
Heads Up/Warning Mac Defender

Just as a heads up and warning, there have been two incidents in the last hour or so where users are being redirected and Mac Defender seems to have downloaded itself claiming a virus has been detected. This is a trojan and should be deleted immediately. If you feel you need protection perhaps installing ClamXav would be an option. Be careful where you're surfing in the Interwebs. Any information you can provide if you encounter this problem would be greatly appreciated, info such as the browser you're using and the website that is redirecting you.


Regards,


Joseph

MacBook Pro, Mac OS X (10.6.7), 2011 MBP 15" 2.0Ghz 4GB RAM

Posted on Apr 30, 2011 10:24 AM

Question marked as Top-ranking reply

Posted on Apr 30, 2011 11:37 AM

This just happened to us too. What is ClamXav?

190 replies

May 2, 2011 10:28 AM in response to aliasnexus0

aliasnexus0 wrote:


I do not believe it is a Flash based exploit. I have Flash disabled by default in Chrome, and I have to manually activate any Flash plugins that try to load.


From reading around it appears to be a JavaScript exploit. More details here: http://www.macrumors.com/2011/05/02/new-macdefender-malware-threat-for-mac-os-x/


Ah! Good to know.


So then to stop this is to turn off JavaScript in Safari preferences, which would be a hassle to hit preferences to turn it on if one needed it on a trusted site.


Or simply use Firefox and the NoScript Add-on, turn it on with a click on the Toolbar button if you trust the site.

May 2, 2011 10:37 AM in response to MacJoseph

Here are some safety precautions you could take on your Mac. Some are more reasonable than others, and how you use your computer will partially dictate what is appropriate for your uses. However, the ones with an asterisk (*) are ideas that are pretty basic and should be done (in my opinion) by everyone.

  1. * Don't run as an administrator level account
  2. * Make sure your administrative account(s) has/have a strong password
  3. * Uncheck any browser options that automatically open files
  4. * Disable any browser features that you do not need (Example: If you never use Java or Flash then disable them, you can always enable them again for the few times you might need them, when those occasions occur)
    • Given this instance, I'm considering disabling JavaScript for Google sites.
    • I also generally disable pop-ups unless a site I trust needs it for a specific reason, then I enable it only while I perform that task.
  5. * Never enter your computer account's login/password for anything you didn't explicitly run and trust.
  6. If you want to be extra cautious, then enable parental controls on the account you use and only enable the programs you need on a daily basis, and disable everything else, including the Installer application.
  7. If you want Anti-Virus:
    • ClamAVx (http://ClamAVx.com)
    • Mac Scan (http://macscan.securemac.com)
    • Avast
    • Virus Barrier
    • Symantec (Norton) & McAfee both make products, but be prepared for your system to slow down a fair amount
    • I'm sure there are other good products, I just haven't used many others.
  8. If you want to make sure programs (like malware) are not "phoning home" then I'd suggest a program called: "Little Snitch". It allows you to authorize or deny outgoing network communications.
  9. Enable your Mac's Firewall (System Preferences >> security >> Firewall)
  10. Lock your keychain when you don't need it.
    • (Applications/Utilities/KeyChain Access.app) >> Preferences>>Show Status in menu bar.
    • This will add a little lock icon, up by the clock, click on it and lock all key chains when not in use.
  11. * Change your password(s) regularly
  12. * Only give your credit card and/or other personal information on secured websites that are reputable and for sites/programs where you intentionally initiated the purchase transaction.
  13. Use separate, encrypted disk images to store your data, and only authenticate and mount the specific ones you need, when you need it. Then dismount the disk images and lock your keychain when you're done. (Reaching into the realm of paranoia now)

May 2, 2011 10:44 AM in response to MacJoseph

The malware "MacDefender" is a "driveby download" utilizing Javascript.


It's rather simple to defeat this from occurring:


1: Download Firefox 4.0


2: Install the NoScript Add-on


3: Install the Public Fox Add-on.


4: Hit the Toolbar Customize and drag the "Temp Allow All This page" NoScript button to the Toolbar


5: Set up PublicFox to require a password before a download occurs.


As you surf the web with NoScript, all "scripts" including JavaScript, will be turned off by default.

If you trust the site and need scripts to run, click the Temp Allow button.


If your Public Fox pops up asking for your password, you know you got a driveby download, cancel it and notify the website owner.


Note: Public Fox is searched at Mozilla as "Public Fox"

May 2, 2011 4:37 PM in response to MacJoseph

Hello Joseph,


Just to let you know that I too, was using google images, (on chrome) when the malware hit my macbook.



I'm only 17 and am an IT NOOB, so a warning popped up telling me to download 'macdefender' and, the idiot that I am, I downloaded it (I thought it sounded like a genuine anti-virus and I just bought the MacBook so without thinking I got myself into that situation). This all happened to me yesterday but before I read this discussion, a friend of mine found this link which helped me permanently delete mac defender.


http://thenextweb.com/apple/2011/05/02/bogus-macdefender-malware-campaign-targets-mac-users-using-google-images/


These steps were probably already mentioned in this discussion but I found it easy to follow. So I'd recommend anyone who got hit by the malware to go to the link, scroll down, and follow those 5 steps. I have now permanently deleted mac defender (I'm pretty sure). So yeah. 🙂


Cheers guys. Nadiah x

May 3, 2011 2:50 PM in response to MacJoseph

Thank you for your help the other day. I just thought I would let you know we were on google again, looking at pictures again and the program downloaded itself again. We were furiously trying to get out of it and before we could it downloaded again. We followed your instructions and took it off but I see that you are trying to track this problem so I thought I would let you know.


Thanks again


Angelique

May 3, 2011 3:15 PM in response to aatyler

Angelique


Sorry to hear it tried to bite you again. Yes, Mad Macs is trying to get a handle on it. I know most people say you don't need virus protection, and that's true, however I would rather have peace of mind. So I run ClamXav. I also use the Clam Sentry feature which you can set to actively scan your entire hard disk, and will scan files as you download them. This is what I do. Mad Macs said ClamXav would be updated for the MacDefender Trojan. I don't know what web browser you use, but if it is Firefox you can get some security extensions. If you're using Safari try GlimmerBlocker. I'm glad to have been able to help you.


Regards,


Joseph

May 3, 2011 9:24 PM in response to MacJoseph

Hard to say. There are like 150 servers used by clamav.net to distribute database updates around the world. The updater process does its best to figure out the closest one to your location to make it easier to connect and for network balancing. Normally it will try five different mirrors before giving up, but there could be other network issues involved. I've never seen the entire network go down, but individual servers go down or out of date all the time. If it hasn't cleared up in an hour or two, come over to http://markallan.co.uk/BB/viewforum.php?f=1 and we can work it out over there. Meanwhile take a look at your update log for additional clues.


-Al-
