Q: MacDefender trojan

Thomas A Reed wrote:

All we really know for sure is that Safari is not yet supported.

Actually all we really know for sure is that one criminal is offering an unproven 'crime kit' to other criminals for $1000 a pop. Kinda makes you wonder who is trying to scam whom, doesn't it?

True...  it does boggle the mind that one cyber-criminal would be willing to pay another for malware-creation software that they will then run on their own machine.    And we don't really know if the author is being honest about what the actual capabilities of this thing are, since the video that supposedly shows its capabilities looks completely random and meaningless to me.  I have no idea what I'm supposed to be seeing.

RC-R wrote: No "whitelist/blacklist" based utility is any better than the integrity of those lists. Whitelists & backlists that are supported by crowd-sourcing efforts are not immune to prejudice, errors of omission or inclusion, etc.

NoScript is not a simple whitelist/blacklist utility. With NoScript, JavaScript is off by default until you either temporarily or permanently allow or disallow (whitelist/blacklist) a site. And, even then, third-party scripts are all off by default.

Except for a very small handful of sites that come whitelisted, you are not dependent on some pre-determined whitelist/blacklist. Before you allow a site, you do your own research directly available from NS from WOT, Google Safe Browsing Diagnostic, McAfee, Webmaster Tips Site Information or just by doing a search on your own. Even then, you can still decide not to enable JS for any given site. Of course, this isn't perfect, but nothing is and it's much better than nothing.

And, even if a domain or scripts are allowed, NS is still offering some basic protection.

Since it seems you're really not very well acquainted with it and appear to be confusing it with its very distant Safari (or Camino) relative -- one which pales in comparison -- why don't you just try it and see what I'm talking about?

NoScript

http://noscript.net/features

EDIT: Thomas: I'm very far from being an expert in this field, but from what I know, JS is an easy attack vector. And, it seems likely or probable it will present itself through JS. No?

Message was edited by: WZZZ

R C-R wrote:

 

To remove the quarantine attribute from the unzipped installed items, users must authenticate with an admin password when Installer.app runs & asks for it before allowing the install to begin.

Sorry to interrupt the current discussion, but I don't see an appropriate thread yet and those involved all seem to be gathered here.

Intego posted this morning that there is a MacDefender variant called MacGuard that comes as a two-part installation not requiring a password.

<http://blog.intego.com/2011/05/25/intego-security-memo-new-mac-defender-variant- macguard-doesnt-require-password-for-installation/>

Interesting variation. I wonder if this new version claims that is able to remove the "old" MacDefender.

Probably disabling "open safe files" in Safari is now mandatory as well as configuring Mac Os X with at least two users: one as administrator for that purpose only, the other(s) with limited privileges for ordinary daily use.

It's interesting also that the ip used to download the other part of the malware was hidden in an image file with a steganographic technique.

Would appreciate anybody who has this latest version uploading both the original .zip file and the MacGuard application to http://www.VirusTotal.com .  If either is not detected by clamav, then also upload that to http://cgi.clamav.net/sendvirus.cgi .

If you are uncomfortable doing this for any reason and can determine the URL of the site where you got it please send the link to macdefender@mailinator.com .

What surprises me is the amount of user interaction that Mac Defender required from the user to get installed. As a semi-former Windows user (As I use Win7 on Bootcamp), I think I developed a sense of not to accept any install and download that I don't remember. As for the new variant that was released that doesn't require an admin password I think that the only way to stop it is by unchecking the "open safe file" option in Safari, I disabled the funtion today, which a good step to avoid getting infected with any future treath.

By the way, removing MacDefender and its variants is relatively easy, when compared to a virus removal on Windows...

Is there not some way to tell OSX that you want it to ask for a password for opening specific file types EVERY time? Perhaps a configurable list of file types like .zip, .rar, .dmg? This could be a pain for most people but would prevent anything opening without you knowing.

>> a two-part installation not requiring a password.

Yes, the same way that mackeeper is delivered - just click one button & it's in.

add a  fake need for authorisation later on (fairly plausible) and they could tuck all sorts away.

andyBall_uk wrote:

 

>> a two-part installation not requiring a password.

 

Yes, the same way that mackeeper is delivered - just click one button & it's in.

You noticed that too!

What I'd like to understand is with the "previous" version, "Mac Defender," what happened if someone was running admin and had not set a password? Would it just go ahead and install or what?

WZZZ wrote:

 

What I'd like to understand is with the "previous" version, "Mac Defender," what happened if someone was running admin and had not set a password? Would it just go ahead and install or what?

I believe it still pops up the password dialog to which you just hit return (or click OK) as it's actually a null password.

Yes, that is what happens as for a long time only I used this computer and I had no password set.  When I added accounts for my grandchildren and other guests I then set an administrator password.  Before then all I did was hit return and the app would install.  Very easy.  And you hardly have to think about it because you for all practical purposes do nothing.

I would not be surprised if that is how so many people installed mac defender etc.  Panic and then you hit return and then you are in real trouble.

laverne's mom

Message was edited by: laverne's mom

Unlike the previous variants of this fake antivirus,no administrator’s password is required to install this program. Since any user with an administrator’s account – the default if there is just one user on a Mac – can install software in the Applications folder, a password is not needed. This package installs an application – the downloader – named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind.

 

 

What are they saying? Does this mean it will only automatically install where someone is running admin, but with no password set?

no - like mackeeper, if you have write permission for the destination folder (applications in this case most likely, but no need for it to go there since the install script could add a login item or launchagent & place the app anywhere) it'll run w/o any password being asked for.

You still get Installer app prompting for an OK, but nothing more.