Author Topic: Xorddos on Mac  (Read 3230 times)

REDACTED

  • Guest
Xorddos on Mac
« on: July 04, 2016, 10:06:43 AM »
Hello

Our Mac server (10.6.8) has been infected by a virus that writes two .bin files to the root and a file named F**k (without the stars!). If you remove the files they return within 24 hours.

Avast Webshield is reporting that it has blocked a threat

Infection: ELF:Xorddos-E
URL: http://149.xx.xx.xx//6000.bin (x's change with threat reports)
Process: /usr/bin/curl

Can this virus be removed?

Google only turns up results for Linux, and a search for Xorddos here brings back no results. Thanks in advance for any help.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Xorddos on Mac
« Reply #1 on: July 04, 2016, 10:27:17 AM »
It is not a virus but a trojan with rootkit technology.

ELF = Executable and Linkable Format

http://bartblaze.blogspot.nl/2015/09/notes-on-linuxxorddos.html

REDACTED

  • Guest
Re: Xorddos on Mac
« Reply #2 on: July 04, 2016, 10:38:20 AM »
Thanks Eddy

I saw that page and to be honest it's a bit beyond my technical expertise, but I will review it. However, you've sort of confirmed my fears that there is no automatic virus removal tool that could do the job.

Paul

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Xorddos on Mac
« Reply #3 on: July 04, 2016, 10:45:08 AM »
I'm not a MAC tech.
It can be there is a tool for it, but I don't know one for MAC

Offline TED123

  • Newbie
  • *
  • Posts: 18
Re: Xorddos on Mac
« Reply #4 on: July 04, 2016, 04:47:43 PM »
Run all or most of these programs and they may let you track down the file infection. Please come back and tell us if you cleaned it by using these programs. Most of these programs get updated, so you need to check for the latest if you use them later.

https://objective-see.com/products.html

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: Xorddos on Mac
« Reply #5 on: July 04, 2016, 06:25:27 PM »
ELF:Xorddos-E [trj] Alias >  Linux.Xorddos (symantec)

Info here  >>  https://www.symantec.com/security_response/writeup.jsp?docid=2015-010823-3741-99&tabid=2

Quote
The Trojan may perform the following actions:
Execute files
Download files
Remove services
Install modules
Update itself
Launch distributed denial of service (DDoS) attacks

Some vendors use the name DDoS flood, so that should indicate what it may do.