
Mac Defender

Mac Defender has appeared in my iMac (OS X 10.6.7)

I tried to remove it by dragging the program to the trash from the applications folder, but I can't because the program is open.

The program is pretending to be an antivirus program (send $$), obviously a scam.

I re-started but I can't stop it from loading.


There is very little info on this program out there (MacDefender.app)


Any ideas?

iMac, Mac OS X (10.6.7)

Posted on Apr 30, 2011 8:41 AM

176 replies

May 2, 2011 11:00 PM in response to WZZZ

WZZZ wrote:

etresoft wrote: I just created my own MyTrojan.pkg.zip package. With the default Safari settings, just downloading this file will unzip it and start the installer.

Yes, the installer (Apple's Installer.app in the case of the MacDefender malware) will start (launch). But it will not install anything until & unless the user initiates that action by pressing the "Install" button.


I'm not sure it is actually possible to "fill the installer with animated GIFs" -- Installer.app generates the user interface & just reads content from the .pkg or .mkpkg files that launch it -- but even if it did, this is no different from what the rogue website did to simulate a scan. The install process is still controlled by Installer.app & nothing will be installed unless the user presses the "Install" button.


Sure, someone could attempt to use a preinstall script to do something malicious before anything is actually installed but, as explained in the "Component Package Scripts pane" section of this developer doc, that triggers a user warning before it will do so. The user has to dismiss & ignore that for anything to happen.


This malware is a social engineering exploit, not some new vector of attack that bypasses the security features built into OS X.


BTW, you might want to check out this Sophos article, which explains the attack in detail, including the fact that its free 'home edition' AV software for Macs already detects multiple versions of this 'fakeAV' exploit.
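An added example, not part of any post in this thread: a Python check that lists the installer packages and install-time scripts inside a downloaded zip without extracting or opening it, which is the step that gets skipped when Safari's default setting unzips a download and launches Installer. The file names in the constructed sample are hypothetical; the script names are the ones used by bundle-style packages, and flat packages are recognised by their xar header.

```python
import io
import zipfile

PKG_SUFFIXES = (".pkg", ".mpkg")
# Install-time script names used inside bundle-style packages.
SCRIPT_NAMES = {"preflight", "preinstall", "preupgrade",
                "postinstall", "postupgrade", "postflight"}
XAR_MAGIC = b"xar!"  # flat packages are xar archives


def triage_zip(data):
    """List packages and install scripts in a zip without extracting it."""
    packages, scripts, flat = set(), [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            parts = [p for p in info.filename.split("/") if p]
            pkg_idx = [i for i, p in enumerate(parts)
                       if p.lower().endswith(PKG_SUFFIXES)]
            if not pkg_idx:
                continue  # entry is not inside (or itself) a package
            packages.add("/".join(parts[: pkg_idx[0] + 1]))
            if info.is_dir():
                continue
            if pkg_idx[-1] == len(parts) - 1:
                # A *file* named .pkg: flat package if it starts with xar magic.
                with zf.open(info) as fh:
                    if fh.read(4) == XAR_MAGIC:
                        flat.append(info.filename)
            elif parts[-1] in SCRIPT_NAMES:
                scripts.append(info.filename)
    return {"packages": sorted(packages), "scripts": sorted(scripts),
            "flat_packages": sorted(flat)}


def build_sample():
    """Constructed sample archive (hypothetical names, harmless content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Sample.pkg/Contents/Info.plist", "<plist/>")
        zf.writestr("Sample.pkg/Contents/Resources/preinstall",
                    "#!/bin/sh\nexit 0\n")
        zf.writestr("Flat.pkg", XAR_MAGIC + b"\x00" * 24)
        zf.writestr("readme.txt", "hello")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample()))
```

Scripts inside a flat package are not listed here, because reading a xar table of contents needs more than the standard library; a flat package is only reported as present.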

May 3, 2011 6:02 AM in response to anne e

I got hit with this this morning...I also installed it (have spent the last month planning a trip to Europe and a couple days ago I had a problem opening a .doc contract from a rental company). I thought perhaps there may have been a reason for that...or that that particular .doc may have been infected and my Microsoft Word app was somehow invaded. Yes, I should have known better but the MacDefender script makes it appear there really are "infected" files, etc. It all "happened" too quickly. As soon as I did it, I logged on here to check out my suspicions. I deleted the program using "Clean My Mac" and following the instructions in this thread, it appears to have cleaned out all the junk that came with the nasty little program.


Now I want my morning coffee.

May 5, 2011 5:51 AM in response to RadiomomDW

Gees! When will people learn that Macs are not infected by viruses and installing any antivirus software is the same as installing malware and/or spyware on your Mac? Just be careful what you download. I've used Macs for over a decade, both for business and pleasure and never run any anti-virus junk software nor have I ever had any issues. All this virus malarky is just left over paranoia from Windoze users. If your machine or browser is running bad it is because of a corrupt cache and/or preference file. That is all it can be.

May 5, 2011 6:40 AM in response to Silly rabbit

Silly rabbit wrote:

Gees! When will people learn that Macs are not infected by viruses and installing any antivirus software is the same as installing malware and/or spyware on your Mac?

That is a very simple view of a very complex topic. All AV software is not alike, & like every other kind of software -- including malware -- it evolves over time.


And just being careful is not necessarily enough: Apple takes trojans seriously enough that it has quietly added a modest amount of AV software into Snow Leopard itself, & although it works much like commercial AV software, it is currently limited to three specific types of trojans & is rarely updated.


The people easiest to fool are those that believe they can't be fooled. Whatever you decide to do about malware threats, don't think that just because you use a Mac you are immune. You may not always be able to tell a rogue web site from a legitimate one, or what looks like an Apple interface item from a bogus one. Pay careful attention not just to what you download or where it comes from, but also what happens after you download it.


If you are not an expert Mac OS user or for any other reason are not confident about your ability to tell trojans from legitimate software, you might want to consider AV software. Some users may need to configure their Macs for more security than the default, & Apple makes available guides for this as well.


It isn't all just malarky or paranoia. There are devious & clever people out there trying their best to compromise your Mac, & their attacks are getting increasingly more sophisticated & polished.

May 5, 2011 7:10 AM in response to Silly rabbit

"Gees! When will people learn that Macs are not infected by viruses and installing any antivirus software is the same as installing malware and/or spyware on your Mac? Just be careful what you download. I've used Macs for over a decade, both for business and pleasure and never run any anti-virus junk software nor have I ever had any issues. All this virus malarky is just left over paranoia from Windoze users. If your machine or browser is running bad it is because of a corrupt cache and/or preference file. That is all it can be."


i've had the same load of Windows XP on a machine for 9 years and never had an infection and have never run A/V software. and i ran several P2P file-sharing apps over that time. like i said before, it comes down to the user. you can pack your Windows system with all kinds of "defenses" but if you're not smart you WILL get infected.

as Mac becomes more popular you'll see malware written specifically for Mac OS. where there's a will there's a way. obviously Mac users need to smarten-up as well when i see all these threads about Mac Defender.

May 6, 2011 8:25 AM in response to anne e

I did some testing of this on a crash test dummy Mac I have. I wanted to see how the installer behaved in a Standard User account.


So I did a Google Images search using a keyword that I had heard would find the trojan for me. It took like 20 seconds to find.


So under a Standard User account and Safari's Open "safe" files option checked on, the download unzipped and presented an installer.


However, the installer failed after entering the admin credentials.
