100 Replies. Latest reply: Jun 26, 2013 4:29 PM by MadMacs0
ds store Level 7 (30,305 points)

Two detailed articles that go into greater depth on the malware attacking Mac users.

http://www.securelist.com/en/blog/6211/Rogueware_campaign_targeting_Mac_users

http://blog.unmaskparasites.com/2011/05/05/thousands-of-hacked-sites-seriously-poison-google-image-search-results/

If you're new to the party:

Mac-targeted trojans are making their rounds mostly via poisoned images from Google.

The exploit depends upon JavaScript; you can choose to turn it off in Safari preferences, however large portions of the web don't display or operate correctly without JavaScript running.

An easier preventative option would be to use Firefox and the NoScript add-on; use Firefox toolbar customization to drag a NoScript button to the toolbar.

NoScript turns off all scripts and plug-ins by default, which you enable on a per-site, per-need, per-visit basis by clicking the NoScript button.

Firefox also has a pop-up window with an opt-out before the download occurs, another safety step.

If you have click-happy types, it's advised to install the Public Fox add-on as well and set a password on the browser downloads.

 

 

If you have the trojan web page on your Mac's screen, simply use Apple Menu > Force Quit to quit the browser.

If you've downloaded but not run the installer, delete it immediately from your Downloads folder.

If you've installed the trojan and gave it your admin password, you need to back up your files to an external drive, boot off the installer disk, use Disk Utility > Erase with Zero on your whole boot drive, reinstall OS X fresh, re-install all programs from original sources, scan your files with AV software and then return them to your computer.

If you gave the AV software your credit card information, you need to call the credit card company, cancel the charge and freeze it. Assume your identity has been stolen and take appropriate action to defend your identity.

http://www.ftc.gov/bcp/edu/microsites/idtheft/

 

 

Some other advice:

Use only low-amount debit/credit cards online, with amounts you're willing to risk losing.

Do not enable overdraft protection on these online-type cards.

Maintain the bulk of your funds in more secure accounts with no user electronic access (keep the blame for loss entirely on the bank).

Beware that banks and credit card companies like to increase your credit/debit card limits without notice.

If you lose a considerable amount of funds through electronic means in your control, like an ATM, credit card, debit card or online banking, expect a very long and tiresome legal battle to hopefully regain those funds and prove fault.

 

 

(note: I receive no compensation for mentioning these sites/articles or their solutions, etc.)


MacBook Pro, Mac OS X (10.6.7), 17" Quad XP, Vista, 7, Linux(s)
  • 1. Re: Mac Malware/poisoned images
    WZZZ Level 6 (12,225 points)
    If you've installed the trojan and gave it your admin password, you need to back up your files to an external drive, boot off the installer disk, use Disk Utility > Erase with Zero on your whole boot drive, reinstall OS X fresh, re-install all programs from original sources, scan your files with AV software and then return them to your computer.

    Did you learn something new that's making you say this? We had been thinking, until now, that simply trashing the files would be enough. Or is this coming from taking no chances / better safe than sorry? That's pretty drastic medicine.

    So far, I only skimmed the second link you gave, and maybe that's why I didn't notice it, but I didn't see an explanation for needing to do a clean install.

    NoScript turns off all scripts and plug-ins by default, which you enable on a per-site, per-need, per-visit basis by clicking the NoScript button.

    Turns off all plug-ins?

  • 2. Re: Mac Malware/poisoned images
    ds store Level 7 (30,305 points)

    WZZZ wrote:

    Did you learn something new that's making you say this? We had been thinking, until now, that simply trashing the files would be enough. Or is this coming from taking no chances / better safe than sorry? That's pretty drastic medicine.

    So far, I only skimmed the second link you gave, and maybe that's why I didn't notice it, but I didn't see an explanation for needing to do a clean install.

    If the Admin password was not given to the Trojan, then the browser needs to be Force Quit, rogue Login Items unchecked, and a thorough search made for malware program files, which are then removed.

    A complete reinstall of OS X isn't necessary if the Admin/root password was not given.

    WZZZ wrote:

    NoScript turns off all scripts and plug-ins by default, which you enable on a per-site, per-need, per-visit basis by clicking the NoScript button.

    Turns off all plug-ins?

    NoScript doesn't turn off all plug-ins on default install of the add-on for you?

    Plug-ins: Flash, Java, QuickTime, Silverlight?

    Does here. After all, Flash is the biggest exploit angle.

  • 3. Re: Mac Malware/poisoned images
    WZZZ Level 6 (12,225 points)

    NoScript doesn't turn off all plug-ins on default install of the add-on for you?

    Plug-ins: Flash, Java, QuickTime, Silverlight?

    Does here. After all, Flash is the biggest exploit angle.

    Was getting thrown by the term "turn off." (Since, when I "turn off" a plug-in, I think "disable" from Tools > Add-ons > Plug-ins.) I'm thinking placeholders. But, you're right, that is what's happening.

    Still don't understand your recommendation for a clean install if the user gives the password. Again, I thought it had been established that just cleaning out the malware files was adequate. That's why I'm asking what new did you learn, if anything, to lead you to recommend this drastic remedy?

  • 4. Re: Mac Malware/poisoned images
    ds store Level 7 (30,305 points)

    WZZZ wrote:

    Still don't understand your recommendation for a clean install if the user gives the password. Again, I thought it had been established that just cleaning out the malware files was adequate. That's why I'm asking what new did you learn, if anything, to lead you to recommend this drastic remedy?

    None other than the website at the link stating it needs the root password to install.

    "For the application to be installed, the user needs to input his root password."

    http://www.securelist.com/en/blog/6211/Rogueware_campaign_targeting_Mac_users

    It's wrong to assume this malware or any malware is going to remain what it is. Or to assume what you see is what you get.

    If the code of this present version of the malware was examined and found not to cause any further damage beyond installing itself, then that's one thing, but the potential to do more damage is there in future or other versions of this exact malware.

    Remember, a goal of a lot of these malware authors is to gain control of the machine for later use.

    If they know their rogue code is going to attract attention, they could be using "MACDefender" as a cover, hope to get some fools dropping $99, let people THINK that it's an easy removal when in truth it installs or changes something much more covert, calls home, opens a port or takes some other action that will allow return access later.

    So far this malware has changed:

    Best Mac Antivirus, MACDefender, MACProtector, MACSecurity, Apple Security Center...

    If the user doesn't give it (or any malware) the admin password, perhaps just removing the files like before will be adequate, depending upon the privilege level the malware was run in and upon close examination of its code.

    However, most users just can't simply assume the malware they see is the same one as before and that a simple deletion is fine and dandy.

    To refresh:

    OS X has three "privilege levels": General, Admin and Root.

    Without using some sort of privilege escalation exploit, any malware running uses the privileges of the user level it's running in.

    Root user is turned off by default, however an Admin-level user can access the "sudo window" of 5 minutes of Root User privileges by giving their Admin password to a rogue program.

    This is how Software Updates, program installs across users, hooks into the operating system etc., are performed.

    So the following situations can occur depending on what the user privilege level is and what the user does with the malware.

    A: Very bad: (root level access)

    If the user gives the admin password to any malware, the malware has a 5-minute "root user" time window to do whatever it pleases to the computer. Complete and total access to everything, including firmware. There is hope that if the firmware(s) wasn't attacked, the user can simply boot off the installer disk, zero their boot drive in Disk Utility and reinstall OS X.

    Most likely, if a user gives malware their admin password, they are going to need professional help to ensure the firmware isn't compromised or the malware can return.

    B: Can be very bad: (admin level access)

    If the user is an Admin User and any malware is run, with no password entered, it can certainly do a considerable amount of damage, alter programs and root the machine eventually by slow methods including privilege escalation(s). It most certainly can delete or encrypt user files.

    Since OS X is set up with the first user being an Admin, and a lot of people remain that first Admin user, in this case it's perhaps best not to take any chances and back up > reinstall OS X, fresh programs from sources etc., to completely clear the machine.

    If one has the capability to examine the malware code before it's run and has the opportunity to delete parts of it, is well trained in programming and so forth, naturally a complete wipe and reinstall is unnecessary; they know that already.

    C: Is bad, but easily recovered if certain things don't happen. (general user access)

    If the user is a General User and any malware is run, with no password entered, it can do damage to user files. If they are then encrypted like what ransomware does, then it's bad if there is no uninfected backup of the data.

    Rogue code has the least amount of access in General User, thus it's easier to remove as it's confined to the General User's access folders. Once it's all found and removed, the computer's security should be restored.

    Still, the malware could upload all user files, and unencrypted files could be read by others.

    So, since this malware asks for the Admin password to install, it has to be assumed it had total and complete access to the machine.

    If the user can't understand the code, then they really don't know if the simple removal methods were adequate enough.

  • 5. Re: Mac Malware/poisoned images
    thomas_r. Level 7 (27,930 points)
    If you've installed the trojan and gave it your admin password, you need to back up your files to an external drive, boot off the installer disk, use Disk Utility > Erase with Zero on your whole boot drive and reinstall OS X fresh

    I have played with this trojan extensively, and nothing that I have found supports this recommendation. Following the MacDefender/MacSecurity/MacProtector removal instructions on my blog is adequate. For that matter, even if reinstallation of the system was required, zeroing out the entire drive would serve no purpose whatsoever.

  • 6. Re: Mac Malware/poisoned images
    thomas_r. Level 7 (27,930 points)

    So far this malware has changed a lot:

    Best Mac Antivirus, MACDefender, MACProtector, MACSecurity, Apple Security Center...

    Actually, it has not changed at all in the last week, to my knowledge. I have continued to locate and examine recent copies, and they are all just MacProtector. Further, you're obviously confused as to your terminology here. There has never been a variant called "Best Mac Antivirus"... the initial version of this trojan, MacDefender (not "MACDefender"), came in a .zip file named "BestMacAntivirus2011.mpkg.zip". MacSecurity and MacProtector are distributed from sites that say "Apple Security Center" at the bottom (see the following screenshot).

    Please, we do not need this kind of misinformation confusing people about this issue!

     


  • 7. Re: Mac Malware/poisoned images
    ds store Level 7 (30,305 points)

    Thomas A Reed wrote:

    If you've installed the trojan and gave it your admin password, you need to back up your files to an external drive, boot off the installer disk, use Disk Utility > Erase with Zero on your whole boot drive and reinstall OS X fresh

    I have played with this trojan extensively, and nothing that I have found supports this recommendation. Following the MacDefender/MacSecurity/MacProtector removal instructions on my blog is adequate. For that matter, even if reinstallation of the system was required, zeroing out the entire drive would serve no purpose whatsoever.

    Again Thomas, you're assuming things are the way they are and not what they can be or are going to be.

    That's exactly how the malware authors want people to think. And that's why they purposely put out low-grade versions of their malware first, to flood the web with outdated, ineffective removal techniques, just so they can release the more potent variant and have people assume a few simple deletions here and there are going to suffice.

    It's wrong to get lazy on malware: "ah, you don't need to zero your drive and reinstall", "just delete this and that and you're done".

    That's fine for this particular version of malware today, but not for the ones tomorrow or on another server someplace, is what I'm trying to say.

    This "MacDefender" obviously needs social engineering in order to work, so something has to be "gamed" on the user to accomplish that and not to cause further security or from the user doing the exact thing I'm recommending, which is a complete Zero and install.

    If "Boris" is meant to suggest the malware authors are Russian, you need to know Russians enjoy chess immensely.

    If we assume what we see now as a given, then we give the malware authors the chance to change things to suit their needs; we will be behind in all steps, they control the game.

    Am I making sense?

  • 8. Re: Mac Malware/poisoned images
    Allan Eckert Level 8 (41,525 points)

    No.

     

    Allan

  • 9. Re: Mac Malware/poisoned images
    ds store Level 7 (30,305 points)

    Allan Eckert wrote:

     

    No.

     

    Allan

     

    Are you being a smart @ss?

  • 10. Re: Mac Malware/poisoned images
    WZZZ Level 6 (12,225 points)

    Actually, this might make some perk up their ears.

     

    http://x704.net/bbs/viewtopic.php?f=17&t=5307

     

    I'd assume this is the commercial version of Sophos.

     

    this is of extreme interest at my workplace. our receptionist DLed it this week supposedly surfing MSN

    sophos picked it up on her iMac. we had a chance to take it apart a little bit

     

    Quote:

    Scan items:
    Path: /Users/[name removed]/Downloads/death/anti-malware.zip enabled: yes
    Configuration:
    Scan inside archives and compressed files: Yes
    Automatically clean up threats: No
    Action on infected files: Report only

     

    Scan started at 2011-05-10 15:32:53 -0700

     

    2011-05-10 15:32:53 -0700 Threat: 'OSX/FakeAV-A' detected in /Users/nate/Downloads/death/anti-malware.zip/MacProtector.mpkg/Contents/Packages/macprotector.pkg/Contents/Archive.pax.gz/Archive.pax/./MacProtector.app/Contents/MacOS/MacProtector

     

    Scan completed at 2011-05-10 15:32:53 -0700.
    1 items scanned, 1 threats detected, 0 issues

     


    Looking at the payload, it looks like it root kits the OS:

     

    /usr/lib/dyld
    /System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
    /System/Library/Frameworks/WebKit.framework/Versions/A/WebKit
    /usr/lib/libgcc_s.1.dylib
    /usr/lib/libSystem.B.dylib
    /usr/lib/libobjc.A.dylib
    /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
    /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
    /System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
    /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
    /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit

  • 11. Re: Mac Malware/poisoned images
    Allan Eckert Level 8 (41,525 points)

    Since you asked, you strike me as totally paranoid.

     

    Allan

  • 12. Re: Mac Malware/poisoned images
    ds store Level 7 (30,305 points)

    Looking at the payload, it looks like it root kits the OS:

     

    /usr/lib/dyld

    /System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa

    /System/Library/Frameworks/WebKit.framework/Versions/A/WebKit

    /usr/lib/libgcc_s.1.dylib

    /usr/lib/libSystem.B.dylib

     

    Well there it is there.

     

     

     

    Since you asked, you strike me as totally paranoid.

     

    Allan

     

     

    I rebuild people's infected Windows computers, what do you expect?

  • 13. Re: Mac Malware/poisoned images
    andyBall_uk Level 7 (20,320 points)

    >>Looking at the payload, it looks like it root kits the OS:

    snip...

    Unless that's a very different variant from those I've seen - they're just strings from inside the application, (eg - /Applications/MacProtector.app/Contents/MacOS/MacProtector) not actual files to be installed.
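The distinction andyBall_uk draws (paths embedded in the executable as link-time dependencies, versus files a package actually drops) can be checked by reading the Mach-O load commands, which is what `otool -L` reports. The Python below is an added example, not code from this thread: it builds a constructed 64-bit Mach-O stub carrying two `LC_LOAD_DYLIB` commands for paths quoted in the thread and parses those paths back out; the `MH_EXECUTE` filetype and x86_64 cputype are assumed sample values, and `/usr/lib/dyld` itself would appear under `LC_LOAD_DYLINKER`, not `LC_LOAD_DYLIB`.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
# Load commands whose payload is a dylib path (values from <mach-o/loader.h>).
LC_ID_DYLIB, LC_LOAD_DYLIB = 0xD, 0xC
LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB = 0x80000018, 0x8000001F
DYLIB_CMDS = {LC_ID_DYLIB, LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB}

def linked_dylibs(data: bytes) -> list:
    """Return the library paths named in a little-endian Mach-O's load commands:
    link-time dependencies dyld resolves at launch (what `otool -L` prints),
    not files the binary writes to disk."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        hdr_size = 32          # mach_header_64 has a trailing 'reserved' field
    elif magic == MH_MAGIC:
        hdr_size = 28
    else:
        raise ValueError("not a little-endian Mach-O header")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    paths, off, end = [], hdr_size, hdr_size + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize in load command")
        if cmd in DYLIB_CMDS:
            # struct dylib: name offset (relative to the command start),
            # then timestamp, current_version, compatibility_version.
            (name_off,) = struct.unpack_from("<I", data, off + 8)
            raw = data[off + name_off:off + cmdsize]
            paths.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
        off += cmdsize
    return paths

def build_macho(dylibs) -> bytes:
    """Constructed sample: a 64-bit Mach-O header followed only by
    LC_LOAD_DYLIB commands (no segments), enough for the parser above."""
    cmds = b""
    for path in dylibs:
        name = path.encode() + b"\0"
        name += b"\0" * (-len(name) % 8)       # pad cmdsize to a multiple of 8
        cmds += struct.pack("<IIIIII", LC_LOAD_DYLIB, 24 + len(name),
                            24, 2, 0x10000, 0x10000) + name
    # magic, cputype (x86_64), cpusubtype, filetype (MH_EXECUTE), ncmds,
    # sizeofcmds, flags, reserved
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2,
                         len(dylibs), len(cmds), 0, 0)
    return header + cmds

# Two of the paths quoted in the thread, embedded as constructed sample input.
SAMPLE = build_macho(["/usr/lib/libSystem.B.dylib",
                      "/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa"])
```

Run against a real Mach-O file (read as bytes), the same function lists the dependencies, and a path showing up here says nothing about whether the installer wrote that file.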

  • 14. Re: Mac Malware/poisoned images
    MadMacs0 Level 4 (3,725 points)

    I just want to point out that you don't give the Trojan your password, only the installer.  At that point the Trojan isn't even installed, let alone running and able to do anything with it.  I can also assure you that the installer scripts I have analyzed to date don't do anything with it, either.  I doubt that they would be able to.  There is absolutely no way to justify reinstalling the OS.
