Yevhen Sychov 0 Posted March 16, 2019 Quite often I get a notification about blocking the opening of a URL that leads to a redirector trojan, but in the logs I can't find any other information about which app tries to perform this action. I am using the Cyber Security Pro product (macOS). Is it possible to get this app and remove it? Thanks!
Administrators Marcos 5,234 Posted March 16, 2019 It's typically a browser that opens a malicious or compromised website. Since I don't have a Mac computer at my disposal at the moment, I can only show what it looks like under Windows, where the application is logged. I assume it should be like that on Mac too:
Yevhen Sychov 0 Posted March 16, 2019 Author Thanks for the reply, but on a Mac the log looks different: and in the fields list there is nothing related to an application.
itman 1,741 Posted March 16, 2019 The HTTP filter detections shown in the Cyber Security Pro log are detections and mitigations when a web site attempts to run malicious JavaScript. There is nothing to remove on your device since the malware is resident in the web page you accessed. In your case, the web page attempted to redirect the browser to another URL that was known to be malicious. Eset blocked the redirection attempt. Obviously in the future, you want to avoid browsing to the source web site where the redirection was attempted. Are you stating that these HTTP filter detections are occurring other than when a browser session is active?
Yevhen Sychov 0 Posted March 16, 2019 Author 4 hours ago, itman said: The HTTP filter detections shown in the Cyber Security Pro log are detections and mitigations when a web site attempts to run a malicious JavaScript. There is nothing to remove on your device since the malware is resident in the web page you accessed. In your case, the web page attempted to redirect the browser to another URL that was known to be malicious. Eset blocked the redirection attempt. Obviously in the future, you want to avoid browsing to the source web site where the redirection was attempted. Are you stating that these HTTP filter detections are occurring other than when a browser session is active? That is the point - I don't use a browser at the time of such alerts, but I'll continue my observations. Thanks for the answer.
itman 1,741 Posted March 16, 2019 21 minutes ago, Yevhen Sychov said: that is the point - I don't use a browser in a time of such alerts.. but I'll continue my observations, thanks for the answer. In the Windows ver. of Eset, there is an "Information" column in the Detected Threats log. This column, if it exists in the Cyber Pro ver., will show what application was running when the threat was detected.
Yevhen Sychov 0 Posted March 16, 2019 Author 2 minutes ago, itman said: In the Windows ver. of Eset, there is an "Information" column in the Detected Threats log. This column if it exists in the Cyber Pro ver., will show what application was running when the threat was detected. It is empty in my logs.
itman 1,741 Posted March 16, 2019 Also strange is that all the detection hash values are different. Copy and post the first three hash values shown and I will see if I can find a match for them.
Yevhen Sychov 0 Posted March 16, 2019 Author 2 minutes ago, itman said: Also strange is all the detection hash values are different. Copy and post the first three hash values shown and I will see if I can find a match for them.
hxxp://ww1.bartzmovie.com/?sub1=7ff6acb0-47b3-11e9-b496-0f8abfda80ae 0D14BB0D32B4879D3C9FC52AD829D87674F2E559
hxxp://ww1.bartzmovie.com/?sub1=7ff6acb0-47b3-11e9-b496-0f8abfda80ae FDB03284DA239F29F63C8CC995770BD9D88F9067
hxxp://ww1.bartzmovie.com/?sub1=bfa05138-4667-11e9-b93f-11f91cb2fc4c FC7154DE4580C9C27B748765E5C6DF0858AA5AAB
Thanks.
itman 1,741 Posted March 16, 2019 The file hash search came up with nothing, which is not surprising. Here is a link to a discussion of the malware on the Apple forum: https://discussions.apple.com/thread/8410305 . I can't vouch for anything recommended there, especially uninstalling Eset. I saw a couple of web postings that recommended opening up Applications on the Mac, then searching for JS/Redirector and moving it to the Trash folder. It didn't make a lot of sense to me that the trojan would be listed there by name. Then search for a like-named extension in whatever browser you are using and delete it. You should probably open up a support ticket with Eset on the issue for assistance in malware removal. Almost everyone on the forum is knowledgeable in Windows PCs but not Macs. Note that Eset is currently blocking any outbound connections from the Trojan, but it does need to be permanently removed. Have you run a full system drive scan with Eset to see if it detects and removes the malware?
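As an added example, not written by any participant in this thread: a small Python triage of detection entries shaped like the three posted above (constructed sample, defanged URL plus the object hash), which shows why a per-hash lookup comes up empty here (every hit hashed differently while only the sub1 parameter changed) and why grouping by host is the more useful pivot.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample shaped like the entries posted above (URL, then object hash).
SAMPLE_LOG = """\
hxxp://ww1.bartzmovie.com/?sub1=7ff6acb0-47b3-11e9-b496-0f8abfda80ae 0D14BB0D32B4879D3C9FC52AD829D87674F2E559
hxxp://ww1.bartzmovie.com/?sub1=7ff6acb0-47b3-11e9-b496-0f8abfda80ae FDB03284DA239F29F63C8CC995770BD9D88F9067
hxxp://ww1.bartzmovie.com/?sub1=bfa05138-4667-11e9-b93f-11f91cb2fc4c FC7154DE4580C9C27B748765E5C6DF0858AA5AAB
"""

def refang(url):
    """Turn the defanged hxxp(s):// scheme back into one urlsplit understands."""
    return url.replace("hxxp://", "http://", 1).replace("hxxps://", "https://", 1)

def parse_log(text):
    """Yield (url, sha1) pairs from 'URL HASH' lines; skip anything malformed."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[1]) == 40:
            yield parts[0], parts[1].upper()

def triage(text):
    """Group detections by host and report what actually varies between them."""
    hosts = defaultdict(lambda: {"hashes": set(), "tracking_ids": set(), "hits": 0})
    for url, digest in parse_log(text):
        parts = urlsplit(refang(url))
        entry = hosts[parts.netloc]
        entry["hits"] += 1
        entry["hashes"].add(digest)
        # sub1 is the per-visit parameter seen in the posted URLs
        for value in parse_qs(parts.query).get("sub1", []):
            entry["tracking_ids"].add(value)
    report = {}
    for host, entry in hosts.items():
        report[host] = {
            "hits": entry["hits"],
            "distinct_hashes": len(entry["hashes"]),
            "distinct_tracking_ids": len(entry["tracking_ids"]),
            # every hit hashing differently means the served content rotates;
            # pivot on the host rather than the hash in that case
            "pivot_on_host": len(entry["hashes"]) == entry["hits"] > 1,
        }
    return report

if __name__ == "__main__":
    for host, summary in triage(SAMPLE_LOG).items():
        print(host, summary)
```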
Administrators Marcos 5,234 Posted March 16, 2019 I assume you didn't intentionally open bartzmovie.com, did you? It seems to be a parked domain for sale.
itman 1,741 Posted March 16, 2019 We're "shooting in the dark" on this one without being able to identify the source process for this activity.
Yevhen Sychov 0 Posted March 16, 2019 Author Seems I understood why it happens. I don't know how it was added to the "Top Hits" list (I suppose via JS somehow), but it is there, and the top-rated list is preloaded by the browser (that explains the random execution). The solution is to reset the "Top Hits" list in Safari. Thanks to all for participating.