Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

MacDefender trojan

I've been following the discussions of this subject, but I have yet to succeed in downloading the trojan or in figuring out how it manages to get installed. I'd appreciate it if someone could send me a direct link. Please don't post the link here or anywhere else on this site. Send it to


macdefendertrojan@mailinator.net


and reply to this thread so I know It's there. Mailinator is a webmail server that automatically creates a throwaway account when it receives mail for any address in the domain. The received messages are automatically deleted after a few hours, so I need to know when to look. I also need the message subject so I can distinguish it from spam. Anyone can access the message. If you do, please use caution.


Instructions on what to Google haven't helped me. My setup is quite locked down and I block a lot of otherwise unwanted content. I need a direct URL.


If I get a positive response, I'll try to analyse the trojan in more detail than I've seen here, and post the results in this topic. Thanks.

Mac OS X (10.6.7)

Posted on May 1, 2011 6:36 PM

Reply
140 replies

May 15, 2011 5:27 AM in response to Linc Davis

I wouldn't think everyone who wants a copy of this Trojan is doing a benign research project. A few copy-cats are looking for this, too.


ds store:

You don't need Text Wrangler, or Terminal as some have suggested, to edit hosts:

Click the "Go" menu and choose "Go to folder".

Type: /etc

Click "Go"

View as columns. Find "hosts" in the right column. Drag it it the desktop to copy it. Open the copy with TextEdit. Between "127.0.0.1 localhost" and " 255.255.255.255 broadcasthost", make a new line and type "127.0.0.1 bad.ad.site.com". After editing, the text should look something like this:


##

1. Host Database

#

1. localhost is used to configure the loopback interface

2. when the system is booting. Do not change this entry.

##

127.0.0.1 localhost

127.0.0.1 bad.ad.site.com

255.255.255.255 broadcasthost

::1 localhost


Save the hosts file. Drag it back to the same "/etc" window to replace the original hosts file. Click the "Authenticate" button in the message. Type your admin password. Agree to replace the original. Restart.

You shouldn't remove the "127.0.0.1 localhost" line either. All block site lines should reflect the same IP as localhost (127.0.0.1). Keep it simple.


As for NoScript, the "log in" link for this discussion site uses a redirect now (from discussions.apple.com to daw.apple.com). NoScript blocks this very discussion until you make an allowance.


As "The Hatter" mentions (I think; he's over my head in his lingo), some apps cannot be turned off by Activity Monitor. Shouldn't the developer of Mac Defender be studying ways to make it stick better (reload itself like TechTool Pro)? Then we can't turn it off in Activity Monitor. Safe Boot should still nix it.


Now for my question:

Why does Mac Defender ask for a password? Couldn't it simply install by letting the user click the "Install" button? If I were a crook, I wouldn't want to make it any more difficult than necessary to get the credit card info... unless... maybe something much more insidious is afoot. This guy may have additional hacks at hand involving stollen passwords, so why is no one suggesting that part of the process of recovering from Mac Defender include changing the admin password?


EDIT: OMG, Apple has added an edit button! Will wonders never cease? And I thought they weren't listening when I griped about Keynote not letting me set a song to play for exactly X number of slides like PowerPoint has done for so many years. I'll be looking for that Keynote update any day now.

May 15, 2011 5:30 AM in response to Moof666

Now for my question:

Why does Mac Defender ask for a password?


It doesn't. There's been a lot of FUD about MacDefender authenticating to root, but it never does. The Apple installer, used to open and install the components in the .mpkg file the malware is packaged in, requests your admin password so the app can be moved into the Applications folder. The trojan never gets that kind of access.

May 15, 2011 5:53 AM in response to Moof666

Why does Mac Defender ask for a password?


It doesn't. The Installer asks for a password.


Couldn't it simply install by letting the user click the "Install" button?


In the form I saw, yes, if the user was a member of the admin group.


This guy may have additional hacks at hand involving stollen passwords, so why is no one suggesting that part of the process of recovering from Mac Defender include changing the admin password?


Because the trojan itself doesn't ask for the password. Everything the Installer does is determined by scripts and is therefore transparent. I looked at those scripts very carefully. They don't steal the password.


The SEO attack on Google is quite sophisticated. The trojan itself is very unsophisticated. It could do a lot of things it doesn't do, either because the dude doesn't know how or because he isn't motivated. He just wants to make a quick score. Of course that may change in the future, or may already have changed.

May 15, 2011 6:46 AM in response to Moof666

Moof666 wrote: As for NoScript, the "log in" link for this discussion site uses a redirect now (from discussions.apple.com to daw.apple.com). NoScript blocks this very discussion until you make an allowance.

This really isn't on topic, but I'm not seeing this with NoScript. The log in page is using daw.apple.com. Once log in is completed, there is a redirect to discussions.apple.com. Either Firefox, itself, with a preference setting, or the RefreshBlocker Add-on will block this redirect, but I'm not seeing NoScript getting involved at all. I have apple.com permanently whitelisted in NS.

May 17, 2011 9:19 AM in response to thomas_r.

It seems you are an expert about this malware.

Do you also know if after sitting on a system and being free to go online for a while -I've read that it is a trojan horse- there are some privileges escalation and it gets the admin password of that system and it sends it home, or it will modify sudoers file, intact some other privilege for users and groups or any other file setting some unwanted flag, creates some invisible files and so on?

MacDefender trojan

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.