Linc Davis

Q: MacDefender trojan

I've been following the discussions of this subject, but I have yet to succeed in downloading the trojan or in figuring out how it manages to get installed. I'd appreciate it if someone could send me a direct link. Please don't post the link here or anywhere else on this site. Send it to

 

macdefendertrojan@mailinator.net

 

and reply to this thread so I know it's there. Mailinator is a webmail server that automatically creates a throwaway account when it receives mail for any address in the domain. The received messages are automatically deleted after a few hours, so I need to know when to look. I also need the message subject so I can distinguish it from spam. Anyone can access the message. If you do, please use caution.

 

Instructions on what to Google haven't helped me. My setup is quite locked down and I block a lot of otherwise unwanted content. I need a direct URL.

 

If I get a positive response, I'll try to analyse the trojan in more detail than I've seen here, and post the results in this topic. Thanks.

Mac OS X (10.6.7)

Posted on May 1, 2011 6:36 PM

first Previous Page 9 of 10 last Next
  • by Scrybe, May 29, 2011 8:15 AM, in response to Linc Davis (Level 1, 0 points)

    Quick question...I hope I'm not infected.

     

    I was using Skype to message with a friend. We often share links as we talk photography a lot.

     

    I got a link through from him, clicked it and got the MacDefender site. Immediately sensed it was weird receiving it, so I closed the site page.

     

    I've blocked the IP address listed above - 69.50.214.53

     

    I've looked in my Finder for MACDefender, but I'm not finding it on my computer. I didn't click to download anything, didn't run any installers, and don't appear to have been compromised.

     

    Is there anything else I need to do?

     

    Also, any idea if this was definitely sent by my friend's computer, or could our skype chat have been compromised by a third computer? Should I be contacting him to tell him he may have an infection (as I'm planning to do)?

     

    Cheers.

  • by Chris the Gamer, May 29, 2011 8:18 AM, in response to Scrybe (Level 1, 10 points)

    Just make sure it isn't installed in your applications folder.  You should be okay if it isn't there.

  • by Scrybe, May 29, 2011 8:25 AM, in response to Chris the Gamer (Level 1, 0 points)

    Nice one. I've checked my applications folder and my utilities folder and it isn't in either. Guess I'm okay, then. I've mailed my mate, suggesting he check his own system out for this.

     

    I'm really surprised I got this through Skype. Not because Skype is in any way safe, I just didn't expect it dropping into a private chat with someone I knew.

     

    I'd be interested to know if the link must have been sent from his computer, or if it was possible that our chat could have been hijacked by another user to send me that link. I'm assuming it was the former. Link was a google search link - the reason why it didn't strike me as odd; we're always sharing links to images we're talking about, so a google search link didn't stand out as being odd.

  • by thomas_r., May 29, 2011 8:28 AM, in response to Scrybe (Level 7, 30,924 points, Mac OS X)

    I'm sure, as a result of your post (though through no fault of yours), we're going to see an outbreak of people claiming the MacDefender trojans are spreading via Skype.  However, in reality, what most likely happened was that the site your friend referred you to was perfectly fine, but got a malicious JavaScript injected into the page that redirected you to the MacDefender site.

     

    Edit: since you say the link was a Google search link, I'd upgrade that estimate from "most likely" to "almost certainly".  Google searches have been a major vector for MacDefender transmission.

  • by Scrybe, May 29, 2011 8:32 AM, in response to thomas_r. (Level 1, 0 points)

    Thanks, Thomas. I'm no tech-head at all, just a general user, but I like to try to have an idea of what is going on with stuff like this. Really appreciate being able to ask more experienced people on here for clarification. Cheers.

  • by R C-R, May 29, 2011 10:55 AM, in response to Scrybe (Level 6, 17,685 points)

    The method used by this malware to get you to its malicious web page is not new, nor is it a web page redirect or compromise of a legitimate web site in the normal sense. It is called "SEO poisoning" & it isn't that hard to understand how it works.

     

    "SEO" stands for search engine optimization, a technique legitimate web sites have been using since the 1990's to get more traffic directed to their pages. Basically, the idea is to get enough references to the site onto the web that the algorithms used to collect search keyword data from the Internet will decide they are popular pages & thus rank them near the top of search results.

     

    There are many ways to do this, from ones considered as completely respectable by almost everybody to ones widely considered as totally unscrupulous. But it is called SEO poisoning when the page, however it manages to get a high page rank, is a malicious one.

     

    Note that the search site itself isn't "poisoned." In a sense, it is the Internet itself that has been poisoned with too many undeserved references to the malicious pages. There is no way to control that. The best we can hope for from the search engine providers is harder to trick page ranking algorithms, plus blacklisting of pages known to be malicious.

     

    Aside from that, it might help to know that since the malicious pages are only interested in getting as many hits as possible regardless of what people search for on the web, the optimization is rigged for the most popular searches. Unfortunately, it is easy to automate the process & update it very quickly, so searches for whatever are the hottest topics of the moment are the most likely ones to include these bogus pages in their results.

  • by zanne101, May 30, 2011 11:06 AM, in response to R C-R (Level 1, 0 points)

    I have been hit 3 times in the last week by 3 differently named (one was MacProtector) viruses/trojans.  Luckily I got each removed immediately, but having this happen every couple of days is annoying to say the least.  In addition to what Apple proposed, I also went back into Safari Preferences and unchecked "Open Safe Files after downloading" at the bottom of the General page section.

     

    BTW, each time this happened I was on sites I visit all the time and was not just "browsing" on the internet.  One of these occurrences was when I was on my Gmail page and clicked on one of my label groups to bring up those emails.

     

    I'm glad Apple is working on this, but I hope they come up with something SOON!

  • by ds store, May 30, 2011 11:45 AM, in response to zanne101 (Level 7, 30,395 points)

    You will hardly get hit with this thing at all if you run Firefox and the NoScript add-on; I think there were only two reports of Firefox users being hit, and they were not running NoScript.

    The malware needs JavaScript running in the browser.

    So with NoScript you run with very little JavaScript, unless you absolutely need it, in which case you turn it on with a quick click on the NoScript toolbar button ("Temp allow all this page").

    So what you're doing is significantly reducing your exposure window.

    I likely came across this thing a few dozen times already and didn't know it, because I run with very little JavaScript, or any scripts for that matter.

    Unfortunately Safari doesn't have NoScript; turning off JavaScript requires a trip to Safari preferences.

  • by thomas_r., May 30, 2011 12:23 PM, in response to ds store (Level 7, 30,924 points, Mac OS X)

    I think there were only two reports of Firefox users being hit, and they were not running NoScript.

     

    There is nothing about this outbreak that is unique to Safari, except that Safari will open the installer automatically.  The claim of only "two reports" from Firefox users is not a valid one in any form.  Although most of the reports I have come across involve people using Safari, most Mac users in general are using Safari, so you cannot draw any conclusions without a detailed statistical analysis of a very large number of cases.    Certainly, I've encountered plenty of people who were affected while using Firefox or Chrome.

  • by MadMacs0, May 30, 2011 12:49 PM, in response to thomas_r. (Level 5, 4,791 points)

    Thomas A Reed wrote:

     

    I think there were only two reports of Firefox users being hit, and they were not running NoScript.

     

    There is nothing about this outbreak that is unique to Safari, except that Safari will open the installer automatically.

    I believe there is one other Firefox "feature" that comes into play here, and that is that Firefox will ask you if you really want to download something that a JavaScript has automatically kicked off, whereas Safari will not.  With this outbreak the user has already requested the download, so it is unlikely he will have second thoughts, but it is another difference.

  • by ronaldz, May 30, 2011 12:52 PM, in response to thomas_r. (Level 1, 5 points)
  • by U-96, Dec 1, 2011 12:19 PM, in response to Linc Davis (Level 1, 58 points, Mac OS X)

    Great stuff, Kappy! Thank you.

  • by thomas_r., Dec 1, 2011 1:31 PM, in response to U-96 (Level 7, 30,924 points, Mac OS X)

    How come you're replying to such an old thread?  You must have gone searching for information about MacDefender...  Why is that?  Do you believe that you have seen it recently?

  • by MadMacs0, Dec 1, 2011 6:02 PM, in response to thomas_r. (Level 5, 4,791 points)

    Thomas A Reed wrote:

     

    Do you believe that you have seen it recently?

    I had a ClamXav forum user find four MacDefender .pkg files on Tuesday. Apparently he never allowed them to install. He didn't respond as to when he might have acquired them. http://markallan.co.uk/BB/viewtopic.php?p=14026#14026
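    Added example (editor's code, not from any poster in this thread and not from Apple): a small shell script that automates the manual checks described above, namely looking in the Applications folder for MacDefender (Chris the Gamer and Scrybe), listing installer packages left in Downloads (the four unrun MacDefender .pkg files MadMacs0 mentions), and reporting the state of Safari's "Open safe files after downloading" checkbox that zanne101 turned off. The names MacDefender and MacProtector are the only ones taken from the thread, so the name list is an assumption and not a complete signature list; the search folders are an assumption about a standard Mac OS X 10.6 home directory. The checkbox is stored under the com.apple.Safari preference key AutoOpenSafeDownloads, which `defaults` can read and write; on a non-Mac Unix the script reports that check as "unknown".

```shell
#!/bin/sh
# Added example: local check for the MacDefender family as discussed in the
# thread. Assumptions: the names below (from the thread, not a full list) and
# the usual Mac OS X 10.6 folder layout.

# scan_for_suspects DIR...: print any file, app bundle or package whose name
# contains one of the names the thread mentions (case-insensitive), at most
# three levels deep so scanning /Applications and ~/Downloads stays quick.
scan_for_suspects() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 3 \( -iname '*macdefender*' -o -iname '*macprotector*' \) -print 2>/dev/null
    done
}

# count_suspects DIR...: number of matches, convenient for scripting.
count_suspects() {
    scan_for_suspects "$@" | wc -l | tr -d ' '
}

# list_pkgs DIR: installer packages lying in a download folder. A .pkg that
# was downloaded but never run is still worth deleting.
list_pkgs() {
    [ -d "$1" ] || return 0
    find "$1" -maxdepth 2 \( -iname '*.pkg' -o -iname '*.mpkg' \) -print 2>/dev/null
}

# autoopen_status VALUE: interpret the value `defaults read com.apple.Safari
# AutoOpenSafeDownloads` returns. Safari ships with the box checked, so a
# missing key (empty VALUE) counts as enabled.
autoopen_status() {
    case "$1" in
        0|false|FALSE|no|NO) echo "disabled" ;;
        *) echo "enabled" ;;
    esac
}

# check_safari_autoopen: read the live preference on a Mac; "unknown" elsewhere.
check_safari_autoopen() {
    if command -v defaults >/dev/null 2>&1; then
        v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)
        autoopen_status "$v"
    else
        echo "unknown"
    fi
}

main_report() {
    echo "== Files matching the names from the thread =="
    scan_for_suspects /Applications "$HOME/Applications" "$HOME/Downloads" "$HOME/Desktop"
    echo "== Installer packages in Downloads =="
    list_pkgs "$HOME/Downloads"
    echo "== Safari 'Open safe files after downloading': $(check_safari_autoopen) =="
    echo "To turn it off without opening Safari preferences (then restart Safari):"
    echo "  defaults write com.apple.Safari AutoOpenSafeDownloads -bool false"
}

# Only produce the report when invoked as: sh macdefender_check.sh run
if [ "${1:-}" = "run" ]; then
    main_report
fi
```

    Run it as `sh macdefender_check.sh run` on the Mac in question. A clean result from this script is only evidence that nothing with those two names is sitting in the usual folders, which is exactly the check the posters above did by hand; it does not replace a scan with a tool such as ClamXav.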

  • by thomas_r., Dec 1, 2011 6:19 PM, in response to MadMacs0 (Level 7, 30,924 points, Mac OS X)

    I would have thought we had seen the end of this with the folks behind the MacDefender payment processing in jail...  But perhaps they were not the ones responsible for creating the software, and those hackers have found a new payment processor.  Of course, that's a lot of speculation based on very little information at this point.  :)
