature that you checked and forgot about. I don't use Airport Devices for anything other than wireless gateways, so I probably missed the setting.
> 
> -- 
> Jon Thompson
> Evolve
> www.dmevolve.com
> 
> 
> On Tue, Dec 1, 2009 at 1:37 PM, Alan Maupin <alan.maupin at gmail.com> wrote:
> Also - at home I have an Airport Express connected to a DSL modem, but not at this location. Internet is provided with Qwest Motorola 3347 DSL Modem/Wireless & Ethernet 4 port Router.
> 
> On Dec 1, 2009, at 11:38 AM, Jon Thompson wrote:
> 
>> Your airport extreme has the ability to show dynamic bookmarks, which is what these are. I would look in there to see what settings related to bonjour you have turned on.
>> -- 
>> Jon Thompson
>> Evolve
>> www.dmevolve.com
>> 
>> 
>> On Tue, Dec 1, 2009 at 9:59 AM, Alan Maupin <alan.maupin at gmail.com> wrote:
>> I moved my Mac to a new location across town and connected to a completely different wireless access point with the same Qwest DSL service (may be a different point of presence). There is nothing in the Share items now. At my home the Mac Air, MacBook and MacPro would display as they are all set up for sharing, plus the random URLs.
>> 
>> 
>> On Nov 30, 2009, at 10:14 PM, AB wrote:
>> 
>>> It's a gremlin! ... Or maybe H1N1, bird, swine, West Nile flu. Seriously, it'd probably drive me nuts.
>>> 
>>> Alan, Is there an off chance a third party thing in your System Preferences panel is the culprit?
>>> Does it appear in all the user accounts? Can you make a new user account, and see if it appears? 
>>> 
>>> -A.
>>> 
>>> --- On Mon, 11/30/09, Jon Thompson <jthompson-lists at dmevolve.com> wrote:
>>> 
>>> From: Jon Thompson <jthompson-lists at dmevolve.com>
>>> Subject: Re: [DM-MUG] Finder Issue (Trojan)
>>> To: "Des Moines Mac Users Group" <dmmug at dmmug.org>
>>> Date: Monday, November 30, 2009, 12:09 PM
>>> 
>>> My gut instinct is that it is NOT a virus, however, I wanted to eliminate that as a possibility, which Alan has done. This behavior is a normal behavior of Wide Area Bonjour, which is regulated by your DNS server. I have intentionally configured DNS servers to do this exact thing. However, I have yet to figure out how exactly it is populating the dynamic bookmarks without your prior knowledge, which is what I believe it is doing.
>>> 
>>> -- 
>>> Jon Thompson
>>> Evolve
>>> www.dmevolve.com
>>> 
>>> 
>>> On Mon, Nov 30, 2009 at 10:34 AM, AB <anastasia_prittee at yahoo.com> wrote:
>>> My gut instinctively pegged it for a virus/trojan.... but I've never had one on a Mac. I'd still send a report to the URLs popping up, because it's bad for their reputation, assuming they are a legitimate business. If it's the same URL popping up in the Shared Devices list in the Sidebar, there's the FBI Internet Crimes website you can file a report at in full detail. I did that after I got phishing emails from banks I don't even bank at.
>>> 
>>> Can you use Time Machine to restore it to an earlier date?
>>> 
>>> 
>>> --- On Mon, 11/30/09, Alan Maupin <alan.maupin at gmail.com> wrote:
>>> 
>>> From: Alan Maupin <alan.maupin at gmail.com>
>>> Subject: Re: [DM-MUG] Finder Issue
>>> To: "Des Moines Mac Users Group" <dmmug at dmmug.org>
>>> Date: Monday, November 30, 2009, 9:23 AM
>>> 
>>> Yes still there.
>>> 
>>> On Nov 30, 2009, at 10:13 AM, Jon Thompson wrote:
>>> 
>>> I wasn't concerned with the trojan being on your computer so much as the trojan modifying your DNS settings, which are tied with the mDNS that you see in the Shared list.
>>> Am I correct in you saying that the items are still there?
>>> -- 
>>> Jon Thompson
>>> Evolve
>>> www.dmevolve.com
>>> 
>>> 
>>> On Mon, Nov 30, 2009 at 10:02 AM, Alan Maupin <alan.maupin at gmail.com> wrote:
>>> Jon, here is a newer article that mentions the trojan spoken of in the previous article you sent, with an updated look at Snow Leopard's defense: http://blogs.zdnet.com/security/?p=4139
>>> 
>>> On Nov 30, 2009, at 8:51 AM, Jon Thompson wrote:
>>> 
>>>> Alan,
>>>> 
>>>> Try running the commands in this article, as these types of things could appear if you are using a DNS server that is not one given to you by your ISP.
>>>> 
>>>> http://www.macworld.com/article/60823/2007/10/trojanhorse.html
>>>> 
>>>> I'm giving you this as a precaution, as well as to eliminate it as a possibility.
>>>> -- 
>>>> Jon Thompson
>>>> Evolve
>>>> www.dmevolve.com
>>>> 
>>>> 
>>>> On Mon, Nov 30, 2009 at 2:13 AM, Alan Maupin <alan.maupin at gmail.com> wrote:
>>>> AB thank you very much for this information.  You are quite the internet sleuth!
>>>> 
>>>> 
>>>> On Nov 29, 2009, at 7:21 PM, AB wrote:
>>>> 
>>> When typing in wildfire.gigya.com I got a "directory not listed" message, see screenshot.
>>> I went to the gigya.com website. It is a social media and content management internet based company with offices in CA, NY, and Israel. 
>>> 
>>> Perhaps they can investigate their own security on their servers since the discussion thread mentioned it was a leak in the respective company's network servers.
>>> 
>>> Here's the contact info for them.
>>> 
>>> Whether you have a comment, a bug to report,
>>> or a press or business inquiry, please use the following contact information. 
>>> We will get back to you as soon as possible.
>>> 
>>> Liza Hausman, Gigya 
>>> 650.353.4178 Office 
>>> 
>>> Mark Naples, WIT 
>>> 215.893.0581 Direct
>>> 646.265.7372 Cell
>>> Customer Support and Product Feedback Inquiries: support at gigya-inc.com
>>> 
>>> Sales related inquiries: sales at gigya-inc.com
>>> 
>>> Partner and Business Development Inquiries: bizdev at gigya-inc.com
>>> 
>>> Questions Relating to Terms of Use and/or our Privacy Policy: privacy at gigya-inc.com
>>> Our offices
>>> 
>>> Palo Alto Office (Corporate Headquarters)
>>> 
>>> 855 El Camino Real
>>> Building 4, Suite 290
>>> Palo Alto, CA 94301
>>> 650.353.7230
>>> New York Office.
>>> 
>>> 817 Broadway, 10th Floor
>>> New York, NY 10003-4709
>>> 646.722.8137
>>> Tel Aviv Office
>>> 
>>> 132 Begin road
>>> Azrieli round tower (13 floor)
>>> Tel Aviv, Israel 67021
>>> +972.73.7852400
>>> 
>>> --- On Sun, 11/29/09, Victoria L. Herring <vlh at herringlaw.com> wrote:
>>> 
>>> From: Victoria L. Herring <vlh at herringlaw.com>
>>> Subject: Re: [DM-MUG] Finder Issue
>>> To: "Des Moines Mac Users Group" <dmmug at dmmug.org>
>>> Cc: alan.maupin at gmail.com
>>> Date: Sunday, November 29, 2009, 5:57 PM
>>> 
>>> you can go to Apple.com and set up a phone support call and explain the whole problem in the message so the person you speak to has an idea of the reason for the support call.  Seems easier than going out to the Apple Store - maybe a first step. 
>>> I certainly don't know but if you are having things show up in the finder window you might go to the Prefs for Finder and check on what is listed as contents on sidebar - I don't know what Neighborhood would be other than perhaps you have Bluetooth or Bonjour enabled???  And they/it are picking up signals??
>>> 
>>> On Thu, Nov 26, 2009 at 3:33 PM, Alan Maupin <alan.maupin at gmail.com> wrote:
>>> The problem is located in Finder application, on the Shared menu, under the submenu All: random named URLs are showing up and are listed as Neighborhood.
>>> 
>>> The most recent URL to show up is "wildfire.gigya.com"
>>> 
>>> It does not go away with a reboot.
>>> 
>>> Does anyone know what causes this issue?  Is it a security issue?
>>> 
>>> 
>>> Thanks in advance,
>>> Alan
>>> 
>>> <Screen shot 2009-11-29 at 6.11.32 PM.png>
>>> 
>>> _______________________________________________
>>> DMMUG mailing list
>>> Use this Address to send mail to the list:
>>> DMMUG at dmmug.org
>>> Use this page to modify subscription options:
>>> http://cialug.org/mailman/listinfo/dmmug
