Skip navigation

detecting malware

4585 Views 14 Replies Latest reply: Apr 14, 2014 6:44 PM by Catak6886 RSS
mmendel Calculating status...
Currently Being Moderated
Jan 20, 2013 3:46 AM

how to detect and remove malware and viruses

MacBook Pro, Mac OS X (10.6.8)
  • mende1 Level 10 Level 10 (89,470 points)
    Currently Being Moderated
    Jan 20, 2013 3:49 AM (in response to mmendel)

    Welcome to the Apple Support Communities

     

    See > http://www.reedcorner.net/mmg On OS X, you don't have to worry about malware and viruses because Mac OS X has got its security systems. However, if you want to make sure that there isn't malware, you can use Sophos or ClamXav to scan your hard drive

  • Linc Davis Level 10 Level 10 (107,510 points)
    Currently Being Moderated
    Jan 20, 2013 8:19 AM (in response to mmendel)

    1. This comment applies to malicious software ("malware") that's installed unwittingly by the victim of a network attack. It does not apply to software, such as keystroke loggers, that may be installed deliberately by an intruder who has hands-on access to the victim's computer. That threat is in a different category, and there's no easy way to defend against it. If you have reason to suspect that you're the target of such an attack, you need expert help.

    2. All versions of OS X since 10.6.7 have been able to detect known Mac malware in downloaded files, and to block insecure web plugins. This feature is transparent to the user, but internally Apple calls it "XProtect." The malware recognition database is automatically updated once a day; however, you shouldn't rely on it, because the attackers are always at least a day ahead of the defenders.
       
    The following caveats apply to XProtect:
    • It can be bypassed by some third-party networking software, such as BitTorrent clients and Java applets (see below.)
    • It only applies to software downloaded from the network. Software installed from a CD or other media is not checked.
    3. Starting with OS X 10.7.5, there has been another layer of built-in malware protection, designated "Gatekeeper" by Apple. By default, applications and Installer packages downloaded from the network will only run if they're digitally signed by a developer with a certificate issued by Apple. Software certified in this way hasn't actually been tested by Apple (unless it comes from the Mac App Store), but you can be reasonably sure that it hasn't been modified by anyone other than the developer. His identity is known to Apple, so he could be held legally responsible if he distributed malware. For most practical purposes, applications recognized by Gatekeeper as signed can be considered safe.
       
    Gatekeeper has, however, the same limitations as XProtect, and in addition the following:
    • It can easily be disabled or overridden by the user.
    • A malware attacker could get control of a code-signing certificate under false pretenses, or could find some other way to evade Apple's controls.
    For more information about Gatekeeper, see this Apple Support article.
             
    4. Beyond XProtect and Gatekeeper, there’s no benefit, in most cases, from any other automated protection against malware. The first and best line of defense is always your own intelligence. All known malware circulating on the Internet that affects a fully-updated installation of OS X 10.6 or later takes the form of so-called "trojan horses," which can only have an effect if the victim is duped into running them. The threat therefore amounts to a battle of wits between you and the malware attacker. If you're smarter than he thinks you are, you'll win.
        
    That means, in practice, that you never use software that comes from an untrustworthy source. How do you know whether a source is trustworthy?
    • Any website that prompts you to install a “codec,” “plug-in,” "player," "archive extractor," or “certificate” that comes from that same site, or an unknown one, is untrustworthy.
    • A web operator who tells you that you have a “virus,” or that anything else is wrong with your computer, or that you have won a prize in a contest you never entered, is trying to commit a crime with you as the victim. (Some reputable websites did legitimately warn users who were infected with the "DNSChanger" malware. That exception to this rule no longer applies.)
    • Pirated copies or "cracks" of commercial software, no matter where they come from, are unsafe.
    • Software of any kind downloaded from a BitTorrent or from a Usenet binary newsgroup is unsafe.
    • Software with a corporate brand, such as Adobe Flash Player, must be downloaded directly from the developer’s website. If it comes from any other source, it's unsafe.
    5. Java on the Web (not to be confused with JavaScript, to which it's not related, despite the similarity of the names) is a weak point in the security of any system. Java is, among other things, a platform for running complex applications in a web page, on the client. That was never a good idea, and Java's developers have had a lot of trouble implementing it without also creating a portal for malware to enter. Past Java exploits are the closest thing there has ever been to a Windows-style "virus" affecting OS X. Merely loading a page with malicious Java content could be harmful. Fortunately, Java on the Web is mostly extinct. Only a few outmoded sites still use it. Try to hasten the process of extinction by avoiding those sites, if you have a choice.
       
    Java is not included in OS X 10.7 and later. A separate Java installer is distributed by Apple, and another one by Oracle (the developer of Java.) Don't use either one unless you need it. Most people don't. If Java is installed, disable it — not JavaScript — in your browsers. In Safari, this is done by unchecking the box marked Enable Java in the Security tab of the preferences dialog.
      
    Regardless of version, experience has shown that Java on the Web can't be trusted. If you must use a Java applet for a specific task, enable Java only when needed for the task and disable it immediately when done. Close all other browser windows and tabs, and don't visit any other sites while Java is active. Never enable any version of Java on a public web page that carries third-party advertising. Use it, if at all, only on well-known, password-protected, secure websites without ads. In Safari 6 or later, you'll see a lock icon in the address bar with the abbreviation "https" when visiting a secure site.

    Follow these guidelines, and you’ll be as safe from malware as you can practically be, short of not using the Internet at all.

    6. Never install any commercial "anti-virus" or "Internet security" products for the Mac, as they all do more harm than good, if they do any good at all. If you need to be able to detect Windows malware in your files, use the free software ClamXav — nothing else.
      
    Why shouldn't you use commercial "anti-virus" products?
    • Their design is predicated on the nonexistent threat that malware may be injected at any time, anywhere in the file system. Malware is downloaded from the network; it doesn't materialize from nowhere.
    • In order to meet that nonexistent threat, the software modifies or duplicates low-level functions of the operating system, which is a waste of resources and a common cause of instability, bugs, and poor performance.
    • By modifying the operating system, the software itself may create weaknesses that could be exploited by malware attackers.
    7. ClamXav doesn't have these drawbacks. That doesn't mean it's entirely safe. It may report email messages that have "phishing" links in the body, or Windows malware in attachments, as infected files, and offer to delete or move them. Doing so will corrupt the Mail database. The messages should be deleted from within the Mail application.
        
    ClamXav is not needed, and should not be relied upon, for protection against OS X malware. It's useful only for detecting Windows malware. Windows malware can't harm you directly (unless, of course, you use Windows.) Just don't pass it on to anyone else.
        
    A Windows malware attachment in email is usually easy to recognize. The file name will often be targeted at people who aren't very bright; for example:
      
    ♥♥♥♥♥♥♥♥♥♥♥♥♥♥!!!!!!!H0TBABEZ4U!!!!!!!.AVI♥♥♥♥♥♥♥♥♥♥♥♥♥♥.exe
       
    ClamXav may be able to tell you which particular virus or trojan it is, but do you care? In practice, there's seldom a reason to use ClamXav unless a network administrator requires you to run an anti-virus application.
        
    8. The greatest harm done by anti-virus software, in my opinion, is in its effect on human behavior. It does little or nothing to protect people from emerging threats, but they get a false sense of security from it, and then they may behave in ways that expose them to higher risk. Nothing can lessen the need for safe computing practices.
      
    9. It seems to be a common belief that the built-in Application Firewall acts as a barrier to infection, or prevents malware from functioning. It does neither. It blocks inbound connections to certain network services you're running, such as file sharing. It's disabled by default and you should leave it that way if you're behind a router on a private home or office network. Activate it only when you're on an untrusted network, for instance a public Wi-Fi hotspot, where you don't want to provide services. Disable any services you don't use in the Sharing preference pane. All are disabled by default.

  • MadMacs0 Level 4 Level 4 (3,320 points)
    Currently Being Moderated
    Jan 20, 2013 2:08 PM (in response to mmendel)

    Odds are you don't have any, so tell us why you are asking?

  • Gold_Coast Calculating status...
    Currently Being Moderated
    Mar 28, 2013 5:25 AM (in response to MadMacs0)

    Even if viruses aren't detrimental to Apple devices any file infected with a virus can potentially be spread to other PC's that they would do damage to.

     

    I know a number of people that received fraudulent emails falsely claiming to represent legitimate companies.  These emails had a zip file attached in attempt to infect with the Trojan Agent virus.

     

    I had person from India renting out my spare room who requested internet access also be provided as part of his rent.  He signed a rental contract which included internet access for $15/week.

     

    I probably don't want to know what he did on the internet but during his tenancy internet usage was massive.  This probably exponentially increased the risk of malware or viruses being a real threat to systems he was connected to.  And while it may not harm a Mac, if hosting the infected data and transmitting it to a vulnerable system, the need for virus scans for all systems is evident.

  • VilleFromFinland Level 1 Level 1 (0 points)
    Currently Being Moderated
    Mar 28, 2013 6:45 AM (in response to Gold_Coast)

    One really easy way to prevent malware on your computer is to use Avira - freeware virus scanner.

    It has Windows and Mac OS X versions and it protects your computer from the most malwares.

     

    This is not maybe 100% percent the Best program what is out there but it should be more than enough for regular user.

     

    I use this my self.

  • Gold_Coast Level 1 Level 1 (0 points)
    Currently Being Moderated
    Mar 28, 2013 1:21 PM (in response to mmendel)

    Thanks but I know how to act appropriately with malware.

     

    Problems persist because the government does not know how to deal with internet security matters as evident in the attached response which was submitted as evidence in court.  This was after 3 people called the police while I had this document in my possesion and the police called the author of the letter to confirm it's authenticity.

     

    Persistent internet attacks are commonly classed as cyber-terrorism and the affects on systems should prompt investigation as counter-terrorism financing and anti money laundering guidelines.  Not doing so is equivalent to throwing everyones personal information, like a dog with a bone, to perfect strangers.

     

    At least having it recorded in court makes the government accountable for any loss or hardship.DFaT Internet Security Response.jpg

    Other OS
  • VilleFromFinland Level 1 Level 1 (0 points)
    Currently Being Moderated
    Mar 29, 2013 12:21 PM (in response to Gold_Coast)

    Install firewall & Antivirus software.

     

    Avira also should help for detecting / preventing malware to funtion.

     

    Download & install Avira, let's get back to the subject if problem still occurs.

     

     

    Cheers

     

    Ville

  • MadMacs0 Level 4 Level 4 (3,320 points)
    Currently Being Moderated
    Mar 29, 2013 1:26 PM (in response to VilleFromFinland)

    VilleFromFinland wrote:

     

    Install firewall & Antivirus software.

    I think we all heard you the first time. We haven't heard anything from the OP and it's been over a week since they joined and posted their one and only question to date, so I suspect they have all the info they need for now.

    let's get back to the subject if problem still occurs.

    What problem was that?

  • JDY425 Calculating status...
    Currently Being Moderated
    Mar 31, 2014 6:52 AM (in response to Linc Davis)

    I need a little help with the topic of malware.  I was attempting to update my Department of Defense ID card utilizing a card reader and the DEERS website.  The requirements for doing so was to have Java Runtime Environent installed.  I went to the Oracle webpage and downloaded JRE and was still not able to do so.  I also went to CNET and downlaoded JRE, which I know I probably should nothave done.  After doing so I had degraded internet access and several attempts to login to microsoft.com from an IP adress from Russia. I also received this email from google:

     

     

    Mail Delivery Subsystem mailer-daemon@googlemail.com

    2:38 AM (7 hours ago)
    https://mail.google.com/mail/u/0/images/cleardot.gif

     


    https://mail.google.com/mail/u/0/images/cleardot.gif

    https://mail.google.com/mail/u/0/images/cleardot.gif

    to me

    https://mail.google.com/mail/u/0/images/cleardot.gif

     

    Delivery to the following recipient failed permanently:

     

          info@gruz-master.com

     

    Technical details of permanent failure:
    Message rejected by Google Groups. Please visit http://mail.google.com/support/bin/answer.py?hl=en&answer=188131 to review our Bulk Email Senders Guidelines.

     

    ----- Original message -----

     

    X-Received: by 10.112.53.170 with SMTP id c10mr4751lbp.70.1396247897662;
             Sun, 30 Mar 2014 23:38:17 -0700 (PDT)
    Return-Path: <
    Received: from mx11.mail.ru (mx11.mail.ru. [94.100.176.137])
             by mx.google.com with ESMTPS id w4si8057445lad.164.2014.03.30.23.38.17
             for <info@gruz-master.com>
             (version=TLSv1 cipher=RC4-SHA bits=128/128);
             Sun, 30 Mar 2014 23:38:17 -0700 (PDT)
    Received-SPF: softfail (google.com: domain of transitioning  does not designate 94.100.176.137 as permitted sender) client-ip=94.100.176.137;
    Authentication-Results: mx.google.com;
            spf=softfail (google.com: domain of transitioning does not designate 94.100.176.137 as permitted sender) smtp.mail=jdyork1@gmail.com;
            dmarc=fail (p=NONE dis=NONE) header.from=gmail.com
    Received: from mail by mx11.mail.ru with local (envelope-from <>)
             id 1WUVrN-0007p4-1f
             for info@gruz-master.com; Mon, 31 Mar 2014 10:38:17 +0400
    X-ResentFrom: <gruz_master@mail.ru>
    X-MailRu-Forward: 1
    Authentication-Results: mxs.mail.ru; spf=softfail (mx11.mail.ru: transitioning domain of gmail.com does not designate 193.252.22.211 as permitted sender) smtp.mailfrom= smtp.helo=out.smtpout.orange.fr
    Received-SPF: softfail (mx11.mail.ru: transitioning domain of gmail.com does not designate 193.252.22.211 as permitted sender) client-ip=193.252.22.211; envelope-from=; helo=out.smtpout.orange.fr;
    Received: from [193.252.22.211] (port=18661 helo=out.smtpout.orange.fr)
             by mx11.mail.ru with esmtp (envelope-from <jdyork1@gmail.com>)
             id 1WUVrK-0007cl-Gk
             for gruz_master@mail.ru; Mon, 31 Mar 2014 10:38:15 +0400
    X-Mru-BL: 0:99:1024
    X-Mru-PTR: out02.smtpout.orange.fr
    X-Mru-NR: 1
    X-Mru-OF: Linux (Ethernet or modem)
    X-Mru-RC: FR
    Received: from jwcia ([122.2.22.242])
             by mwinf5d27 with ME
             id k6dm1n00B5DPNQy036drEn; Mon, 31 Mar 2014 08:38:13 +0200
    Message-ID: <0F2D17A6F020444EB24B640446D905CC@sgwoxk>
    Reply-To: =?koi8-r?B?8NLPzdTP1yDx0s/TzMHX?= <regi.str.a.c.iya1.4@gmail.com>
    From: =?koi8-r?B?8NLPzdTP1yDx0s/TzMHX?= <
    To: =?koi8-r?B?7M/ayc7Ty8nKIOnTwcHL?= <postmaster@associatebrokerscr.com>
    Subject: =?koi8-r?B?98HNIM7V1s7PIPrBy9LZ1NggxsnSzdU/IOTM0SD3wdMg?=
             =?koi8-r?B?19nHz8TOz8Ug0NLFxMzP1sXOycUhIPDSz97UydTFIQ==?=
    Date: Mon, 31 Mar 2014 12:37:43 +0600
    MIME-Version: 1.0
    Content-Type: text/html;
             charset="koi8-r"
    Content-Transfer-Encoding: base64
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.5931
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6109
    X-Spam: Not detected
    X-DMARC-Policy: none
    X-DMARC-Result: fail
    X-Mras: Ok
    X-Mru-AVCheck: false
    X-Mru-Authenticated-Sender:

     

    ----- End of message -----

    This email also has it orogin out of Russia which is leading me to believe that I have dowloaded soemthing I should not have done.  I have ran wireshark and have not gone through everything yet but did not find anything unusal just yet.  I subsequently installed little snitch with nothing unusal.  I guess the question is if I am being paranoid or is did I download malware?  

  • MadMacs0 Level 4 Level 4 (3,320 points)
    Currently Being Moderated
    Mar 31, 2014 9:47 AM (in response to JDY425)

    I doubt that many people will see your posting. It's always best to start a new discussion in cases like this.

     

    A quick examination of the message indicates that it was sent using Microsoft Outlook Express 6.00.2900.5931, so it didn't come from your Mac.

     

    Also, there is currently no known malware capable of sending bulk e-mail from a Mac. If it came from your Mac there should be evidence of it in your Sent Mail folder.

     

    The majority of spam e-mail is sent using a forged From: address. Since you received a non-delivery message from Google, I suppose it's possible it was sent from your account on the server. Again, there may be evidence in the sent mailbox on the server of it having been used, but spammers have also been known to erase them after they finish. If this continues then I would change my e-mail password and make certain the spammer has not set a preference to allow a second account access. This is often done for businesses to allow a secretary to send e-mail out for their boss.

     

    Back to the JRE you downloaded from C|Net. I checked and can only find Java JRE for Windows, which you should not have been able to install anything on your Mac, even though they have been known to include adware in their installers for Windows for some time now.

     

    If you installed the JRE from www.java.com (run by oracle) you should have the latest working Version 7 Update 51. I've never tried to use a CAC card from a Mac, so I can't help you with that.

  • JDY425 Level 1 Level 1 (0 points)
    Currently Being Moderated
    Mar 31, 2014 10:17 AM (in response to MadMacs0)

    Thank you for the response, I just started a new discussion under the Imac section.  I am probably just going to wipe and reinstall to be 100% sure.

  • Catak6886 Calculating status...
    Currently Being Moderated
    Apr 14, 2014 6:32 PM (in response to mmendel)

    Please Help! I am getting pop ups and highlighted links on trusted sites. I have backed up my computer incase the worst happens. I also checked and no extensions are present. How can I find out what has infected my computer and more importantly how to get rid of it?

  • MadMacs0 Level 4 Level 4 (3,320 points)
    Currently Being Moderated
    Apr 14, 2014 6:37 PM (in response to Catak6886)

    This thread is over a year old and I doubt that more than one or two of us are aware of your post.

     

    Please start a new discussion and you will attract far more folks who are currently on-line to assist you. That's just the way these forums work.

  • Catak6886 Level 1 Level 1 (0 points)
    Currently Being Moderated
    Apr 14, 2014 6:44 PM (in response to MadMacs0)

    Sorry, new to this.... Thanks so much for the heads up!

Actions

More Like This

  • Retrieving data ...

Bookmarked By (1)

Legend

  • This solved my question - 10 points
  • This helped me - 5 points
This site contains user submitted content, comments and opinions and is for informational purposes only. Apple disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Apple Support Communities Terms of Use.