137 Replies. Latest reply: Dec 4, 2011 2:41 PM by thomas_r. Branched to a new discussion.
Linc Davis (Level 10, Applications)

I've been following the discussions of this subject, but I have yet to succeed in downloading the trojan or in figuring out how it manages to get installed. I'd appreciate it if someone could send me a direct link. Please don't post the link here or anywhere else on this site. Send it to

macdefendertrojan@mailinator.net

and reply to this thread so I know it's there. Mailinator is a webmail server that automatically creates a throwaway account when it receives mail for any address in the domain. The received messages are automatically deleted after a few hours, so I need to know when to look. I also need the message subject so I can distinguish it from spam. Anyone can access the message. If you do, please use caution.

Instructions on what to Google haven't helped me. My setup is quite locked down and I block a lot of otherwise unwanted content. I need a direct URL.

If I get a positive response, I'll try to analyse the trojan in more detail than I've seen here, and post the results in this topic. Thanks.


Mac OS X (10.6.7)
Solved by Linc Davis on May 2, 2011 10:40 PM

I found the trojan. I will shortly send a mail to the above-named Mailinator mailbox with the link. The message will be deleted after a few hours. In case it's not clear, that link is to a malware page. Do not visit the link unless you know what you're doing.

I analysed the trojan only superficially. I didn't run the installer because I wasn't motivated to take the necessary precautions. Instead, I extracted the package contents manually and ran them in an unprivileged account, which I then deleted.

The archive that I downloaded was named "BestMacAntivirus2011.mpkg.zip." The package installs only the application MacDefender.app. It also runs a shell script that launches the application.

When launched, the application adds itself to the user's login items and writes a preference file, ~/Library/Preferences/com.alppe.md.plist.plist. It doesn't modify any other user files. It runs as a multi-threaded 64-bit process and doesn't spawn any subprocesses. It contacts a server at the address 69.50.214.53, which is in a netblock assigned to "atjeu publishing, llc" of Phoenix, AZ. A hosting service seems to operate out of that network. The registrant's contact name is given by whois as "Vasilev, Boris."

The application is localized in two languages, English and Russian.

The bundle identifier is "com.alppe.spav.plist". That's a Java-style MIB, not a filename. The indicated domain is registered anonymously in Australia and is represented by a parking page.

The application really does scan the Applications folder and flags a number of executables variously as "Rootkit," "Worm," "Troyan," (sic) and so forth. After the scan completes, the main window closes, but the application doesn't exit. It loads some objectionable pages in Safari, as has been reported, and installs a menu item. There is no Quit menu and the only way to get rid of it is to terminate the process with kill(1) or Activity Monitor.

So to summarize, the trojan can be removed simply by killing the process "MacDefender" in Activity Monitor, deleting the application and the preference file, and removing the login item. There would also be a receipt in /var/db/receipts if you ran the installer, which I didn't.
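The indicators and the removal summary in the post above, turned into a host triage script. This is an added example and not code from the thread or from any Apple tool. The process name, bundle name, bundle identifier, preference file path, server address and receipt directory are the ones the post states; two things are assumptions of this example and are not in the post: that the 10.6-era login-item list lives in ~/Library/Preferences/loginwindow.plist under the key AutoLaunchedApplicationDictionary, and that a receipt for this package would start with "com.alppe". The ps and netstat text and the on-disk tree the demo uses are constructed here, not captured from a real machine.

```python
"""Host triage for the MacDefender indicators reported in the post above.

Added example, not code from the thread. Indicators are the ones the post
states. Assumptions, not from the post: the login-item store is the 10.6-era
~/Library/Preferences/loginwindow.plist (key AutoLaunchedApplicationDictionary)
and a receipt for this package would start with "com.alppe". Paths resolve
under a root and a home directory, so the checks run against a mounted image
or a test tree as well as a live host.
"""
import plistlib
import tempfile
from pathlib import Path

PROCESS_NAME = "MacDefender"
APP_BUNDLE = "MacDefender.app"
BUNDLE_ID = "com.alppe.spav.plist"
PREF_FILE = "Library/Preferences/com.alppe.md.plist.plist"
LOGIN_ITEMS_PLIST = "Library/Preferences/loginwindow.plist"  # assumption
RECEIPT_DIR = "var/db/receipts"
RECEIPT_PREFIX = "com.alppe"                                 # assumption
C2_ADDR = "69.50.214.53"


def running_pids(ps_text):
    """PIDs in `ps -axo pid,comm` output whose command is the trojan binary."""
    pids = []
    for line in ps_text.splitlines()[1:]:            # first line is the header
        parts = line.split(None, 1)
        if len(parts) == 2 and Path(parts[1]).name == PROCESS_NAME:
            pids.append(int(parts[0]))
    return pids

def app_bundles(root):
    """(path relative to root, identifier matches) for every MacDefender.app found."""
    root, hits = Path(root), []
    for info in root.rglob(f"{APP_BUNDLE}/Contents/Info.plist"):
        with open(info, "rb") as fh:
            ident = plistlib.load(fh).get("CFBundleIdentifier")
        hits.append((str(info.parent.parent.relative_to(root)), ident == BUNDLE_ID))
    return hits

def _login_entries(home):
    plist = Path(home) / LOGIN_ITEMS_PLIST
    if not plist.is_file():
        return None, []
    with open(plist, "rb") as fh:
        data = plistlib.load(fh)
    return data, data.get("AutoLaunchedApplicationDictionary", [])

def trojan_login_items(home):
    return [e.get("Path", "") for e in _login_entries(home)[1] if APP_BUNDLE in e.get("Path", "")]

def remove_login_item(home):
    """Drop the trojan's login-item entries; returns how many were removed."""
    data, entries = _login_entries(home)
    if data is None:
        return 0
    kept = [e for e in entries if APP_BUNDLE not in e.get("Path", "")]
    data["AutoLaunchedApplicationDictionary"] = kept
    with open(Path(home) / LOGIN_ITEMS_PLIST, "wb") as fh:
        plistlib.dump(data, fh)
    return len(entries) - len(kept)

def receipts(root):
    """Installer receipts under /var/db/receipts that carry the assumed prefix."""
    rdir = Path(root) / RECEIPT_DIR
    if not rdir.is_dir():
        return []
    return sorted(p.name for p in rdir.iterdir() if p.name.startswith(RECEIPT_PREFIX))

def c2_connections(netstat_text):
    """Lines of `netstat -an` output that involve the reported server address."""
    return [l for l in netstat_text.splitlines() if C2_ADDR in l]

def triage(root, home, ps_text="", netstat_text=""):
    f = {"pids": running_pids(ps_text),
         "app_bundles": app_bundles(root),
         "pref_file": (Path(home) / PREF_FILE).is_file(),
         "login_items": trojan_login_items(home),
         "receipts": receipts(root),
         "c2": c2_connections(netstat_text)}
    f["infected"] = any(f.values())
    return f

# Constructed sample data; not captured from a real host.
SAMPLE_PS = ("  PID COMM\n    1 /sbin/launchd\n"
             "  412 /Applications/MacDefender.app/Contents/MacOS/MacDefender\n")
SAMPLE_NETSTAT = "tcp4  0  0  10.0.0.5.49211  69.50.214.53.80  ESTABLISHED\n"

def build_sample_tree(base):
    """Lay out an infected-looking tree under base; returns (root, home)."""
    root, home = Path(base), Path(base) / "Users" / "victim"
    contents = root / "Applications" / APP_BUNDLE / "Contents"
    contents.mkdir(parents=True)
    with open(contents / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": BUNDLE_ID}, fh)
    (home / "Library" / "Preferences").mkdir(parents=True)
    (home / PREF_FILE).write_bytes(b"")
    with open(home / LOGIN_ITEMS_PLIST, "wb") as fh:
        plistlib.dump({"AutoLaunchedApplicationDictionary":
                       [{"Path": "/Applications/" + APP_BUNDLE, "Hide": False}]}, fh)
    return root, home

def demo():
    """Triage the sample tree, apply the login-item removal step, re-check."""
    root, home = build_sample_tree(tempfile.mkdtemp())
    before = triage(root, home, SAMPLE_PS, SAMPLE_NETSTAT)
    removed = remove_login_item(home)
    after = triage(root, home)       # no ps/netstat text: process killed, socket gone
    return before, removed, after
```

On a live 10.6 host you would call `triage("/", os.path.expanduser("~"), ps_out, netstat_out)` with the output of `ps -axo pid,comm` and `netstat -an`; the second triage in `demo()` still reports infected because the bundle and preference file are on disk, which is the point of re-checking after each removal step rather than stopping at the kill.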

Reply by MadMacs0 on May 3, 2011 2:27 AM

We've got what we need now, so expect a database update shortly.

-Al-

Reply by MadMacs0 on May 3, 2011 8:01 PM

The clamav signature database has been updated to include two variants of the MacDefender Trojan, so ClamXav will detect all known versions of the .zip, .pkg and .app files associated with it.

-Al-

All replies

  • thomas_r. (Level 7, Mac OS X)

    I'd also appreciate hearing anything anyone might know, for inclusion in my Mac Virus Guide. My contact information can be obtained through a link on that page.

    Linc, if you'll send me a real e-mail privately, I'll send you anything that comes to me, and will hope that you'll do the same in return.

  • etresoft (Level 7)

    I have given up looking for it. Here are some instructions from someone who may have actually seen it: https://discussions.apple.com/message/15113320

    Apparently it just installs itself as a Login Item and tries to get $99 from people.

  • Linc Davis (Level 10, Applications)

    Here are some instructions from someone who may have actually seen it:

    I tried that, and several other searches as reported on this site. Either it wasn't there, or I'm filtering it.

    Apparently it just installs itself as a Login Item and tries to get $99 from people.

    Some of the victims insist they did not double-click a file in the Finder to launch the trojan. They just went to a web page, and there it was. A javascript can cause a file to be downloaded automatically, and it can simulate the launch of an application, but how does the application get launched automatically for real? That's not supposed to happen. I can't tell from the descriptions whether the victims really know what they did.

    A few years ago there was a proof-of-concept remote exploit in which a PowerPC PEF application could be made to look like a data file, such as an MP3. If it had the right HFS type code, that would override the filename extension. I thought that hole had been closed, but maybe it hasn't. If you (a) have Rosetta installed and (b) have Safari configured to open so-called "safe" files automatically, then maybe you're still vulnerable. I'd like to know whether this trojan is a PEF or a Mach-O bundle, and what the filename is.

  • Linc Davis (Level 10, Applications)

    It seems from an analysis posted elsewhere that the trojan is distributed as a zipped Installer package. If the option to open "safe" files is set in Safari, the archive is unpacked, and the package is launched automatically. To unsophisticated users, the Installer screen looks like the ones they're used to when installing system updates, so of course they click through it.

    There's nothing special about this archive. The same thing happens with any pkg.zip file. I didn't know that, and I'm shocked by it.

    I see two implications for Apple.

    First, an Installer package is not a "safe" file and shouldn't be opened automatically.

    Second, unless a package is digitally signed by Apple, the Installer should warn the user that it's unofficial and is not to be trusted. That wouldn't stop third-party developers from distributing Installer packages, but it might prevent people from mindlessly running the Installer whenever they're prompted to do so.

  • thomas_r. (Level 7, Mac OS X)

    First, an Installer package is not a "safe" file and shouldn't be opened automatically.

    Absolutely! I suspect that we'll be seeing a security update to deal with this issue soon. Hopefully Apple doesn't drag their feet with that.

    Honestly, I'm amazed this hasn't been exploited before, if that option truly opens any zipped installer file.

    Second, unless a package is digitally signed by Apple, the Installer should warn the user that it's unofficial and is not to be trusted.

    Yes, that's true, why isn't quarantine catching this? There's more going on than it seems.

  • etresoft (Level 7)

    Thomas A Reed wrote:

    Absolutely! I suspect that we'll be seeing a security update to deal with this issue soon. Hopefully Apple doesn't drag their feet with that.

    Honestly, I'm amazed this hasn't been exploited before, if that option truly opens any zipped installer file.

    Yes, that's true, why isn't quarantine catching this? There's more going on than it seems.

    Don't get your hopes up. This isn't a security vulnerability, it is a feature and the default setting.

    I think it has been exploited before. Technically, exploited isn't the right term in the computer sense. Technically, everything is operating as designed and expected. It is just people that are being exploited. People don't know what a ZIP package is. They don't know what an installer is. They believe people who say that Macs have viruses. Then a screen pops up and tells them they do have viruses and asks for $99. They hand it over. This trojan author has probably already made more money than I will this year.

    Quarantine isn't going to catch it because quarantine is designed for legitimate software you download from the internet that doesn't have an installer.

  • Linc Davis (Level 10, Applications)

    Actually quarantining should catch it, but a security update will be needed. I think the default should be not to open any Installer package automatically unless it's signed.

  • etresoft (Level 7)

    I don't think it will. MacDefender exploits the fact that Safari thinks it is a "safe" file. Such files are not trapped by quarantine.

  • thomas_r. (Level 7, Mac OS X)

    This isn't a security vulnerability, it is a feature and the default setting.

    No, it isn't. A .zip file ought to be a safe file, and could be opened, but that should not result in launching an installer contained within that .zip file, which would absolutely NOT be a safe file. Yet, somehow, that is happening.

    Quarantine isn't going to catch it because quarantine is designed for legitimate software you download from the internet that doesn't have an installer.

    An installer may, in many cases, be simply an application. Quarantine does not discriminate... any application downloaded from the internet via Safari, whether an installer or not, whether zipped, in a disk image or whatnot, should be intercepted by Quarantine. As for .pkg or .mpkg files, those are not technically applications, but then neither are .html files, yet if you download an archive of zipped .html files from somewhere, Quarantine warns you about those.

    I can't honestly swear, thanks to faulty memory, that I have seen Quarantine kick in when running a downloaded .pkg - but if it doesn't, that is a very, very serious security issue that needs to be addressed ASAP.

  • Linc Davis (Level 10, Applications)

    Such files are not trapped by quarantine.

    According to that Apple Support article, downloaded Installer packages are checked for known malware. I had never heard of this myself, but that's what the article says.

  • etresoft (Level 7)

    I just created my own MyTrojan.pkg.zip package. With the default Safari settings, just downloading this file will unzip it and start the installer. I could fill the installer with animated GIFs showing virus scans if I wanted. I could add the application to my Login Items (no authentication needed for that). I could add pre and post install scripts to do just about anything I want. It is quite easy. No password needed. No quarantine. It just works.

  • Linc Davis (Level 10, Applications)

    With the default Safari settings, just downloading this file will unzip it and start the installer.

    I agree, that happens, and it shouldn't. I don't agree that the quarantine attribute on installer packages is simply ignored. The package is checked against some sort of database of known trojans. Neither MACDefender nor your test package is in that database.
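The two mechanisms the last several replies argue about, written out as checks. This is an added example, not code from the thread, from Apple, or from any poster's test package. It reads the Safari preference behind the "Open 'safe' files after downloading" checkbox (`AutoOpenSafeDownloads` in com.apple.Safari.plist, a real key whose default is on), decodes the `com.apple.quarantine` extended attribute that Safari stamps on every download (format `flags;hex-epoch-seconds;agent;uuid`), and combines them into a verdict for a downloaded archive: with the default setting a `.zip` whose top level is a `.pkg` or `.mpkg` ends up in Installer, as etresoft's test showed, whether or not the quarantine attribute is present. The sample archive name reuses etresoft's `MyTrojan.pkg.zip`; its contents, the preferences file and the attribute value are constructed here, and the archive member set is the only evidence this check uses.

```python
"""Checks behind the "safe file" and quarantine discussion above.

Added example; not code from the thread. AutoOpenSafeDownloads and
com.apple.quarantine are the real key and attribute names; the sample
archive, preferences file and attribute value are constructed here.
"""
import plistlib
import subprocess
import tempfile
import zipfile
from datetime import datetime, timezone
from pathlib import Path

SAFARI_PREFS = "Library/Preferences/com.apple.Safari.plist"
AUTO_OPEN_KEY = "AutoOpenSafeDownloads"      # Safari's default is on
QUARANTINE_ATTR = "com.apple.quarantine"
PACKAGE_EXTS = (".pkg", ".mpkg")


def _load(plist):
    with open(plist, "rb") as fh:
        return plistlib.load(fh)

def auto_open_enabled(home):
    """Missing file or key means Safari's default, which opens 'safe' files."""
    plist = Path(home) / SAFARI_PREFS
    return bool(_load(plist).get(AUTO_OPEN_KEY, True)) if plist.is_file() else True

def disable_auto_open(home):
    """Same effect as: defaults write com.apple.Safari AutoOpenSafeDownloads -bool false"""
    plist = Path(home) / SAFARI_PREFS
    data = _load(plist) if plist.is_file() else {}
    data[AUTO_OPEN_KEY] = False
    plist.parent.mkdir(parents=True, exist_ok=True)
    with open(plist, "wb") as fh:
        plistlib.dump(data, fh)

def parse_quarantine(value):
    """Decode 'flags;hex-epoch-seconds;agent;uuid' from com.apple.quarantine."""
    flags, stamp, agent, *rest = value.split(";")
    return {"flags": int(flags, 16),
            "downloaded_at": datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc),
            "agent": agent,
            "uuid": rest[0] if rest else ""}

def read_quarantine(path):
    """Live read via xattr(1) on a Mac; None when the attribute or the tool is absent."""
    try:
        out = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, str(path)],
                             capture_output=True, text=True, check=True).stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_quarantine(out) if out else None

def packages_in_zip(zip_path):
    """Top-level members of the archive that are Installer packages."""
    with zipfile.ZipFile(zip_path) as zf:
        tops = {name.split("/", 1)[0] for name in zf.namelist()}
    return sorted(t for t in tops if t.lower().endswith(PACKAGE_EXTS))

def installer_would_launch(home, zip_path):
    """True when Safari's setting would unzip this download and hand it to Installer.

    The quarantine attribute is deliberately not consulted: on the 10.6 setup
    discussed above its presence does not stop Installer from opening the package.
    """
    return auto_open_enabled(home) and bool(packages_in_zip(zip_path))

# Constructed sample: a plausible-looking package bundle inside a zip, and a
# quarantine value of the kind Safari writes (flags 0x81, May 2011, Safari, UUID).
SAMPLE_QUARANTINE = "0081;4dbf6c1a;Safari;3F2504E0-4F89-11D3-9A0C-0305E82C3301"

def build_sample(base):
    base = Path(base)
    zip_path = base / "MyTrojan.pkg.zip"
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.writestr("MyTrojan.pkg/Contents/Info.plist", "<plist/>")
    return base, zip_path

def demo():
    """Verdict with default prefs, then after the hardening write."""
    home, zip_path = build_sample(tempfile.mkdtemp())
    before = installer_would_launch(home, zip_path)   # no prefs file: default applies
    disable_auto_open(home)
    after = installer_would_launch(home, zip_path)
    return before, after, packages_in_zip(zip_path), parse_quarantine(SAMPLE_QUARANTINE)
```

`disable_auto_open` writes the plist directly, which is fine for the 10.6-era preference files discussed here; on a later system use the `defaults write` command in its docstring so cfprefsd sees the change. `read_quarantine` only works on a Mac with `xattr(1)` and is there to show what the attribute records (who downloaded the file and when), not to decide anything, because the thread's finding is that the attribute being present did not prevent Installer from opening the package.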

  • WZZZ (Level 6, Mac OS X)

    The package is checked against some sort of database of known trojans. Neither MACDefender nor your test package is in that database.

    As well as in the database of any of the AV programs. A clear illustration of the uselessness of AV -- especially ones that purport to do active scanning -- if you are unlucky enough to be among the first (including the first OS X virus in the wild, if and when that appears.)

    All those programs, right now, are staring at this thing with their mouths wide open.

  • ds store (Level 7)

    The malware "MacDefender" is a "drive-by download" utilizing JavaScript.

    It's rather simple to keep this from occurring:

    1: Download Firefox 4.0

    2: Install the NoScript Add-on

    3: Install the Public Fox Add-on.

    4: Hit the Toolbar Customize and drag the "Temp Allow All This page" NoScript button to the Toolbar

    5: Set up Public Fox to require a password before a download occurs.

    As you surf the web with NoScript, all "scripts", including JavaScript, will be turned off by default.
    If you trust the site and need scripts to run, click the Temp Allow button.

    If Public Fox pops up asking for your password, you know you got a drive-by download; cancel it and notify the website owner.

    "Public Fox" is searchable at Mozilla as "Public Fox"
