MacDefender trojan

Simply don't blindly put your password in when the computer asks you to. This third party software can be avoided. First of all it doesn't have software update icon, second Apple will never release and support malware removal, third... it doesn't look anything like a system error message or any system message at all. People who fall for this third party software will learn a valuable lesson that they need to be careful what they do when they use the computer. Also the program does nothing malicious to the system nor does it steal any information without your consent so this is not malware, trojan, worm... nothing... this is only a credit card scam for people with no brains.

An Installer is not considered a safe file. A zip file is. Safari will automatically open a Zip file. That zip file can be set to automatically open a PKG. I suspect that Apple will be changing something to make it where installers will not open automatically.

5/24/11, finally: http://support.apple.com/kb/HT4650,

How to avoid or remove Mac Defender malware

prbsparx wrote:

An Installer is not considered a safe file. A zip file is.

You are mixing up the terminology. The "installer" is Installer.app, a core OS service application supplied by Apple with your Mac. It is considered safe because (among other reasons) it came from Apple.

A zip file is not inherently either safe or unsafe. But if it contains an executable file of any kind or an installer package, and it was downloaded from any site other than one with a valid certificate authority (CA) on your Mac, then any executable or installer package it contains 'inherits' the quarantine attribute it received if downloaded by any app (like Safari, Mail, or some other browsers) that supports quarantine.

To remove the quarantine attribute from the unzipped installed items, users must authenticate with an admin password when Installer.app runs & asks for it before allowing the install to begin.

I suspect that Apple will be changing something to make it where installers will not open automatically.

Apple already includes the 'open safe items' option in Safari, but as explained above there is no security compromise involved if you use it. You still must authenticate before Installer.app will do anything. That requires a social engineering exploit like this trojan includes. Apple can't do anything about that other than to urge users to be careful about what they install, which already does.

Sorry, you're correct, I used Installer when I meant Installer Package.

From what has been described in this thread it sounds like the ZIP file is unarchived, and the Package is opened. Based on how the Open Safe Downloads command works, it should open the package, only the zip file.

Based on how the Open Safe Downloads command works, it should open the package, only the zip file.

I'm not sure what you mean by this. The option will unzip a downloaded zipped file, & if it contains an installer package, will start Installer.app.

Why doesn't Apple do something simple like introduce a script blocker for Safari, something like NOScript for Firefox which allows you to enable scripts on a site-by-site basis. I don't use Safari specifically for this reason, I'm not letting a browser decide for me what's safe and what's not.

Only a guess, but it is probably because in Apple's estimation not that many users want the hassle of or have the expertise to use a site-by-site or other similar type of Javascript script blocker. For those that do, Safari 5 running on OS 10.5 or 10.6 offers extensions that have some of that functionality.

Aside from that, there are some security & stability concerns associated with using Mozilla/Firefox add-ons themselves that users might want to consider.

Yes, those who think they're safe just because they're using Firefox may wish to consider the example of the Weyland-Yutani crime kit, which could be used to create form-grabbing trojans for Firefox, but not Safari (at this time). Any browser is going to have strengths and weaknesses, so it's better to be smart than to assume your browser choice makes you safe.

NoScript will probably protect against this.

http://forums.informaction.com/viewtopic.php?f=19&t=6373&sid=1fa65a28153a4e839f8 3fa823ed693b4

The Weyland-Yutani BOT supports web injects and form grabbing in Firefox; however both Chrome and Safari will soon follow.

http://www.csis.dk/en/csis/blog/3195/

NoScript will probably protect against this.

Since no trojans have yet been created with this kit, and since nobody who has actually seen the code is talking, it's impossible to predict whether JavaScript is involved at all or how a trojan would be distributed. The point, though, is that using Firefox may be a greater risk once the trojan is in place.

The author said he is holding off on including Safari form-grabbing capability for now, complaining that there are “too many problems in that browser.”
Brian Krebs of Krebs on Security

All we really know for sure is that Safari is not yet supported.

http://blog.eset.com/2011/05/25/macdefender-and-its-many-faces

WZZZ wrote:

NoScript will probably protect against this.

A few things to consider about that:

• No "whitelist/blacklist" based utility is any better than the integrity of those lists. Whitelists & backlists that are supported by crowd-sourcing efforts are not immune to prejudice, errors of omission or inclusion, etc.

• Like any other open source effort, it is possible for someone to create a variant containing its own hidden malware piggybacking on the legitimate code & using a social engineering exploit to get itself installed.

So it is no less important to make sure of the source & the code before installing it than it would be with any other package, & not to become complacent about its less-than-absolute level of protection once it is installed.

Thomas A Reed wrote:

All we really know for sure is that Safari is not yet supported.

Actually all we really know for sure is that one criminal is offering an unproven 'crime kit' to other criminals for $1000 a pop. Kinda makes you wonder who is trying to scam whom, doesn't it? 😉