something called hacktool.underhand?

unclefutz

apparently i have a trojan horse and it's called hacktool.underhand. norton antivirus detected it but says it can't repair. i read somewhere that it affects ms office. anyone know anything about this or how to fix it? it's a pain in the ass i keep having to restart my computer and it's running real slow.
 
Hi unclefutz and welcome to the forum.
That would be the first time I hear about a trojan on macs. Or maybe you are talking about your windows box? Give us some details on your system. A trojan doesn't really slow down the computer and norton pretty much sucks on macs.
 
Zammy-Sam said:
Or maybe you are talking about your windows box? Give us some details on your system. A trojan doesn't really slow down the computer and norton pretty much sucks on macs.
One can presume that if unclefutz is posting to a forum on MacOSX.com, he is talking about an event on a Mac. Label me insane.

Unclefutz, I did a search on Google and found a Japanese posting about this same Norton report, also on a Mac. He wasn't able to track down an answer either. Not much help there.

There is, however, a Mac hacking group called CowFight that produces a tunnelling tool called "underhand". It allows a user to connect to a remote system through a Mac -- the advantage being that the hacker can do all sorts of nefarious no-goodness on, say, a government server without ever exposing his IP. So the Secret Service comes to YOUR door, not his. This tool needs to be installed by a user -- but it is possible that it piggy-backed on some other installation that you did. Their instructions for uninstalling the trojan (that IS what they call it) are:

A) Kill the trojan
1. Open Terminal (/Applications/Utilities/Terminal.app).
2. Type in top.
3. Note the PID # (number on the far left of the list) next to the process showing the name of the trojan server.
4. Press q to stop the 'top' process.
5. Type kill then space then the PID # you noted earlier to kill the running trojan.

B) Remove the trojan
1. Go to System Preferences then find the Login/Startup Items. In Panther it's located under the Accounts Pane.
2. Remove the listing for the trojan server
3. Go to ~/Library/Preferences in the Finder
4. Delete the trojan server application from this folder by moving it to the trash and emptying the trash as well (just for good measure).

I have NO idea if this is what you have, but the technique is sound. If the process doesn't show up on 'top', try 'ps auxww | grep underhand -i'. That should definitely peg it if it is there.

If you did not knowingly install this, it may mean that other processes are running that would allow a user to find your machine and possibly do other nasty stuff as well. Please check your sharing settings in the System Preferences panel and shut down all services that you KNOW you don't use. When you are done, hit the 'lock' icon at the bottom of the window. That will require you to enter the system password if you ever want to change a setting here. If you aren't sure what a listed service does and if you are on a home computer (not on a University network, for example), you almost certainly shouldn't have it running. I am not 100% sure here, but I believe that this window is just as good as monkeying around directly with ipfw, the firewall service.

After locking down your firewall, it might be a good idea to track down services that are running locally. You may want to post a copy of your running processes here, for other, more knowledgeable Mac users to peruse. It would be best to reboot your Mac so that no other programs are running in the background, open a terminal (in the Utilities folder) and enter 'ps auxww'. That will spit out everything you are running. Copy and paste it into a new thread. Perhaps: "Is this a trojan?" or something like that.

You can also see if anyone is presently connected to your computer by running 'netstat' in a terminal window. The top part of the listing describes all incoming and outgoing connections on the Internet. If you recently checked your email or looked at some web pages, those connections will be there. It's best to shut down all programs that access the Internet, wait a few minutes and then run netstat. Many processes are completely legit, but if you have an unwelcome guest, he'll show up there.

I'm going to go out on a limb here and say I am getting alarmed at the number of people who think that because there are no known VIRUSES for Mac at present that there are no TROJANS, either. I am a recent refugee to Mac from Windows, but I've been working in Linux for a few years and I know for sure trojans are a risk for any machine. Well, maybe not the Vic-20. That machine was as safe as houses.
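The netstat and sharing-settings checks described in this post, as an added example that is not part of the original thread: two small shell functions that read output in the `netstat -an` format and pull out the two things worth looking at first, TCP services listening on a non-loopback address (reachable from the network, so each one should be a service you deliberately turned on) and established connections with their remote peers. The listing embedded below is constructed so the functions run offline; its addresses and ports are made up and say nothing about what Underhand itself uses.

```shell
# Added example, not from the thread. Parses netstat -an style output and
# reports (1) TCP services listening on a non-loopback address, which are the
# services to review in the Sharing preferences, and (2) established TCP
# connections and their remote peers. On a real Mac, run:
#   netstat -an | listening_exposed
#   netstat -an | established_peers
# The listing below is constructed for demonstration; the addresses, ports
# and the 8080 listener are invented placeholders, not data about Underhand.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.5.49152      17.254.0.91.80         ESTABLISHED
tcp4       0      0  192.168.1.5.49153      198.51.100.23.6667     ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  *.8080                 *.*                    LISTEN
udp4       0      0  *.5353                 *.*'

# TCP sockets in LISTEN state whose local address is not 127.0.0.1 (or ::1):
# anything printed here is reachable from the network, so each entry should
# correspond to a service you knowingly enabled in the Sharing preferences.
listening_exposed() {   # stdin = netstat -an output
  awk '$1 ~ /^tcp/ && $6 == "LISTEN" &&
       $4 !~ /^127\.0\.0\.1\./ && $4 !~ /^::1\./ { print $4 }'
}

# Remote end of every established TCP connection. Run it after closing
# browsers and mail clients and waiting a few minutes, as the post suggests,
# so that whatever remains is not your own traffic.
established_peers() {   # stdin = netstat -an output
  awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" { print $5 }'
}

# Convenience wrappers that run both checks over the constructed sample.
demo_exposed() { printf '%s\n' "$SAMPLE_NETSTAT" | listening_exposed; }
demo_peers()   { printf '%s\n' "$SAMPLE_NETSTAT" | established_peers; }
```

On the sample, the loopback-only CUPS listener on port 631 is filtered out while the SSH listener on *.22 and the made-up *.8080 listener are reported; the second of those is exactly the kind of entry to account for, since a listening port you did not enable is how a tunnelling tool would accept connections.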
 
Andrew Adamson said:
One can presume that if unclefutz is posting to a forum on MacOSX.com, he is talking about an event on a Mac. Label me insane.
Macosx.com is a community of Mac users. This doesn't mean we may not discuss Windows or Linux problems, which - as a matter of fact - happened quite often in here.
However, your findings are interesting. Can you post a link to the site you found over google?
 
Sorry, Zammy-Sam. I was curt in my reply to you. I'm a bit of a jerk at the moment. It's just that unclefutz just joined (it was his first post), presumably to post his question. Also, as I said here, and elsewhere, I am honestly worried that everyone thinks that Mac is bulletproof. This stuff just kills me.

Please don't link directly to a hacking group. You can get to their page by searching Google with the words cowfight underhand. Right now, they are the second link down. More information on their tool is available from there, too.
 
I've had the Hacktool.Underhand problem too. I downloaded the virus update that Symantec have issued in response and it didn't solve my problem. In fact, although the Underhand message has stopped coming up, my Mac keeps freezing and I can no longer run Safari. Also, I can't open more than one thing at a time otherwise it freezes. I've taken Norton off my computer now and it's still the same. There are four Norton files I am finding impossible to remove. When I try to send them to trash a message says "Operation couldn't be completed because this item is owned by root"

I don't know what this means or what to do to sort my machine out. I've tried everything. Can anyone out there help me?
 
I suppose it could be that you actually have the underhand proxy trojan on your machine. If the process has not been renamed, you can find out fast enough by opening a terminal window (in the Utilities folder of your hard drive) and entering:
ps auxww | grep underhand -i
If you run this, you will probably see one line that says 'grep underhand -i'. That is expected. If you see another line, it is a pretty sure indication that you have this trojan. At this point, I would be extremely surprised if you did.

As for completely uninstalling Norton from a Mac... go through the leeennnghthy instructions offered at Symantec: http://service1.symantec.com/SUPPORT/num.nsf/pfdocs/2002020713322311. Symantec gets a lot of flak about how hard it is to uninstall their products, but one reason they have done this is to make it difficult for a virus to actually uninstall the program. Doesn't make it any easier knowing that, I know.
 
Thanks for the advice,

this is what came up on terminal when I typed what you said in:
katenort 383 0.0 0.2 1372 252 std R+ 4:46PM 0:00.00 grep underhand -i

I think that means the trojan is not there. Am I right? I'm so confused... any suggestions are welcome. will try the NAV link you gave me now.
 
That's correct. The one listing you found means that there is a process running that has 'underhand' in its title, but that process is the command you yourself ran. If there had been TWO entries, it would have been a sign of trouble.

It is generally a good idea to run the following commands from time to time to check for unauthorized entries:

ps auxww will tell you what processes you have running on your machine. If a cracker has commandeered your box, his programs will be there. Quite probably, most entries will be Greek to you if you don't have lots of command line experience. But because script kiddies like to give their programs funny names, the most obvious ones will stand out.
w will show you who is presently logged on to your machine and what command was last issued by that user.
last will show you a list of the last users to log in. An attacker can clear this list (and usually does immediately after logging on), so an EMPTY or SHORTENED list is as much an incriminating sign as anything else. Every time you open a terminal window, a new entry is added to the top of the list -- so seeing LOTS of entries for a single day here is not unusual.
For complete documentation on these, type 'man w' or 'man ps' at a command prompt.

Finally, in /var/log there are a variety of log files you should check out. Entering 'more /var/log/netinfo.log' will allow you to see the contents of netinfo.log. 'more' is a file viewer that lets you view a text stream one page at a time. You can also use 'less' or 'cat' instead of 'more'. If you want to see a protected file, you have to put 'sudo' in front of it. For example, 'sudo more /var/log/secure.log' lets you see the secure log. (It WON'T make the file 'more secure').
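The 'ps auxww | grep underhand -i' check from the earlier post, and the explanation above of why exactly one matching line is the clean result, as an added example that is not from the thread: a shell function that searches a ps listing for a process name but skips the grep that is doing the searching, printing only the PIDs of real matches (which is what the kill step needs). The ps listing embedded here is constructed: the user, the PID 401 entry and its ~/Library/Preferences path are made up to mirror the removal instructions, so it runs offline. On a real Mac you would pipe 'ps auxww' into the function instead.

```shell
# Added example, not from the thread. Finds processes whose command line
# contains a name, ignoring the search command itself.
# On a real Mac:  ps auxww | suspect_pids underhand
# The listing below is constructed: the 'grep underhand -i' line is the
# self-match the thread discusses; the PID 401 entry is a hypothetical server
# placed in ~/Library/Preferences to match the removal steps, not real data.
SAMPLE_PS='USER       PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
root         1  0.0  0.1  1234  456  ??  Ss   4:00PM   0:01.00 /sbin/init
katenort   383  0.0  0.2  1372  252 std  R+   4:46PM   0:00.00 grep underhand -i
katenort   401  0.0  0.3  2048  900 std  S    4:40PM   0:00.10 /Users/katenort/Library/Preferences/underhand'

# What a plain grep sees: every line containing the name, including the grep
# whose own arguments contain it. One hit is therefore the normal, clean result.
naive_match_count() {   # $1 = name, stdin = ps listing
  grep -ic "$1" || true
}

# Case-insensitive search of the COMMAND column only (field 11 onward in
# ps auxww output), skipping entries whose program is grep. Prints the PID
# (column 2) of each real match, one per line; empty output means clean.
suspect_pids() {   # $1 = name, stdin = ps listing
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  awk -v name="$name" '
    NR > 1 {
      cmd = $11
      for (i = 12; i <= NF; i++) cmd = cmd " " $i
      if (index(tolower(cmd), name) > 0 && $11 !~ /(^|\/)grep$/) print $2
    }'
}

# Wrappers that run both searches over the constructed sample.
demo_naive()   { printf '%s\n' "$SAMPLE_PS" | naive_match_count underhand; }
demo_suspect() { printf '%s\n' "$SAMPLE_PS" | suspect_pids underhand; }
```

The PIDs this prints are what step A.5 of the removal instructions feeds to 'kill'. As the post notes, a name search only works if the binary has not been renamed, which is why the 'ps auxww' review and the login-items check remain worth doing even when this comes back empty.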
 
Andrew Adamson said:
In the event that unclefutz ever comes back, a similar problem has been encountered by another forum user. The solution appears to be Symantec's virus definition file. The thread can be found here: http://www.macosx.com/forums/showthread.php?p=371446

I had this problem, deleted swapfile, then updated virus definitions. I'm still experiencing major application instability and can't even get Safari to load my homepage before it quits. All software has been updated after reinstallation. Suspicious of Java...Help! I put up another post on a different thread that explains more clearly what happened but I'm not sure how to link y'all to it.

also
Last login: Sun Jun 5 13:21:01 on ttyp1
Welcome to Darwin!
adsl-64-170-117-160:~ aliciaperusse$ java -version
HotSpot not at correct virtual address. Sharing disabled.
java version "1.4.2_05"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_05-141.4)
Java HotSpot(TM) Client VM (build 1.4.2-38, mixed mode)
adsl-64-170-117-160:~ aliciaperusse$

is what my Terminal said

and

Mac OS X Version 10.3.9 (Build 7W98)
2005-06-05 11:26:03 -0700
2005-06-05 11:26:15.319 Personal Firewall Agent[357] Norton Personal Firewall Agent (357) launched.

dyld: /Users/aliciaperusse/Desktop/Safari.app/Contents/MacOS/Safari Undefined symbols:

WebCore undefined reference to __ZN3KJS32convertUTF16OffsetsToUTF8OffsetsEPKcPii expected to be defined in JavaScriptCore

HotSpot not at correct virtual address. Sharing disabled.

HotSpot not at correct virtual address. Sharing disabled.

2005-06-05 12:36:46.531 Norton Personal Firewall[554] Unknown class `NPFRangeAddressViewController' in nib file, using `NSObject' instead.

dyld: /Users/aliciaperusse/Desktop/Safari.app/Contents/MacOS/Safari Undefined symbols:

WebCore undefined reference to __ZN3KJS32convertUTF16OffsetsToUTF8OffsetsEPKcPii expected to be defined in JavaScriptCore

is what my Console said....can anyone tell me if this is the problem and if it is what I need to do??
 