
MacDefender trojan

I've been following the discussions of this subject, but I have yet to succeed in downloading the trojan or in figuring out how it manages to get installed. I'd appreciate it if someone could send me a direct link. Please don't post the link here or anywhere else on this site. Send it to

macdefendertrojan@mailinator.net

and reply to this thread so I know it's there. Mailinator is a webmail server that automatically creates a throwaway account when it receives mail for any address in the domain. The received messages are automatically deleted after a few hours, so I need to know when to look. I also need the message subject so I can distinguish it from spam. Anyone can access the message. If you do, please use caution.


Instructions on what to Google haven't helped me. My setup is quite locked down and I block a lot of otherwise unwanted content. I need a direct URL.


If I get a positive response, I'll try to analyse the trojan in more detail than I've seen here, and post the results in this topic. Thanks.

Mac OS X (10.6.7)

Posted on May 1, 2011 6:36 PM


May 25, 2011 10:57 AM in response to R C-R

True... it does boggle the mind that one cyber-criminal would be willing to pay another for malware-creation software that they will then run on their own machine. 😁 And we don't really know if the author is being honest about what the actual capabilities of this thing are, since the video that supposedly shows its capabilities looks completely random and meaningless to me. I have no idea what I'm supposed to be seeing.

May 25, 2011 11:19 AM in response to R C-R

RC-R wrote: No "whitelist/blacklist" based utility is any better than the integrity of those lists. Whitelists & blacklists that are supported by crowd-sourcing efforts are not immune to prejudice, errors of omission or inclusion, etc.

NoScript is not a simple whitelist/blacklist utility. With NoScript, JavaScript is off by default until you either temporarily or permanently allow or disallow (whitelist/blacklist) a site. And, even then, third-party scripts are all off by default.


Except for a very small handful of sites that come whitelisted, you are not dependent on some pre-determined whitelist/blacklist. Before you allow a site, you do your own research directly available from NS from WOT, Google Safe Browsing Diagnostic, McAfee, Webmaster Tips Site Information or just by doing a search on your own. Even then, you can still decide not to enable JS for any given site. Of course, this isn't perfect, but nothing is and it's much better than nothing.


And, even if a domain or scripts are allowed, NS is still offering some basic protection.


Since it seems you're really not very well acquainted with it and appear to be confusing it with its very distant Safari (or Camino) relative -- one which pales in comparison -- why don't you just try it and see what I'm talking about?


NoScript


http://noscript.net/features


EDIT: Thomas: I'm very far from being an expert in this field, but from what I know, JS is an easy attack vector. And, it seems likely or probable it will present itself through JS. No?


Message was edited by: WZZZ

May 25, 2011 1:11 PM in response to R C-R

R C-R wrote:


To remove the quarantine attribute from the unzipped installed items, users must authenticate with an admin password when Installer.app runs & asks for it before allowing the install to begin.

Sorry to interrupt the current discussion, but I don't see an appropriate thread yet and those involved all seem to be gathered here.


Intego posted this morning that there is a MacDefender variant called MacGuard that comes as a two-part installation not requiring a password.


<http://blog.intego.com/2011/05/25/intego-security-memo-new-mac-defender-variant-macguard-doesnt-require-password-for-installation/>

May 25, 2011 1:47 PM in response to MadMacs0

Interesting variation. I wonder if this new version claims that it is able to remove the "old" MacDefender.

Probably disabling "open safe files" in Safari is now mandatory, as well as configuring Mac OS X with at least two users: one as administrator for that purpose only, the other(s) with limited privileges for ordinary daily use.


It's interesting also that the IP used to download the other part of the malware was hidden in an image file with a steganographic technique.

May 25, 2011 2:21 PM in response to Rayced

Would appreciate anybody who has this latest version uploading both the original .zip file and the MacGuard application to http://www.VirusTotal.com . If either is not detected by clamav, then also upload that to http://cgi.clamav.net/sendvirus.cgi .


If you are uncomfortable doing this for any reason and can determine the URL of the site where you got it please send the link to macdefender@mailinator.com .

May 25, 2011 2:45 PM in response to Linc Davis

What surprises me is the amount of user interaction that Mac Defender required from the user to get installed. As a semi-former Windows user (as I use Win7 on Boot Camp), I think I developed a sense of not accepting any install or download that I don't remember. As for the new variant that was released that doesn't require an admin password, I think that the only way to stop it is by unchecking the "open safe file" option in Safari. I disabled the function today, which is a good step to avoid getting infected with any future threat.


By the way, removing MacDefender and its variants is relatively easy, when compared to a virus removal on Windows...

May 25, 2011 3:35 PM in response to WZZZ

WZZZ wrote:


What I'd like to understand is with the "previous" version, "Mac Defender," what happened if someone was running admin and had not set a password? Would it just go ahead and install or what?

I believe it still pops up the password dialog to which you just hit return (or click OK) as it's actually a null password.

May 25, 2011 3:46 PM in response to MadMacs0

Yes, that is what happens as for a long time only I used this computer and I had no password set. When I added accounts for my grandchildren and other guests I then set an administrator password. Before then all I did was hit return and the app would install. Very easy. And you hardly have to think about it because you for all practical purposes do nothing.


I would not be surprised if that is how so many people installed mac defender etc. Panic and then you hit return and then you are in real trouble.


laverne's mom


Message was edited by: laverne's mom

May 25, 2011 6:20 PM in response to WZZZ

Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. Since any user with an administrator’s account – the default if there is just one user on a Mac – can install software in the Applications folder, a password is not needed. This package installs an application – the downloader – named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind.


What are they saying? Does this mean it will only automatically install where someone is running admin, but with no password set?

May 25, 2011 6:24 PM in response to WZZZ

no - like mackeeper, if you have write permission for the destination folder (applications in this case most likely, but no need for it to go there since the install script could add a login item or launchagent & place the app anywhere) it'll run w/o any password being asked for.

You still get Installer app prompting for an OK, but nothing more.
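As an added example (not code from this thread or from any poster), a small POSIX shell audit that checks the three conditions the last few replies describe as what lets a MacGuard-style package install with no password prompt: a destination folder the current user can write to, Safari's "Open safe files" setting, and per-user LaunchAgents whose program lives inside a home directory. The function names and the sample plist are constructed; the `com.apple.Safari AutoOpenSafeDownloads` key is Safari's real preference for that checkbox, and on a system without `defaults` the check reports "unknown".

```shell
#!/bin/sh
# Added audit example (hypothetical helper names). Checks the conditions the thread
# describes for a password-less install; it changes nothing on the machine.

# 1. Can the current user create files in the install destination (default /Applications)?
#    An admin account can, which is why Installer.app needs no password there.
dir_writable() {
    [ -d "$1" ] && [ -w "$1" ]
}

# 2. Map the raw AutoOpenSafeDownloads value to yes/no/unknown.
#    An absent key (empty string) means Safari's default applies, which is enabled.
interpret_autoopen() {
    case "$1" in
        0) echo no ;;
        ""|1) echo yes ;;
        *) echo unknown ;;
    esac
}

safari_autoopen() {
    command -v defaults >/dev/null 2>&1 || { echo unknown; return 0; }
    interpret_autoopen "$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)"
}

# 3. Print "plist: path" for every LaunchAgent in DIR whose <string> values point into
#    a home directory, i.e. a location a non-admin install script could write to.
suspicious_agents() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for plist in "$dir"/*.plist; do
        [ -f "$plist" ] || continue
        for p in $(sed -n 's/.*<string>\([^<]*\)<\/string>.*/\1/p' "$plist"); do
            case "$p" in
                /Users/*|"$HOME"/*) echo "$plist: $p"; break ;;
            esac
        done
    done
    return 0
}

# Summarise the three checks; arguments override the destination and agent directory.
audit() {
    dest="${1:-/Applications}"
    if dir_writable "$dest"; then echo "WARN: $dest is writable by $(id -un)"
    else echo "ok: $dest is not writable by $(id -un)"; fi
    echo "Safari opens 'safe' files after download: $(safari_autoopen)"
    suspicious_agents "${2:-$HOME/Library/LaunchAgents}"
}

case "${1:-}" in audit) audit "$2" "$3" ;; esac   # run as: sh audit.sh audit
```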
