Viruses, Trojans, Malware - and other aspects of Internet Security

Version 2
Last Modified: Apr 19, 2012 11:06 AM

DON’T PANIC! But be aware that the Internet is riddled with potential threats to the security and well-being of your Mac or iOS device. The following (which you are welcome to print out and retain for future reference) seeks to offer some guidance on the main security threats and how to avoid them. If you have further questions please post in the forum appropriate to your particular hardware or operating system.

 

VIRUSES

 

No viruses that can attack OS X have so far been detected 'in the wild', i.e. in anything other than laboratory conditions.

 

It is possible, however, to pass on a Windows virus to a Windows user, for example through an email attachment. To prevent this all you need is the free anti-virus utility ClamXav, which you can download from:

 

For Tiger:  http://www.clamxav.com/download.php#tiger

 

and for Leopard, Snow Leopard and Lion from here:  http://www.clamxav.com/

 

(I have ClamXav set to scan incoming emails, but nothing else.)

 

If you are already using ClamXav: please ensure that you have installed all recent  Apple Security Updates  and that your version of ClamXav is the latest available.

 

Do not install Norton Anti-Virus on a Mac as it can seriously damage your operating system. Norton Anti-Virus is not compatible with Apple OS X.

 

FAKE ANTI-VIRUS SOFTWARE and associated MALWARE (The expression ‘malware’ is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software.)

 

Do not be tricked by 'scareware' that tempts computer users to download fake anti-virus software that may itself be malware.

 

Fake anti-virus software that infect PCs with malicious code are a growing threat, according to a study by Google. Its analysis of 240m web pages over 13 months showed that fake anti-virus programs accounted for 15% of all malicious software.

 

Scammers trick people into downloading programs by convincing them that their PC is infected with a virus.

Once installed, the software may steal data or force people to make a payment to register the fake product.  Examples include MacKeeper and iAntivirus, but there are others. Also, beware of MacSweeper and MACDefender* (also goes under the name of MacProtector, MacGuard, MacSecurity or MacShield): These are malware that mislead users by exaggerating reports about spyware, adware or viruses on their computer in an attempt to obtain payment for an application that does nothing that free utilities do not also offer, and in many cases will also mess up your system.

Malicious software dubbed MACDefender*  takes aim at users of the Mac OS X operating system by automatically downloading a file through JavaScript. But users must also agree to install the software, leaving the potential threat limited.

 

MACDefender* malware was first noted on April 30, 2011 by users of the Apple Support Communities, and was highlighted by antivirus company Intego. If the right settings are enabled in Apple's Safari browser, MACDefender can be downloaded to a system after a user clicks a link while searching the Internet.

 

"When a user clicks a link after performing a search on a search engine such as Google, this takes them to a web site whose page contains JavaScript that automatically downloads a file," Intego said. "In this case, the file downloaded is a compressed ZIP archive, which, if a specific option in a web browser is checked (Open 'safe' files after downloading in Safari, for example), will open."

 

However, users must still agree to install the malware after it downloads. After the ZIP file is extracted, users are presented with the "MACDefender Setup Installer," at which point they must agree to continue and provide an administrator password.

 

Because of the fact that users must agree to install the software and provide a password, Intego categorized the threat with MACDefender as "low."

 

Users on Apple's support forums advise killing active processes from the application using the Mac OS X Activity Monitor. MACDefender* can then be deleted from the Applications folder by dragging it into the trash.

 

*(This malware is not to be confused with MacDefender, the maker of geocaching software including GCStatistic and DTmatrix. The company noted on its site it is not affiliated with the malware.)

Malware spreads through search engines like Google via a method known as "SEO poisoning." The sites are designed to game search engine algorithms and show up when users search for certain topics.

 

A current threat to the Mac OS is the Weyland-Yutani BOT, which is described as a DIY crimewave kit that supports web injects and form grabbing in Firefox; however both Chrome and Safari will soon follow.  'Form grabbing' is a way of collecting passwords:  http://www.csis.dk/en/csis/blog/3195/

 

 

Beware of PDF files from unknown sources. A security firm announced that by its counting, malicious Reader documents made up 80% of all exploits at the end of 2009.:

 

http://www.computerworld.com/s/article/9157438/in which Rogue_PDFs_account_for_80_of_all_exploits_says_researcher

 

TROJANS and RE-DIRECTION TO FAKE WEBSITES

 

The appearance of Trojans and other malware that can possibly infect a Mac seems to be growing, but is a completely different issue to viruses.

 

If you allow a Trojan to be installed, the user's DNS records can be modified, redirecting incoming internet traffic through the attacker's servers, where it can be hijacked and injected with malicious websites and pornographic advertisements. The trojan also installs a watchdog process that ensures the victim's  (that's you!)  DNS records stay modified on a minute-by-minute basis. The most serious current threat is the ‘Flashback Trojan’, described in detail below.

 

Few malicious trojans actually exist for Mac OS X, and those that do rely almost entirely upon duping users to install software that pretends to be legitimate. However, a serious threat , in the form of the FLASHBACK TROJAN, deserves a special mention, and the following should be carefully noted:

 

The ‘Flashback Trojan’:

A version of an existing Trojan Horse posing as a legitimate Flash Player installer (named “Flashback.A” by a security firm) is designed to disable updates to the default Mac OS X anti-malware protection system, potentially leaving the system open to the manual installation of other malware without any system warnings. The most recent versions bypass any user action and automatically installs itself after an affected website is visited.

 

http://www.appleinsider.com/articles/11/10/19/fake_adobe_flash_malware_seeks_to_ disable_mac_os_x_anti_malware_protection.html

 

(Adobe is aware of malware posing as its Flash Player and warns users to ignore any updates that didn't originate on its own servers. "Do not download Flash Player from a site other than adobe.com," said David Lenoe, Adobe's product security program manager, in an entry on Adobe Product Security Incident Response Team's PSIRT blog. "This goes for any piece of software (Reader, Windows Media Player, QuickTime, etc). If you get a notice to update, it's not a bad idea to go directly to the site of the software vendor and download the update directly from the source. If the download is from an unfamiliar URL or an IP address, you should be suspicious.")

 

Flashback Trojan - Prevention of infection:

In order to prevent a potential infection with “Flashback” Trojans, Mac users should always obtain their copy of Adobe Flash Player directly from Adobe’s official website and to disable the "Open 'safe' files after downloading" option in Safari Preferences/General to avoid automatically running files downloaded from the Internet. Also, do not turn on Java in Safari Preferences/Security. Few websites use Java. Javascript is something entirely different and should be left active.

 

The Flashback Trojan does not affect PPC (non-Intel) Macs, nor has it been noted to affect users running Tiger OS 10.4.11 or Leopard OS 10.5.8.

 

Last, but by no means least, using Open DNS is the simplest way of preventing infection in the first place. Open DNS also protects against phishing attacks, re-directs, speeds up your internet connection, and works for all users of OS X from Tiger upwards:

 

http://blog.opendns.com/2012/04/09/worried-about-mac-malware-just-set-up-opendns /

 

How to get it:

 

https://store.opendns.com/get/home-free

 

Flashback Trojan - Detection and Removal

Users with Intel Macs running Snow Leopard OS 10.6 or Lion OS 10.7 should ensure that they have downloaded all the recent Java updates from Apple, which are designed to prevent infection and also remove any infection already present.

New Macs running Lion do not have either Flash Player nor Java installed. If you running Lion and have not already downloaded and installed Java, you should download the ‘Flashback malware removal tool’ from Apple:  http://support.apple.com/kb/HT5246  (356KB) which includes the same code as the Java update that plugged a security hole which allowed the malware to automatically install itself without admin authorization.

 

You can also use this to check whether you have been infected (for Intel Macs only) and remove it if required:

 

http://www.macupdate.com/app/mac/42571/anti-flashback-trojan

 

 

Flashback Trojan - Detection, and how to remove (with caution) if you are running other browsers than Safari:

 

http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

 

 

+++ OTHER ISSUES +++

 

You can check here if you have been infected with DNS Changer malware:  http://www.dns-ok.us/

The DNSChanger Removal Tool detects and removes spyware targeting Mac OS X and allows users to check to see if the trojan has been installed on their computer; if it has, the software helps to identify and remove the offending file. After a system reboot, the users' DNS records will be repaired.

 

SecureMac provides a Trojan Detection Tool for Mac OS X.  It's available here:

 

http://macscan.securemac.com/

 

 

First update the MacScan malware definitions before scanning. You can also contact their support team for any additional support - macsec@securemac.com

 

(Note that a 30 day trial version of MacScan can be downloaded free of charge from:

 

http://macscan.securemac.com/buy/

 

and this can perform a complete scan of your entire hard disk. After 30 days free trial the cost is $29.99. The full version permits you to scan selected files and folders only, as well as the entire hard disk. It will detect (and delete if you ask it to) all 'tracker cookies' that switch you to web sites you did not want to go to.)

 

You can keep up to date, particularly about malware present in some downloadable pirated software, at the Securemac site:

 

http://www.securemac.com/

 

HOW TO AVOID RE-DIRECTION

 

Adding Open DNS codes to your Network Preferences, should give good results in terms of added security (phishing attacks, re-direction etc) as well as speed-up of your internet connection:

 

Open System Preferences/Network. Double click on your connection type, or select it in the drop-down menu, and in the box marked 'DNS Servers' add the following two numbers:

 

208.67.222.222

208.67.220.220

 

(You can also enter them if you click on Advanced and then DNS)

 

Sometimes reversing the order of the DNS numbers can be beneficial in cases where there is a long delay before web pages start to load, and then suddenly load at normal speed:

 

http://support.apple.com/kb/TS2296

 

There may be other ways of guarding against Trojans, viruses and general malware affecting the Mac, and alternatives will probably appear in the future. In the meantime the advice is: be careful where you go on the web and what you download!

 

WHAT TO DO IF YOU THINK YOUR MAC HAS BECOME 'INFECTED' BY A TROJAN

 

If you think you may have acquired a Trojan, and you know its name, you can also locate it via the Terminal:

 

http://theappleblog.com/2009/04/24/mac-botnet-how-to-ensure-you-are-not-part-of- the-problem/

 

GENERAL ADVICE ON HOW TO AVOID INFECTION IN THE FIRST PLACE:

1. Avoid going to suspect and untrusted Web sites, especially p'orn'ography sites.

 

2. Check out what you are downloading. Mac OS X asks you for you administrator password to install applications for a reason! Only download media and applications from well-known and trusted Web sites, i.e. the developers’ own web sites or the Apple App Store.  If you think you may have downloaded suspicious files, read the installer packages and make sure they are legit. If you cannot determine if the program you downloaded is infected, do a quick Internet search and see if any other users reported issues after installing a particular program.

 

3. Use an antivirus program like ClamXav. If you are in the habit of downloading a lot of media and other files, it may be well worth your while to run those files through this AV application.

 

4. Use Mac OS X's built-in Firewalls and other security features.

 

5.  Avoid Peer-to-peer sharing applications. Download torrents (such as the now defunct LimeWire) supplying pirated software, movies etc are hotbeds of potential software issues waiting to happen to your Mac. Everything from changing permissions to downloading trojans and other malicious software can be acquired from using these applications. Similar risks apply to using Facebook, Twitter, MySpace, YouTube and similar sites which are prone to malicious hacking:  http://news.bbc.co.uk/1/hi/technology/8420233.stm

It has been estimated that one in six links posted on Facebook pages are connected to malicious software.

http://www.bbc.co.uk/news/technology-12967254

When a Facebook user clicks on a link that leads to a page with a poor reputation rating given by the WOT community, the user will receive a warning message. Typically, the sites with a poor reputation are known for phishing, untrustworthy content, fraudulent services or other scams."

http://www.macworld.co.uk/news/index.cfm?olo=email&NewsID=3279603

 

6. As stated, resist the temptation to download pirated software. They can contain Botnet Trojans.  Has your Mac been infected by a Botnet? Go here    (removed by ds store, site changed/compromised) (do not enter any information) and it will tell you.

 

SecureMac offer a simple and free tool for the removal of the iBotNet Trojan available here:

 

http://macscan.securemac.com/files/iServicesTrojanRemovalTool.dmg

 

YOUR PRIVACY ON THE INTERNET and the latest risks to look out for:

 

There is the potential for having your entire email contact list stolen for use for spamming:

 

http://www.nytimes.com/2009/06/20/technology/internet/20shortcuts.html?_r=1

 

And if you are using iPhone Apps you are also at risk of losing all privacy:

 

http://www.engadget.com/2010/10/03/hacker-claims-third-party-iphone-apps-can-tra nsmit-udid-pose-se/

 

The advent of HTML5  may also be a future threat to internet privacy:

 

http://www.nytimes.com/2010/10/11/business/media/11privacy.html?_r=1&hp

 

Security of OS X generally:

 

http://www.apple.com/macosx/what-is/security.html

 

http://www.nsa.gov/ia/_files/os/applemac/I731-007R-2007.pdf

 

Security Configuration for Version 10.5 Leopard:

 

http://manuals.info.apple.com/en_US/Leopard_Security_Config_2nd_Ed.pdf

 

This Blog entry is also worth a read:

 

http://blog.damballa.com/?p=1055

 

NOTE: Apple's Snow Leopard and Lion operating systems silently update the malware protection built into Mac OS X to protect against a backdoor Trojan horse that can allow hackers to gain remote control over your treasured iMac or MacBook: Macs running Snow Leopard or Lion now check for new malware definitions daily, allowing Apple to quickly deploy protection from threats before they have a chance to spread. http://www.sophos.com/blogs/gc/g/2010/06/18/apple-secretly-updates

However, if you are running Lion Server:

 

Apple's new server operating system -- OS X Lion -- is said by Stamos to be inherently insecure , and they recommend keeping it off the network altogether and using Macs only as standalone machines connected to IP or Windows networks, not those designed for Macs.

The Mac Server's networking protocols -- especially DHX User Authentication -- are designed for ease of use, not security. It is trivial, Stamos said, for hackers to set up a Mac user to download a file that will overflow the buffer protecting the heap segment of the server's memory, allowing the file's malicious payload to run uncontrolled in the server's memory and give itself whatever access rights it wants.

http://www.macworld.co.uk/mac/news/index.cfm?newsid=3301796&olo=email

 

+++++ MORE POTENTIAL ISSUES +++++

 

PHISHING AND POTENTIAL IDENTITY THEFT:

If you discover that emails are being received by your entire address list which you didn’t send, it is possible that you have been infected by a Botnet. To check whether this is the case, go here http://botnetchecker.com/  (do not enter any information) and it will tell you.

Malware distributors have recently launched a new wave of attacks aimed at taking over unpatched PCs and Macs. They look like routine messages from a bank or a social network, but instead of phishing for passwords, they’re serving up malware:

http://www.zdnet.com/blog/bott/new-wave-of-phishing-attacks-serves-malware-to-pc s-and-macs/4648

HOW SAFE IS YOUR SMARTPHONE?

Another source of malware, apart from sites like Facebook and Hotmail, is the Android Marketplace:

More than 50 applications available via the official Android Marketplace were initially found to contain a virus.

Analysis suggests that the booby-trapped apps may have been downloaded up to 200,000 times. The apps are also known to be available on unofficial Android stores too. Once a booby-trapped application is installed and run, the virus lurking within, known as DroidDream, sends sensitive data, such as a phone's unique ID number, to a remote server. It also checks to see if a phone has already been infected and, if not, uses known exploits to bypass security controls and give its creator access to the handset. This bestows the ability to install any code on a phone or steal any information from it.

Remote removal of the booby-trapped apps may not solve all the security problems they pose. The remote kill switch will not remove any other code that may have been dropped onto the device as a result of the initial infection.

Moreover, more than 99% of Android phones are potentially leaking data that, if stolen, could be used to get the information they store online.

http://www.bbc.co.uk/news/technology-13422308

The data being leaked is typically used to get at web-based services such as Google Calendar.

The open nature of the Android platform was a boon and a danger, and as Facebook have already discovered it is also a very attractive criminal playground.

http://www.bbc.co.uk/news/technology-12633923

Smartphones and social networking sites are becoming the next big target for cyber criminals, according to a security industry report.

Symantec's annual threat analysis warns that the technologies are increasingly being used to spread malicious code.

Users of Facebook, Twitter and Google's mobile operating system, Android, are said to be particularly vulnerable.

In several cases, the security holes were exploited and used to install harmful software on Android handsets - suggesting that criminals now view smartphone hacking as a potentially lucrative area, and Android is still in the firing line:

http://www.bbc.co.uk/news/uk-15600697

Juniper found a 400% increase in Android malware from 2009 to the summer of 2010. The number of malware samples identified in September increased by 28% over the number of the known Android malware samples. October showed a 110% increase in malware sample collection over the previous month and a striking 171% increase from what had been collected up to July 2011.

http://globalthreatcenter.com/?p=2492

 

Several pieces of malware were also found on iPhones, however only devices that had been "jailbroken" to bypass Apple's security were affected.

The company's process of pre-vetting all new applications is believed to have spared its devices from a major attack.

Additional reading:

"Antivirus Software On Your Mac: Yes or No?"

http://gigaom.com/apple/antivirus-software-on-your-mac-yes-or-no/