MacJoseph

Q: Heads Up/Warning Mac Defender

Just as a heads up and warning, there have been two incidents in the last hour or so where users are being redirected and Mac Defender seems to have downloaded itself claiming a virus has been detected. This is a trojan and should be deleted immediately. If you feel you need protection perhaps installing ClamXav would be an option. Be careful where you're surfing in the Interwebs. Any information you can provide if you encounter this problem would be greatly appreciated, info such as the browser you're using and the website that is redirecting you.

Regards,

Joseph

MacBook Pro, Mac OS X (10.6.7), 2011 MBP 15" 2.0Ghz 4GB RAM

Posted on Apr 30, 2011 10:24 AM


Page 10 of 13
  • by R C-R, Level 6 (17,700 points), May 24, 2011 11:10 AM in response to drStrangeP0rk

    drStrangeP0rk wrote:

    The good news is it detects all versions I have so no worries for users but it gets to the issue of how we need to create a common way to tag these so we can all be talking the same language. (I saw an article saying that this was agreed upon recently.)

    There are no standards for naming malware. Each company making anti-virus detection & removal software uses whatever conventions it sees fit to use, in part to best support its software.

    Where did you see an article saying there was any agreement about naming malware variants & who was agreeing to what?

  • by My voice is my password, Level 2 (282 points), Old Hardware, May 24, 2011 4:20 PM in response to MacJoseph

    Apple recently published an article - How to avoid or remove Mac Defender malware:

    http://support.apple.com/kb/HT4650

    -mvimp

  • by drStrangeP0rk, Level 1 (0 points), May 25, 2011 4:02 PM in response to MadMacs0

    Yep, but you never know.

  • by Tony Curtis, Level 1 (5 points), May 29, 2011 7:54 PM in response to My voice is my password

    AFAIK redirection downloads the payload. In this case Little Snitch http://www.obdev.at/products/littlesnitch/index.html would protect against this, IF, the user understands ANY unrequested redirection is suspicious, and inhibits the redirection Snitch informs of.

  • by MadMacs0, Level 5 (4,801 points), May 29, 2011 9:22 PM in response to Tony Curtis

    I use Little Snitch and it has never said a word when I have visited a couple of these sites (on purpose).  I'm fairly certain that they use port 80 which is wide open for all my browsers.  I'm not familiar with any way to restrict redirections in Snitch, but I'll have to check that out.

  • by R C-R, Level 6 (17,700 points), May 29, 2011 9:51 PM in response to Tony Curtis

    It isn't a redirect. It is the result of SEO poisoning, in which search services like the one Google provides are tricked into ranking malicious web pages as popular ones in search results. You can search this site using the phrase "SEO poisoning" to find several posts that go into the details of how this exploit works.

  • by MadMacs0, Level 5 (4,801 points), May 29, 2011 10:32 PM in response to R C-R

    I know everybody says that's what it is and I think I have read through most of the details, but none of them explained what I observed.  For instance, during the hunt for MacGuard last week, I was given a Google URL, which would have been the SEO poison site, saw the image and within seconds found myself at one of the known download sites where the download began.  Was that not a JavaScript redirect?  I then hit the back button on my browser and was soon sent to a completely different IP where a second download commenced.

  • by Tony Curtis, Level 1 (5 points), May 29, 2011 11:09 PM in response to MadMacs0

    Makes sense. (Can't see method to config LS to detect redirects.) A contiguous port 80 wouldn't be detected by LS, (I think?) However, I thought the redirect downloaded a 'pointer' to get the .zip via manipulating the Browser? In this case, I believe, LS would ask permission.

    It doesn't matter if it's an SEO, the link redirected to contains the payload??

    Interesting read: http://www.reedcorner.net/news.php/?p=82

  • by R C-R, Level 6 (17,700 points), May 29, 2011 11:05 PM in response to MadMacs0

    What exactly do you mean by a Google URL? Did it begin with http://www.google.com/ or something else? If so, did you do anything at all after that page loaded? What image did you see?

    Message was edited by: R C-R (fighting the ASC formatting)

  • by MadMacs0, Level 5 (4,801 points), May 29, 2011 11:48 PM in response to R C-R

    R C-R wrote:

    What exactly do you mean by a Google URL? Did it begin with http://www.google.com/ or something else? If so, did you do anything at all after that page loaded? What image did you see?

    Yes it did.  I have it documented and was going to put it here, but turns out it's active at the present time, so I sent it to mailinator with Subject: MacGuard.  I checked and it did not arrive, so I resent it to the alternate address and that hasn't arrived either.  (There are two other messages waiting there, however.)  If it doesn't I'll post a partial URL that I've verified won't work.

    The image is a bare hard drive being erased with a pink and grey pencil eraser.

  • by MadMacs0, Level 5 (4,801 points), May 30, 2011 12:34 AM in response to MadMacs0

    I used Firefox this time and NoScript stops the redirect.  More about that later.

    Here's a screenshot showing a partial URL and the source of the image: Picture 1.png

    The image site antiqueamulets.com (66.147.242.166) belongs to bluehost.com and has some interesting registration info here http://www.whois.net/whois/antiqueamulets.com

    NoScript is blocking one or more scripts from this site.  Google's script(s) have been allowed.

    www.whitecanyon.com (198.171.144.170) belongs to whitec.securesites.net

    Registrant:
    WhiteCanyon Inc.
       ATTN WHITECANYON.COM
       care of Network Solutions
       PO Box 459
       Drums, PA.  US

  • by MadMacs0, Level 5 (4,801 points), May 30, 2011 1:02 PM in response to MacJoseph

    I received this tip a few moments ago from a ClamXav user in Maui who apparently stumbled across a MacGuard site while browsing the PJ Media site.  A few minutes later the webmaster had posted this note speculating that the redirects were coming from an ad -- < Edited by Host >. In addition to passing on removal information he seems to have done some code sleuthing in the response to a comment at the bottom of the page.

  • by jsd2, Level 5 (6,215 points), May 30, 2011 4:24 AM in response to R C-R

    A few weeks ago this Intego blog posting, How SEO Poisoning Works and Why You Should Care, referred readers to this highly technical analysis of how Google image search results were being exploited by malware:

    Thousands of Hacked Sites Seriously Poison Google Image Search Results

    Summary sentence:

    The attack uses cloaking to feed keyword-rich pages with hot-linked images to search engine bots and return a malicious JavaScript that redirects to fake AV sites to visitors that come from search engines.

    See the article for technical details.
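The cloaking jsd2's summary describes (one page for the crawler, a JavaScript redirect for visitors who arrive from a search engine) can be checked for from the site-owner's side by fetching the same URL under two identities and comparing what comes back. The script below is an added example, not code from the thread or from the Intego/Unmask Parasites articles; the request headers, the sample pages and the two simulated hosts (`compromised_site`, `clean_site`) are constructed so the check runs offline. A real fetcher would make the HTTP request with the given headers and return the body.

```python
"""Check one URL for search-engine cloaking with a conditional redirect.

Added example (not from the thread). The page is fetched twice, once
presenting as a search crawler and once as a visitor referred by a search
results page. Keyword pages for the crawler plus a JavaScript redirect for
the visitor is the pattern being detected. The fetcher is injected so the
check runs offline against constructed sample pages.
"""
import difflib
import re
from typing import Callable, Dict, List

# Request profiles (header values constructed for this example).
CRAWLER_HEADERS = {"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)"}
SEARCH_VISITOR_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) Safari/533.21",
    "Referer": "http://www.google.com/images?q=hard+drive",
}

# Client-side constructs that send the browser elsewhere without a click.
REDIRECT_PATTERNS = {
    "location-assignment": re.compile(
        r"\b(?:window|document|top|self)\.location(?:\.href)?\s*=", re.I),
    "location-call": re.compile(r"\blocation\.(?:replace|assign)\s*\(", re.I),
    "meta-refresh": re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I),
}

Fetcher = Callable[[str, Dict[str, str]], str]


def redirect_indicators(html: str) -> List[str]:
    """Names of the redirect patterns present in an HTML body."""
    return [name for name, pat in REDIRECT_PATTERNS.items() if pat.search(html)]


def check_cloaking(url: str, fetch: Fetcher) -> Dict[str, object]:
    """Compare the crawler's view of a URL with a search visitor's view."""
    crawler_body = fetch(url, CRAWLER_HEADERS)
    visitor_body = fetch(url, SEARCH_VISITOR_HEADERS)
    similarity = difflib.SequenceMatcher(None, crawler_body, visitor_body).ratio()
    crawler_hits = set(redirect_indicators(crawler_body))
    visitor_only = [n for n in redirect_indicators(visitor_body)
                    if n not in crawler_hits]
    return {
        "similarity": round(similarity, 2),
        "visitor_only_redirects": visitor_only,
        # A large content divergence, or a redirect served only to search
        # visitors, is enough to call the page cloaked.
        "cloaked": similarity < 0.8 or bool(visitor_only),
    }


# --- Constructed sample site (hypothetical hosts, .example TLD) -------------
KEYWORD_PAGE = (
    "<html><body><h1>hard drive erase</h1>"
    "<img src='http://image-host.example/drive.jpg'>"
    "<p>hard drive erase eraser disk wipe hard drive erase</p></body></html>"
)
REDIRECT_PAGE = (
    "<html><body><script>"
    "window.location = 'http://fake-av.example/scan.php';"
    "</script></body></html>"
)
NORMAL_PAGE = "<html><body><h1>Antique amulets</h1><p>Our catalogue.</p></body></html>"


def compromised_site(url: str, headers: Dict[str, str]) -> str:
    """Simulated hacked host: keyword page for crawlers, redirect for search visitors."""
    if "Googlebot" in headers.get("User-Agent", ""):
        return KEYWORD_PAGE
    if "google.com" in headers.get("Referer", ""):
        return REDIRECT_PAGE
    return NORMAL_PAGE


def clean_site(url: str, headers: Dict[str, str]) -> str:
    """Simulated honest host: the same page for everyone."""
    return NORMAL_PAGE


if __name__ == "__main__":
    print(check_cloaking("http://hacked-blog.example/", compromised_site))
    print(check_cloaking("http://hacked-blog.example/", clean_site))
```

Note that a direct visit (no search-engine Referer) to the simulated hacked host returns the normal page, which is exactly why the site owner never sees the problem by loading their own site; the check has to present itself the way a search visitor does.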

  • by R C-R, Level 6 (17,700 points), May 30, 2011 5:34 AM in response to MadMacs0

    As I'm sure you know, normally you arrive at pages like this from a Google image search; after clicking on an image in the search results page the image loads in the foreground & the page it comes from loads in the background.

    I'm not sure if this is technically a redirect or what, but just like with other 'poisoned' Google searches, the user has to click on one of the results of a search to go to the malicious page. Several articles about SEO poisoning say Google image searches are a favorite target, since it is easier to get a high ranking in them than in other searches.

  • by R C-R, Level 6 (17,700 points), May 30, 2011 6:06 AM in response to MadMacs0

    It is a pity that the PJ Media "sticky" is saying that unchecking the 'open safe' option in Safari will "prevent the malicious page from actually installing anything on your machine," instead of making it clear that it will be downloaded even without that option on, & that a user still has to install it.

    WARNING: I tried reloading the PJ Media URL posted here several times & it did eventually result in the MacDefender page loading & the anti-malware.zip package being downloaded. Sophos immediately identified it as 'OSX/FakeAVZp-C' & quarantined it. According to my browser history the URL for the page is in the oddsiti.com domain.

    EDIT: The whois info for oddsiti.com is in part:

    netname:        DIGITALONE-NET
    descr:          DigitalOne AG Colocation and Dedicated Servers
    remarks:        --------------------------------------------------
    remarks:        Please, send abuse reports to abuse@digitalone.com
    remarks:        --------------------------------------------------
    country:        US
    admin-c:        DA440-RIPE
    tech-c:         DA440-RIPE
    status:         ASSIGNED PA
    mnt-by:         MNT-TRI
    source:         RIPE # Filtered

    role:           DigitalOne AG
    address:        12100 Sunrise Valley Drive
    address:        Reston, VA 20191, United States
    abuse-mailbox:  abuse@digitalone.com
    admin-c:        SO1294-RIPE
    tech-c:         SO1294-RIPE
    nic-hdl:        DA440-RIPE
    mnt-by:         MNT-TRI
    source:         RIPE # Filtered

    % Information related to xxx.xxx.xxx.xxx (removed by R C-R)

    route:          xxx.xxx.xxx.xxx (removed by R C-R)
    descr:          True Records Inc.
    remarks:        ------------------------------------------------------
    remarks:        Routing, peering and security:         noc@truerec.com
    remarks:        Spam reports and abuse:              abuse@truerec.com
    remarks:        ------------------------------------------------------
    origin:         AS47328
    mnt-by:         MNT-MBNET
    source:         RIPE # Filtered
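R C-R's whois excerpt above is in the RIPE database's attribute format: one `key: value` per line, blank lines between objects, `%` lines as server comments, and end-of-line `#` remarks such as `# Filtered`. When the job is to report a hosting site, the pieces worth pulling out are the abuse mailbox, the abuse addresses buried in `remarks:` lines, and the originating AS. The parser below is an added example, not part of the thread; the embedded record is the one quoted in the post (the addresses R C-R removed are left as the `xxx` placeholders), and `parse_whois`, `abuse_contacts` and `origin_asns` are names chosen for this example.

```python
"""Parse RIPE-style whois text into objects and pull out abuse contacts.

Added example (not from the thread). The record below is the excerpt quoted
in the post above; elided addresses are kept as the poster left them.
"""
import re
from typing import Dict, List

SAMPLE_WHOIS = """\
netname:        DIGITALONE-NET
descr:          DigitalOne AG Colocation and Dedicated Servers
remarks:        --------------------------------------------------
remarks:        Please, send abuse reports to abuse@digitalone.com
remarks:        --------------------------------------------------
country:        US
admin-c:        DA440-RIPE
tech-c:         DA440-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-TRI
source:         RIPE # Filtered

role:           DigitalOne AG
address:        12100 Sunrise Valley Drive
address:        Reston, VA 20191, United States
abuse-mailbox:  abuse@digitalone.com
admin-c:        SO1294-RIPE
tech-c:         SO1294-RIPE
nic-hdl:        DA440-RIPE
mnt-by:         MNT-TRI
source:         RIPE # Filtered

% Information related to xxx.xxx.xxx.xxx (removed by R C-R)

route:          xxx.xxx.xxx.xxx (removed by R C-R)
descr:          True Records Inc.
remarks:        ------------------------------------------------------
remarks:        Routing, peering and security:         noc@truerec.com
remarks:        Spam reports and abuse:              abuse@truerec.com
remarks:        ------------------------------------------------------
origin:         AS47328
mnt-by:         MNT-MBNET
source:         RIPE # Filtered
"""

ATTR_RE = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*)$", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

WhoisObject = Dict[str, List[str]]


def parse_whois(text: str) -> List[WhoisObject]:
    """Split whois output into objects; repeated attributes keep every value."""
    objects: List[WhoisObject] = []
    current: WhoisObject = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        # A blank line ends the current object; '%' lines are server comments.
        if not line or line.startswith("%"):
            if current:
                objects.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue  # continuation line or noise: ignored in this example
        key = m.group(1).lower()
        value = m.group(2).split("#", 1)[0].strip()  # drop '# Filtered' etc.
        current.setdefault(key, []).append(value)
    if current:
        objects.append(current)
    return objects


def abuse_contacts(objects: List[WhoisObject]) -> List[str]:
    """Abuse mailboxes, from abuse-mailbox attributes and from remarks lines."""
    found = set()
    for obj in objects:
        found.update(obj.get("abuse-mailbox", []))
        for remark in obj.get("remarks", []):
            found.update(e for e in EMAIL_RE.findall(remark) if "abuse" in e.lower())
    return sorted(found)


def origin_asns(objects: List[WhoisObject]) -> List[str]:
    """AS numbers announcing the route objects in the output."""
    return sorted({v for obj in objects for v in obj.get("origin", [])})


if __name__ == "__main__":
    objs = parse_whois(SAMPLE_WHOIS)
    print(len(objs), "objects")
    print("abuse contacts:", abuse_contacts(objs))
    print("origin ASNs:", origin_asns(objs))
```

The `noc@truerec.com` address in the route object is deliberately not returned: the remark labels it for routing and peering, and abuse reports sent there tend to be ignored, so the filter only keeps addresses that the record itself ties to abuse.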
