
Virus on Mac OS X question
lr1000t
Fresh-Faced Recruit
Join Date: Mar 2003
Location: Texas
Status: Offline
Sep 24, 2004, 01:07 AM
 
I am a college student and relative new-Mac user. Our school runs some kind of check on our computers when we connect to the network. The check determines if we have a current anti-virus and looks for viruses. The school provides a copy of Norton.

Today I received an e-mail and a phone call from the school that my computer, a 1GHz Tibook, was sending out massive amounts of traffic and had the Korgo/Sasser virus. They told me to run some removal tools (all for Windows) and to call them back. I checked Symantec's website and from what I read, the Korgo/Sasser viruses only affect Windows machines, and only newer Windows OSs. Regardless, I ran a Norton fulldisk scan and it found a Trojan variant of a virus. I looked up this virus on Symantec's website and it was also a Windows only virus.

Basically, I am trying to figure out what could have happened to cause my computer to alert the school network. I have a pretty basic set-up; MS Office, browsers, etc. I have owned the computer for about 1 1/2 years and use it for school and internet. I tried to find info on Mac viruses, but there just aren't a lot out there. And finding removal tools is even harder?

Does anyone have any ideas? I have not upgraded to the newest version of OS X because I am waiting for my new iMac first. I want to make sure everything is backed-up there before I start over on this one. I want to do a full install instead of an upgrade. Thanks in advance.
     
msuper69
Professional Poster
Join Date: Jan 2000
Location: Columbus, OH
Status: Offline
Sep 24, 2004, 01:47 AM
 
It's possible that the virus was saved as an email attachment or possible contained in an email message (as an attachment) saved on your Mac.

It cannot do your Mac any harm as it is not possible to execute any of the code on a Mac but I suppose a network scan might detect that it is saved on your hard drive.

You should get a Mac anti-virus program (Norton AV is not bad actually). If you have a .mac account McAfee Virex will find and eliminate any Windows virii or trojans that happen to find their way onto your hard drive.
     
lr1000t  (op)
Fresh-Faced Recruit
Join Date: Mar 2003
Location: Texas
Status: Offline
Sep 24, 2004, 01:59 AM
 
What do you think might have caused my computer to "creat[e] massive amounts of network traffic" as the school noted? They track it by MAC number and I am pretty sure it is right. I have three wireless cards at home; one for the Mac, one for my old Dell, and one for my brother's Dell. I have not taken my Dell to school and I doubt my brother took his, so of the three I have listed, one matched the school's report, so it is likely (probably definitely) the Mac.

That's the part I don't understand. I don't think I have a virus and I really don't think I was sending out any traffic, so I wonder what it was seeing? For a second I thought it could be iTunes sharing, but I don't have that turned on. It just seems weird.

I am only on campus a couple days a week, but maybe they will give me a more specific time frame and I can remember where I was or what I was doing at that exact time. Thank you very much for your reply.
Yes. Again? Yes.
     
utidjian
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Status: Offline
Sep 24, 2004, 02:54 AM
 
Originally posted by lr1000t:

I am only on campus a couple days a week, but maybe they will give me a more specific time frame and I can remember where I was or what I was doing at that exact time.
Indeed this seems very strange. Your network admins' logs should be able to track the problem by MAC address AND network drop (the actual port on the switch) AND the exact time of day. It is possible to spoof a MAC address with some network cards. It is very unlikely that MAC address, network drop and time of day were all spoofed.

Ask them what time of day precisely the event occurred and where on their network it was coming from. If you and your Mac weren't anywhere near that location or weren't even on campus at that time of day then they have a different problem and it isn't your Mac.

It is a lot more difficult to prove it was your Mac than it is to prove it wasn't your Mac.
-DU-...etc...
     
Xeo
Moderator Emeritus
Join Date: Mar 2001
Location: Austin, MN, USA
Status: Offline
Sep 24, 2004, 03:37 AM
 
Install Little Snitch and/or MenuMeters to find out if your Mac is sending out any data. Little Snitch is your best bet because all outgoing connections will create a popup asking if you want it to proceed (under its strictest settings). MenuMeters will just let you see if massive amounts of traffic are going out of (or into) your Mac.

I doubt the traffic is really originating from your Mac. Do you know the MAC address of the supposedly affected machine? Does it match your Mac?
     
Gavin
Mac Elite
Join Date: Oct 2000
Location: Seattle
Status: Offline
Sep 24, 2004, 04:07 AM
 
I'm guessing the "massive amounts of network traffic" part is just the standard reply they send to anyone whose scanner software reports a virus. Ignore it.

Also, there is no need for a 'removal tool'. On Windows, when a virus runs it puts hidden code in several places that tells the computer to run the virus on start up. Some viruses can even put the code back after you have removed it because it is still secretly running in the background. So there are tools to do the several steps it takes to really get rid of it. That only applies to computers that have been infected, not to computers with a virus sitting harmlessly as an attachment in the spam folder. Just delete the email.

As a mac guy I find it hard to relate to the seriousness that windows network guys give to the whole virus / spyware thing. And I'm surprised at their ignorance of how nonexistent the problem is for mac users. You won't change their minds and can't teach them anything new, they're 'experts'. So I just nod my head and smile while they do their little lecture thing, and when they leave I laugh at them with pity.
     
Millennium
Clinically Insane
Join Date: Nov 1999
Status: Offline
Sep 24, 2004, 06:11 AM
 
Do not listen to the "viruses are not a problem on the Mac" spiel. It is true that there are no known viruses for OSX in the wild, but people have been getting this attitude that we're invincible, which is not only false but outright absurd. Sooner or later, the Mac community is going to get caught with its metaphorical pants down. Windows users take it seriously because the problem is serious. Back before Melissa (the first Microsoft e-mail worm), they didn't take it seriously any more than we do now, and look at what happened because of that.

That said, although it is possible for Korgo/Sasser to reside on a Mac hard drive, it shouldn't be possible for it to actually infect the machine. Are you by some chance running Virtual PC or another PC emulator? If so, it's possible that your emulated environment could have become infected; it is running Windows, after all.

Other than that, are you running any servers on your Mac? I don't know of any servers which could be easily mistaken for viruses, but it's possible that they detected a server's network traffic and assumed the worst. That's a hallmark of incompetent network staff, but unfortunately they are the network staff, and so dealing with them becomes a necessary evil.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
lr1000t  (op)
Fresh-Faced Recruit
Join Date: Mar 2003
Location: Texas
Status: Offline
Sep 24, 2004, 10:55 AM
 
Thank you everyone for your replies. I will install the suggested programs and watch and see what happens today and even while I am at home. I have wireless there, so it should be similar.

The school probably has all the information necessary to track when and where it occurred, but all I received was the e-mail connecting my Mac's wireless MAC address to my e-mail. It didn't give any other details.

I'll see what happens watching myself and also see if the school contacts me again. Oh, I am not running Virtual PC. I would dare say that 99.9% of the time I am using iTunes, Word, Safari, and Entourage. That's it. I don't have any server type software running that I am aware of. Oh, I use Entourage because I was having some problems with Mail when I was bombarding (probably a bad word) recruiting coordinators last year trying to find a job. However, I found a job in February and the last time I sent out resumes was back around Christmas, so that shouldn't even be a problem. Furthermore, I think the only e-mail I send in an average day is correspondence with my wife.

Thank you again. I spent a good chunk of yesterday trying to figure it out, then finally remembered the Forum and came here for suggestions. I am very happy with my Mac, but it seems like the school is becoming less Mac friendly. Actually, becoming unfriendly to anything non-Dell. It has been interesting watching all the other brands dwindle in numbers. Thanks again.
( Last edited by lr1000t; Sep 24, 2004 at 11:47 AM. )
Yes. Again? Yes.
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Status: Offline
Sep 24, 2004, 11:05 AM
 
Originally posted by lr1000t:
I am very happy with my Mac, but it seems like the school is becoming less Mac friendly. Actually, becoming unfriendly to anything non-Dell. It has been interesting watching all the other brands dwindle in numbers.
Normal.

That's because mono-culture is the best protection against viruses. You'll learn that in biology class eventually. *)

It's impossible that you caught the Sasser virus. It executes on Windows only. Maybe they mistook Rendezvous traffic for virus activity.
     
lr1000t  (op)
Fresh-Faced Recruit
Join Date: Mar 2003
Location: Texas
Status: Offline
Sep 24, 2004, 11:46 AM
 
Originally posted by TETENAL:
That's because mono-culture is the best protection against viruses. You'll learn that in biology class eventually. *)
That seems counter-intuitive. If it is a mono-culture, it would seem that a single virus that breaks through would destroy everything. I can see that it would be easier to set up a single defense, but then if the defense fails the entire system goes down. No independent redundancy.

However, that is what they are doing. The school provides an enterprise copy of Norton to all students that updates automatically. Then Dell has pretty much replaced everything, even though the bookstore still carries other brands. The only good deals, which we always like, are for the Dells. When I started you could buy a Dell, an IBM, or opt out. I opted out and used my old Dell, then bought the TiBook when Apple started to clean them out.

Now to the two apps. Both are installed and running. The Menu Meter is watching network traffic, but how much is too much? All that should be happening is checking and sending simple e-mails and surfing. No attachments.

Little Snitch notified me of Adobe and Entourage trying to connect. I did the "once only" button a few times on Entourage to make sure what it was doing, and "denied until quit" on Adobe. It is just Adobe reader and it doesn't need to go out. But I have a concern. I have two e-mail accounts and at first Little Snitch was prompting me for both accounts individually. However, when I clicked "allow until quit" on the first one, it did not prompt me on the second one. Therefore, if something were using Entourage to send out traffic, Little Snitch will now allow it through and I will just have to watch the menu meter. Is that correct?

Hope that was clear. So far, over the past 1/2 hour or so, the network meter has hardly moved. I set it to ignore less than 1KB since the little stuff didn't seem to be much and doesn't fit my definition of "massive network traffic."

Thanks again.
Yes. Again? Yes.
     
Xeo
Moderator Emeritus
Join Date: Mar 2001
Location: Austin, MN, USA
Status: Offline
Sep 24, 2004, 12:24 PM
 
Originally posted by lr1000t:
That seems counter-intuitive. If it is a mono-culture, it would seem that a single virus that breaks through would destroy everything. I can see that it would be easier to set up a single defense, but then if the defense fails the entire system goes down. No independent redundancy.

However, that is what they are doing. The school provides an enterprise copy of Norton to all students that updates automatically. Then Dell has pretty much replaced everything, even though the bookstore still carries other brands. The only good deals, which we always like, are for the Dells. When I started you could buy a Dell, an IBM, or opt out. I opted out and used my old Dell, then bought the TiBook when Apple started to clean them out.

Now to the two apps. Both are installed and running. The Menu Meter is watching network traffic, but how much is too much? All that should be happening is checking and sending simple e-mails and surfing. No attachments.

Little Snitch notified me of Adobe and Entourage trying to connect. I did the "once only" button a few times on Entourage to make sure what it was doing, and "denied until quit" on Adobe. It is just Adobe reader and it doesn't need to go out. But I have a concern. I have two e-mail accounts and at first Little Snitch was prompting me for both accounts individually. However, when I clicked "allow until quit" on the first one, it did not prompt me on the second one. Therefore, if something were using Entourage to send out traffic, Little Snitch will now allow it through and I will just have to watch the menu meter. Is that correct?

Hope that was clear. So far, over the past 1/2 hour or so, the network meter has hardly moved. I set it to ignore less than 1KB since the little stuff didn't seem to be much and doesn't fit my definition of "massive network traffic."

Thanks again.
Well, pretty much all Adobe apps call home to check for updates and cross-check for piracy (I think). There is no harm in disallowing them from connecting. You can set up Little Snitch to specifically allow connections to specific servers that you know to be correct. After all, your mail client only connects to a handful (maybe only one if you have only one address) so it would be easy to configure that. Then, should it try to send anything else anywhere else, you'd know about it. But if Entourage somehow is infected by something no one else has heard of, it would probably just end up sending e-mails through your normal server anyway, and wouldn't generate a massive amount of traffic that would cause problems. It'd just be propagating itself.

For your network admins to be concerned with the traffic you generate, it would most likely be MB of data flying around on the local network, or a large percentage of the outgoing bandwidth going out from your machine. But those can be caused by file transfers and/or personal servers on your machine. For your uses, it should be quite clear that if you get hundreds of outgoing KB per second without you manually sending something somewhere, then there is concern.

But it really doesn't sound like there is anything wrong with your machine.
     
lr1000t  (op)
Fresh-Faced Recruit
Join Date: Mar 2003
Location: Texas
Status: Offline
Sep 24, 2004, 12:34 PM
 
Thanks again. The most traffic I have seen is a peak of 19 KB/sec and that was on the receiving end. I think the transmit peaked at 7, but for the most part it is zero. I'll watch for the hundreds of MB range and get concerned then. But for now I'll just wait.

I just became very concerned when I was contacted because I don't have the time to deal with problems right now. I need a smooth flowing semester to get me out of here. I am almost finished and the school is really cracking down on network infractions, unauthorized use, etc. I know I am not doing anything, but I don't want to take the blame for anyone else either.
Yes. Again? Yes.
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Status: Offline
Sep 24, 2004, 01:26 PM
 
Originally posted by lr1000t:
That seems counter-intuitive.
I was being sarcastic.

But you are very right. Don't fight the system. It's more important to finish the semester successfully.
     
mitchell_pgh
Posting Junkie
Join Date: Feb 2000
Location: Washington, DC
Status: Offline
Sep 24, 2004, 02:47 PM
 
I got the same phone call once... some software applications view things like Rendezvous as a virus. Anything that's not on port 80 or 25...
     
mitchell_pgh
Posting Junkie
Join Date: Feb 2000
Location: Washington, DC
Status: Offline
Sep 24, 2004, 02:51 PM
 
P.S. I would get your own router if you can... it will clean things up from their end.
     
lr1000t  (op)
Fresh-Faced Recruit
Join Date: Mar 2003
Location: Texas
Status: Offline
Sep 24, 2004, 04:33 PM
 
Originally posted by mitchell_pgh:
I got the same phone call once... some software applications view things like Rendezvous as a virus. Anything that's not on port 80 or 25...
I have a cable modem and router at home, so I am only connected wirelessly at the school. We do have carrels to plug in also, but I only use them when my wireless isn't working. So I don't think a router is an option.

However, what is Rendezvous doing that would alert the school system? Am I using Rendezvous for anything right now? Is there a way to turn it off? I have heard/read about Rendezvous, but I didn't think I was using it. Isn't it for printers and such? Thanks.
Yes. Again? Yes.
     
Link
Professional Poster
Join Date: Jun 2003
Location: Hyrule
Status: Offline
Sep 24, 2004, 05:56 PM
 
Yes, actually you can turn off Rendezvous. All you have to do is open Directory Access (/Applications/Utilities), click the lock to allow changes, enter your user/pass, then uncheck Rendezvous.
Aloha
     
moodymonster
Mac Elite
Join Date: Sep 2003
Location: London
Status: Offline
Sep 24, 2004, 06:33 PM
 
I know people have suggested other specialist tools previously, but Activity Monitor (Apps/Utilities/Activity Monitor) will let you see network traffic both in and out and the quantity/speed. Also you can get the CPU option to show all processes so if something was running you'd be able to find out (unless they circumvented the list).
     
Gavin
Mac Elite
Join Date: Oct 2000
Location: Seattle
Status: Offline
Sep 25, 2004, 01:17 AM
 
I'm still guessing the tons of traffic thing is just not true. They sent you a cookie cutter email.
     
Graymalkin
Mac Elite
Join Date: May 2001
Location: ~/
Status: Offline
Sep 25, 2004, 02:55 AM
 
I'm betting since your Mac didn't mesh entirely with their generalized system scan your account got flagged and you got the e-mail you mentioned. The short and skinny of viruses on Macs is this: we're not susceptible to viruses that target Windows or any other operating systems that run on PC hardware. We're by no means immune to malicious attacks but we're in a better situation than Windows users. We can however house Windows viruses on our systems even if they don't affect us; in order to be good network citizens it is a nice idea to run an anti-virus scanner when dealing with a lot of data transferred from Windows PCs. We might not be affected by some virus or worm but if we send an infecting e-mail or a viral file we can infect a Windows-using recipient.

From a technical aspect OSX is very difficult to infect with worms or viruses simply due to its design. Adding a period and three letters to the end of a filename won't make it executable by the system. OSX also doesn't arbitrarily listen to and trust network traffic as some default Windows services do. It is indeed possible to write malicious and dangerous code that can cause an OSX user all sorts of hurt but it is orders of magnitude more difficult for such programs to propagate among OSX users.

What you need to do is inform your ResNet admins that you've got a Mac and it is extremely unlikely that your system was indeed causing the sort of trouble they're suggesting it was. If you do have a virus file it is likely something you got in an e-mail or through a file transfer from a Windows user.
     
Telusman
Dedicated MacNNer
Join Date: Jul 2002
Location: Calgary, Alberta
Status: Offline
Sep 25, 2004, 03:32 AM
 
It's possible the "huge" amount of network traffic they're seeing is Rendezvous polling the network for resources to connect to. If you're just connecting, or just waking up, or switching network connections, it scans the local network as far as it can reach and waits for replies from machines, etc. Not 100% sure, but just a thought; I know my system throws off a fair amount of traffic when it's polling the network.

It could be mistaking the multicast packets of the mdnsresponder as viral activity.

- Telusman
"No ma'am, I'm not angry at you, I'm angry at the cruel twist of fate that directed your call to my extension..."
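As an added example (not code from the thread or from any poster), this script shows the distinction Xeo and Telusman are drawing: given constructed flow records, it separates Rendezvous/mDNS multicast (UDP to 224.0.0.251:5353) from the one-source-many-targets TCP 445 pattern that Sasser/Korgo produced, and applies Xeo's "hundreds of outgoing KB per second" rule of thumb. All IP addresses, byte counts and the 100 KB/s alert line are assumptions made up for the example.

```python
# Added example: classify constructed flow records the way a campus network
# monitor should, so mDNS chatter from a Mac is not mistaken for a worm.
from collections import defaultdict

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353   # mDNS (Rendezvous/Bonjour) multicast
LSASS_PORT = 445                               # TCP port Sasser/Korgo probed on neighbours

# Constructed sample flows: (src_ip, dst_ip, proto, dst_port, bytes_out)
FLOWS = [
    # A Mac waking on the campus WLAN: a burst of mDNS queries plus ordinary mail/web.
    ("10.1.2.30", "224.0.0.251", "udp", 5353, 180),
    ("10.1.2.30", "224.0.0.251", "udp", 5353, 160),
    ("10.1.2.30", "224.0.0.251", "udp", 5353, 210),
    ("10.1.2.30", "10.1.0.25", "tcp", 25, 4000),
    ("10.1.2.30", "10.1.0.80", "tcp", 80, 9000),
]
# A Windows host probing TCP 445 on forty neighbours: one source, many distinct targets.
FLOWS += [("10.1.2.77", f"10.1.3.{i}", "tcp", LSASS_PORT, 60) for i in range(1, 41)]


def summarize(flows):
    """Per-source tallies: mDNS multicast datagrams, distinct 445 targets, bytes out."""
    per_src = defaultdict(lambda: {"mdns": 0, "scan_targets": set(), "bytes": 0})
    for src, dst, proto, port, nbytes in flows:
        s = per_src[src]
        s["bytes"] += nbytes
        if proto == "udp" and dst == MDNS_GROUP and port == MDNS_PORT:
            s["mdns"] += 1
        elif proto == "tcp" and port == LSASS_PORT:
            s["scan_targets"].add(dst)
    return per_src


def classify(flows, min_targets=20):
    """Label each source. Many distinct 445 targets from one host is the worm
    pattern; multicast to 224.0.0.251:5353 alone is normal Mac service discovery."""
    verdicts = {}
    for src, s in summarize(flows).items():
        if len(s["scan_targets"]) >= min_targets:
            verdicts[src] = "worm-like scan"
        elif s["mdns"] and not s["scan_targets"]:
            verdicts[src] = "mdns multicast (benign)"
        else:
            verdicts[src] = "unclassified"
    return verdicts


def egress_kb_per_sec(flows, window_seconds, alert_kbps=100):
    """Outgoing KB/s per source over the capture window, paired with a flag that
    trips at the assumed alert line (hundreds of KB/s with nothing being sent)."""
    out = {}
    for src, s in summarize(flows).items():
        rate = s["bytes"] / 1024 / window_seconds
        out[src] = (round(rate, 2), rate >= alert_kbps)
    return out


if __name__ == "__main__":
    print(classify(FLOWS))
    print(egress_kb_per_sec(FLOWS, window_seconds=10))
```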
     
PER3
Dedicated MacNNer
Join Date: Oct 2002
Status: Offline
Sep 26, 2004, 07:14 AM
 
Originally posted by TETENAL:
I was being sarcastic.

But you are very right. Don't fight the system. It's more important to finish the semester successfully.
Actually, you were being ironic.

Sarcasm, according to the OED is "A sharp, bitter, or cutting expression or remark; a bitter gibe or taunt."

It's used by PC users to address Mac users.
     
All contents of these forums © 1995-2017 MacNN. All rights reserved.