
MacDefender trojan

28306 Views 137 Replies Latest reply: Dec 4, 2011 2:41 PM by thomas_r.
Linc Davis Level 10 (107,375 points)
May 1, 2011 6:36 PM

I've been following the discussions of this subject, but I have yet to succeed in downloading the trojan or in figuring out how it manages to get installed. I'd appreciate it if someone could send me a direct link. Please don't post the link here or anywhere else on this site. Send it to

macdefendertrojan@mailinator.net

and reply to this thread so I know it's there. Mailinator is a webmail server that automatically creates a throwaway account when it receives mail for any address in the domain. The received messages are automatically deleted after a few hours, so I need to know when to look. I also need the message subject so I can distinguish it from spam. Anyone can access the message. If you do, please use caution.

Instructions on what to Google haven't helped me. My setup is quite locked down and I block a lot of otherwise unwanted content. I need a direct URL.

If I get a positive response, I'll try to analyse the trojan in more detail than I've seen here, and post the results in this topic. Thanks.

Mac OS X (10.6.7)
  • thomas_r. Level 7 (26,920 points)
    May 1, 2011 7:00 PM (in response to Linc Davis)

    I'd also appreciate hearing anything anyone might know, for inclusion in my Mac Virus Guide.  My contact information can be obtained through a link on that page.

    Linc, if you'll send me a real e-mail privately, I'll send you anything that comes to me, and will hope that you'll do the same in return.

  • etresoft Level 7 (23,860 points)
    May 1, 2011 8:04 PM (in response to Linc Davis)

    I have given up looking for it. Here are some instructions from someone who may have actually seen it: https://discussions.apple.com/message/15113320

    Apparently it just installs itself as a Login Item and tries to get $99 from people.

  • thomas_r. Level 7 (26,920 points)
    May 2, 2011 5:46 AM (in response to Linc Davis)

    First, an Installer package is not a "safe" file and shouldn't be opened automatically.

    Absolutely!  I suspect that we'll be seeing a security update to deal with this issue soon.  Hopefully Apple doesn't drag their feet with that.

    Honestly, I'm amazed this hasn't been exploited before, if that option truly opens any zipped installer file.

    Second, unless a package is digitally signed by Apple, the Installer should warn the user that it's unofficial and is not to be trusted.

    Yes, that's true; why isn't quarantine catching this?  There's more going on than it seems.

  • etresoft Level 7 (23,860 points)
    May 2, 2011 7:21 AM (in response to thomas_r.)

    Thomas A Reed wrote:

    Absolutely!  I suspect that we'll be seeing a security update to deal with this issue soon.  Hopefully Apple doesn't drag their feet with that.

    Honestly, I'm amazed this hasn't been exploited before, if that option truly opens any zipped installer file.

    Yes, that's true; why isn't quarantine catching this?  There's more going on than it seems.

    Don't get your hopes up. This isn't a security vulnerability, it is a feature and the default setting.

    I think it has been exploited before. Technically, exploited isn't the right term in the computer sense. Technically, everything is operating as designed and expected. It is just people that are being exploited. People don't know what a ZIP package is. They don't know what an installer is. They believe people who say that Macs have viruses. Then a screen pops up and tells them they do have viruses and asks for $99. They hand it over. This trojan author has probably already made more money than I will this year.

    Quarantine isn't going to catch it because quarantine is designed for legitimate software you download from the internet that doesn't have an installer.

  • etresoft Level 7 (23,860 points)
    May 2, 2011 7:46 AM (in response to Linc Davis)

    I don't think it will. MacDefender exploits the fact that Safari thinks it is a "safe" file. Such files are not trapped by quarantine.

  • thomas_r. Level 7 (26,920 points)
    May 2, 2011 7:49 AM (in response to etresoft)

    This isn't a security vulnerability, it is a feature and the default setting.

    No, it isn't.  A .zip file ought to be a safe file, and could be opened, but that should not result in launching an installer contained within that .zip file, which would absolutely NOT be a safe file.  Yet, somehow, that is happening.

    Quarantine isn't going to catch it because quarantine is designed for legitimate software you download from the internet that doesn't have an installer.

    An installer may, in many cases, be simply an application.  Quarantine does not discriminate...  any application downloaded from the internet via Safari, whether an installer or not, whether zipped, in a disk image or whatnot, should be intercepted by Quarantine.  As for .pkg or .mpkg files, those are not technically applications, but then neither are .html files, yet if you download an archive of zipped .html files from somewhere, Quarantine warns you about those.

    I can't honestly swear, thanks to faulty memory, that I have seen Quarantine kick in when running a downloaded .pkg - but if it doesn't, that is a very, very serious security issue that needs to be addressed ASAP.

  • etresoft Level 7 (23,860 points)
    May 2, 2011 10:28 AM (in response to thomas_r.)

    I just created my own MyTrojan.pkg.zip package. With the default Safari settings, just downloading this file will unzip it and start the installer. I could fill the installer with animated GIFs showing virus scans if I wanted. I could add the application to my Login Items (no authentication needed for that). I could add pre and post install scripts to do just about anything I want. It is quite easy. No password needed. No quarantine. It just works.
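
As an added example (not code from the thread or from any of its posters), a small audit script for the two things argued about above: whether Safari's "Open 'safe' files after downloading" preference is still on, and whether installer-type files in ~/Downloads carry the com.apple.quarantine attribute that Quarantine's warning depends on. The preference key name and the `flags;hex-seconds;agent;uuid` layout of the attribute are from general macOS knowledge, not from the thread, and the script assumes a Mac with the `defaults` and `xattr` tools available.

```python
"""Added example (not from the thread): audit the Safari "Open 'safe' files after
downloading" preference and the com.apple.quarantine attribute on downloaded
installers. Assumes the macOS tools `defaults` and `xattr`."""
import os
import subprocess
from datetime import datetime, timezone

QUARANTINE_XATTR = "com.apple.quarantine"
INSTALLER_EXTENSIONS = (".pkg", ".mpkg", ".zip", ".dmg")


def parse_quarantine(value: str) -> dict:
    """Split a quarantine value laid out as 'flags;hex-epoch-seconds;agent;uuid'.
    The flag bits are not publicly documented, so they are kept as raw hex."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    downloaded = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    return {"flags": parts[0], "downloaded": downloaded, "agent": parts[2],
            "uuid": parts[3] if len(parts) > 3 else ""}


def auto_open_is_enabled(defaults_output: str) -> bool:
    """Interpret `defaults read com.apple.Safari AutoOpenSafeDownloads`. The key
    is absent on a fresh profile and Safari defaults to ON, so only an explicit
    0/false/NO counts as disabled."""
    return defaults_output.strip().lower() not in ("0", "false", "no")


def quarantine_of(path: str):
    """Read the attribute with `xattr -p`; None when the file has no such attribute."""
    res = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                         capture_output=True, text=True, check=False)
    return parse_quarantine(res.stdout) if res.returncode == 0 and res.stdout.strip() else None


if __name__ == "__main__":
    try:
        pref = subprocess.run(["defaults", "read", "com.apple.Safari", "AutoOpenSafeDownloads"],
                              capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        raise SystemExit("`defaults` not found: this check only runs on macOS")
    print("Safari opens 'safe' files automatically:", "YES" if auto_open_is_enabled(pref) else "no")
    downloads = os.path.expanduser("~/Downloads")
    for name in sorted(os.listdir(downloads)):
        if name.lower().endswith(INSTALLER_EXTENSIONS):
            rec = quarantine_of(os.path.join(downloads, name))
            print(f"  {name}:", f"quarantined, downloaded by {rec['agent']} on "
                  f"{rec['downloaded']:%Y-%m-%d}" if rec else "NO quarantine attribute")
```

A .pkg that shows up without the attribute, on a machine where auto-open is still YES, is exactly the case the posts above describe: the installer ran without Quarantine ever seeing it.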

  • WZZZ Level 6 (11,875 points)
    May 2, 2011 10:51 AM (in response to Linc Davis)

    The package is checked against some sort of database of known trojans. Neither MACDefender nor your test package is in that database.

    As well as in the database of any of the AV programs. A clear illustration of the uselessness of AV -- especially ones that purport to do active scanning -- if you are unlucky enough to be among the first (including the first OS X virus in the wild, if and when that appears.)

    All those programs, right now, are staring at this thing with their mouths wide open.

  • ds store Level 7 (30,305 points)
    May 2, 2011 10:51 AM (in response to Linc Davis)

    The malware "MacDefender" is a "drive-by download" utilizing JavaScript.

    It's rather simple to prevent this from occurring:

    1: Download Firefox 4.0
    2: Install the NoScript Add-on
    3: Install the Public Fox Add-on.
    4: Hit the Toolbar Customize and drag the "Temp Allow All This page" NoScript button to the Toolbar
    5: Set up Public Fox to require a password before a download occurs.

    As you surf the web with NoScript, all "scripts", including JavaScript, will be turned off by default.

    If you trust the site and need scripts to run, click the Temp Allow button.

    If your Public Fox pops up asking for your password, you know you got a drive-by download; cancel it and notify the website owner.

    "Public Fox" is searchable at Mozilla as "Public Fox"
