Keylogger.Aobo.r for Mac


Userlevel 1
Badge +10
Today, Webroot found a threat in a backup. It is an Info.plist file.
 
/Volumes/Time Machine-sikkerhetskopier/Backups.backupdb/User MacBook Air/2015-12-13-144330/Macintosh HD/Applications/Microsoft Office 2011/Office/Shared Applications/Proofing Tools/Dutch Hyphenato
 
When I look in GSM, it shows MD5 00000000000000000000000000000000. I wonder what that means? I am going to check that backup soon, but wonder if anyone has seen this keylog before and can share any experience?

4 replies

I have had the same result for the MD5 value of many PUAs on Mac.
 
My bet is that the command they use is not accurately pulling the MD5 and is reporting all 0's.
You can browse to the file in terminal and run "openssl md5 [filename]" to get the MD5.
Then verify on Virustotal.com
Userlevel 5
Badge +9
Hi @hungpham
I haven't tried with an MD5 utility, but typically for hashing functions a locked file will result in a zero value hash.
 
Cheers,
 
Randy
Userlevel 1
Badge +10
Hi @Randy
Locked file, you mean it's running at the time of scanning? I highly doubt that, because that threat was in a backup device - Apple Time Machine.
Userlevel 5
Badge +9

@hungpham wrote:
Hi @Randy
Locked file, you mean it's running at the time of scanning? I highly doubt that, because that threat was in a backup device - Apple Time Machine.

Hi @hungpham,
I'm not so familiar with Macs, but the principle that the scanner is being prevented from opening the file would be relevant. I think a CRC32 for an empty file produced a 0 value, I can't remember if an MD5 did and don't have an MD5 utility handy. And yeah, it could be a bug.
 
Always remember though, computers have no respect for theory :-)
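Two practical points come out of the replies above: compute the MD5 yourself rather than trusting the console value, and treat an all-zero digest as "the scanner never hashed this file" (for example because it could not open it) rather than as the file's fingerprint. The Python below is an added example for this thread, not code from Webroot or any poster; the file names and contents it creates are constructed for the demo. It hashes a file in chunks, returns None instead of a digest when the file cannot be read, and classifies a reported MD5 against the independent result.

```python
import hashlib
import os
import tempfile

ZERO_MD5 = "0" * 32                                  # the placeholder the console showed
EMPTY_FILE_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # standard MD5 of zero bytes


def md5_of_file(path, chunk_size=65536):
    """Hex MD5 of the file at `path`, computed independently of the scanner.
    Returns None when the file cannot be opened or read (missing, locked,
    no permission) instead of inventing a digest."""
    digest = hashlib.md5()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                digest.update(chunk)
    except OSError:
        return None
    return digest.hexdigest()


def check_reported_md5(reported, path):
    """Compare a scanner-reported MD5 with our own computation.

    Returns (verdict, computed_md5) where verdict is one of:
      'scanner-no-hash'  reported digest is all zeros, i.e. a placeholder;
                         the scanner never produced a real hash
      'unreadable'       we could not read the file either
      'match'            independent hash equals the reported one
      'mismatch'         the file on disk differs from what was reported
    """
    reported = reported.strip().lower()
    computed = md5_of_file(path)
    if reported == ZERO_MD5:
        return "scanner-no-hash", computed
    if computed is None:
        return "unreadable", None
    if computed == reported:
        return "match", computed
    return "mismatch", computed


def run_demo():
    """Exercise the checks on constructed sample files in a temp directory."""
    workdir = tempfile.mkdtemp(prefix="md5check-")
    empty = os.path.join(workdir, "Empty.plist")      # constructed: zero bytes
    small = os.path.join(workdir, "Info.plist")       # constructed: contains b"abc"
    missing = os.path.join(workdir, "Locked.plist")   # constructed: never created
    open(empty, "wb").close()
    with open(small, "wb") as fh:
        fh.write(b"abc")
    return {
        "empty_md5": md5_of_file(empty),
        "small_md5": md5_of_file(small),
        "missing_md5": md5_of_file(missing),
        "zero_on_empty": check_reported_md5(ZERO_MD5, empty)[0],
        "zero_on_missing": check_reported_md5(ZERO_MD5, missing)[0],
        "real_on_missing": check_reported_md5(EMPTY_FILE_MD5, missing)[0],
        # MD5 of b"abc" is the well-known 900150983cd24fb0d6963f7d28e17f72
        "correct_on_small": check_reported_md5("900150983cd24fb0d6963f7d28e17f72", small)[0],
        "wrong_on_small": check_reported_md5(EMPTY_FILE_MD5, small)[0],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:18} {value}")
```

Run it with `python3 md5check.py`. Note that even an empty file has a real, non-zero MD5 (d41d8cd98f00b204e9800998ecf8427e), so thirty-two zeros is never a genuine digest of anything; it only tells you the hash step did not happen, which is the case to investigate by hashing the backup copy yourself (`openssl md5 <file>` or `md5 <file>` on macOS) before looking the value up on VirusTotal.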
