
Heads Up/Warning Mac Defender

Just as a heads up and warning, there have been two incidents in the last hour or so where users are being redirected and Mac Defender seems to have downloaded itself claiming a virus has been detected. This is a trojan and should be deleted immediately. If you feel you need protection, perhaps installing ClamXav would be an option. Be careful where you're surfing in the Interwebs. Any information you can provide if you encounter this problem would be greatly appreciated, info such as the browser you're using and the website that is redirecting you.


Regards,


Joseph

MacBook Pro, Mac OS X (10.6.7), 2011 MBP 15" 2.0Ghz 4GB RAM

Posted on Apr 30, 2011 10:24 AM

Question marked as Top-ranking reply

Posted on Apr 30, 2011 11:37 AM

This just happened to us too. What is ClamXav?


May 30, 2011 1:42 PM in response to MadMacs0

MadMacs0 wrote:

I was under the impression that the webmaster had disabled the problem or that the malware site had gone cold...

I think this shows that webmasters don't generally have the tools to stop this kind of attack. I have no idea if DigitalOne AG is the only company (probably unknowingly) hosting an infected page, but if I were the webmaster of PJ Media I would either contact DigitalOne AG through the abuse email address or PJ Media's own hosting service to report the problem.

May 30, 2011 4:42 PM in response to R C-R

R C-R wrote:


I think this shows that webmasters don't generally have the tools to stop this kind of attack.

Agree. He did add a comment this morning:


"...it doesn’t even look like it’s their ads that are serving up the initial malicious Javascript vector. Right now it looks like it’s tied to ChronoPay, which is sort of the bearded-Spock Russian version of PayPal."


Also of note, a SANS Institute email this morning (they do Information Security Training and Certification) had this to say about the rise in Web Malware:


"More than one million websites have been infected in the last quarter, over three million malvertising impressions get served per day, and a new web page is infected once a second. There is no escaping the fact that web malware attacks are on a sharp rise. Recently, cybercriminals have been getting more and more aggressive with using social networks, ad networks, and popular web widgets as platforms for the distribution of malware."

May 31, 2011 1:57 PM in response to MacJoseph

Spread the word

APPLE-SA-2011-05-31-1 Security Update 2011-003


Security Update 2011-003 is now available and addresses the following:


File Quarantine

Available for: Mac OS X v10.6.7, Mac OS X Server v10.6.7

Impact: Definition added

Description: The OSX.MacDefender.A definition has been added to the malware check within File Quarantine. Information on File Quarantine is available in this Knowledge Base article: http://support.apple.com/kb/HT3662


File Quarantine

Available for: Mac OS X v10.6.7, Mac OS X Server v10.6.7

Impact: Automatically update the known malware definitions

Description: The system will check daily for updates to the File Quarantine malware definition list. An opt-out capability is provided via the "Automatically update safe downloads list" checkbox in Security Preferences. Additional information is available in this Knowledge Base article: http://support.apple.com/kb/HT4651


Malware removal

Available for: Mac OS X v10.6.7, Mac OS X Server v10.6.7

Impact: Remove the MacDefender malware if detected

Description: The installation process for this update will search for and remove known variants of the MacDefender malware. If a known variant was detected and removed, the user will be notified via an alert after the update is installed. Additional information is available in this Knowledge Base article: http://support.apple.com/kb/HT4651


For Mac OS X v10.6.7 and Mac OS X Server v10.6.

The download file is named: SecUpd2011-003Snow.dmg

Its SHA-1 digest is: 07843c32a8b367fbe4318bdf22dd98013a91cd51
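The advisory above publishes a SHA-1 digest for the update image, which is the one thing a user can check before running the installer. As an added example (not from this thread and not Apple's code), here is a small Python script that recomputes the SHA-1 of a downloaded file in chunks and compares it with the published digest; the default download path is an assumption.

```python
import hashlib
import hmac
import os
import sys

# Digest printed in APPLE-SA-2011-05-31-1 above for SecUpd2011-003Snow.dmg.
EXPECTED_SHA1 = "07843c32a8b367fbe4318bdf22dd98013a91cd51"


def sha1_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a large .dmg is not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected=EXPECTED_SHA1):
    """Return (matches, actual_hex).

    The comparison is constant-time and case-insensitive, so a digest pasted
    from a mail or web page in upper case still matches.
    """
    actual = sha1_of_file(path)
    return hmac.compare_digest(actual, expected.strip().lower()), actual


if __name__ == "__main__":
    # Assumed location of the downloaded image (example path, not from the advisory).
    default = os.path.expanduser("~/Downloads/SecUpd2011-003Snow.dmg")
    target = sys.argv[1] if len(sys.argv) > 1 else default
    if not os.path.isfile(target):
        print(f"no such file: {target}")
        sys.exit(2)
    ok, digest = verify_download(target)
    print(f"{target}\n  SHA-1: {digest}")
    print("  matches published digest" if ok else "  DOES NOT MATCH published digest")
    sys.exit(0 if ok else 1)
```

Run it with the path to the .dmg as the only argument; a non-zero exit means the file is not the image Apple published and should not be installed.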

May 31, 2011 3:14 PM in response to MadMacs0

Good news indeed. Maybe the most significant part of this is the daily check for updates to the malware definition list. That would seem to indicate that Apple is adopting the practices of some of the anti-virus vendors to get these updates to users quickly, instead of waiting for them to check for updates manually.

Jun 1, 2011 8:29 PM in response to Tony Curtis

Yes, & there are probably more to follow. However, they are all still basically the same trojan & require user help to be installed. If you don't install anything you did not explicitly download yourself, the trojan can't succeed.


The press & other media sources have not been particularly good about reporting that fact, instead opting for more sensational stories implying OS X has suddenly become just as susceptible to "viruses" as Windows.


Of course, viruses are a different & much harder kind of malware to engineer, & there are still no known ones capable of infecting OS X in the wild, but that doesn't grab eyeballs or the revenue that comes with that.


I suspect the media is making far more off this trojan than its author ever will.

Jun 1, 2011 8:52 PM in response to R C-R

Last night was interesting as I found a link that offered a variant of this thing.

I use Camino and never went past the "Open" part.

Force-Quit on several attempts and tried a traceroute on the URL to 'serverside.su' that appears to be a German block with Russian text??

Looked for Cookies etc but nothing was downloaded?

However, found a MacProtector.mpkg.zip (4k) within my downloads Folder today? Must have come down while exploring last night bypassing the requirement to accept scanning?

ClamXav doesn't recognise it in .zip form and I haven't unzipped it yet.

BBEdit seems to show it's some form of code, so think it's the real thing?

Interesting that the url I found was consistently active but didn't know whether the payload source was.

Just downloaded Mac Sophos home to see what it does.

Jun 1, 2011 8:58 PM in response to Tony Curtis

Tony Curtis wrote:


Last night was interesting as I found a link that offered a variant of this thing.

I use Camino and never went past the "Open" part.

Force-Quit on several attempts and tried a traceroute on the URL to 'serverside.su' that appears to be a German block with Russian text??

Looked for Cookies etc but nothing was downloaded?

However, found a MacProtector.mpkg.zip (4k) within my downloads Folder today? Must have come down while exploring last night bypassing the requirement to accept scanning?

ClamXav doesn't recognise it in .zip form and I haven't unzipped it yet.

It should have. Please do not delete it yet. Upload it to http://www.virustotal.com. If it says that clamav does not classify it as malware, upload it again to http://cgi.clamav.net/sendvirus.cgi

Jun 2, 2011 10:19 AM in response to Tony Curtis

Tony Curtis wrote:

Sophos didn't recognise it as a problem; neither did your first URL.

With the default settings, Sophos should have no problems identifying the MacProtector.mpkg.zip immediately on download -- the definition for that was added within a day or so of its appearance. If it isn't doing that, check the settings. In particular, make sure that the "On-access" scanner is on & that the option for "Scan inside archives & compressed files" is on.


These are the defaults but if you have changed them, for instance by turning off the "On-access" scanner, it won't be able to detect anything. If the 'scan inside' option is not on, it won't detect zip files until they are unzipped.

Jun 2, 2011 11:19 AM in response to Tony Curtis

Tony Curtis wrote:


Sophos didn't recognise it as a problem; neither did your first URL. Uploaded to Clam.

Tony,


The ClamAV signature writer could not find the file by searching for "MacProtector". Was "MacProtector.mpkg.zip" the exact name of the file you uploaded to ClamAV? It might also be helpful to have the ID provided by VirusTotal when you uploaded there, if you have it. You should be able to find it in your browser history as a URL you can post here, as well.


For R C-R


We think this may be something new disguised as an older version. Most of the usual sites have gone cold today and those that still work are dispensing older versions, but this could be something else that came out before they shut it down.
