Useful tips & info

Please check out our tec blog for tips and info. If you would like some advice or help please contact pstec with your questions...

How to check for and get rid of a Mac Flashback infection (from Ars Technica)

Article from:
http://arstechnica.com/apple/news/2012/04/how-to-check-forand-get-rid-ofa-mac-flashback-infection.ars?old=mobile

How to check for—and get rid of—a Mac Flashback infection

Ars Technica, April 2012

Here’s hoping you get nothing but a series of “does not exist” responses!

So you’re a Mac user who has heard that more than half a million Macs have been infected by the recent Flashback malware. When the news began to spread about how the malware took advantage of a previously unpatched Java vulnerability on the Mac, the horror stories began pouring in. “My dad heard about the Flashback malware and subsequently deleted his Java folder. Now his Mac won’t boot,” a friend told me.

Needless to say, this is not the way to properly nuke a possible Flashback infection or prevent yourself from catching one. Still, there is a reasonable level of concern out there. Maybe you haven’t been keeping up on your antivirus software (and let’s be honest, most Mac users don’t), or perhaps you simply have suspicions about your Mac acting funny. How do you check if you have Flashback, and if you do, how do you (properly) get rid of it?

Head to the Terminal to check for infection

These Terminal commands will give you an easy way to find out whether you have a possible Flashback infection.

First, launch Terminal from /Applications/Utilities on your Mac. Then individually type or paste these three lines into the Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

If the Terminal returns back to you lines that look like this:

The domain/default pair of (/Users/jacqui/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist

The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist

The domain/default pair of (/Applications/Firefox.app/Contents/Info, LSEnvironment) does not exist

Then you’re home free: none of the persistence points this variant uses are present, so you’re not (yet) infected by it. Bear in mind that these three checks cover only the locations used by the variants known when this was written; a newer variant could hide elsewhere. You can proceed to the “Run Software Update” section of this post. If any of the commands returns a value instead of the “does not exist” error, it’s likely that you are infected. But worry not, as there are ways to get rid of the malware that will only hurt for a second.

How to get rid of Flashback

Here’s where things might get complicated. These removal instructions are from security research firm F-Secure’s removal page. Take us away, F-Secure! (Cue Keyboard Cat now.)

  1. Run the following command in Terminal:
     defaults read /Applications/Safari.app/Contents/Info LSEnvironment
  2. Take note of the value of DYLD_INSERT_LIBRARIES.
  3. Proceed to step 8 if you got the following error message: “The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist”
  4. Otherwise, run the following command in Terminal:
     grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%
  5. Take note of the value after “__ldpath__”.
  6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):
     sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
     sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
  7. Delete the files obtained in steps 2 and 5.
  8. Run the following command in Terminal:
     defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
  9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following: “The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist”
  10. Otherwise, run the following command in Terminal:
      grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%
  11. Take note of the value after “__ldpath__”.
  12. Run the following commands in Terminal:
      defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
      launchctl unsetenv DYLD_INSERT_LIBRARIES
  13. Finally, delete the files obtained in steps 9 and 11.
  14. Run the following command in Terminal:
      ls -lA ~/Library/LaunchAgents/
  15. Take note of the filename. Proceed only when you have one file. Otherwise contact [F-Secure’s] customer care.
  16. Run the following command in Terminal:
      defaults read ~/Library/LaunchAgents/%filename_obtained_in_step15% ProgramArguments
  17. Take note of the path. If the filename does not start with a “.”, then you might not be infected with this variant.
  18. Delete the files obtained in steps 15 and 17.

In addition to these steps, F-Secure recommends checking for another variant of Flashback, Flashback.K. The instructions can be found on another page on F-Secure’s website.
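The three Terminal checks and the F-Secure steps above can be folded into a single read-only scan. The script below is an added example written for this page; it is not from the Ars Technica article or from F-Secure. It reports each indicator and lists the files the removal steps would delete, but deletes nothing, so you can look the findings over before touching anything. It assumes the macOS `defaults` tool, that the injected library carries the `__ldpath__` marker exactly as F-Secure’s step 4 describes, and that a hidden launch agent is one whose filename starts with a dot (step 17). The function names (`classify`, `plan_removal`, `hidden_launch_agents`) are this example’s own.

```shell
#!/bin/bash
# Added example (not from the Ars Technica article or F-Secure): a read-only
# scan built from the three Terminal checks and the removal steps above.
# It reports each indicator and lists the files the removal steps would
# delete, but deletes nothing, so you can review before acting.
# Assumes the macOS `defaults` tool and an injected library that carries
# the "__ldpath__" marker, exactly as F-Secure's step 4 describes.

# read_key DOMAIN KEY: print the value; exit non-zero if the pair is absent.
# `defaults read` fails with "The domain/default pair ... does not exist"
# when the key is missing, which is the clean result we hope for.
read_key() {
    defaults read "$1" "$2" 2>/dev/null
}

# classify DOMAIN KEY: "clean" when the key is absent, "suspect" otherwise.
# A value under DYLD_INSERT_LIBRARIES means some library is being injected
# into every process launched under that environment.
classify() {
    if read_key "$1" "$2" >/dev/null; then
        echo suspect
    else
        echo clean
    fi
}

# paths_in TEXT: pull absolute paths out of `defaults read` output, such as
# the library named in DYLD_INSERT_LIBRARIES (quotes and ";" are dropped).
paths_in() {
    printf '%s\n' "$1" | grep -o '/[^"; ]*' || true
}

# ldpath_of FILE: the companion file recorded inside the injected library,
# extracted the way F-Secure's step 4 does and with the marker stripped.
# The C locale keeps the "[ -~]" byte range meaning printable ASCII.
ldpath_of() {
    [ -r "$1" ] || return 0
    LC_ALL=C grep -a -o '__ldpath__[ -~]*' "$1" | sed 's/^__ldpath__//'
}

# plan_removal DOMAIN KEY: every file the removal steps would delete for this
# indicator, one per line. No output means there is nothing to remove.
plan_removal() {
    local value
    value=$(read_key "$1" "$2") || return 0
    paths_in "$value" | while read -r lib; do
        echo "$lib"
        ldpath_of "$lib"
    done
}

# hidden_launch_agents DIR: launch agents whose name starts with ".", the
# tell-tale used in F-Secure's step 17. Legitimate agents are not hidden.
hidden_launch_agents() {
    ls -A "$1" 2>/dev/null | grep '^\.' || true
}

# report DOMAIN KEY: one line of verdict plus the would-delete list.
report() {
    echo "$1 $2: $(classify "$1" "$2")"
    plan_removal "$1" "$2" | sed 's/^/  would delete: /'
}

# The live scan only makes sense on macOS, where `defaults` exists.
if [ "$(uname)" = Darwin ]; then
    report "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES
    report /Applications/Safari.app/Contents/Info LSEnvironment
    report /Applications/Firefox.app/Contents/Info LSEnvironment
    hidden_launch_agents "$HOME/Library/LaunchAgents" | sed 's/^/hidden launch agent: /'
fi
```

Run it as your normal user (no sudo is needed to read), and delete only after confirming that a listed path is not something you installed yourself: on a stock Mac anything injected through DYLD_INSERT_LIBRARIES deserves suspicion, but some debugging and instrumentation tools do use that mechanism legitimately. The Safari and Firefox Info.plist entries still need the `sudo defaults delete` and `chmod` from steps 6 and 12 once you have decided to act.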

Run Software Update


Apple has now released some Java updates that will patch the vulnerability targeted by the current variant of Flashback, so if you’re free from infection, you can apply the patch via Software Update. (It’s a mystery as to why Apple waited so long to patch Java for Mac OS X when Oracle released an update in February.) You can also manually download the update for Lion and Snow Leopard, respectively, from Apple’s support site.

Do you really need Java running in your browser anyway?

This raises an important question: do you even need Java running in Safari? Some people do—my parents, for example, play bridge on a website that requires a Java applet to run, and they will not switch to another service—but many of us don’t. If you don’t, it could be worth turning off just to keep yourself extra secure. You can do this in Safari by going to the Safari menu and then Preferences. Then click over to the “Security” tab:

Unchecking Java in Safari will let you find out if you can live without it

Uncheck “Enable Java.” (You can always turn it back on if you have to.) If you can live your life without it, this will be an extra step to help protect you against similar attacks in the future.

Conclusion

Once you’ve performed these steps and updated your installation of Java, you’re inoculated against the current version of the Flashback malware, but that doesn’t mean a later variant won’t exploit a different vulnerability on your Mac. Stay vigilant! Keep your software up to date, don’t ignore strange files that appear from strange places, and if you can, be aware of odd network behavior coming from your Mac. Software like Little Snitch will monitor your Mac’s outbound network activity for you. (A side effect: the latest Flashback variants refuse to install themselves on a Mac that already has Little Snitch.)

The files don’t necessarily come from spammers, either—a Google Image Search might bring you to a malicious website, for example, that could try to execute the code once you visit the site for that cute cat picture. So it’s not just about avoiding file attachments in e-mail; malware can be found lurking in all corners of the Web.

As for whether the “half a million Macs” number is accurate, Dr. Web malware analyst Sorokin Ivan said on Twitter that “BackDoor.Flashback.39 uses Hardware UUID (IOPlatformUUID) to identify bots,” and Dr. Web’s statistics are based on that ID. Even if the numbers aren’t accurate, the latest scare is another wake-up call for Mac users who have been ignoring malware and virus threats up to this point. What steps are you taking to make sure your Mac is protected?

Online (“True”) UPS

Article from: http://www.pcguide.com/ref/power/ext/ups/typesOnLine-c.html
The online UPS, sometimes called a true UPS, is the best type you can buy. Paradoxically, it is both very similar to, and the complete opposite of, the least expensive type, the standby UPS. It is similar in that it has the same two power sources and a transfer switch that selects between them. It is the opposite in that the roles of the sources are reversed: in the online UPS the primary power source is the UPS’s battery, and utility power is the secondary power source!


Block schematic of an online (“true”) UPS. You will notice if you look at the schematic for
the standby UPS that it is identical, except that the primary and secondary power paths
have been exchanged, and here the battery is the primary power source.

Image © American Power Conversion Corp.
Image used with permission.

 

Of course, while seemingly small, this change is a very significant one. Under normal operation the online UPS is always running off the battery through its inverter, while line power runs the battery charger. For this reason this type of UPS is also called a double-conversion (or double-conversion online) UPS. The design means there is no transfer time in the event of a power failure: if the power goes out, the inverter (and its load) keeps running and only the battery charger stops. A computer powered by an online UPS responds to a power failure the way a plugged-in laptop does: it keeps running without interruption, and all that happens is that the battery starts to run down because there is no line power to charge it.

You may ask yourself, why bother having the secondary power path (the dashed line in the diagram above) if you are always running off the battery anyway? The reason is that this provides backup in the event that the inverter fails or stutters due to some sort of internal problem. While unusual, this can happen, and if it does, the unit will switch to the filtered, surge-suppressed line power. In this event, the matter of transfer time comes into play again, just as it does when a standby UPS reacts to a power failure. Of course, power failures are much more common than inverter failures.

There is another key advantage to having the equipment running off the battery most of the time: the double-conversion process totally isolates the output power from the input power. Any nasty surprises coming from the wall affect only the battery charger, and not the output loads.

Even though it may appear from the schematic diagrams that the online UPS and standby UPS have the same components inside, this is not the case. The distinction is that there is a big difference between designing chargers and inverters that are normally sitting around doing nothing and only run say once a month for a few minutes, and designing ones that are running 24 hours a day for weeks on end. The additional engineering and the increased size and quality of the components combine to make online UPSes much more expensive than lesser designs. They are typically used only for large servers, and for backing up multiple pieces of equipment in data centers. They are available in sizes from about 5,000 VA up to hundreds of thousands of VA and even larger.

Aside from the cost, a disadvantage of the online UPS is its inefficiency. All the power going to the loads is converted from AC to DC and back to AC, which means much of the power is dissipated as heat. Furthermore, this is happening all the time, not just during a power failure, and while running equipment that draws a lot of power. To combat this shortcoming, a new design called a delta-conversion online UPS was created. “Delta” is the scientific term often used to refer to the differential between two quantities. In this design, the battery charger is replaced with a delta converter. Instead of providing all of the output from the battery under normal circumstances, some of it is provided directly by the delta converter from the input line power. In the event of a power failure, the delta converter stops operating and the unit acts like a regular double-conversion online UPS, since the inverter is also running off the battery all the time.


Simplified block schematic of a delta-conversion online UPS. The converter and inverter both
handle DC and AC current, providing the two power sources of the UPS. Bypassing the battery
for part of the power during normal operation reduces power consumption.

Image © American Power Conversion Corp.
Image used with permission.

 

This is a newer design and, like the double-conversion type, is available only in large UPSes (over 5,000 VA). For units of that size it can yield substantial energy cost savings.

QR Codes

A QR code (abbreviated from Quick Response code) is a type of matrix barcode (or two-dimensional code) first designed for the automotive industry. More recently, the system has become popular outside that industry because of its fast readability and larger storage capacity compared to traditional UPC barcodes. The code consists of black modules arranged in a square pattern on a white background. The encoded information can be made up of four standardized kinds (“modes”) of data (numeric, alphanumeric, byte/binary, Kanji) or, through supported extensions, virtually any kind of data.
Created by Toyota subsidiary Denso Wave in 1994 to track vehicles during the manufacturing process, the QR code is one of the most popular types of two-dimensional barcodes. It was designed to allow its contents to be decoded at high speed.
The technology has seen frequent use in the United Kingdom and the United States; QR usage is growing fastest in Canada and Hong Kong. (information from wikipedia)