Occasional Collector
StRoibard
Posts: 3
Registered: ‎11-08-2012
0
Accepted Solution

2 hour long threat cleaning???

This morning, Sophos popped open a window (capture below) with a message that a threat had been detected (Troj~ObfJS-BK). I went to the Sophos site and followed directions (on page http://www.sophos.com/en-us/support/knowledgebase/118117.aspx) for removing the threat. I followed the instructions for cleaning a Mac exactly. 

After over two hours, the sub-window inside the Quarantine Manager window was STILL going (horizontal barber pole running). I force quit the program (only way I could stop it), reopened Sophos, and followed the same steps as before, hoping the program had just gotten hung up before… well, two hours later and the cleaning is again, STILL going.
Is this to be expected? Is this a normal time to remove this threat? Should I do something differently?

Occasional Collector
StRoibard
Posts: 3
Registered: ‎11-08-2012
0

Re: 2 hour long threat cleaning???

Now I got a notice that the threat could not be cleaned! Is this some mistake or a supervirus? I did note that the virus is listed as a Windows virus, so I hope my Mac is safe from it ...

screen cap of the latest msg:

error msg

Employee
Agile
Posts: 1,195
Registered: ‎11-02-2010
0

Re: 2 hour long threat cleaning???

Don't worry... Troj/ObfJS-BK is a malicious JavaScript injected into web pages, which silently redirects visitors to the webpage to a Blackhole exploit site.  As such, the file was probably detected in your browser cache, which was cleared before cleanup completed, causing an error in the cleanup.  If you look in the quarantine again, you'll likely find that the threat has vanished.
However, Blackhole, while mainly targeting Windows machines, can be (and has been) used by malware authors to drop malware for OS X as well.  Because of this, I'd highly recommend you check to see if any dodgy plist files are in your /Library/LaunchAgents, /Library/LaunchDaemons/ etc. folders, or unexpected login items are associated with your user account.  You may also want to check for unusual network activity (I know, easier said than done).
The main thing you can do to protect yourself in the future is to run your browser with JavaScript in a limited mode -- Firefox with NoScript, for example.

-
Andrew
Threat Researcher
SophosLabs
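The launchd persistence check Andrew describes above, as an added example that is not part of the original thread or Sophos's tooling: a Python 3 script that parses every .plist in the standard LaunchAgents/LaunchDaemons folders with the standard-library plistlib module and flags jobs worth a manual look. The path prefixes treated as trusted or suspect, and the rule that a non-Apple job set to RunAtLoad or KeepAlive deserves review, are my own assumptions (they will also flag legitimate third-party updaters, so treat the output as a review list, not a verdict). The sample jobs in SAMPLE_JOBS are constructed for the demo and are not real malware.

```python
import glob
import os
import plistlib
import tempfile

# Folders Andrew names in his reply, plus the per-user agents folder.
LAUNCHD_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
                os.path.expanduser("~/Library/LaunchAgents")]
# Assumed heuristics: where a legitimately installed program usually lives,
# and where a dropped payload is more likely to be written.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/",
                    "/Library/Application Support/")
SUSPECT_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

def program_of(job):
    """Return the executable a launchd job runs (Program wins over ProgramArguments[0])."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""

def assess(job):
    """Return a list of human-readable reasons this job deserves review (empty = nothing odd)."""
    reasons, prog, label = [], program_of(job), job.get("Label", "")
    if not prog:
        reasons.append("no program")
    elif prog.startswith(SUSPECT_PREFIXES):
        reasons.append("program in temp/shared dir")
    elif "/." in prog:  # any hidden directory component, e.g. ~/.cache/run
        reasons.append("program in hidden dir")
    elif not prog.startswith(TRUSTED_PREFIXES):
        reasons.append("program outside standard locations")
    if label and not label.startswith("com.apple.") and (job.get("RunAtLoad") or job.get("KeepAlive")):
        reasons.append("non-Apple job auto-starts")
    return reasons

def audit(dirs=LAUNCHD_DIRS):
    """Parse every .plist under dirs; return [(path, reasons)] for jobs that need review."""
    findings = []
    for d in dirs:
        for path in sorted(glob.glob(os.path.join(d, "*.plist"))):
            try:
                with open(path, "rb") as f:
                    job = plistlib.load(f)  # handles both XML and binary plists
            except Exception as exc:  # a plist launchd cannot read is itself worth a look
                findings.append((path, ["unparseable: %s" % exc]))
                continue
            reasons = assess(job)
            if reasons:
                findings.append((path, reasons))
    return findings

# Constructed sample jobs (not real malware): one benign Apple job, one that mimics
# a dropper persisting from a hidden folder under /Users/Shared.
SAMPLE_JOBS = {
    "com.apple.example.plist": {"Label": "com.apple.example",
                                "ProgramArguments": ["/usr/libexec/example"], "RunAtLoad": True},
    "com.example.updater.plist": {"Label": "com.example.updater",
                                  "Program": "/Users/Shared/.cache/update",
                                  "RunAtLoad": True, "KeepAlive": True},
}

def demo():
    """Write the constructed samples to a temp dir and audit it; returns {filename: reasons}."""
    d = tempfile.mkdtemp()
    for name, job in SAMPLE_JOBS.items():
        with open(os.path.join(d, name), "wb") as f:
            plistlib.dump(job, f)
    return {os.path.basename(p): r for p, r in audit([d])}

if __name__ == "__main__":
    for path, reasons in audit():  # real folders on this Mac
        print(path, "->", "; ".join(reasons))
```

Run it as the user whose account is in question; an item that auto-starts from a hidden or temp path is the kind of entry to cross-check against the login items in System Preferences before removing anything.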

Occasional Collector
StRoibard
Posts: 3
Registered: ‎11-08-2012
0

Re: 2 hour long threat cleaning???

Thank you Agile! That eases my worried mind. Now, if I can figure out the other stuff you said. Clearly you know LOTS more about this than I do. Part of the reason I went Mac was because I couldn't figure out how to program and do stuff like that on PCs. Guess the easy ride is over.

One thing: you said "run your browser with JavaScript in a limited mode" and suggested Firefox. FF doesn't work for me for a number of reasons. Can I do the same thing with Safari?
thanks again!

Employee
Agile
Posts: 1,195
Registered: ‎11-02-2010
0

Re: 2 hour long threat cleaning???

[ Edited ]

In Safari, you can install the JavaScript Blocker and Ghostery extensions, which will accomplish a limited amount of what NoScript does, although not all.  They *would* have stopped this JavaScript from triggering.
http://extensions.apple.com/#security-extensions

-
Andrew
Threat Researcher
SophosLabs