Keylogger.Aobo.r for Mac

  • 8 March 2018
  • 4 replies
  • 56 views

Userlevel 3
Badge +11
Today, Webroot found a threat in a backup. It is an Info.plist file.
 
/Volumes/Time Machine-sikkerhetskopier/Backups.backupdb/User MacBook Air/2015-12-13-144330/Macintosh HD/Applications/Microsoft Office 2011/Office/Shared Applications/Proofing Tools/Dutch Hyphenato
 
When I look in GSM, it shows MD5 00000000000000000000000000000000. I wonder what that means? I am going to check that backup soon, but I wonder if anyone has seen this keylogger before and can share any experience.

4 replies

Userlevel 5
Badge +9
@ wrote:
Hi @
Locked file, you mean it's running at the time of scanning? I highly doubt that, because that threat was in a backup device - Apple Time Machine.
Hi @,
I'm not so familiar with Macs, but the principle that the scanner is being prevented from opening the file would be relevant. I think a CRC32 for an empty file produced a 0 value; I can't remember if an MD5 did and don't have an MD5 utility handy. And yeah, it could be a bug.
 
Always remember though, computers have no respect for theory 🙂
Userlevel 3
Badge +11
Hi @
Locked file, you mean it's running at the time of scanning? I highly doubt that, because that threat was in a backup device - Apple Time Machine.
Userlevel 5
Badge +9
Hi @
I haven't tried with an MD5 utility, but typically for hashing functions a locked file will result in a zero value hash.
 
Cheers,
 
Randy
I have had the same result for the MD5 value of many PUAs on Mac.
 
My bet is that the command they use is not accurately pulling the MD5 and is reporting all 0s.
You can browse to the file in Terminal and run "openssl md5 [filename]" to get the MD5.
Then verify on VirusTotal.com.
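The manual check suggested in the last reply, written out as a small script. This is an added example, not code from the thread or from Webroot: it hashes a file with `openssl md5` exactly as described (falling back to `md5sum` where openssl is absent), and it sorts the result into three cases so the all-zeros value is not mistaken for a real digest. Two facts it relies on: the MD5 of a zero-byte file is d41d8cd98f00b204e9800998ecf8427e, not zeros, so an all-zeros MD5 means the hashing step never read the file (locked, missing, or permission denied) rather than "empty file"; and only a real digest is worth looking up on VirusTotal. The function names `md5_of` and `classify_md5` are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): compute a file's MD5 the way the last reply
# suggests ("openssl md5 [filename]") and classify the result, so an all-zeros value
# reported by a scanner is recognised as "no digest was computed", not as a digest.

ZERO_MD5=00000000000000000000000000000000   # the placeholder the GSM console showed
EMPTY_MD5=d41d8cd98f00b204e9800998ecf8427e  # genuine MD5 of a zero-byte file

# md5_of FILE: print the hex MD5 of FILE. If the file cannot be opened (missing,
# locked, permission denied), print the all-zeros placeholder and return 1, which
# mirrors what the console did but makes the failure explicit.
md5_of() {
    if command -v openssl >/dev/null 2>&1; then
        # openssl prints "MD5(FILE)= <hex>"; the digest is always the last field
        digest=$(openssl md5 "$1" 2>/dev/null | awk '{print $NF}')
    else
        # fallback for hosts without openssl (e.g. minimal Linux): coreutils md5sum
        digest=$(md5sum "$1" 2>/dev/null | awk '{print $1}')
    fi
    if [ -z "$digest" ]; then
        printf '%s\n' "$ZERO_MD5"
        return 1
    fi
    printf '%s\n' "$digest"
}

# classify_md5 HEX: say what a reported MD5 actually tells you
classify_md5() {
    case "$1" in
        "$ZERO_MD5")  echo "placeholder" ;;  # scanner never read the file; rehash it yourself
        "$EMPTY_MD5") echo "empty" ;;        # real digest of a zero-byte file, not an error
        *)            echo "digest" ;;       # real digest: safe to look up on VirusTotal
    esac
}

# Usage: sh md5check.sh "/Volumes/<backup>/.../Info.plist" [more files...]
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        h=$(md5_of "$f") || true
        printf '%s  %s  %s\n' "$h" "$(classify_md5 "$h")" "$f"
    done
fi
```

Run it against the flagged Info.plist inside the Time Machine volume; if it prints a real digest, that is the value to search on VirusTotal, and if it prints the placeholder, the file itself could not be read from this account either, which points at the scanner's access to the backup rather than at the file's content.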
