You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: Linc Davis
Linc Davis Author
User level: Level 10
209,649 points

MacDefender trojan

I've been following the discussions of this subject, but I have yet to succeed in downloading the trojan or in figuring out how it manages to get installed. I'd appreciate it if someone could send me a direct link. Please don't post the link here or anywhere else on this site. Send it to


macdefendertrojan@mailinator.net


and reply to this thread so I know It's there. Mailinator is a webmail server that automatically creates a throwaway account when it receives mail for any address in the domain. The received messages are automatically deleted after a few hours, so I need to know when to look. I also need the message subject so I can distinguish it from spam. Anyone can access the message. If you do, please use caution.


Instructions on what to Google haven't helped me. My setup is quite locked down and I block a lot of otherwise unwanted content. I need a direct URL.


If I get a positive response, I'll try to analyse the trojan in more detail than I've seen here, and post the results in this topic. Thanks.

Mac OS X (10.6.7)

Posted on May 1, 2011 6:36 PM

Reply
140 replies
User profile for user: WZZZ
WZZZ
User level: Level 6
13,226 points

May 2, 2011 11:16 AM in response to etresoft

That's if you insist on using Safari. And, there are other browser based threats that Firefox with NoScript will protect you against that Safari won't.


People have, for years, been warning, even screaming, about the Safari default "open "safe" files...and Apple does nothing about it. Maybe, this time Apple will listen.

Reply
User profile for user: ds store
ds store
User level: Level 7
30,815 points

May 2, 2011 11:17 AM in response to etresoft

etresoft wrote:


It is even easier than that. In Safari, go to Preferences > General > uncheck "Open 'safe' files after downloading"


Easier, but not safer.


A driveby Trojan downloads can hide themselves among other downloads with legitimate names and be accidentally installed.


Public Fox will stop any download and ask for a password, alerting you to the download before it starts.



And WZZZ is correct, there are a lot of web based nasties out there that NoScript protects against.


The site isn't pretty, but that doesn't matter what this Add-on does for safer browsing.


http://noscript.net/

Reply
User profile for user: SteveAMP
SteveAMP
User level: Level 1
0 points

May 2, 2011 11:26 AM in response to Linc Davis

Actually, in this case the .zip opens to the installer package but does not automatically run the installer. My wife ran into the MACDefender on Saturday and stopped clicking on anything once she realized that something was fishy. Two installer packages were in her downloads file but nothing had been installed. I had her force quit Safari and the pop-up and have now trashed (and emptied the trash) the two installer packages.

Reply
User profile for user: ds store
ds store
User level: Level 7
30,815 points

May 2, 2011 11:32 AM in response to WZZZ

WZZZ wrote:


People have, for years, been warning, even screaming, about the Safari default "open "safe" files...and Apple does nothing about it. Maybe, this time Apple will listen.


Apple didn't do anything with "safe files" the last time a exploit used this avenue of attack.


Safari has been hacked in mere seconds at each annual Pwn2Own contest for the last few years running.


One could jailbreak a iOS device simply by visiting a web page.


There is something else they didn't fix apparantly in Mac's, far worse and non-user unrecoverable if one gets exploited and the malware targets this area, but I'm not mentioning it on a public forum.


Lets just say you don't want to run any malware on your Mac, even for fun, unless you have system level experience.

Reply
User profile for user: WZZZ
WZZZ
User level: Level 6
13,226 points

May 2, 2011 2:07 PM in response to Linc Davis

Linc Davis wrote:


I wouldn't use any browser that didn't allow me the kind of JS filtering that NoScript affords.


Safari does allow it, with the JavaScript Blacklist extension. Not that one in user a hundred would know that, anymore than he'd know about Firefox extensions.

Not even close. NoScript is far more than a blacklist. Why don't you visit the NoScript site to see for yourself.


http://noscript.net/features

Reply
User profile for user: ds store
ds store
User level: Level 7
30,815 points

May 2, 2011 5:56 PM in response to WZZZ

The Weyland-Yutani BOT supports web injects and form grabbing in Firefox; however both Chrome and Safari will soon follow. The webinjects templates are identical to the ones used in Zeus and Spyeye.


User uploaded file

CSIS eCrime Unit is in possession of videos documenting both the admin panel and its functionality as well as the builder itself. Both video clips prove this kit to be fully operational already. This v1.0 of the BOT has a license price for the complete kit equal to 1,000 WMZ/LR.


CSIS finds this crimekit to be quite disturbing news since MacOS previously to some degree has been spared from the increasing amount of malware which has haunted Windows-based systems for years. This could have resulted in a false sense of security that might make Mac OS user especially vulnerable to a sudden and highly sophisticated attack.


Well I guess I better the advertsing done, rent some retail floor space, hire security guards and crowd control people with walkies, because the money is about to flow... 😉



Also it looks like MacDefender has hit a bender, no more reports and likely some torts. 🙂

Reply
User profile for user: Linc Davis
Linc Davis Author
User level: Level 10
209,649 points

May 2, 2011 10:40 PM in response to Linc Davis

I found the trojan. I will shortly send a mail to the above-named Mailinator mailbox with the link. The message will be deleted after a few hours. In case it's not clear, that link is to a malware page. Do not visit the link unless you know what you're doing.


I analysed the trojan only superficially. I didn't run the installer because I wasn't motivated to take the necessary precautions. Instead, I extracted the package contents manually and ran them in an unprivileged account, which I then deleted.


The archive that I downloaded was named "BestMacAntivirus2011.mpkg.zip." The package installs only the application MacDefender.app. It also runs a shell script that launches the application.


When launched, the application adds itself to the user's login items and writes a preference file, ~/Library/Preferences/com.alppe.md.plist.plist. It doesn't modify any other user files. It runs as a multi-threaded 64-bit process and doesn't spawn any subprocesses. It contacts a server at the address 69.50.214.53, which is in a netblock assigned to "atjeu publishing, llc" of Phoenix, AZ. A hosting service seems to operate out of that network. The registrant's contact name is given by whois as "Vasilev, Boris."


The application is localized in two languages, English and Russian.


The bundle identifier is "com.alppe.spav.plist". That's a Java-style MIB, not a filename. The indicated domain is registered anonymously in Australia and is represented by a parking page.


The application really does scan the Applications folder and flags a number of executables variously as "Rootkit," "Worm," "Troyan," (sic) and so forth. After the scan completes, the main window closes, but the application doesn't exit. It loads some objectionable pages in Safari, as has been reported, and installs a menu item. There is no Quit menu and the only way to get rid of it is to terminate the process with kill(1) or Activity Monitor.


So to summarize, the trojan can be removed simply by killing the process "MacDefender" in Activity Monitor, deleting the application and the preference file, and removing the login item. There would also be a receipt in /var/db/receipts if you ran the installer, which I didn't.

Reply

MacDefender trojan

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up