Linc Davis

Q: MacDefender trojan

I've been following the discussions of this subject, but I have yet to succeed in downloading the trojan or in figuring out how it manages to get installed. I'd appreciate it if someone could send me a direct link. Please don't post the link here or anywhere else on this site. Send it to

macdefendertrojan@mailinator.net

and reply to this thread so I know it's there. Mailinator is a webmail server that automatically creates a throwaway account when it receives mail for any address in the domain. The received messages are automatically deleted after a few hours, so I need to know when to look. I also need the message subject so I can distinguish it from spam. Anyone can access the message. If you do, please use caution.

Instructions on what to Google haven't helped me. My setup is quite locked down and I block a lot of otherwise unwanted content. I need a direct URL.

If I get a positive response, I'll try to analyse the trojan in more detail than I've seen here, and post the results in this topic. Thanks.

Mac OS X (10.6.7)

Posted on May 1, 2011 6:36 PM


Page 4 of 10
  • ds store (Level 7, 30,395 points), May 3, 2011 10:25 AM, in response to WZZZ

    WZZZ wrote:
        Is that just a server that comes up with a whois for 69.50.214.53? What would the relationship be between that outfit registered in Phoenix and this malware author?

    Likely none; the host is legitimate, likely a compromised site/server.

    Blocking the IP client side is probably a worthless effort at this time; they got the call.

    I'm guessing this was a test run; could expect to see this thing get tweaked and hosted on many servers next time.

    Sure Apple is going to roll out an update here quick to stop this thing dead in its tracks, even if it changes signature.

  • The hatter (Level 9, 60,935 points), May 3, 2011 10:33 AM, in response to etresoft

    * Use your router firewall to filter and block instead of software.

    * Some programs (TechTool Pro comes to mind) slide in startup and background processes that will remain and almost always require an uninstaller.

  • MadMacs0 (Level 5, 4,791 points), May 3, 2011 8:01 PM, in response to MadMacs0 [marked Helpful]

    The ClamAV signature database has been updated to include two variants of the MacDefender Trojan, so ClamXav will detect all known versions of the .zip, .pkg and .app files associated with it.

    -Al-

  • ds store (Level 7, 30,395 points), May 8, 2011 5:40 PM, in response to MadMacs0

    MadMacs0 wrote:
        The ClamAV signature database has been updated to include two variants of the MacDefender Trojan, so ClamXav will detect all known versions of the .zip, .pkg and .app files associated with it.

        -Al-

    Thanks Al,

    Be sending people your way.

  • ronaldz (Level 1, 5 points), May 9, 2011 9:24 AM, in response to ds store

    You may have a trojan called Mac Defender / Protector / Security.

    Check your Downloads folder and Applications folder to see if it is there. If you do not find it:

    - Go to Safari > Preferences > General and deselect "Open all safe downloads" (may not be exact wording).

    If you find it: DO NOT SIGN UP or GIVE CREDIT CARD INFO....

    Go to Activity Monitor in Utilities and quit the program.

    Trash it from Downloads and the Applications folder; remove it from Login Items in Accounts (System Preferences).

    Boot into safe mode: hold the Option key down when you restart the Mac.

    Look at these locations to see if anything remains; if found, try removing them again.

    Uncheck the Safari preference as above.

    I advise getting security software or waiting for Apple to come up with a security fix.

  • flash8898 (Level 1, 0 points), May 9, 2011 9:57 AM, in response to etresoft

    Mine came through on Firefox... not Safari.

  • etresoft (Level 7, 29,173 points), May 9, 2011 9:58 AM, in response to ronaldz

    ronaldz wrote:
        I advise getting security software or waiting for Apple to come up with a security fix.

    There is no way for security software to reliably detect this trojan. It can be easily changed and already has been. There is also no Apple security fix to address it.

    Mac trojans are fundamentally unlike Windows malware. Because MacOS X is secure to begin with. You, the user, must install the malware. That is the only way to get infected. The only reliable defense is to just not click the "install" button.

    When you install software and hand over your admin password, the software can do anything it wants. Because MacOS X is secure and malware must be installed by the user, there is no way for anti-virus software to stop it.

    Don't put your faith in anti-virus software, don't wait for Apple to release a security fix, just don't install it. Apple has created the Mac App Store as a way to distribute legitimate, trusted software to end users. Most legitimate software can, and should, use the Mac App Store. Being safe from malware on MacOS X is very easy: if you don't trust the installer, don't provide your password. When in doubt, just select "Quit Installer" from the "Installer" menu.
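The point etresoft makes above, that a signature-based scanner trails a trojan whose author can re-release it at will, can be shown in a few lines. The following is an added example, not code from the thread, from ClamAV, or from Apple. It uses the real ClamAV .hdb database format (one line per signature, MD5:FileSize:Name), but SAMPLE_PKG is a constructed stand-in for a downloaded installer, not the real MacDefender package, and the signature name OSX.MacDefender.A is illustrative.

```python
# Added example, not from the thread: why a hash-based AV signature is brittle
# against a trojan whose author can re-release it at will.
#
# ClamAV's .hdb database format is one line per signature, "MD5:FileSize:Name".
# SAMPLE_PKG below is a constructed stand-in for a downloaded installer, not
# the real MacDefender package, and the signature name is illustrative.
import hashlib
from typing import Dict, Optional, Tuple

SAMPLE_PKG = b"\x00\x01BOM" + b"constructed MacDefender.mpkg stand-in " * 8


def hdb_signature(data: bytes, name: str) -> str:
    """Build a ClamAV .hdb style line (MD5:size:name) for a sample."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def load_hdb(text: str) -> Dict[Tuple[str, int], str]:
    """Parse .hdb lines into {(md5, size): name}; blank and '#' lines skipped."""
    sigs: Dict[Tuple[str, int], str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, size, name = line.split(":", 2)
        sigs[(digest.lower(), int(size))] = name
    return sigs


def scan(data: bytes, sigs: Dict[Tuple[str, int], str]) -> Optional[str]:
    """Return the matching signature name, or None when nothing matches."""
    return sigs.get((hashlib.md5(data).hexdigest(), len(data)))


def repack(data: bytes) -> bytes:
    """Simulate the author's trivial re-release: identical behaviour, one
    extra byte (a changed version string would do). Both the hash and the
    size recorded in the signature now differ, so the .hdb entry never matches."""
    return data + b"\n"


# Constructed database containing exactly one signature, for the sample as shipped.
HDB = "# constructed signature database\n" + hdb_signature(SAMPLE_PKG, "OSX.MacDefender.A")


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Scan the original and the repacked variant against the same database."""
    sigs = load_hdb(HDB)
    return scan(SAMPLE_PKG, sigs), scan(repack(SAMPLE_PKG), sigs)


if __name__ == "__main__":
    original, variant = demo()
    print("original :", original)  # OSX.MacDefender.A
    print("repacked :", variant)   # None
```

ClamAV also supports content-pattern signatures (.ndb hex patterns and .ldb logical signatures) that survive a repack as long as the matched bytes are untouched, so the hash case is the weakest one; but any signature, of either kind, exists only after a vendor has seen the variant, which is the gap the user clicking "Install" falls into.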

  • thomas_r. (Level 7, 30,919 points), May 9, 2011 10:16 AM, in response to etresoft

    To back up etresoft, I and several other folks who tested AV software against these trojans saw a several-day delay before the first was recognized by any AV software, by which point many people were already affected, and then another delay when MacDefender morphed into MacSecurity. I'm sure some of the folks fooled by this malware were running AV software at the time.

    Over-reliance on AV software can produce a complacent attitude that results in an easy infection. After all, the software must be okay if the AV software didn't catch it, right?

    That said, though, I do hope that Apple removes .mpkg files from the "safe" file list in Safari and adds them to the list of things to be held in Quarantine. That would go much further towards preventing such outbreaks than any malware-specific protection.
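To see which downloaded installers Safari's "Open 'safe' files after downloading" option would have launched on arrival, the script below audits a Downloads folder by reading each file's com.apple.quarantine attribute. It is an added example, not code from the thread or from Apple. Assumptions: AUTO_OPEN_SAFE is an approximation of Safari's "safe" list at the time (the post above says .mpkg was on it); the quarantine value is taken to be four semicolon-separated fields, flags;hex-timestamp;agent;uuid; and SAMPLE_ENTRIES is constructed for the offline run, not captured from a real machine.

```python
# Added example, not from the thread: audit a Downloads folder for installer
# packages that Safari's "Open 'safe' files after downloading" option would
# have launched on arrival.
#
# Assumptions: AUTO_OPEN_SAFE approximates Safari's "safe" list of the time
# (the thread says .mpkg was on it); a com.apple.quarantine value is taken
# to be "flags;hex-timestamp;agent;uuid"; SAMPLE_ENTRIES is constructed,
# not captured from a real machine.
import datetime
import os
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

AUTO_OPEN_SAFE = {".mpkg", ".pkg", ".zip", ".dmg"}   # assumed approximation
INSTALLER_EXTS = {".mpkg", ".pkg"}                   # what should be held instead


def parse_quarantine(value: str) -> Dict[str, object]:
    """Split a com.apple.quarantine value into flags, download time, agent, uuid."""
    parts = value.split(";", 3)
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags, ts, agent = parts[:3]
    return {
        "flags": int(flags, 16),
        "downloaded": datetime.datetime.fromtimestamp(int(ts, 16), tz=datetime.timezone.utc),
        "agent": agent,
        "uuid": parts[3] if len(parts) == 4 else "",
    }


def audit(entries: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Report every installer package and whether Safari would have auto-opened it."""
    findings = []
    for name, qvalue in entries:
        ext = os.path.splitext(name)[1].lower()
        if ext not in INSTALLER_EXTS:
            continue                       # archives, images etc. are not the concern here
        if qvalue is None:
            findings.append(f"{name}: installer with no quarantine attribute (origin unknown)")
            continue
        q = parse_quarantine(qvalue)
        when = q["downloaded"].strftime("%Y-%m-%d")
        if ext in AUTO_OPEN_SAFE and q["agent"] == "Safari":
            findings.append(f"{name}: installer downloaded by Safari on {when}; "
                            f"would auto-open with the 'safe files' option enabled")
        else:
            findings.append(f"{name}: installer downloaded by {q['agent'] or 'unknown'} "
                            f"on {when}; held in quarantine")
    return findings


def read_quarantine(path: str) -> Optional[str]:
    """Read the attribute with the macOS xattr tool; None if the file has none."""
    r = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                       capture_output=True, text=True)
    return r.stdout.strip() if r.returncode == 0 else None


# Constructed entries (filename, quarantine value); timestamps and UUIDs are placeholders.
SAMPLE_ENTRIES: List[Tuple[str, Optional[str]]] = [
    ("MacDefender.mpkg", "0081;4dc0b2a0;Safari;00000000-0000-0000-0000-000000000001"),
    ("anti-malware.pkg", "0081;4dc0b2a0;Firefox;00000000-0000-0000-0000-000000000002"),
    ("holiday.zip", "0081;4dc0b2a0;Safari;00000000-0000-0000-0000-000000000003"),
    ("old.pkg", None),
]

if __name__ == "__main__":
    downloads = os.path.expanduser("~/Downloads")
    if shutil.which("xattr") and os.path.isdir(downloads):   # live run on a Mac
        entries = [(f, read_quarantine(os.path.join(downloads, f))) for f in os.listdir(downloads)]
    else:                                                     # offline: constructed data
        entries = SAMPLE_ENTRIES
    for line in audit(entries):
        print(line)
```

The preference itself is stored under the com.apple.Safari domain as AutoOpenSafeDownloads; `defaults write com.apple.Safari AutoOpenSafeDownloads -bool false` from a Terminal is the scripted equivalent of the checkbox change recommended earlier in the thread. The audit only tells you what would have happened on arrival; a package that was already auto-opened still needs the manual removal steps.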

  • The hatter (Level 9, 60,935 points), May 9, 2011 11:22 AM, in response to thomas_r.

    Kaspersky for Mac, 4.05.2011 16:10:

    It is detected as either "not-a-virus:FraudTool.OSX.Defma.a" or "HOAX.OSX.FakeAVDefma.a".

    Kaspersky for Mac: MACDEFENDER

  • etresoft (Level 7, 29,173 points), May 9, 2011 11:34 AM, in response to thomas_r.

    Thomas A Reed wrote:
        That said, though, I do hope that Apple removes .mpkg files from the "safe" file list in Safari and adds them to the list of things to be held in Quarantine. That would go much further towards preventing such outbreaks than any malware-specific protection.

    I wish Apple would get rid of that option altogether. It serves no useful purpose to anyone except malware authors.

  • ds store (Level 7, 30,395 points), May 9, 2011 11:55 AM, in response to flash8898

    flash8898 wrote:
        Mine came through on Firefox... not Safari.

    To prevent further infections, install the NoScript add-on for Firefox, and use the toolbar customization to drag the NoScript button to the toolbar for easy enabling and disabling of scripts on a per-site basis.

    Also, if you install Public Fox, you can set a password on the downloads.

    Use the free ClamXav to remove your present infection first, though.

    http://www.clamxav.com/

  • jayv. (Level 4, 1,290 points), May 9, 2011 12:32 PM, in response to Linc Davis

    I have just sent an email to the mentioned email address; any help would be welcome.

  • thomas_r. (Level 7, 30,919 points), May 9, 2011 12:39 PM, in response to jayv.

    Pr0digy V. wrote:
        I have just sent an email to the mentioned email address; any help would be welcome.

    Note that the address Linc posted was just a way to send him a link to the trojan. Did you need assistance beyond what has been offered here?

  • jayv. (Level 4, 1,290 points), May 9, 2011 12:41 PM, in response to thomas_r.

    Hi Thomas,

    I was hoping Linc could provide me with a link to the file or the file itself, as I am researching this subject and am very eager to get my hands on it.

  • ds store (Level 7, 30,395 points), May 9, 2011 12:54 PM, in response to jayv.

    Pr0digy V. wrote:
        Hi Thomas,

        I was hoping Linc could provide me with a link to the file or the file itself, as I am researching this subject and am very eager to get my hands on it.

    Somebody posted it on one of the other threads this morning; might still be active.

    This is it (don't click unless you're a security professional):

    http://jackerst.com/?id=541682
