[DM-MUG] Finder Issue (Trojan)

Jon Thompson jthompson-lists at dmevolve.com
Mon Nov 30 13:09:02 CST 2009


My gut instinct is that it is NOT a virus; however, I wanted to eliminate
that as a possibility, which Alan has done. This behavior is a normal
behavior of Wide Area Bonjour, which is regulated by your DNS server. I have
intentionally configured DNS servers to do this exact thing. However, I have
yet to figure out how exactly it is populating the dynamic bookmarks without
your prior knowledge, which is what I believe it is doing.

-- 
Jon Thompson
Evolve
www.dmevolve.com


On Mon, Nov 30, 2009 at 10:34 AM, AB <anastasia_prittee at yahoo.com> wrote:

> My gut instinctively pegged it for a virus/trojan.... but I've never had
> one on a Mac. I'd still send a report to the URLs popping up, because it's
> bad for their reputation, assuming they are a legitimate business. If it's
> the same URL popping up in the Shared Devices list in the Sidebar, there's
> the FBI Internet Crimes website you can file a report at in full detail. I
> did that after I got phishing emails from banks I don't even bank at.
>
> Can you use Time Machine to restore it to an earlier date?
>
>
> --- On *Mon, 11/30/09, Alan Maupin <alan.maupin at gmail.com>* wrote:
>
> From: Alan Maupin <alan.maupin at gmail.com>
> Subject: Re: [DM-MUG] Finder Issue
> To: "Des Moines Mac Users Group" <dmmug at dmmug.org>
> Date: Monday, November 30, 2009, 9:23 AM
>
> Yes still there.
>
> On Nov 30, 2009, at 10:13 AM, Jon Thompson wrote:
>
> I wasn't concerned with the trojan being on your computer so much as the
> trojan modifying your DNS settings, which are tied with the mDNS that you
> see in the Shared list.
> Am I correct in you saying that the items are still there?
> --
> Jon Thompson
> Evolve
> www.dmevolve.com
>
>
> On Mon, Nov 30, 2009 at 10:02 AM, Alan Maupin <alan.maupin at gmail.com> wrote:
>
>> Jon, here is a newer article that mentions the trojan spoken of in the
>> previous article you sent, with an updated look at Snow Leopard's defense:
>> http://blogs.zdnet.com/security/?p=4139
>>
>> On Nov 30, 2009, at 8:51 AM, Jon Thompson wrote:
>>
>> Alan,
>>
>> Try running the commands in this article, as these types of things could
>> appear if you are using a DNS server that is not one given to you by your
>> ISP.
>>
>> http://www.macworld.com/article/60823/2007/10/trojanhorse.html
>>
>> I'm giving you this as a precaution, as well as to eliminate it as a
>> possibility.
>> --
>> Jon Thompson
>> Evolve
>> www.dmevolve.com
>>
>>
>> On Mon, Nov 30, 2009 at 2:13 AM, Alan Maupin <alan.maupin at gmail.com> wrote:
>>
>>> AB thank you very much for this information.  You are quite the internet
>>> sleuth!
>>>
>>>
>>> On Nov 29, 2009, at 7:21 PM, AB wrote:
>>>
>>> When typing in wildfire.gigya.com I got a "directory not listed"
>>> message, see screenshot.
>>> I went to the gigya.com website. It is a social media and content
>>> management internet based company with offices in CA, NY, and Israel.
>>>
>>> Perhaps they can investigate their own security on their servers since
>>> the discussion thread mentioned it was a leak in the respective company's
>>> network servers.
>>>
>>> Here's the contact info for them.
>>>
>>> Whether you have a comment, a bug to report,
>>> or a press or business inquiry, please use the following contact
>>> information.
>>> We will get back to you as soon as possible.
>>>
>>>  Liza Hausman, Gigya
>>> 650.353.4178 Office
>>>
>>> Mark Naples, WIT
>>> 215.893.0581 Direct
>>> 646.265.7372 Cell
>>> Customer Support and Product Feedback Inquiries: support at gigya-inc.com
>>> Sales related inquiries: sales at gigya-inc.com
>>> Partner and Business Development Inquiries: bizdev at gigya-inc.com
>>> Questions Relating to Terms of Use and/or our Privacy Policy: privacy at gigya-inc.com
>>>
>>> Our offices
>>>
>>> Palo Alto Office (Corporate Headquarters)
>>> 855 El Camino Real
>>> Building 4, Suite 290
>>> Palo Alto, CA 94301
>>> 650.353.7230
>>>
>>> New York Office
>>> 817 Broadway, 10th Floor
>>> New York, NY 10003-4709
>>> 646.722.8137
>>>
>>> Tel Aviv Office
>>> 132 Begin road
>>> Azrieli round tower (13 floor)
>>> Tel Aviv, Israel 67021
>>> +972.73.7852400
>>>
>>> --- On *Sun, 11/29/09, Victoria L. Herring <vlh at herringlaw.com>* wrote:
>>>
>>> From: Victoria L. Herring <vlh at herringlaw.com>
>>> Subject: Re: [DM-MUG] Finder Issue
>>> To: "Des Moines Mac Users Group" <dmmug at dmmug.org>
>>> Cc: alan.maupin at gmail.com
>>> Date: Sunday, November 29, 2009, 5:57 PM
>>>
>>> You can go to Apple.com and set up a phone support call and explain the
>>> whole problem in the message so the person you speak to has an idea of the
>>> reason for the support call.  Seems easier than going out to the Apple Store
>>> - maybe a first step.
>>>
>>> I certainly don't know but if you are having things show up in the finder
>>> window you might go to the Prefs for Finder and check on what is listed as
>>> contents on sidebar - I don't know what Neighborhood would be other than
>>> perhaps you have Bluetooth or Bonjour enabled???  And they/it are picking up
>>> signals??
>>>
>>> On Thu, Nov 26, 2009 at 3:33 PM, Alan Maupin <alan.maupin at gmail.com> wrote:
>>> The problem is located in the Finder application, on the Shared menu, under
>>> the submenu All: randomly named URLs are showing up and are listed as
>>> Neighborhood.
>>>
>>> The most recent URL to show up is "wildfire.gigya.com"
>>>
>>> It does not go away with a reboot.
>>>
>>> Does anyone know what causes this issue?  Is it a security issue?
>>>
>>>
>>> Thanks in advance,
>>> Alan
>>>
>>> <Screen shot 2009-11-29 at 6.11.32 PM.png>
>>> _______________________________________________
>>>
>>> DMMUG mailing list
>>> Use this Address to send mail to the list:
>>> DMMUG at dmmug.org
>>> Use this page to modify subscription options:
>>> http://cialug.org/mailman/listinfo/dmmug