MacDefender trojan

I've been following the discussions of this subject, but I have yet to succeed in downloading the trojan or in figuring out how it manages to get installed. I'd appreciate it if someone could send me a direct link. Please don't post the link here or anywhere else on this site. Send it to


macdefendertrojan@mailinator.net


and reply to this thread so I know it's there. Mailinator is a webmail server that automatically creates a throwaway account when it receives mail for any address in the domain. The received messages are automatically deleted after a few hours, so I need to know when to look. I also need the message subject so I can distinguish it from spam. Anyone can access the message. If you do, please use caution.


Instructions on what to Google haven't helped me. My setup is quite locked down and I block a lot of otherwise unwanted content. I need a direct URL.


If I get a positive response, I'll try to analyse the trojan in more detail than I've seen here, and post the results in this topic. Thanks.

Mac OS X (10.6.7)

Posted on May 1, 2011 6:36 PM

140 replies

May 2, 2011 11:57 PM in response to Linc Davis

I help Mark Allan, the developer of ClamXav, with tech support. He's also responsible for coding up clamav database signatures for the Mac OS X community. Currently, the database does not contain a signature for this as the AV community seems reluctant to share, so we must fend for ourselves and need your help. If you have any of the files associated with this would you please upload it to the clamav site and the VirusTotal community site.


TIA, -Al-

May 3, 2011 4:41 AM in response to MadMacs0

MadMacs0 wrote:


We've got what we need now, so expect database update shortly.


-Al-


Big thanks to you and your ClamXav team, Clamd and ClamWin. 🙂



Great work Linc !! 😀



Wonder if the lady who answers the phone for a refund is named Doris?


Doris, Boris....a cat named Moris?



Is there a way slightly advanced users can block IP 69.50.214.53? 😀

May 3, 2011 6:09 AM in response to ds store

Ok, found a relatively easy GUI way to block the IP.



Download NoobProof Firewall, skip the wizard.


http://www.hanynet.com/noobproof/


You'll end up with a screen with a BlackList button on the left.


New window appears, on the right enter the IP you want to block, 69.50.214.53, OK


Mainscreen > Start Firewall.


Tools Menu > Install Startup Script



Warning, messing with Firewall settings can seriously undermine your computer's security, cause it to not function correctly.


If you don't know, leave it alone. Look but don't touch. Read a book on the subject first.



Also this is no guarantee to block the malware, it only blocks all incoming connections from that IP address.

May 3, 2011 6:01 AM in response to MadMacs0

If you have any of the files associated with this would you please upload it to the clamav site and the VirusTotal community site.


I deleted the files. There's a link to the page I got them from in the Mailinator mailbox mentioned at the beginning of this topic. The message is still there as of now, but it will be deleted soon. If you're not familiar with Mailinator, see its home page for an explanation of how it works.

May 3, 2011 6:08 AM in response to Moof666

For most users, no password is needed to install an application or add a Login Item. That is the root of my malware on a Mac is mostly paranoia. Just because you download and install a Trojan on a Mac doesn't mean your system is really compromised. The Trojan is like any other application. When you don't want it anymore, just delete it. It is only when you hand over your password that you need to be worried.

May 3, 2011 6:15 AM in response to Moof666

You did not mention authentication. How does an app get into the Applications folder and the Login Items without the user's password authority?


First of all, I didn't authenticate or run the installer. I extracted the files from the BOM manually. The Installer does ask for an admin password, and I should have checked to see whether it installs anything as SUID root, but I forgot to do that. Maybe somebody else will fill in that detail. Edit: I'm pretty sure SUID doesn't work for Aqua executables in 10.6, though it does work for POSIX executables. There were none of the latter in the archive I had.


Most Mac users run all the time in their administrator account, a mistake that Apple does everything to encourage. They can install applications system-wide by drag-and-drop, no authentication necessary.


Authentication is never needed to modify the user's login items. They're stored in a preference file in his home directory.

May 3, 2011 6:24 AM in response to WZZZ

WZZZ wrote:


http://osxdaily.com/2007/03/19/block-access-to-specified-sites-by-modifying-etchosts/


Yes, a hosts file addition is another excellent level of protection.


I've been running a rather large one for many years.


This is my source


http://winhelp2002.mvps.org/hosts.txt


However the "127.0.0.1 local host" line must be first deleted (from this file only), and then all "127.0.0.1" instances changed to "0.0.0.0" for OS X to use it without side complications. Find and Replace in Text Edit works very well.


Once that's completed, then the dangerous part starts. Editing the actual /etc/hosts file.


Text Wrangler "Open File By Name" works rather easy: /etc/hosts


Next move, not to touch anything one sees in the file, rather add some returns to the bottom and copy/paste the contents of the modified Text Edit file.


Save and enter the Admin password and zillions of web garbage is automatically blocked.


However, that portion of the /etc/hosts file that one added needs to be updated time to time to stay on top of the nasties.


Block a line? add "#" to the front.


Block a site? "0.0.0.0 www.facebook.com"


Easy as that, good for the kids, until they find out about web proxies, but there's OpenDNS for that. 😉


Again, play careful, you're on your own.
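
The conversion described in the post above (drop the localhost line, turn `127.0.0.1` entries into `0.0.0.0`, add the result below the existing `/etc/hosts` content), as an added shell example that is not part of the original post. The function names, marker comments and sample entries are constructed for illustration; it goes a step beyond the post by discarding any downloaded line that maps a name to some other IP, and by replacing the earlier block when the list is updated.

```shell
#!/bin/sh
# Added example: turn a Windows-style blocklist into a marked /etc/hosts block.
# Marker text is an assumption of this example, not a hosts-file convention.
BEGIN_MARK='# BEGIN blocklist (example marker)'
END_MARK='# END blocklist (example marker)'

# Read a blocklist on stdin, print de-duplicated "0.0.0.0 host" lines.
convert_blocklist() {
    awk '
        { sub(/\r$/, "") }                      # list may ship with CRLF endings
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        $1 != "127.0.0.1" && $1 != "0.0.0.0" { next }  # never import a real IP mapping
        { host = tolower($2) }
        host == "" || host == "localhost" { next }     # keep the system localhost line
        host !~ /^[a-z0-9._-]+$/ { next }       # reject anything that is not a hostname
        !seen[host]++ { print "0.0.0.0 " host }
    '
}

# Print HOSTS_FILE untouched except that an earlier marked block is
# replaced by the contents of BLOCK_FILE, appended at the bottom.
merge_hosts() {
    hosts_file=$1 block_file=$2
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip { print }
    ' "$hosts_file"
    printf '%s\n' "$BEGIN_MARK"
    cat "$block_file"
    printf '%s\n' "$END_MARK"
}

# Constructed sample in the downloaded list's style (CRLF, one foreign-IP line).
sample_blocklist() {
    printf '%s\r\n' '# sample list' '127.0.0.1  localhost' \
        '127.0.0.1  ads.example.com' '127.0.0.1  ADS.example.com #dup' \
        '203.0.113.9  bank.example.com' '127.0.0.1  tracker.example.net'
}

# Usage: sh hosts_block.sh hosts.txt /etc/hosts > hosts.new
# Review hosts.new before copying it into place with admin rights.
if [ "$#" -eq 2 ]; then
    tmp=$(mktemp) || exit 1
    convert_blocklist < "$1" > "$tmp"
    merge_hosts "$2" "$tmp"
    rm -f "$tmp"
fi
```

Writing to a new file and diffing it against the live `/etc/hosts` before installing keeps the original entries visible and makes a bad list easy to back out.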

May 3, 2011 6:36 AM in response to WZZZ

WZZZ wrote:


Add it to /etc/hosts


http://osxdaily.com/2007/03/19/block-access-to-specified-sites-by-modifying-etchosts/


Actually, you can't block IP's in the /etc/hosts


What adding a "0.0.0.0 www.facebook.com" to the /etc/hosts file does is resolves the IP address of 0.0.0.0 (nothing) instead of the IP provided by your Domain Name Server (either your ISP or OpenDNS or GoogleDNS etc)


So if "www.facebook.com" IP is nothing, nothing is what your computer connects to.


It only works on Domains, not IP addresses.


The OS X Firewall can block IP addresses, but it's complicated to use for GUI fed types. 🙂


Thus I found WaterRoof and NoobProof, as other OS X GUI Firewall configs have fallen away somewhat.

May 3, 2011 9:04 AM in response to ds store

ds store wrote:


WZZZ wrote:


Add it to /etc/hosts


http://osxdaily.com/2007/03/19/block-access-to-specified-sites-by-modifying-etchosts/


Actually, you can't block IP's in the /etc/hosts


What adding a "0.0.0.0 www.facebook.com" to the /etc/hosts file does is resolves the IP address of 0.0.0.0 (nothing) instead of the IP provided by your Domain Name Server (either your ISP or OpenDNS or GoogleDNS etc)


So if "www.facebook.com" IP is nothing, nothing is what your computer connects to.


It only works on Domains, not IP addresses.


The OS X Firewall can block IP addresses, but it's complicated to use for GUI fed types. 🙂


Thus I found WaterRoof and NoobProof, as other OS X GUI Firewall configs have fallen away somewhat.

Yeah, thought of that after I posted. Too bad there isn't a usable domain name coming up for that IP.


Is that just a server that comes up with a whois for 69.50.214.53? What would the relationship be between that outfit registered in Phoenix and this malware author?

May 3, 2011 10:25 AM in response to WZZZ

WZZZ wrote:


Is that just a server that comes up with a whois for 69.50.214.53? What would the relationship be between that outfit registered in Phoenix and this malware author?



Likely none, the host is legitimate, likely a compromised site/server.


Blocking the IP client side is probably a worthless effort at this time, they got the call.


I'm guessing this was a test run, could expect to see this thing get tweaked and hosted on many servers next time. 😟


Sure Apple is going to roll out an update here quick to stop this thing dead in its tracks, even if it changes signature. 🙂
