137 Replies Latest reply: Dec 4, 2011 2:41 PM by thomas_r.
Linc Davis Level 10 Level 10 (117,740 points)

I've been following the discussions of this subject, but I have yet to succeed in downloading the trojan or in figuring out how it manages to get installed. I'd appreciate it if someone could send me a direct link. Please don't post the link here or anywhere else on this site. Send it to

 

macdefendertrojan@mailinator.net

 

and reply to this thread so I know it's there. Mailinator is a webmail server that automatically creates a throwaway account when it receives mail for any address in the domain. The received messages are automatically deleted after a few hours, so I need to know when to look. I also need the message subject so I can distinguish it from spam. Anyone can access the message. If you do, please use caution.

 

Instructions on what to Google haven't helped me. My setup is quite locked down and I block a lot of otherwise unwanted content. I need a direct URL.

 

If I get a positive response, I'll try to analyse the trojan in more detail than I've seen here, and post the results in this topic. Thanks.


Mac OS X (10.6.7)
  • 1. Re: MacDefender trojan
    thomas_r. Level 7 Level 7 (27,925 points)

    I'd also appreciate hearing anything anyone might know, for inclusion in my Mac Virus Guide.  My contact information can be obtained through a link on that page.

     

    Linc, if you'll send me a real e-mail privately, I'll send you anything that comes to me, and will hope that you'll do the same in return.

  • 2. Re: MacDefender trojan
    etresoft Level 7 Level 7 (24,265 points)

    I have given up looking for it. Here are some instructions from someone who may have actually seen it: https://discussions.apple.com/message/15113320

     

    Apparently it just installs itself as a Login Item and tries to get $99 from people.

  • 3. Re: MacDefender trojan
    Linc Davis Level 10 Level 10 (117,740 points)

    Here are some instructions from someone who may have actually seen it:

     

    I tried that, and several other searches as reported on this site. Either it wasn't there, or I'm filtering it.

     

    Apparently it just installs itself as a Login Item and tries to get $99 from people.

     

    Some of the victims insist they did not double-click a file in the Finder to launch the trojan. They just went to a web page, and there it was. A javascript can cause a file to be downloaded automatically, and it can simulate the launch of an application, but how does the application get launched automatically for real? That's not supposed to happen. I can't tell from the descriptions whether the victims really know what they did.

     

    A few years ago there was a proof-of-concept remote exploit in which a PowerPC PEF application could be made to look like a data file, such as an MP3. If it had the right HFS type code, that would override the filename extension. I thought that hole had been closed, but maybe it hasn't. If you (a) have Rosetta installed and (b) have Safari configured to open so-called "safe" files automatically, then maybe you're still vulnerable. I'd like to know whether this trojan is a PEF or a Mach-O bundle, and what the filename is.

  • 4. Re: MacDefender trojan
    Linc Davis Level 10 Level 10 (117,740 points)

    It seems from an analysis posted elsewhere that the trojan is distributed as a zipped Installer package. If the option to open "safe" files is set in Safari, the archive is unpacked, and the package is launched automatically. To unsophisticated users, the Installer screen looks like the ones they're used to when installing system updates, so of course they click through it.

     

    There's nothing special about this archive. The same thing happens with any pkg.zip file. I didn't know that, and I'm shocked by it.

     

    I see two implications for Apple.

     

    First, an Installer package is not a "safe" file and shouldn't be opened automatically.

     

    Second, unless a package is digitally signed by Apple, the Installer should warn the user that it's unofficial and is not to be trusted. That wouldn't stop third-party developers from distributing Installer packages, but it might prevent people from mindlessly running the Installer whenever they're prompted to do so.

  • 5. Re: MacDefender trojan
    thomas_r. Level 7 Level 7 (27,925 points)

    First, an Installer package is not a "safe" file and shouldn't be opened automatically.

     

    Absolutely!  I suspect that we'll be seeing a security update to deal with this issue soon.  Hopefully Apple doesn't drag their feet with that.

     

    Honestly, I'm amazed this hasn't been exploited before, if that option truly opens any zipped installer file.

     

    Second, unless a package is digitally signed by Apple, the Installer should warn the user that it's unofficial and is not to be trusted.

     

    Yes, that's true, why isn't quarantine catching this?  There's more going on than it seems.

  • 6. Re: MacDefender trojan
    etresoft Level 7 Level 7 (24,265 points)

    Thomas A Reed wrote:

     

    Absolutely!  I suspect that we'll be seeing a security update to deal with this issue soon.  Hopefully Apple doesn't drag their feet with that.

     

    Honestly, I'm amazed this hasn't been exploited before, if that option truly opens any zipped installer file.

     

    Yes, that's true, why isn't quarantine catching this?  There's more going on than it seems.

    Don't get your hopes up. This isn't a security vulnerability, it is a feature and the default setting.

     

    I think it has been exploited before. Technically, exploited isn't the right term in the computer sense. Technically, everything is operating as designed and expected. It is just people that are being exploited. People don't know what a ZIP package is. They don't know what an installer is. They believe people who say that Macs have viruses. Then a screen pops up and tells them they do have viruses and asks for $99. They hand it over. This trojan author has probably already made more money than I will this year.

     

    Quarantine isn't going to catch it because quarantine is designed for legitimate software you download from the internet that doesn't have an installer.

  • 7. Re: MacDefender trojan
    Linc Davis Level 10 Level 10 (117,740 points)

    Actually quarantining should catch it, but a security update will be needed. I think the default should be not to open any Installer package automatically unless it's signed.

  • 8. Re: MacDefender trojan
    etresoft Level 7 Level 7 (24,265 points)

    I don't think it will. MacDefender exploits the fact that Safari thinks it is a "safe" file. Such files are not trapped by quarantine.

  • 9. Re: MacDefender trojan
    thomas_r. Level 7 Level 7 (27,925 points)

    This isn't a security vulnerability, it is a feature and the default setting.

     

    No, it isn't.  A .zip file ought to be a safe file, and could be opened, but that should not result in launching an installer contained within that .zip file, which would absolutely NOT be a safe file.  Yet, somehow, that is happening.

     

    Quarantine isn't going to catch it because quarantine is designed for legitimate software you download from the internet that doesn't have an installer.

     

    An installer may, in many cases, be simply an application.  Quarantine does not discriminate...  any application downloaded from the internet via Safari, whether an installer or not, whether zipped, in a disk image or whatnot, should be intercepted by Quarantine.  As for .pkg or .mpkg files, those are not technically applications, but then neither are .html files, yet if you download an archive of zipped .html files from somewhere, Quarantine warns you about those.

     

    I can't honestly swear, thanks to faulty memory, that I have seen Quarantine kick in when running a downloaded .pkg - but if it doesn't, that is a very, very serious security issue that needs to be addressed ASAP.

  • 10. Re: MacDefender trojan
    Linc Davis Level 10 Level 10 (117,740 points)

    Such files are not trapped by quarantine.

     

    According to that Apple Support article, downloaded Installer packages are checked for known malware. I had never heard of this myself, but that's what the article says.

  • 11. Re: MacDefender trojan
    etresoft Level 7 Level 7 (24,265 points)

    I just created my own MyTrojan.pkg.zip package. With the default Safari settings, just downloading this file will unzip it and start the installer. I could fill the installer with animated GIFs showing virus scans if I wanted. I could add the application to my Login Items (no authentication needed for that). I could add pre and post install scripts to do just about anything I want. It is quite easy. No password needed. No quarantine. It just works.
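As an added example (not code from this thread or from any poster), here is a small defender-side audit of the pkg.zip shape described above: it opens a downloaded zip without extracting it, reports any .pkg/.mpkg packages inside, and lists bundle-style install scripts (Contents/Resources/preflight, postinstall, etc.) that would run if the Installer were launched. The sample archives are constructed in memory; "MyTrojan.pkg" is the hypothetical name used in the post, not a real indicator.

```python
import io
import zipfile
from posixpath import normpath

# Installer package extensions, and the bundle-style script names that
# Installer runs from <pkg>/Contents/Resources during installation.
PACKAGE_EXTS = (".pkg", ".mpkg")
INSTALL_SCRIPTS = {"preflight", "preinstall", "postinstall", "postflight",
                   "preupgrade", "postupgrade"}

def audit_pkg_zip(zip_bytes):
    """Return {"packages": [...], "scripts": [...], "auto_launch_risk": bool}
    for a zip archive given as bytes. Works on bundle packages (directories)
    and on flat single-file .pkg entries alike."""
    packages, scripts = set(), []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = normpath(name).split("/")
            for i, part in enumerate(parts):
                if part.lower().endswith(PACKAGE_EXTS):
                    packages.add("/".join(parts[:i + 1]))
                    rest = parts[i + 1:]  # path inside the package bundle
                    if (len(rest) == 3 and rest[0] == "Contents"
                            and rest[1] == "Resources"
                            and rest[2] in INSTALL_SCRIPTS):
                        scripts.append(name)
                    break
    # Any package inside the zip is enough for "open safe files" to launch it.
    return {"packages": sorted(packages), "scripts": sorted(scripts),
            "auto_launch_risk": bool(packages)}

def build_sample_zip(entries):
    """Build a zip in memory from {path: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()

# Constructed samples: a bundle package carrying a postflight script, and a
# harmless archive of HTML that should not be flagged.
SUSPECT_ZIP = build_sample_zip({
    "MyTrojan.pkg/Contents/Info.plist": "<plist/>",
    "MyTrojan.pkg/Contents/Resources/postflight": "#!/bin/sh\necho hi\n",
})
BENIGN_ZIP = build_sample_zip({"site/index.html": "<html></html>"})

if __name__ == "__main__":
    for label, data in (("suspect", SUSPECT_ZIP), ("benign", BENIGN_ZIP)):
        print(label, audit_pkg_zip(data))
```

To use it on real downloads, read each .zip in ~/Downloads into bytes and pass it to audit_pkg_zip; a flagged archive is one that Safari's "open safe files" option would unpack and hand to Installer.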

  • 12. Re: MacDefender trojan
    Linc Davis Level 10 Level 10 (117,740 points)

    With the default Safari settings, just downloading this file will unzip it and start the installer.

     

    I agree, that happens, and it shouldn't. I don't agree that the quarantine attribute on installer packages is simply ignored. The package is checked against some sort of database of known trojans. Neither MACDefender nor your test package is in that database.

  • 13. Re: MacDefender trojan
    WZZZ Level 6 Level 6 (12,205 points)

    The package is checked against some sort of database of known trojans. Neither MACDefender nor your test package is in that database.

    As well as in the database of any of the AV programs. A clear illustration of the uselessness of AV -- especially ones that purport to do active scanning -- if you are unlucky enough to be among the first (including the first OS X virus in the wild, if and when that appears.)

     

    All those programs, right now, are staring at this thing with their mouths wide open.

  • 14. Re: MacDefender trojan
    ds store Level 7 Level 7 (30,305 points)

    The malware "MacDefender" is a "driveby download" utilizing Javascript.

     

    It's rather simple to prevent this from occurring:

     

    1: Download Firefox 4.0

     

    2: Install the NoScript Add-on

     

    3: Install the Public Fox Add-on.

     

    4: Hit the Toolbar Customize and drag the "Temp Allow All This page" NoScript button to the Toolbar

     

    5: Setup Public Fox to require a password before a download occurs.

     

    As you surf the web with NoScript, all "scripts" including JavaScript, will be turned off by default.

    If you trust the site and need scripts to run, click the Temp Allow button.

     

    If Public Fox pops up asking for your password, you know you've got a driveby download; cancel it and notify the website owner.

     

    "Public Fox" is searchable at Mozilla as "Public Fox"
