MacJoseph

Q: Heads Up/Warning Mac Defender

Just as a heads up and warning, there has been two incidents in the last hour or so where users are being redirected and Mac Defender seems to have downloaded itself claiming a virus has been detected. This is a trojan and should be deleted immediately. If you feel you need protection perhaps installing ClamXav would be an option. Be careful where you're surfing in the Interwebs. Any information you can provide if you encounter this problem would be greatly appreciated, info such as the browser you're using and the website that is redirecting you.

 

Regards,

 

Joseph

MacBook Pro, Mac OS X (10.6.7), 2011 MBP 15" 2.0Ghz 4GB RAM

Posted on Apr 30, 2011 10:24 AM

  • by ds store,

    ds store May 2, 2011 10:21 AM in response to Skip P
    Level 7 (30,400 points)

    Skip P wrote:

     

    My big takeaway complaint from all of this is why isn't Safari written to ALWAYS allow you to close dialog windows ?

     

    Because the window isn't a Safari or OS X window, it's likely a Flash-based clickable image that looks like a window, which is why clicking the "close box" installs the malware.

     

    Remember, NoScript for Firefox or Click2Flash for Safari stops Flash elements from running automatically.

  • by ds store,

    ds store May 2, 2011 10:28 AM in response to aliasnexus0
    Level 7 (30,400 points)

    aliasnexus0 wrote:

     

    I do not believe it is a Flash based exploit. I have Flash disabled by default in Chrome, and I have to manually activate any Flash plugins that try to load.

     

    From reading around it appears to be a JavaScript exploit. More details here: http://www.macrumors.com/2011/05/02/new-macdefender-malware-threat-for-mac-os-x/

     

    Ah! Good to know.

     

    So then to stop this is to turn off JavaScript in Safari preferences, which would be a hassle to hit preferences to turn it on if one needed it on a trusted site.

     

    Or simply use Firefox and the NoScript Add-on, turn it on with a click on the Toolbar button if you trust the site.

  • by arkling,

    arkling May 2, 2011 10:37 AM in response to MacJoseph
    Level 1 (25 points)

    Here are some safety precautions you could take on your Mac. Some are more reasonable than others, and how you use your computer will partially dictate what is appropriate for your uses. However, the ones with an asterisk (*) are ideas that are pretty basic and should be done (in my opinion) by everyone.

    1. * Don't run as an administrator level account
    2. * Make sure your administrative account(s) has/have a strong password
    3. * Uncheck any browser options that automatically open files
    4. * Disable any browser features that you do not need (Example: If you never use Java or Flash then disable them, you can always enable them again for the few times you might need them, when those occasions occur)
      • Given this instance, I'm considering disabling JavaScript for Google sites.
      • I also generally disable pop-ups unless a site I trust needs it for a specific reason, then I enable it only while I perform that task.
    5. * Never enter your computer account's login/password for anything you didn't explicitly run and trust.
    6. If you want to be extra cautious, then enable parental controls on the account you use and only enable the programs you need on a daily basis, and disable everything else, including the Installer application.
    7. If you want Anti-Virus:      
      • ClamAVx (http://ClamAVx.com)
      • Mac Scan (http://macscan.securemac.com)
      • Avast
      • Virus Barrier
      • Symantec (Norton) & McAfee both make products, but be prepared for your system to slow down a fair amount
      • I'm sure there are other good products, I just haven't used many others.
    8. If you want to make sure programs (like malware) are not "phoning home" then I'd suggest a program called: "Little Snitch". It allows you to authorize or deny outgoing network communications.
    9. Enable your Mac's Firewall (System Preferences >> security >> Firewall)
    10. Lock your keychain when you don't need it.       
      • (Applications/Utilities/KeyChain Access.app) >> Preferences>>Show Status in menu bar.
      • This will add a little lock icon, up by the clock, click on it and lock all key chains when not in use.
    11. * Change your password(s) regularly
    12. * Only give your credit card and/or other personal information on secured websites that are reputable and for sites/programs where you intentionally initiated the purchase transaction.
    13. Use separate, encrypted disk images to store your data, and only authenticate and mount the specific ones you need, when you need it. Then dismount the disk images and lock your keychain when you're done. (Reaching into the realm of paranoia now)
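
A read-only check of items 1, 3 and 9 from the checklist above, added here as an example and not part of the original post. It assumes Safari is the browser and that the preference keys `AutoOpenSafeDownloads` (domain `com.apple.Safari`) and `globalstate` (`/Library/Preferences/com.apple.alf`) hold these settings, as on the Mac OS X releases of this thread's era.

```shell
#!/bin/sh
# Added example: audit three checklist settings on Mac OS X. Reads only.
# Assumed names: group "admin", Safari key AutoOpenSafeDownloads,
# firewall key globalstate in /Library/Preferences/com.apple.alf.

# Item 1: is the account an administrator? $1 = space-separated group list.
check_admin() {
    case " $1 " in
        *" admin "*) echo "WARN: account is an administrator" ;;
        *)           echo "OK: standard account" ;;
    esac
}

# Item 3: Safari "Open safe files after downloading". $1 = stored value.
# An unset key (empty string) is treated as enabled, the assumed default.
check_auto_open() {
    case "$1" in
        0|false|NO) echo "OK: auto-open disabled" ;;
        *)          echo "WARN: Safari opens downloads automatically" ;;
    esac
}

# Item 9: firewall state. 0 = off, 1 = on, 2 = block all incoming.
check_firewall() {
    case "$1" in
        1|2) echo "OK: firewall enabled" ;;
        *)   echo "WARN: firewall off or state unknown" ;;
    esac
}

# Gather the live values and report on each item.
audit() {
    check_admin "$(id -Gn)"
    check_auto_open "$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)"
    check_firewall "$(defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null)"
}

# Run the audit only where the `defaults` tool exists (i.e. on a Mac).
if command -v defaults >/dev/null 2>&1; then
    audit
fi
```
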
  • by ds store,

    ds store May 2, 2011 10:44 AM in response to MacJoseph
    Level 7 (30,400 points)

    The malware "MacDefender" is a "driveby download" utilizing Javascript.

     

    It's rather simple to defeat this from occurring:

     

    1: Download Firefox 4.0

     

    2: Install the NoScript Add-on

     

    3: Install the Public Fox Add-on.

     

    4: Hit the Toolbar Customize and drag the "Temp Allow All This page" NoScript button to the Toolbar

     

    5: Set up Public Fox to require a password before a download occurs.

     

    As you surf the web with NoScript, all "scripts" including JavaScript, will be turned off by default.

    If you trust the site and need scripts to run, click the Temp Allow button.

     

    If your Public Fox pops up asking for your password, you know you got a driveby download, cancel it and notify the website owner.

     

    Note: Public Fox is searched at Mozilla as "Public Fox"

  • by Eric Brian,

    Eric Brian May 2, 2011 1:01 PM in response to MacJoseph
    Level 1 (0 points)

    Sophos also offers their antivirus for free for Mac home users:

     

    http://www.sophos.com/en-us/products/free-tools.aspx

  • by ds store,

    ds store May 2, 2011 1:41 PM in response to Eric Brian
    Level 7 (30,400 points)

    Eric Brian wrote:

     

    Sophos also offers their antivirus for free for Mac home users:

     

    http://www.sophos.com/en-us/products/free-tools.aspx

     

    Always-on anti-virus is still unnecessary on a Mac and often conflicts with OS X changes.

     

    Just some common sense is needed and a little more attention by Apple in preventing drive by downloads.

  • by Nadiah,

    Nadiah May 2, 2011 4:37 PM in response to MacJoseph
    Level 1 (0 points)

    Hello Joseph,

     

    Just to let you know that I too, was using google images, (on chrome) when the malware hit my macbook.

     

     

    I'm only 17 and am an IT NOOB, so a warning popped up telling me to download 'macdefender' and the idiot that I am, I downloaded it (I thought it sounded like a genuine anti-virus and I just bought the macbook so without thinking I got myself into that situation). This all happened to me yesterday but before I read this discussion, a friend of mine found this link which helped me permanently delete mac defender.

     

    http://thenextweb.com/apple/2011/05/02/bogus-macdefender-malware-campaign-targets-mac-users-using-google-images/

     

    These steps were probably already mentioned in this discussion but I found it easy to follow. So I'd recommend anyone who got hit by the malware to go to the link, scroll down, and follow those 5 steps. I have now permanently deleted mac defender (I'm pretty sure). So yeah.

     

    Cheers guys. Nadiah x

  • by MacJoseph,

    MacJoseph May 2, 2011 4:41 PM in response to Nadiah
    Level 3 (595 points)

    Nadiah

     

    Thanks so much for the info and link. Glad to know you handled it well. And you're not an idiot!

     

    Joseph

  • by MacJoseph,

    MacJoseph May 2, 2011 8:10 PM in response to Nadiah
    Level 3 (595 points)

    Hi All

     

    In case anyone is interested here is an article that appeared today on MacWorld about the MacDefender issue. It is being described as a trojan horse. http://www.macworld.com/article/159595/2011/05/macdefender_trojan_horse.html

     

    Joseph

  • by MadMacs0,

    MadMacs0 May 2, 2011 10:22 PM in response to MacJoseph
    Level 5 (4,801 points)

    Unfortunately ClamXav does not yet detect this one since the greater AV community has not chosen to share it yet.  We need those of you who find this on your hard drive to please upload whatever files you have to the clamav database here http://cgi.clamav.net/sendvirus.cgi and this community site http://www.virustotal.com/index.html.

     

    TIA, -Al-

  • by MadMacs0,

    MadMacs0 May 3, 2011 2:25 AM in response to MadMacs0
    Level 5 (4,801 points)

    We've got what we need now, so expect database update shortly.

     

    -Al-

  • by aatyler,

    aatyler May 3, 2011 2:50 PM in response to MacJoseph
    Level 1 (5 points)

    Thank you for your help the other day.  I just thought I would let you know we were on google again, looking at pictures again and the program downloaded itself again.  We were furiously trying to get out of it and before we could it downloaded again.  We followed your instructions and took it off but I see that you are trying to track this problem so I thought I would let you know.

     

    Thanks again

     

    Angelique

  • by MacJoseph,

    MacJoseph May 3, 2011 3:15 PM in response to aatyler
    Level 3 (595 points)

    Angelique

     

    Sorry to hear it tried to bite you again. Yes Mad Macs is trying to get a handle on it. I know most people say you don't need virus protection, and that's true, however I would rather have peace of mind. So I run ClamXav. I also use the Clam Sentry feature which you can set to actively scan your entire hard disk, and will scan files as you download them. This is what I do. Mad Macs said ClamXav would be updated for the MacDefender Trojan. I don't know what web browser you use, but if it is Firefox you can get some security extensions. If you're using Safari try GlimmerBlocker. I'm glad to have been able to help you.

     

    Regards,

     

    Joseph

  • by MadMacs0,

    MadMacs0 May 3, 2011 8:10 PM in response to MadMacs0
    Level 5 (4,801 points)

    The clamav signature database has been updated to include two variants of the MacDefender Trojan, so ClamXav will detect all known versions of the .zip, .pkg and .app files associated with it.

     

    -Al-

  • by MacJoseph,

    MacJoseph May 3, 2011 9:14 PM in response to MadMacs0
    Level 3 (595 points)

    MadMacs

     

    Is there a problem with ClamXav server to update definitions? I don't seem to be able to connect to update. When I started a scan it said definitions were not up to date. But I'm not able to connect to update. Thanks

     

    Joseph
