Linc Davis

Q: MacDefender trojan

I've been following the discussions of this subject, but I have yet to succeed in downloading the trojan or in figuring out how it manages to get installed. I'd appreciate it if someone could send me a direct link. Please don't post the link here or anywhere else on this site. Send it to

 

macdefendertrojan@mailinator.net

 

and reply to this thread so I know it's there. Mailinator is a webmail server that automatically creates a throwaway account when it receives mail for any address in the domain. The received messages are automatically deleted after a few hours, so I need to know when to look. I also need the message subject so I can distinguish it from spam. Anyone can access the message. If you do, please use caution.

 

Instructions on what to Google haven't helped me. My setup is quite locked down and I block a lot of otherwise unwanted content. I need a direct URL.

 

If I get a positive response, I'll try to analyse the trojan in more detail than I've seen here, and post the results in this topic. Thanks.

Mac OS X (10.6.7)

Posted on May 1, 2011 6:36 PM

Page 8 of 10
  • by ds store, May 25, 2011 6:34 PM, in response to WZZZ

    WZZZ wrote:

     

    Does this mean it will only automatically install where someone is running admin, but with no password set?

     

    It will install automatically if you're running as an admin user, regardless of your password, as it doesn't need it.

  • by WZZZ, May 25, 2011 6:38 PM, in response to andyBall_uk

    >>You still get Installer app prompting for an OK, but nothing more.

     

    Is the prompt for an OK from Installer.app, then, meaningless? In other words, this means it installs whether or not you authenticate, or hit Return, in the case of there being no password set?

     

    EDIT: Just saw ds store's reply. This is very scary. I'd read that Apple was getting ready to issue a patch for Mac Defender in 10.6.8. But they better get busy writing again. And they better do something, finally, about "Open "safe" files after...." in Safari.

  • by andyBall_uk, May 25, 2011 6:45 PM, in response to WZZZ

    Well, it's no worse once downloaded than someone downloading any dubious app & running it - but right enough, the impression many had was that things were somehow safer than that.

     

    Downloading & then opening a zip with an installer package inside & running that installer automatically should never have been considered part of 'opening safe files'.

  • by MadMacs0, May 25, 2011 6:52 PM, in response to ds store

    ds store wrote:

     

    It will install automatically if you're running as an admin user, regardless of your password, as it doesn't need it.

    I don't have a copy of it yet, but from what I have read to date you still have an opportunity to stop it by not pushing the continue button on the installer dialog.

  • by R C-R, May 25, 2011 7:21 PM, in response to MadMacs0

    MadMacs0 wrote:

    Intego posted this morning that there is a MacDefender variant called MacGuard that comes as a two-part installation not requiring a password.

    I wonder if Intego is being completely straightforward about this. If you are running Snow Leopard, then even if you are logged into an admin account, you have to supply an admin password to install downloaded software into the root level Applications folder. The only exceptions to this are 1) if you use an app that doesn't support Snow Leopard's quarantine feature or 2) the downloaded software comes from a site with a valid Certificate Authority (CA) on file in your Mac.

     

    Safari most definitely supports the quarantine feature. I'm not sure if earlier OS versions like Leopard or Tiger support it, or do so to the same extent, but as long as a user is running Snow Leopard and it is up to date, the new variant should not be able to bypass the authentication dialog if it (or its derivatives) want to install anything in /Applications/ or any other system domain location.

     

    I mention the up-to-date proviso because Security Update 2011-002 addressed an issue with fraudulent certificates issued by a Comodo affiliate registration authority, thus breaking the chain of trust CAs rely on.
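A defender-side check for the two controls discussed in WZZZ's post (Safari's "Open 'safe' files after downloading" setting) and R C-R's post above (the quarantine attribute that triggers the authentication dialog). This is an added Python example, not code from this thread or from Apple; it assumes Safari keeps that setting under the AutoOpenSafeDownloads key of com.apple.Safari.plist, that the com.apple.quarantine extended attribute has the shape flags;hex-time;agent;uuid, and it carries a constructed sample value for that attribute.

```python
import os
import plistlib
from datetime import datetime, timezone
from pathlib import Path

# File types in the chain the thread describes: a zip that Safari's "Open
# 'safe' files" setting auto-expands, and the installer package inside it.
RISKY_SUFFIXES = {".zip", ".pkg", ".mpkg", ".dmg"}
# Constructed sample of a quarantine value (not taken from a real download).
SAMPLE_QUARANTINE = "0081;4ddea5c4;Safari;00000000-0000-0000-0000-000000000000"

def safari_auto_opens_downloads(plist_path):
    """True if Safari's 'Open "safe" files after downloading' is enabled.
    Assumption: key AutoOpenSafeDownloads, which defaults to on when absent."""
    try:
        with open(plist_path, "rb") as fh:
            prefs = plistlib.load(fh)
    except FileNotFoundError:
        return True
    return bool(prefs.get("AutoOpenSafeDownloads", True))

def parse_quarantine(value):
    """Parse an assumed 'flags;hex-time;agent;uuid' value; None if malformed."""
    fields = value.split(";")
    if len(fields) < 3:
        return None
    try:
        flags = int(fields[0], 16)
        when = datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc)
    except ValueError:
        return None
    return {"flags": flags, "downloaded": when.isoformat(), "agent": fields[2]}

def quarantine_of(path):
    """Quarantine record for a file, or None if absent or unsupported here."""
    try:
        raw = os.getxattr(path, "com.apple.quarantine")
    except (OSError, AttributeError):
        return None
    return parse_quarantine(raw.decode("utf-8", "replace"))

def audit_downloads(download_dir, safari_plist):
    """Archives/installers in download_dir, with quarantine record and auto-open status."""
    auto_open = safari_auto_opens_downloads(safari_plist)
    report = []
    for entry in sorted(Path(download_dir).iterdir()):
        if entry.is_file() and entry.suffix.lower() in RISKY_SUFFIXES:
            report.append({"file": entry.name, "quarantine": quarantine_of(entry),
                           "auto_open_risk": auto_open})
    return report
```

On a Mac, call audit_downloads(Path.home() / "Downloads", Path.home() / "Library/Preferences/com.apple.Safari.plist"); a risky file whose quarantine record is None was not tagged by the downloading app and so would never have produced the dialog R C-R describes.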

  • by William Kucharski, May 25, 2011 8:13 PM, in response to WZZZ

    You have to give your OK to the installer to install the application; the difference is it now installs as you rather than the admin user so it doesn't require that you supply your admin password.

     

    But the bottom line is you still have to allow the installer to install the application.

     

    Don't install anything you haven't explicitly downloaded from a trusted site, and you will have no issues with this or any other malware.

  • by ds store, May 26, 2011 3:06 PM, in response to Linc Davis

    Something striking iPads

     

    It's using JavaScript to pop up a window that appears to be from MacKeeper

     

    [screenshot: Screen shot 2011-05-26 at 5.56.06 PM.jpg]

  • by MadMacs0, May 26, 2011 3:29 PM, in response to ds store

    ds store wrote:

     

    Something striking iPads

     

    It's using JavaScript to pop up a window that appears to be from MacKeeper

    Assume that's as far as you took it. The URL shown isn't working. If you know the URL you visited, can you email it to macdefender@mailinator.com?

  • by William Kucharski, May 26, 2011 3:37 PM, in response to ds store

    As always, just ignore it.

  • by ds store, May 26, 2011 3:47 PM, in response to MadMacs0

    MadMacs0 wrote:


    Assume that's as far as you took it. The URL shown isn't working. If you know the URL you visited, can you email it to macdefender@mailinator.com?

     

    It's coming tagged "iPad/MacKeeper"; I couldn't reproduce it on my Mac, but I'll give everything I've got.

  • by R C-R, May 26, 2011 3:54 PM, in response to ds store

    ds store wrote:

    It's coming tagged "iPad/MacKeeper"; I couldn't reproduce it on my Mac, but I'll give everything I've got.

    Do you have an iPad & did you see the popup on it yourself, or is this a secondhand report from another user?

  • by MadMacs0, May 26, 2011 4:28 PM, in response to ds store

    ds store wrote:

     

    It's coming tagged "iPad/MacKeeper"; I couldn't reproduce it on my Mac, but I'll give everything I've got.

    I'm quite sure there is no MacKeeper for the iPad (I checked both the App Store and the MacKeeper site), and as far as I know there is no AV software for the iPad, so if you cannot reach it with your Mac I wouldn't waste too much more time on it, since at this point nothing can be done to prevent it short of publicity and education.

  • by ds store, May 26, 2011 4:58 PM, in response to R C-R

    Credit goes to turingtest2 for coming across this and posting it in the Hosts Lounge.

     

    Just keeping the lines of communication open there R C-R, take a chill pill or something.

  • by ds store, May 26, 2011 5:09 PM, in response to MadMacs0

    MadMacs0 wrote:


    I'm quite sure there is no MacKeeper for the iPad (I checked both the App Store and the MacKeeper site), and as far as I know there is no AV software for the iPad, so if you cannot reach it with your Mac I wouldn't waste too much more time on it, since at this point nothing can be done to prevent it short of publicity and education.

     

    The URL is different than what is displayed in the blue popup; the full picture and links were sent to the email addy.

     

    Strange it popped up on iPad, so I'm guessing it's just looking at browser info?

     

    Anything that's using the (supposedly?) legitimate MacKeeper and not matching their domain has got to be malware.

     

    So I sent what links I've found, as the site changes its main page often; turingtest2 reports there is other hanky panky going on, so there is a good chance you and Linc Davis might find more of what you're looking for there.

  • by R C-R, May 26, 2011 6:11 PM, in response to ds store

    ds store wrote:

    Anything that's using the (supposedly?) legitimate MacKeeper and not matching their domain has got to be malware.

    Or just a poorly coded ad.
