Mac Malware/poisoned images

11132 Views, 100 Replies. Latest reply: Jun 26, 2013 4:29 PM by MadMacs0

ds store, Level 7 (30,305 points)
May 13, 2011 9:24 AM

Two detailed articles that go into greater depth on the malware attacking Mac users.

http://www.securelist.com/en/blog/6211/Rogueware_campaign_targeting_Mac_users

http://blog.unmaskparasites.com/2011/05/05/thousands-of-hacked-sites-seriously-poison-google-image-search-results/

If you're new to the party:

Mac-targeted trojans are making their rounds mostly by poisoned images from Google.

The exploit depends upon JavaScript. You can choose to turn it off in Safari preferences; however, large portions of the web don't display or operate correctly without JavaScript running.

An easier preventative option would be to use Firefox and the NoScript add-on; use Firefox toolbar customization to drag a NoScript button to the toolbar.

NoScript turns off all scripts and plug-ins by default, which you enable on a per site, per need, per visit type basis by clicking the NoScript button.

Firefox also has a pop-up window with an opt-out before the download occurs, another safety step.

If you have click-happy types, it's advised to install the Public Fox add-on as well and set a password on the browser downloads.

If you have the trojan web page on your Mac's screen, simply use Apple Menu > Force Quit to quit the browser.

If you've downloaded but not run the installer, delete it immediately from your Downloads folder.

If you've installed the trojan and gave it your admin password, you need to back up your files to an external drive, boot off the installer disk, use Disk Utility > Erase with Zero on your whole boot drive, reinstall OS X fresh, re-install all programs from original sources, scan your files with AV software and then return them to your computer.

If you gave the AV software your credit card information, you need to call the credit card company and cancel the charge and freeze it. Assume your identity has been stolen and take appropriate action to defend your identity.

http://www.ftc.gov/bcp/edu/microsites/idtheft/

Some other advice:

Use only low-amount debit/credit cards online, with amounts you're willing to risk losing.

Do not enable overdraft protection with these online-type cards.

Maintain the bulk of your funds in more secure accounts with no user electronic access (keep the blame for loss entirely on the bank).

Beware that banks and credit card companies like to increase your credit/debit card limits without notice.

If you lose a considerable amount of funds through electronic means in your control, like an ATM, credit card, debit card or online banking, expect a very long and tiresome legal battle to hopefully regain those funds and prove fault.

(Note: I receive no compensation from mentioning these sites/articles or their solutions, etc.)

MacBook Pro, Mac OS X (10.6.7), 17" Quad XP, Vista, 7, Linux(s)
  • WZZZ, Level 6 (11,880 points)
    May 13, 2011 9:38 AM (in response to ds store)

    Quote:
    If you've installed the trojan and gave it your admin password, you need to back up your files to an external drive, boot off the installer disk, use Disk Utility > Erase with Zero on your whole boot drive, reinstall OS X fresh, re-install all programs from original sources, scan your files with AV software and then return them to your computer.

    Did you learn something new that's making you say this? We had been thinking, until now, that simply trashing the files would be enough. Or is this coming from taking no chances / better safe than sorry? That's pretty drastic medicine.

    So far, I only skimmed the second link you gave, and maybe that's why I didn't notice it, but I didn't see an explanation for needing to do a clean install.

    Quote:
    NoScript turns off all scripts and plug-ins by default, which you enable on a per site, per need, per visit type basis by clicking the NoScript button.

    Turns off all plug-ins?

  • WZZZ, Level 6 (11,880 points)
    May 13, 2011 10:49 AM (in response to ds store)

    Quote:
    NoScript doesn't turn off all plug-ins on default install of the add-on for you?

    Plug-ins: Flash, Java, QuickTime, Silverlight?

    Does here. After all, Flash is the biggest exploit angle.

    Was getting thrown by the term "turn off." (Since, when I "turn off" a plug-in, I think "disable" from Tools > Add-ons > Plug-ins.) I'm thinking placeholders. But, you're right, that is what's happening.

    Still don't understand your recommendation for a clean install if the user gives the password. Again, I thought it had been established that just cleaning out the malware files was adequate. That's why I'm asking what new did you learn, if anything, to lead you to recommend this drastic remedy?

  • thomas_r., Level 7 (26,945 points)
    May 13, 2011 12:03 PM (in response to ds store)

    Quote:
    If you've installed the trojan and gave it your admin password, you need to back up your files to an external drive, boot off the installer disk, use Disk Utility > Erase with Zero on your whole boot drive, reinstall OS X fresh

    I have played with this trojan extensively, and nothing that I have found supports this recommendation. Following the MacDefender/MacSecurity/MacProtector removal instructions on my blog is adequate. For that matter, even if reinstallation of the system was required, zeroing out the entire drive would serve no purpose whatsoever.

  • thomas_r., Level 7 (26,945 points)
    May 13, 2011 12:10 PM (in response to ds store)

    Quote:
    So far this malware has changed a lot:

    Best Mac Antivirus, MACDefender, MACProtector, MACSecurity, Apple Security Center...

    Actually, it has not changed at all in the last week, to my knowledge. I have continued to locate and examine recent copies, and they are all just MacProtector. Further, you're obviously confused as to your terminology here. There has never been a variant called "Best Mac Antivirus"... the initial version of this trojan, MacDefender (not "MACDefender"), came in a .zip file named "BestMacAntivirus2011.mpkg.zip". MacSecurity and MacProtector are distributed from sites that say "Apple Security Center" at the bottom (see the following screenshot).

    Please, we do not need this kind of misinformation confusing people about this issue!

    [screenshot: /___sbsstatic___/migration-images/151/15193925-1.png]

  • Allan Eckert, Level 8 (39,385 points)
    May 13, 2011 12:27 PM (in response to ds store)

    No.

    Allan

  • WZZZ, Level 6 (11,880 points)
    May 13, 2011 12:47 PM (in response to thomas_r.)

    Actually, this might make some perk up their ears.

    http://x704.net/bbs/viewtopic.php?f=17&t=5307

    I'd assume this is the commercial version of Sophos.

    Quote:
    this is of extreme interest at my workplace. our receptionist DLed it this week supposedly surfing MSN

    sophos picked it up on her iMac. we had a chance to take it apart a little bit

    Scan items:
    Path: /Users/[name removed]/Downloads/death/anti-malware.zip enabled: yes
    Configuration:
    Scan inside archives and compressed files: Yes
    Automatically clean up threats: No
    Action on infected files: Report only

    Scan started at 2011-05-10 15:32:53 -0700

    2011-05-10 15:32:53 -0700 Threat: 'OSX/FakeAV-A' detected in /Users/nate/Downloads/death/anti-malware.zip/MacProtector.mpkg/Contents/Packages/macprotector.pkg/Contents/Archive.pax.gz/Archive.pax/./MacProtector.app/Contents/MacOS/MacProtector

    Scan completed at 2011-05-10 15:32:53 -0700.
    1 items scanned, 1 threats detected, 0 issues

    Looking at the payload, it looks like it rootkits the OS:

    /usr/lib/dyld
    /System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
    /System/Library/Frameworks/WebKit.framework/Versions/A/WebKit
    /usr/lib/libgcc_s.1.dylib
    /usr/lib/libSystem.B.dylib
    /usr/lib/libobjc.A.dylib
    /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
    /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
    /System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
    /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
    /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit

  • Allan Eckert, Level 8 (39,385 points)
    May 13, 2011 12:58 PM (in response to ds store)

    Since you asked, you strike me as totally paranoid.

    Allan

  • andyBall_uk, Level 6 (17,515 points)
    May 13, 2011 1:19 PM (in response to WZZZ)

    >>Looking at the payload, it looks like it rootkits the OS:

    snip...

    Unless that's a very different variant from those I've seen, they're just strings from inside the application (e.g. /Applications/MacProtector.app/Contents/MacOS/MacProtector), not actual files to be installed.
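
    The distinction andyBall_uk draws, shown as an added example that is not part of this thread: the /usr/lib and framework paths in the list quoted above are the dyld references recorded in the executable's load commands (the same list `otool -L` prints, and what a `strings` dump picks up), not files the package writes to the system. The Python below parses those load commands from a thin Mach-O image. The sample binary it parses is constructed inside the script from the kinds of paths quoted in the thread, so it runs without any real sample; pass a file path to inspect an actual binary instead.

```python
"""Added example: list the dyld dependencies recorded in a Mach-O image's load commands.
The sample binary is constructed below for this example and is not taken from any malware."""
import struct
import sys

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF      # magic as read little-endian
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE      # byte-swapped: big-endian file

LC_LOAD_DYLIB = 0x0C          # a library dyld must load before the image runs
LC_LOAD_DYLINKER = 0x0E       # the dynamic linker itself, normally /usr/lib/dyld
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_REEXPORT_DYLIB = 0x8000001F
DYLIB_KINDS = {LC_LOAD_DYLIB: "load", LC_LOAD_WEAK_DYLIB: "weak", LC_REEXPORT_DYLIB: "reexport"}


def _cstr(buf):
    return buf.split(b"\0", 1)[0].decode("utf-8", "replace")


def linked_libraries(data):
    """Return [(kind, path), ...] for every dyld reference in a thin Mach-O image.

    These paths are run-time requirements the loader resolves; the image does not
    create them, so their presence in a string dump does not by itself indicate
    that system files were dropped or replaced.
    """
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic in (MH_MAGIC, MH_MAGIC_64):
        end = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        end = ">"
    else:
        raise ValueError("not a thin Mach-O image (universal/fat files must be sliced first)")
    (magic,) = struct.unpack_from(end + "I", data, 0)
    header_size = 32 if magic == MH_MAGIC_64 else 28
    ncmds, sizeofcmds = struct.unpack_from(end + "II", data, 16)
    if header_size + sizeofcmds > len(data):
        raise ValueError("load commands run past end of file")

    refs = []
    offset = header_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "II", data, offset)
        if cmdsize < 8 or offset + cmdsize > header_size + sizeofcmds:
            raise ValueError("malformed load command at offset %d" % offset)
        if cmd in DYLIB_KINDS or cmd == LC_LOAD_DYLINKER:
            # Both command types carry an lc_str: a uint32 offset, relative to the
            # start of the command, of a NUL-terminated path inside that command.
            (name_off,) = struct.unpack_from(end + "I", data, offset + 8)
            if not 8 <= name_off < cmdsize:
                raise ValueError("bad lc_str offset in command at offset %d" % offset)
            path = _cstr(data[offset + name_off:offset + cmdsize])
            refs.append((DYLIB_KINDS.get(cmd, "dylinker"), path))
        offset += cmdsize
    return refs


# --- constructed sample: a minimal x86_64 MH_EXECUTE header plus load commands ---

def _lc_str_cmd(cmd, fixed, path):
    """Pack one load command: cmd, cmdsize, a fixed part, then an lc_str path."""
    name = path.encode() + b"\0"
    name += b"\0" * (-len(name) % 8)            # load commands are 8-byte aligned
    return struct.pack("<II", cmd, 8 + len(fixed) + len(name)) + fixed + name


def build_sample_macho64():
    """Bytes of a tiny, non-runnable Mach-O whose load commands name system paths
    of the kind quoted in the thread. Constructed for this example only."""
    dylib_fixed = struct.pack("<IIII", 24, 2, 0x10000, 0x10000)   # name_off, timestamp, versions
    cmd_list = [
        _lc_str_cmd(LC_LOAD_DYLINKER, struct.pack("<I", 12), "/usr/lib/dyld"),
        _lc_str_cmd(LC_LOAD_DYLIB, dylib_fixed, "/usr/lib/libSystem.B.dylib"),
        _lc_str_cmd(LC_LOAD_DYLIB, dylib_fixed,
                    "/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa"),
        _lc_str_cmd(LC_LOAD_WEAK_DYLIB, dylib_fixed,
                    "/System/Library/Frameworks/WebKit.framework/Versions/A/WebKit"),
    ]
    cmds = b"".join(cmd_list)
    # magic, cputype (x86_64), cpusubtype, filetype (MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, len(cmd_list), len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_macho64()
    for kind, path in linked_libraries(data):
        print("%-9s %s" % (kind, path))
```

    On a real binary the output should match `otool -L` plus the LC_LOAD_DYLINKER entry; if a path in a string dump does not appear here either, it is worth looking at how the binary actually uses it, but a dependency list alone is no evidence that the installer touched those files.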

  • MadMacs0, Level 4 (3,320 points)
    May 13, 2011 4:28 PM (in response to ds store)

    I just want to point out that you don't give the Trojan your password, only the installer. At that point the Trojan isn't even installed, let alone running and able to do anything with it. I can also assure you that the installer scripts I have analyzed to date don't do anything with it, either. I doubt that they would be able to. There is absolutely no way to justify reinstalling the OS.
