Q: MacDefender trojan

I have been through all of them and have not found anything that worked. Got a link to the specific post you are referring to?

It's not working anymore.  This malware has gotten to be much harder to find...  I was stumbling across it every few minutes on Google Images a couple days ago.  Now I can't find a single working link.  I'm not sure why that might be, but it's a very good thing, IMO.

I'm not sure why that might be, but it's a very good thing, IMO.

I agree, unless they are rebuilding/renaming it again then we might see it back in another form.

Hopefully people got a bit wiser now as to just clicking everything without thinking.

If you happen to come across it please keep me in mind, mailmethebug@mailinator.com

Pr0digy V. wrote:

 

I have been through all of them and have not found anything that worked. Got a link to the specific post you are referring to?

Hit the MacRumors forums, the script kiddies there would be glad to email you a altered copy.

You really want to leave that email address out in the open like that?

Edited the post right as you commented

There should be a 1:1 messaging feature in this forum!

(maybe there is now and i have yet to find it, not too familiar with the new design and layout yet)

use Mailinator

http://www.mailinator.com/

There is no PM here. If you're going to put up your address, which I don't recommend, at least don't put it up in link form so it can be picked up by a bot. e.g. uty at blah blah. com

Thanks for the tip, not sure how the site works exactly but created an address and put it up in the earlier post.

I wouldn't think everyone who wants a copy of this Trojan is doing a benign research project. A few copy-cats are looking for this, too.

ds store:

You don't need Text Wrangler, or Terminal as some have suggested, to edit hosts:

Click the "Go" menu and choose "Go to folder".

Type: /etc

Click "Go"

View as columns. Find "hosts" in the right column. Drag it it the desktop to copy it. Open the copy with TextEdit. Between "127.0.0.1 localhost" and " 255.255.255.255 broadcasthost", make a new line and type "127.0.0.1 bad.ad.site.com". After editing, the text should look something like this:

##

   1. Host Database

#

   1. localhost is used to configure the loopback interface

   2. when the system is booting. Do not change this entry.

##

127.0.0.1 localhost

127.0.0.1 bad.ad.site.com

255.255.255.255 broadcasthost

::1 localhost

Save the hosts file. Drag it back to the same "/etc" window to replace the original hosts file. Click the "Authenticate" button in the message. Type your admin password. Agree to replace the original. Restart.

You shouldn't remove the "127.0.0.1 localhost" line either. All block site lines should reflect the same IP as localhost (127.0.0.1). Keep it simple.

As for NoScript, the "log in" link for this discussion site uses a redirect now (from discussions.apple.com to daw.apple.com). NoScript blocks this very discussion until you make an allowance.

As "The Hatter" mentions (I think; he's over my head in his lingo), some apps cannot be turned off by Activity Monitor. Shouldn't the developer of Mac Defender be studying ways to make it stick better (reload itself like TechTool Pro)? Then we can't turn it off in Activity Monitor. Safe Boot should still nix it.

Now for my question:

Why does Mac Defender ask for a password? Couldn't it simply install by letting the user click the "Install" button? If I were a crook, I wouldn't want to make it any more difficult than necessary to get the credit card info... unless... maybe something much more insidious is afoot. This guy may have additional hacks at hand involving stollen passwords, so why is no one suggesting that part of the process of recovering from Mac Defender include changing the admin password?

EDIT: OMG, Apple has added an edit button! Will wonders never cease? And I thought they weren't listening when I griped about Keynote not letting me set a song to play for exactly X number of slides like PowerPoint has done for so many years. I'll be looking for that Keynote update any day now.

Now for my question:

Why does Mac Defender ask for a password?

It doesn't.  There's been a lot of FUD about MacDefender authenticating to root, but it never does.  The Apple installer, used to open and install the components in the .mpkg file the malware is packaged in, requests your admin password so the app can be moved into the Applications folder.   The trojan never gets that kind of access.

Moof666 wrote: As for NoScript, the "log in" link for this discussion site uses a redirect now (from discussions.apple.com to daw.apple.com). NoScript blocks this very discussion until you make an allowance.

This really isn't on topic, but I'm not seeing this with NoScript. The log in page is using daw.apple.com. Once log in is completed, there is a redirect to discussions.apple.com. Either Firefox, itself, with a preference setting, or the RefreshBlocker Add-on will block this redirect, but I'm not seeing NoScript getting involved at all. I have apple.com permanently whitelisted in NS.

There's an easy MacDefender kill program at Macupdate that eradicates it and patches Safari to not run "safe" files anymore:

http://www.macupdate.com/app/mac/38520/macdefenderkiller

Easy and free and is great in a lab environment where you have to kill it on multiple machines.

Did you tried it? Does this also eradicate the malware from Time Machine's backups?