Want to highlight a helpful answer? Upvote!

Did someone help you, or did an answer or User Tip resolve your issue? Upvote by selecting the upvote arrow. Your feedback helps others! Learn more about when to upvote >

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: Linc Davis
Linc Davis Author
User level: Level 10
209,547 points

MacDefender trojan

I've been following the discussions of this subject, but I have yet to succeed in downloading the trojan or in figuring out how it manages to get installed. I'd appreciate it if someone could send me a direct link. Please don't post the link here or anywhere else on this site. Send it to


macdefendertrojan@mailinator.net


and reply to this thread so I know It's there. Mailinator is a webmail server that automatically creates a throwaway account when it receives mail for any address in the domain. The received messages are automatically deleted after a few hours, so I need to know when to look. I also need the message subject so I can distinguish it from spam. Anyone can access the message. If you do, please use caution.


Instructions on what to Google haven't helped me. My setup is quite locked down and I block a lot of otherwise unwanted content. I need a direct URL.


If I get a positive response, I'll try to analyse the trojan in more detail than I've seen here, and post the results in this topic. Thanks.

Mac OS X (10.6.7)

Posted on May 1, 2011 6:36 PM

Reply
140 replies
User profile for user: MadMacs0
MadMacs0
User level: Level 5
5,221 points

May 2, 2011 11:57 PM in response to Linc Davis

I help Mark Allan, the developer of ClamXav, with tech support. He's also responsible for coding up clamav database signatures for the Mac OS X community. Currently, the database does not contain a signature for this as the AV community seems reluctant to share, so we must fend for ourselves and need your help. If you have any of the files associated with this would you please upload it to the clamav site and the VirusTotal community site.


TIA, -Al-

Reply
User profile for user: ds store
ds store
User level: Level 7
30,745 points

May 3, 2011 4:41 AM in response to MadMacs0

MadMacs0 wrote:


We've got what we need now, so expect database update shortly.


-Al-


Big thanks to you and your ClamXav team, Clamd and ClamWin. 🙂



Great work Linc !! 😀



Wonder if the lady who answers the phone for a refund is named Doris?


Doris, Boris....a cat named Moris?



Is there a way slightly advanced users can block IP 69.50.214.53? 😀

Reply
User profile for user: ds store
ds store
User level: Level 7
30,745 points

May 3, 2011 6:09 AM in response to ds store

Ok, found a relatively easy GUI way to block the IP.



Download NoobProof Firewall, skip the wizard.


http://www.hanynet.com/noobproof/


You'll end up with a screen with a BlackList button the left.


New window appears, on the right enter the IP you want to block, 69.50.214.53, OK


Mainscreen > Start Firewall.


Tools Menu > Install Startup Script



Warning, messing with Firewall settings can seriously undermine your computers security, cause it to not function correctly.


If you don't know, leave it alone. Look but don't touch. Read a book on the subject first.



Also this is no guarranty to block the malware, it only blocks all incoming connections from that IP address.

Reply
User profile for user: Linc Davis
Linc Davis Author
User level: Level 10
209,547 points

May 3, 2011 6:01 AM in response to MadMacs0

If you have any of the files associated with this would you please upload it to the clamav site and the VirusTotal community site.


I deleted the files. There's a link to the page I got them from in the Mailinator mailbox mentioned at the beginning of this topic. The message is still there as of now, but it will be deleted soon. If you're not familiar with Mailinator, see its home page for an explanation of how it works.

Reply
User profile for user: etresoft
etresoft
User level: Level 8
46,804 points

May 3, 2011 6:08 AM in response to Moof666

For most users, no password is needed to install an application or add a Login Item. That is the root of my malware on a Mac is mostly paranoia. Just because you download and install a Trojan on a Mac doesn't mean your system is really compromised. The Trojan is like any other application. When you don't want it anymore, just delete it. It is only when you hand over your password that you need to be worried.

Reply
User profile for user: Linc Davis
Linc Davis Author
User level: Level 10
209,547 points

May 3, 2011 6:15 AM in response to Moof666

You did not mention authentication. How does an app get into the Applications folder and the Login Items without the user's password authority?


First of all, I didn't authenticate or run the installer. I extracted the files from the BOM manually. The Installer does ask for an admin password, and I should have checked to see whether it installs anything as SUID root, but I forgot to do that. Maybe somebody else will fill in that detail. Edit: I'm pretty sure SUID doesn't work for Aqua executables in 10.6, though it does work for POSIX executables. There were none of the latter in the archive I had.


Most Mac users run all the time in their administrator account, a mistake that Apple does everything to encourage. They can install applications system-wide by drag-and-drop, no authentication necessary.


Authentication is never needed to modify the user's login items. They're stored in a preference file in his home directory.

Reply
User profile for user: ds store
ds store
User level: Level 7
30,745 points

May 3, 2011 6:24 AM in response to WZZZ

WZZZ wrote:


http://osxdaily.com/2007/03/19/block-access-to-specified-sites-by-modifying-etch osts/


Yes, a hosts file addition is another excellent level of protection.


I've been running a rather large one for many years.


This is my source


http://winhelp2002.mvps.org/hosts.txt


However the "127.0.0.1 local host" line must be first deleted (from this file only), and then all "127.0.0.1" instances changed to "0.0.0.0" for OS X to use it without side complications. Find and Replace in Text Edit works very well.


Once that's completed, then the dangerous part starts. Editing the actual /etc/hosts file.


Text Wrangler "Open File By Name" works rather easy: /etc/hosts


Next move, not to touch anything one see's in the file, rather add some returns to the bottom and copy/paste the contents of the modified Text Edit file.


Save and enter the Admin password and zillions of web garbage is automatically blocked.


However, that portion of the /etc/hosts file that one added needs to be updated time to time to stay on top of the nasties.


Block a line? add "#" to the front.


Block a site? "0.0.0.0 www.facebook.com"


Easy as that, good for the kids, until they find out about web proxies, but there's OpenDNS for that. 😉


Again, play careful, your on your own.

Reply
User profile for user: ds store
ds store
User level: Level 7
30,745 points

May 3, 2011 6:36 AM in response to WZZZ

WZZZ wrote:


Add it to /etc/hosts


http://osxdaily.com/2007/03/19/block-access-to-specified-sites-by-modifying-etch osts/


Actually, you can't block IP's in the /etc/hosts


What adding a "0.0.0.0 www.facebook.com" to the /etc/hosts file does is resolves the IP address of 0.0.0.0 (nothing) instead of the IP provided by your Domain Name Server (either your ISP or OpenDNS or GoogleDNS etc)


So if "www.facebook.com" IP is nothing, nothing is what your computer connects to.


It only works on Domains, not IP addresses.


The OS X Firewall can block IP addresses, but it's complicated to use for GUI fed types. 🙂


Thus I found WaterRoof and NoobProof, as other OS X GUI Firewall configs have fallen away somewhat.

Reply
User profile for user: WZZZ
WZZZ
User level: Level 6
13,226 points

May 3, 2011 9:04 AM in response to ds store

ds store wrote:


WZZZ wrote:


Add it to /etc/hosts


http://osxdaily.com/2007/03/19/block-access-to-specified-sites-by-modifying-etch osts/


Actually, you can't block IP's in the /etc/hosts


What adding a "0.0.0.0 www.facebook.com" to the /etc/hosts file does is resolves the IP address of 0.0.0.0 (nothing) instead of the IP provided by your Domain Name Server (either your ISP or OpenDNS or GoogleDNS etc)


So if "www.facebook.com" IP is nothing, nothing is what your computer connects to.


It only works on Domains, not IP addresses.


The OS X Firewall can block IP addresses, but it's complicated to use for GUI fed types. 🙂


Thus I found WaterRoof and NoobProof, as other OS X GUI Firewall configs have fallen away somewhat.

Yeah, thought of that after I posted. Too bad there isn't a usable domain name coming up for that IP.


Is that just a server that comes up with a whois for 69.50.214.53? What would the relationship be between that outfit registered in Phoenix and this malware author?

Reply
User profile for user: ds store
ds store
User level: Level 7
30,745 points

May 3, 2011 10:25 AM in response to WZZZ

WZZZ wrote:


Is that just a server that comes up with a whois for 69.50.214.53? What would the relationship be between that outfit registered in Phoenix and this malware author?



Likely none, the host is legitiment, likely a compromised site/server.


Blocking the IP client side is probably a worthless effort at this time, they got the call.


I'm guessing this was a test run, could expect to see this thing get tweaked and hosted on many servers next time. 😟


Sure Apple is going to roll out a update here quick to stop this thing dead in it's tracks, even if it changes signature. 🙂

Reply

MacDefender trojan

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up