MacJoseph

Q: Heads Up/Warning Mac Defender

Just as a heads up and warning, there have been two incidents in the last hour or so where users are being redirected and Mac Defender seems to have downloaded itself claiming a virus has been detected. This is a trojan and should be deleted immediately. If you feel you need protection, perhaps installing ClamXav would be an option. Be careful where you're surfing in the Interwebs. Any information you can provide if you encounter this problem would be greatly appreciated, info such as the browser you're using and the website that is redirecting you.

Regards,

Joseph

MacBook Pro, Mac OS X (10.6.7), 2011 MBP 15" 2.0Ghz 4GB RAM

Posted on Apr 30, 2011 10:24 AM

Page 6 of 13
  • MadMacs0, Level 5 (4,801 points), May 3, 2011 9:24 PM in response to MacJoseph

    Hard to say. There are like 150 servers used by clamav.net to distribute database updates around the world. The updater process does its best to figure out the closest one to your location to make it easier to connect and for network balancing. Normally it will try five different mirrors before giving up, but there could be other network issues involved. I've never seen the entire network go down, but individual servers go down or out of date all the time. If it hasn't cleared up in an hour or two, come over to http://markallan.co.uk/BB/viewforum.php?f=1 and we can work it out over there. Meanwhile take a look at your update log for additional clues.

    -Al-

  • MacJoseph, Level 3 (595 points), May 4, 2011 5:19 AM in response to MadMacs0

    MadMacs

    Thanks, will do that.

    Joseph

  • crm92, Level 1 (0 points), May 6, 2011 9:38 PM in response to MacJoseph

    Hi

    I am having trouble with this program that downloaded from Google. Mine is not called MacDefender, but MacProtector. I tried downloading ClamXav and it asks for updates which it can't get because they are supposedly being interrupted. Since this program downloaded, my other internet server, Google Chrome, is starting on its own and is taking me to web pages which I didn't want to visit. I don't know what to do, I am worried. I hope you can help me.

  • MadMacs0, Level 5 (4,801 points), May 6, 2011 10:34 PM in response to crm92

    If it's like MacDefender there is nothing to worry about until you give those people your credit card number.

    For help with ClamXav come over to the forum and somebody will help you with that. There's a link to it in my reply at the top of this page.

    Again, if this program is the same as MacDefender then to disable it reboot with the shift key held down into safe mode. Find MacProtector (probably in your Applications folder), drag it to the trash, empty the trash and reboot in the regular manner.

    So yesterday they started using MacSecurity and you are telling me that today it's called MacProtector?! I don't see how we can possibly keep up if they change it every day. At any rate, my guess is that none of the AV software folks will be able to find this new variety of MacDefender, so we need your help to get it to the folks that can take care of that. We need to find the file that initially downloaded to your computer. It's probably in your download folder and may still be called "BestMacAntivirus2011.mpkg.zip" or something similar. I need you to upload it to VirusTotal and check to see if it is identified by "clamav". If it's not then please upload it to clamav and we can get started on updating the database.

  • MadMacs0, Level 5 (4,801 points), May 7, 2011 12:44 AM in response to MadMacs0

    That file in your download folder might now be called "Archive3.zip". If you see anything else in your download folder that doesn't sound familiar, upload that, as well. Best to keep your download folder clear of old files so that you will quickly see anything there that shouldn't be.

  • R C-R, Level 6 (17,690 points), May 7, 2011 4:04 AM in response to ds store

    ds store wrote:

    Eric Brian wrote:

    Sophos also offers their antivirus for free for Mac home users:

    http://www.sophos.com/en-us/products/free-tools.aspx

    Always on anti-virus is still unnecessary on a Mac and often conflicts with OS X changes.

    Just some common sense is needed and a little more attention by Apple in preventing drive by downloads.

    Whether or not always-on AV scanning software is necessary or desirable is something every user should decide for themselves, based on their expertise & familiarity with the OS. There are no known viruses in the wild that affect OS X, but there are many other kinds of malware that can affect OS X users.

    This is especially true of trojans like MacDefender (& a new variant called MacProtector) because they trick users into installing their payloads by pretending to be something they are not. Apple can't prevent this, short of building the same kind of definition-based AV detection into the OS that stand-alone AV apps provide.

    Apple has in fact done exactly that in recent updates to Snow Leopard; however, because OS updates are released infrequently & so far Apple has included just a few older trojan variant definitions, this offers no protection for emerging ones.

    That is the primary benefit of third party AV apps: their catalogs of malware definitions are usually much more extensive & updated far more frequently, for some products within hours of the discovery of a new threat. For example, the Sophos definitions were updated to detect MacProtector less than 24 hours after it appeared. By default, the free Sophos home edition software is set to check for updates every hour, so its users would be exposed to so-called zero day attacks for less than a day.

    FWIW, I have been using the free Sophos product since last November. It has not interfered with any OS update in any way.

    Also note that common sense alone won't prevent these newer attacks from being downloaded. The MacProtector variant downloads before the web page is rendered. Users still have to be tricked into installing it, but just visiting the bogus site that hosts it will place a copy of its deceptively named zip archive in the downloads folder.

  • jsd2, Level 5 (6,210 points), May 7, 2011 6:21 AM in response to R C-R

    R C-R wrote:

    The MacProtector variant downloads before the web page is rendered. Users still have to be tricked into installing it, but just visiting the bogus site that hosts it will place a copy of its deceptively named zip archive in the downloads folder.

    In this instance I found this to be true for Safari, but not for Firefox.

    As a test yesterday I created a new standard user account and from there tried using plain-vanilla browser environments to access a website I knew was infected with MacSecurity malware. For Safari v5.05 my only change from the initial default preferences was to first uncheck the box for "Open 'safe' files after downloading." For Firefox 3.6.17 I made no changes to the default preferences at all, and I didn't install any extra add-ons.

    On visiting the infected website, I got the same phony flashing display with both browsers. Safari proceeded to download the malware Zip file automatically, with no further input from me. Firefox did not download anything and instead asked me if I wanted to save the zip file:

    [screenshot omitted]

    I haven't tested other browsers.

  • edinburghlad, Level 1 (0 points), May 7, 2011 1:17 PM in response to MacJoseph

    Hi Joseph,

    I have tried to put the MacDefender into my Trash but it will not let me as MacDefender is still running. Any ideas how to close it down?

    I am a bit of a dunce when it comes to IT so an idiot's guide would be appreciated.

    John

  • R C-R, Level 6 (17,690 points), May 7, 2011 1:51 PM in response to edinburghlad

    Several posts in this & related topics mention ways to shut down (quit) MacDefender. This post (by MacJoseph on page two of this topic if the link isn't working for you) mentions one way using Activity Monitor.

  • OBRA3, Level 1 (0 points), May 8, 2011 1:17 AM in response to MacJoseph

    Definitely got hit by Google Images too. Ended up downloading the anti-malware.zip. Of course I had the open "safe" files checked in Safari prefs and the file was nice enough to open itself and open the installer. I was of course very unhappy at this point as my computer houses a lot of sensitive information. I closed the installer out and then ran my security software on the zip file- which houses MacProtector.mkpg. It immediately picked up on the MacDefender trojan and cleaned it.

    Definitely take the steps in the above posts. Personally, I tried Clam but it was a little too basic and went with VirusBarrier X6 Dual Protection (provides Panda Antivirus if you're running a virtualized Windows machine) from Intego software- wasn't a big fan of Norton either- total bloatware. So far I haven't experienced any slowdowns and it does its job. It may be overkill for some people but I'm happy as it warns me if there's anyone sniffing for open ports etc- and I can schedule full scans so they happen in the middle of the night.

    I also went through and ritualistically cleaned out all my cookies. Bleh- and am also scanning the computers on my network. Ugh.

    Biggest thing I learned- un-click the "open safe files" check box.

    Other lessons for folks:

    1. Unless you requested something to download and something downloads- don't trust it. EVER.

    2. Mac viruses/trojans are on the rise. Get used to it and forget the "I'm ok cuz I have a Mac."

    I've been a Mac user since 91 and it's only been in the last year or two that I've taken to buying anti-virus software.

    3. Don't open e-mail attachments/links in e-mails- A. from strangers B. from people you know if it seems out of the ordinary. Even then if it's from your friends check and hover (in some e-mail clients) over the link and see if it goes where it says it goes.

    4. Use a service like Google Mail- they're pretty good about weeding out trojan/virus e-mails- but even then some still get through. Default to lesson 3.

    5. Don't ever click on e-mail links from your "bank" or the "IRS". Go to the website directly by typing it in your browser.

    6. You have not won the lottery in the UK or have a rich uncle who passed away in some far off land.

    7. Just be careful with your Google/Yahoo/Bing searches.

    8. Update your software on a regular basis- OS X, Microsoft, Adobe. (They have updaters included with their software.)

    Best of luck out there - and don't be scammed.

  • jayv., Level 4 (1,290 points), May 8, 2011 12:49 PM in response to MacJoseph

    Hi,

    I'm researching the MAC Defender issues and would love to get my hands on it. I need a website where I can download it because after two days of googling and visiting some very shady websites.... I still got nothing.

    Any help greatly appreciated.

    Jay

  • R C-R, Level 6 (17,690 points), May 8, 2011 1:14 PM in response to OBRA3

    OBRA3 wrote:

    Biggest thing I learned- un-click the "open safe files" check box.

    It doesn't matter much if that option is checked in Safari or not. Either way, the malware still ends up in the designated Downloads folder, & until it is installed with an intentional click of Installer.app's "Install" button, it can't do anything more insidious than taking up a tiny amount of HD space.

    Personally, I think I might rather have the Installer app launch to let me know right then & there that something I didn't ask for had just been downloaded instead of discovering it later in the Downloads folder & wondering where it came from or maybe confusing it with something I did intentionally download.

    Regardless, the most important thing to learn from this is not to install anything that you are not completely sure of. A quick search of the web should give you a good idea about the app's legitimacy -- if it doesn't, or anything looks fishy about what you do find then don't install it.
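
As an added illustration (not code from any poster in this thread), a small shell audit for the two things the last few posts turn on: whether Safari's "Open 'safe' files after downloading" option is still enabled, and whether any archive or installer package has recently landed in the Downloads folder, which the malware does regardless of that setting. It assumes Safari stores that option under the preference key AutoOpenSafeDownloads (absent when the default, which is on, was never changed) and takes the folder to inspect as an argument.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: Safari's option lives in
# com.apple.Safari under the key AutoOpenSafeDownloads (missing means the default,
# which is ON), and the caller passes the folder to inspect.

# Map a raw `defaults read` value to enabled/disabled. An empty value means the
# key was never written, i.e. Safari's default of opening "safe" files is in force.
classify_auto_open() {
  case "$1" in
    0|false|NO|no) echo "disabled" ;;
    *)             echo "enabled" ;;
  esac
}

# Read the live Safari setting; reports "unknown" off macOS where `defaults` is absent.
safari_auto_open_status() {
  if ! command -v defaults >/dev/null 2>&1; then
    echo "unknown"
    return 0
  fi
  classify_auto_open "$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)"
}

# List archives and installer packages in a folder modified within the last N days
# (default 1). These are the forms the posts above report the trojan arriving in.
recent_installer_files() {
  dir=$1
  days=${2:-1}
  find "$dir" -maxdepth 1 -mtime "-$days" \
    \( -iname '*.zip' -o -iname '*.pkg' -o -iname '*.mpkg' -o -iname '*.dmg' \) \
    -print | sort
}

# Number of such files; anything above zero that you did not ask for deserves a look.
count_installer_files() {
  recent_installer_files "$1" "${2:-1}" | grep -c . || true
}

# Usage: sh audit.sh ~/Downloads
if [ "$#" -gt 0 ]; then
  echo "Safari auto-open of 'safe' files: $(safari_auto_open_status)"
  echo "Recent archives/installers in $1: $(count_installer_files "$1")"
  recent_installer_files "$1"
fi
```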

  • OBRA3, Level 1 (0 points), May 8, 2011 1:34 PM in response to R C-R

    Yup- that is true. It won't auto install but it still prevents the installer from opening on its own in the first place.

    I always have the downloads open all the time so I did see that something did download.

    And agreed- don't install.

  • MadMacs0, Level 5 (4,801 points), May 8, 2011 2:19 PM in response to jayv.

    Sorry, but all my sources have gone quiet and I haven't seen any reports of new infection today. I'm sure they will show up again soon. Maybe taking the day off (Mother's Day, Sunday, ...)?

  • R C-R, Level 6 (17,690 points), May 8, 2011 3:21 PM in response to MadMacs0

    It is pretty much the nature of the rogue web pages that pop into existence via SEO (search engine optimization) poisoning attacks to disappear again not long after they are identified as such. The few I've seen don't even have DNS names, just numeric IP addresses -- another indication that they are not a part of a legitimate web site.
