
MacDefender trojan

I've been following the discussions of this subject, but I have yet to succeed in downloading the trojan or in figuring out how it manages to get installed. I'd appreciate it if someone could send me a direct link. Please don't post the link here or anywhere else on this site. Send it to


macdefendertrojan@mailinator.net


and reply to this thread so I know it's there. Mailinator is a webmail server that automatically creates a throwaway account when it receives mail for any address in the domain. The received messages are automatically deleted after a few hours, so I need to know when to look. I also need the message subject so I can distinguish it from spam. Anyone can access the message. If you do, please use caution.


Instructions on what to Google haven't helped me. My setup is quite locked down and I block a lot of otherwise unwanted content. I need a direct URL.


If I get a positive response, I'll try to analyse the trojan in more detail than I've seen here, and post the results in this topic. Thanks.

Mac OS X (10.6.7)

Posted on May 1, 2011 6:36 PM

140 replies

May 22, 2011 11:49 AM in response to Linc Davis

Simply don't blindly put your password in when the computer asks you to. This third-party software can be avoided. First of all, it doesn't have a Software Update icon; second, Apple will never release and support malware removal; third, it doesn't look anything like a system error message or any system message at all. People who fall for this third-party software will learn a valuable lesson: they need to be careful what they do when they use the computer. Also, the program does nothing malicious to the system, nor does it steal any information without your consent, so this is not malware, a trojan, a worm... nothing... this is only a credit card scam for people with no brains.

May 24, 2011 7:28 PM in response to prbsparx

prbsparx wrote:

An Installer is not considered a safe file. A zip file is.

You are mixing up the terminology. The "installer" is Installer.app, a core OS service application supplied by Apple with your Mac. It is considered safe because (among other reasons) it came from Apple.


A zip file is not inherently either safe or unsafe. But if it contains an executable file of any kind or an installer package, and it was downloaded from any site other than one with a valid certificate authority (CA) on your Mac, then any executable or installer package it contains 'inherits' the quarantine attribute it received if downloaded by any app (like Safari, Mail, or some other browsers) that supports quarantine.


To remove the quarantine attribute from the unzipped installed items, users must authenticate with an admin password when Installer.app runs & asks for it before allowing the install to begin.

I suspect that Apple will be changing something to make it where installers will not open automatically.

Apple already includes the 'open safe items' option in Safari, but as explained above there is no security compromise involved if you use it. You still must authenticate before Installer.app will do anything. That requires a social engineering exploit like this trojan includes. Apple can't do anything about that other than to urge users to be careful about what they install, which it already does.
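A way to see the quarantine attribute the post above talks about on your own downloaded files, as an added example that is not part of the thread: the scanner needs macOS `xattr`, while the decoder runs in any POSIX shell. The sample value in the comment is constructed; the field layout (flags;download time as hex epoch seconds;downloading agent;UUID) is the standard com.apple.quarantine format.

```shell
#!/bin/sh
# Added example, not code from the thread. Lists files in a download folder
# that still carry com.apple.quarantine and decodes the attribute's fields.

# Decode a raw quarantine value such as (constructed)
#   "0081;4dc5c2a1;Safari;00000000-0000-0000-0000-000000000000"
# into "<flags> <agent> <decimal epoch seconds>".
parse_quarantine() {
    raw=$1
    flags=${raw%%;*}; rest=${raw#*;}
    stamp=${rest%%;*}; rest=${rest#*;}
    agent=${rest%%;*}
    # The timestamp is hex epoch seconds; convert it to decimal.
    epoch=$((0x$stamp))
    printf '%s %s %s\n' "$flags" "$agent" "$epoch"
}

# Walk a directory (default ~/Downloads) and print each quarantined file
# with its decoded attribute. Returns 2 where xattr is unavailable.
scan_quarantine() {
    dir=${1:-"$HOME/Downloads"}
    command -v xattr >/dev/null 2>&1 || { echo "xattr not available"; return 2; }
    find "$dir" -type f | while IFS= read -r f; do
        val=$(xattr -p com.apple.quarantine "$f" 2>/dev/null) || continue
        printf '%s\t' "$f"
        parse_quarantine "$val"
    done
}
```

Run `scan_quarantine` on a Mac to see which downloads would still trigger the quarantine prompt; files without the attribute are skipped.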

May 25, 2011 6:30 AM in response to MKZA

Only a guess, but it is probably because in Apple's estimation not that many users want the hassle of or have the expertise to use a site-by-site or other similar type of Javascript script blocker. For those that do, Safari 5 running on OS 10.5 or 10.6 offers extensions that have some of that functionality.


Aside from that, there are some security & stability concerns associated with using Mozilla/Firefox add-ons themselves that users might want to consider.

May 25, 2011 7:46 AM in response to R C-R

Yes, those who think they're safe just because they're using Firefox may wish to consider the example of the Weyland-Yutani crime kit, which could be used to create form-grabbing trojans for Firefox, but not Safari (at this time). Any browser is going to have strengths and weaknesses, so it's better to be smart than to assume your browser choice makes you safe.

May 25, 2011 8:57 AM in response to WZZZ

NoScript will probably protect against this.


Since no trojans have yet been created with this kit, and since nobody who has actually seen the code is talking, it's impossible to predict whether JavaScript is involved at all or how a trojan would be distributed. The point, though, is that using Firefox may be a greater risk once the trojan is in place.


The author said he is holding off on including Safari form-grabbing capability for now, complaining that there are “too many problems in that browser.”
Brian Krebs of Krebs on Security


All we really know for sure is that Safari is not yet supported.

May 25, 2011 10:37 AM in response to WZZZ

WZZZ wrote:

NoScript will probably protect against this.

A few things to consider about that:


• No "whitelist/blacklist" based utility is any better than the integrity of those lists. Whitelists & blacklists that are supported by crowd-sourcing efforts are not immune to prejudice, errors of omission or inclusion, etc.


• Like any other open source effort, it is possible for someone to create a variant containing its own hidden malware piggybacking on the legitimate code & using a social engineering exploit to get itself installed.


So it is no less important to make sure of the source & the code before installing it than it would be with any other package, & not to become complacent about its less-than-absolute level of protection once it is installed.
