MacJoseph

Q: Heads Up/Warning Mac Defender

Just as a heads up and warning, there have been two incidents in the last hour or so where users are being redirected and Mac Defender seems to have downloaded itself claiming a virus has been detected. This is a trojan and should be deleted immediately. If you feel you need protection, perhaps installing ClamXav would be an option. Be careful where you're surfing in the Interwebs. Any information you can provide if you encounter this problem would be greatly appreciated, info such as the browser you're using and the website that is redirecting you.

Regards,

Joseph

MacBook Pro, Mac OS X (10.6.7), 2011 MBP 15" 2.0Ghz 4GB RAM

Posted on Apr 30, 2011 10:24 AM

  • by MadMacs0, Level 5 (4,801 points), May 30, 2011 12:43 PM in response to R C-R

    R C-R wrote:

    WARNING: I tried reloading the PJ Media URL posted here several times & it did eventually result in the MacDefender page loading & the anti-malware.zip package being downloaded.

    My apologies to anybody who was surprised by accessing this link.  I was under the impression that the webmaster had disabled the problem or that the malware site had gone cold, because I wasn't seeing it.  I now realize that it was because I was using Safari with Safari Adblock installed, so I wasn't seeing any of the ads.

  • by ds store, Level 7 (30,400 points), May 30, 2011 1:03 PM in response to MadMacs0

    MadMacs0 wrote:

    My apologies to anybody who was surprised by accessing this link...

    Posted it to the Hosts for removal.

  • by R C-R, Level 6 (17,690 points), May 30, 2011 1:42 PM in response to MadMacs0

    MadMacs0 wrote:

    I was under the impression that the webmaster had disabled the problem or that the malware site had gone cold...

    I think this shows that webmasters don't generally have the tools to stop this kind of attack. I have no idea if DigitalOne AG is the only company (probably unknowingly) hosting an infected page, but if I were the webmaster of PJ Media I would either contact DigitalOne AG through the abuse email address or PJ Media's own hosting service to report the problem.

  • by MadMacs0, Level 5 (4,801 points), May 30, 2011 4:42 PM in response to R C-R

    R C-R wrote:

    I think this shows that webmasters don't generally have the tools to stop this kind of attack.

    Agree. He did add a comment this morning:

    "...it doesn't even look like it's their ads that are serving up the initial malicious Javascript vector. Right now it looks like it's tied to ChronoPay, which is sort of the bearded-Spock Russian version of PayPal."

    Also of note, a SANS Institute email this morning (they do Information Security Training and Certification) had this to say about the rise in Web Malware:

    "More than one million websites have been infected in the last quarter, over three million malvertising impressions get served per day, and a new web page is infected once a second. There is no escaping the fact that web malware attacks are on a sharp rise. Recently, cybercriminals have been getting more and more aggressive with using social networks, ad networks, and popular web widgets as platforms for the distribution of malware."

  • by MadMacs0, Level 5 (4,801 points), May 31, 2011 1:57 PM in response to MacJoseph

    Spread the word

    APPLE-SA-2011-05-31-1 Security Update 2011-003

    Security Update 2011-003 is now available and addresses the following:

    File Quarantine

    Available for: Mac OS X v10.6.7, Mac OS X Server v10.6.7

    Impact: Definition added

    Description: The OSX.MacDefender.A definition has been added to the malware check within File Quarantine. Information on File Quarantine is available in this Knowledge Base article: http://support.apple.com/kb/HT3662

    File Quarantine

    Available for: Mac OS X v10.6.7, Mac OS X Server v10.6.7

    Impact: Automatically update the known malware definitions

    Description: The system will check daily for updates to the File Quarantine malware definition list. An opt-out capability is provided via the "Automatically update safe downloads list" checkbox in Security Preferences. Additional information is available in this Knowledge Base article: http://support.apple.com/kb/HT4651

    Malware removal

    Available for: Mac OS X v10.6.7, Mac OS X Server v10.6.7

    Impact: Remove the MacDefender malware if detected

    Description: The installation process for this update will search for and remove known variants of the MacDefender malware. If a known variant was detected and removed, the user will be notified via an alert after the update is installed. Additional information is available in this Knowledge Base article: http://support.apple.com/kb/HT4651

    For Mac OS X v10.6.7 and Mac OS X Server v10.6.

    The download file is named: SecUpd2011-003Snow.dmg

    Its SHA-1 digest is: 07843c32a8b367fbe4318bdf22dd98013a91cd51
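    A quick way to check a downloaded copy of the update against the digest Apple published, as an added example that is not part of the original post or of Apple's advisory. The only value taken from the thread is the SHA-1 above; the download path in the usage line is an assumption.

    ```python
    """Verify a downloaded file against a published SHA-1 digest.

    Added example, not code from the thread.  The constant below is the
    digest Apple published for SecUpd2011-003Snow.dmg in APPLE-SA-2011-05-31-1.
    """
    import hashlib
    import hmac
    import io
    import sys

    # From the advisory quoted above.
    EXPECTED_SECUPD_2011_003_SHA1 = "07843c32a8b367fbe4318bdf22dd98013a91cd51"


    def _sha1_of_stream(stream, chunk_size=1 << 20):
        """Hash a stream in 1 MiB chunks so a large .dmg never has to fit in memory."""
        h = hashlib.sha1()
        for chunk in iter(lambda: stream.read(chunk_size), b""):
            h.update(chunk)
        return h.hexdigest()


    def sha1_hex_bytes(data):
        """Hex SHA-1 of an in-memory byte string (handy for tests and small files)."""
        return _sha1_of_stream(io.BytesIO(data))


    def sha1_hex(path):
        """Hex SHA-1 of the file at `path`."""
        with open(path, "rb") as f:
            return _sha1_of_stream(f)


    def verify_digest(path, expected_hex):
        """True if the file's SHA-1 equals expected_hex (case-insensitive).

        hmac.compare_digest is a constant-time comparison; it matters little for
        a local file check, but it is the right habit whenever digests are compared.
        """
        return hmac.compare_digest(sha1_hex(path), expected_hex.strip().lower())


    if __name__ == "__main__":
        # Usage (path is an assumption): python verify_update.py ~/Downloads/SecUpd2011-003Snow.dmg
        target = sys.argv[1]
        actual = sha1_hex(target)
        if verify_digest(target, EXPECTED_SECUPD_2011_003_SHA1):
            print("OK      ", actual, target)
        else:
            print("MISMATCH", actual, target, "expected", EXPECTED_SECUPD_2011_003_SHA1)
            sys.exit(1)
    ```

    A mismatch means the file is not the one Apple signed off on (corrupt download, wrong file, or something substituted in transit) and should not be installed. On a Mac the same number can be obtained with `openssl sha1 SecUpd2011-003Snow.dmg`; the script only adds the comparison.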

  • by R C-R, Level 6 (17,690 points), May 31, 2011 3:14 PM in response to MadMacs0

    Good news indeed. Maybe the most significant part of this is the daily check for updates to the malware definition list. That would seem to indicate that Apple is adopting the practices of some of the anti-virus vendors to get these updates to users quickly, instead of waiting for them to check for updates manually.

  • by Tony Curtis, Level 1 (5 points), Jun 1, 2011 8:14 PM in response to R C-R
  • by R C-R, Level 6 (17,690 points), Jun 1, 2011 8:29 PM in response to Tony Curtis

    Yes, & there are probably more to follow. However, they are all still basically the same trojan & require user help to be installed. If you don't install anything you did not explicitly download yourself, the trojan can't succeed.

    The press & other media sources have not been particularly good about reporting that fact, instead opting for more sensational stories implying OS X has suddenly become just as susceptible to "viruses" as Windows.

    Of course, viruses are a different & much harder kind of malware to engineer, & there are still no known ones capable of infecting OS X in the wild, but that doesn't grab eyeballs or the revenue that comes with that.

    I suspect the media is making far more off this trojan than its author ever will.

  • by MadMacs0, Level 5 (4,801 points), Jun 1, 2011 8:36 PM in response to Tony Curtis

    Tony Curtis wrote:

    http://www.theregister.co.uk/2011/06/01/mac_osx_scareware_evasion/

    Another new variant?

    Yes, and Apple appears to have already updated their software to catch it today, believe it or not. A colleague is attempting to grab another copy of the installer to confirm that it works.

  • by Tony Curtis, Level 1 (5 points), Jun 1, 2011 8:52 PM in response to R C-R

    Last night was interesting as I found a link that offered a variant of this thing.

    I use Camino and never went past the "Open" part.

    Force-Quit on several attempts and tried a traceroute on the URL to 'serverside.su' that appears to be a German block with Russian text??

    Looked for cookies etc. but nothing was downloaded?

    However, found a MacProtector.mpkg.zip (4k) within my Downloads folder today? Must have come down while exploring last night, bypassing the requirement to accept scanning?

    ClamXav doesn't recognise it in .zip form and I haven't unzipped it yet.

    BBEdit seems to show it's some form of code, so think it's the real thing?

    Interesting that the URL I found was consistently active but didn't know whether the payload source was.

    Just downloaded Sophos Home for Mac to see what it does.

  • by MadMacs0, Level 5 (4,801 points), Jun 1, 2011 8:58 PM in response to Tony Curtis

    Tony Curtis wrote:

    Last night was interesting as I found a link that offered a variant of this thing.

    I use Camino and never went past the "Open" part.

    Force-Quit on several attempts and tried a traceroute on the URL to 'serverside.su' that appears to be a German block with Russian text??

    Looked for cookies etc. but nothing was downloaded?

    However, found a MacProtector.mpkg.zip (4k) within my Downloads folder today? Must have come down while exploring last night, bypassing the requirement to accept scanning?

    ClamXav doesn't recognise it in .zip form and I haven't unzipped it yet.

    It should have. Please do not delete it yet. Upload it to http://www.virustotal.com. If it says that clamav does not classify it as malware, upload it again to http://cgi.clamav.net/sendvirus.cgi

  • by Tony Curtis, Level 1 (5 points), Jun 1, 2011 9:16 PM in response to MadMacs0

    Sophos didn't recognise it as a problem, neither did your first URL. (Worried about this as the upload directions wanted me to open the thing??) Uploaded to Clam.

  • by MadMacs0, Level 5 (4,801 points), Jun 1, 2011 9:21 PM in response to Tony Curtis

    Tony Curtis wrote:

    Sophos didn't recognise it as a problem, neither did your first URL. (Worried about this as the upload directions wanted me to open the thing??) Uploaded to Clam.

    I know the dialog box says "Open" but all it actually does is choose it for upload. Thanks for your help. I'll get somebody on it.

  • by R C-R, Level 6 (17,690 points), Jun 2, 2011 10:19 AM in response to Tony Curtis

    Tony Curtis wrote:

    Sophos didn't recognise it as a problem, neither did your first URL.

    With the default settings, Sophos should have no problems identifying the MacProtector.mpkg.zip immediately on download -- the definition for that was added within a day or so of its appearance. If it isn't doing that, check the settings. In particular, make sure that the "On-access" scanner is on & that the option for "Scan inside archives & compressed files" is on.

    These are the defaults but if you have changed them, for instance by turning off the "On-access" scanner, it won't be able to detect anything. If the 'scan inside' option is not on, it won't detect zip files until they are unzipped.
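    Two things in this exchange come down to the same task: an archive that a scanner will not look into until it is unzipped, and the worry about having to "open" a sample in order to submit it. Both can be handled by reading the zip's table of contents without extracting anything. The following is an added example, not code from the thread or from any of the scanners mentioned: it reads only the archive's central directory, flags Apple Installer bundle layouts (.mpkg/.pkg directories and the preflight/postflight-style scripts Installer runs during installation), and computes the digests you would search for on VirusTotal before deciding whether to upload. The sample archive is constructed in memory and is not a real MacProtector file.

    ```python
    """Triage a suspicious .zip without unpacking or opening it (added example)."""
    import hashlib
    import io
    import posixpath
    import zipfile

    # Script names Apple's Installer executes from a bundle package's Resources
    # directory.  Their presence means "runs code on install", not "copies files".
    SCRIPT_NAMES = {"preflight", "postflight", "preinstall", "postinstall",
                    "preupgrade", "postupgrade"}
    PACKAGE_SUFFIXES = (".mpkg", ".pkg")


    def digests(data):
        """Hex SHA-1 and SHA-256 of raw bytes; either is enough to search VirusTotal
        for an existing report without uploading the sample."""
        return {"sha1": hashlib.sha1(data).hexdigest(),
                "sha256": hashlib.sha256(data).hexdigest()}


    def inspect_zip_bytes(data):
        """Report on a zip held in memory.  Only the central directory is read,
        so nothing inside the archive is extracted or executed."""
        report = {"digests": digests(data), "entries": [], "packages": set(),
                  "scripts": [], "suspicious_names": []}
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                report["entries"].append((name, info.file_size))
                # "__MACOSX/._x" entries are AppleDouble metadata written by the
                # Finder's archiver; they mirror real names, so skip them.
                if name.startswith("__MACOSX/"):
                    continue
                # Absolute or ".." paths would escape the target directory on extract.
                if name.startswith("/") or ".." in name.split("/"):
                    report["suspicious_names"].append(name)
                for part in name.split("/"):
                    if part.lower().endswith(PACKAGE_SUFFIXES):
                        report["packages"].add(part)
                if posixpath.basename(name) in SCRIPT_NAMES:
                    report["scripts"].append(name)
        report["packages"] = sorted(report["packages"])
        report["is_installer"] = bool(report["packages"])
        return report


    def inspect_zip(path):
        """Same report for a zip on disk, e.g. one sitting in ~/Downloads."""
        with open(path, "rb") as f:
            return inspect_zip_bytes(f.read())


    def build_sample_zip():
        """Constructed stand-in shaped like a zipped .mpkg.  Not real malware:
        the 'preflight' is an empty shell script."""
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("MacProtector.mpkg/Contents/Info.plist", "<plist/>")
            zf.writestr("MacProtector.mpkg/Contents/Resources/preflight", "#!/bin/sh\n")
            zf.writestr("__MACOSX/._MacProtector.mpkg", "")
        return buf.getvalue()


    if __name__ == "__main__":
        r = inspect_zip_bytes(build_sample_zip())
        print("sha256:", r["digests"]["sha256"])
        print("installer bundle(s):", r["packages"])
        print("install-time scripts:", r["scripts"])
        print("path-traversal names:", r["suspicious_names"])
        for name, size in r["entries"]:
            print(f"  {size:>8}  {name}")
    ```

    Running `inspect_zip` on the real download gives you the hash to search for on VirusTotal and tells you whether the archive is an installer bundle with scripts in it, all without Archive Utility or Installer ever touching it. If the scanner still reports nothing, the "scan inside archives" setting discussed above is the first thing to check, since a zip that is never opened is a zip that some on-access scanners never look at.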

  • by MadMacs0, Level 5 (4,801 points), Jun 2, 2011 11:19 AM in response to Tony Curtis

    Tony Curtis wrote:

    Sophos didn't recognise it as a problem, neither did your first URL. Uploaded to Clam.

    Tony,

    The ClamAV signature writer could not find the file by searching for "MacProtector". Was "MacProtector.mpkg.zip" the exact name of the file you uploaded to ClamAV? It might also be helpful to have the ID provided by VirusTotal when you uploaded there, if you have it. You should be able to find it in your browser history as a URL you can post here, as well.

    For R C-R

    We think this may be something new disguised as an older version. Most of the usual sites have gone cold today and those that still work are dispensing older versions, but this could be something else that came out before they shut it down.
