4 Replies Latest reply: Dec 14, 2009 10:02 PM by Luvin my Pod
coding_guy Level 1 Level 1 (0 points)
Hi-

I suspect my mac has been infected/has malware. I know that the common thing to do at this point is to wipe the machine, reinstall from scratch, and only restore personal files (the apps could be infected).

Of course, that would is very inconvenient. Is there an app I can run to check my machine for viruses, malware, and other security problems?

I've had my machine compromised before and I did not reinstall at the time - I simply cleaned it up by hand. I'd like to try a better detect/clean process before I perform a reinstall.

Thanks in advance!

mbp 17 2.16, Mac OS X (10.5.8)
  • Klaus1 Level 8 Level 8 (46,945 points)
    Welcome to the forums!

    I know that the common thing to do at this point is to wipe the machine, reinstall from scratch, and only restore personal files

    Nope, not in the Mac world!

    No viruses that can attack OS X have so far been detected 'in the wild', i.e. in anything other than laboratory conditions.

    Do not be tricked by 'scareware' that attempts computer users to download fake anti-virus software. More on that here:

    http://news.bbc.co.uk/1/hi/technology/8313678.stm

    It is possible, however, to pass on a Windows virus to another Windows user, for example through an email attachment. To prevent this all you need is the free anti-virus utility ClamXav, which you can download from:

    http://www.clamxav.com/

    Do not be tempted to use Norton AV, it will mangle your system.

    However, the appearance of Trojans and other malware that can possibly infect a Mac seems to be growing, but is a completely different issue to viruses.

    If you allow a Trojan to be installed, the user's DNS records can be modified, redirecting incoming internet traffic through the attacker's servers, where it can be hijacked and injected with malicious websites and pornographic advertisements. The trojan also installs a watchdog process that ensures the victim's (that's you!) DNS records stay modified on a minute-by-minute basis.

    You can read more about how, for example, the OSX/DNSChanger Trojan works here:

    http://www.f-secure.com/v-descs/trojanosxdnschanger.shtml

    SecureMac has introduced a free Trojan Detection Tool for Mac OS X. It's available here:

    http://macscan.securemac.com/

    The DNSChanger Removal Tool detects and removes spyware targeting Mac OS X and allows users to check to see if the trojan has been installed on their computer; if it has, the software helps to identify and remove the offending file. After a system reboot, the users' DNS records will be repaired.

    (Note that a 30 day trial version of MacScan can be downloaded free of charge from:

    http://macscan.securemac.com/buy/

    and this can perform a complete scan of your entire hard disk. After 30 days free trial the cost is $29.99. The full version permits you to scan selected files and folders only, as well as the entire hard disk. It will detect (and delete if you ask it to) all 'tracker cookies' that switch you to web sites you did not want to go to.)

    A white paper has recently been published on the subject of Trojans by SubRosaSoft, available here:

    http://www.macforensicslab.com/ProductsAndServices/index.php?mainpage=document_general_info&cPath=11&productsid=174

    Also, beware of MacSweeper:

    MacSweeper is malware that misleads users by exaggerating reports about spyware, adware or viruses on their computer. It is the first known "rogue" application for the Mac OS X operating system. The software was discovered by F-Secure, a Finland based computer security software company on January 17, 2008

    http://en.wikipedia.org/wiki/MacSweeper

    On June 23, 2008 this news reached Mac users:

    http://www.theregister.co.uk/2008/06/23/mac_trojan/

    More on Trojans on the Mac here:

    http://www.technewsworld.com/story/63574.html?welcome=1214487119

    This was published on July 25, 2008:

    Attack code that exploits flaws in the net's addressing system are starting to circulate online, say security experts.

    The code could be a boon to phishing gangs who redirect web users to fake bank sites and steal login details.

    In light of the news net firms are being urged to apply a fix for the loop-hole before attacks by hi-tech criminals become widespread.

    Net security groups say there is anecdotal evidence that small scale attacks are already happening.

    Further details here: http://news.bbc.co.uk/2/hi/technology/7525206.stm

    A further development was the Koobface malware that can be picked up from Facebook (already a notorious site for malware, like many other 'social networking' sites), as reported here on December 9, 2008:

    http://news.bbc.co.uk/newsbeat/hi/technology/newsid_7773000/7773340.stm

    You can keep up to date, particularly about malware present in some downloadable pirated software, at the Securemac site:

    http://www.securemac.com/

    There may be other ways of guarding against Trojans, viruses and general malware affecting the Mac, and alternatives will probably appear in the future. In the meantime the advice is: be careful where you go on the web and what you download!

    If you think you may have acquired a Trojan, and you know its name, you can also locate it via the Terminal:

    http://theappleblog.com/2009/04/24/mac-botnet-how-to-ensure-you-are-not-part-of- the-problem/

    As to the recent 'Conficker furore' affecting Intel-powered computers, MacWorld recently had this to say:

    http://www.macworld.co.uk/news/index.cfm?email&NewsID=25613

    Although any content that you download has the possibility of containing malicious software, practising a bit of care will generally keep you free from the consequences of anything like the DNSChanger trojan.
    1. Avoid going to suspect and untrusted Web sites, especially p'orn'ography sites.

    2. Check out what you are downloading. Mac OS X asks you for you administrator password to install applications for a reason! Only download media and applications from well-known and trusted Web sites. If you think you may have downloaded suspicious files, read the installer packages and make sure they are legit. If you cannot determine if the program you downloaded is infected, do a quick Internet search and see if any other users reported issues after installing a particular program.

    3. Use an antivirus program like ClamXav. If you are in the habit of downloading a lot of media and other files, it may be well worth your while to run those files through an AV application.

    4. Use Mac OS X's built-in Firewalls and other security features.

    5. Stop using LimeWire. LimeWire (and other peer-to-peer sharing applications) are hotbeds of potential software issues waiting to happen to your Mac. Everything from changing permissions to downloading trojans and other malicious software can be acquired from using these applications.

    6. Resist the temptation to download pirated software. After the release of iWork '09 earlier this year, a Trojan was discovered circulating in pirated copies of Apple's productivity suite of applications (as well as pirated copies of Adobe's Photoshop CS4). Security professionals now believe that the botnet (from iServices) has become active. Although the potential damage range is projected to be minimal, an estimated 20,000 copies of the Trojan have been downloaded. SecureMac offer a simple and free tool for the removal of the iBotNet Trojan available here:

    http://macscan.securemac.com/files/iServicesTrojanRemovalTool.dmg

    Last but not least, there is the potential for having your entire email contact list stolen for use for spamming:

    http://www.nytimes.com/2009/06/20/technology/internet/20shortcuts.html?_r=1
  • coding_guy Level 1 Level 1 (0 points)
    Wow! That was a very informative post.

    I was hit some time ago by the DNS redirect attack, and performed the recommended steps to remove that problem (remove the cron entry, clean the DNS file, etc.)

    I'll follow your post and (with any luck) clean my machine.

    Thanks!
  • K Shaffer Level 6 Level 6 (11,610 points)
    You do not specify if the computer in this discussion has &/or uses a BootCamp
    partition containing a Windows OS XP/Vista, or other second system that may
    be capable of harboring malware; which would require extra effort to maintain.

    If the computer has the installed option or is actively using a Windows system
    then other tasks should be considered to protect that aspect of your computer
    from outside malware issues. The Mac OS X system is not directly affected in
    this instance, however the Windows OS, if present, requires due diligence as
    any other brand of PC would, to be ahead of the issues known to Windows OS.

    If not, then consider yourself relieved of the extra duty to maintain a lesser OS.

    Good luck & happy computing!
  • Luvin my Pod Level 1 Level 1 (0 points)
    Klaus1, Thank you for a most informative post, It was very well written.