MacDefender trojan

>>You still get Installer app prompting for an OK, but nothing more.

Is the prompt for an OK from Installer.app, then, meaningless? In other words, this means it installs whether or not you authenticate, or hit Return, in the case of there being no password set?

EDIT: Just saw ds store's reply. This is very scary. I'd read that Apple was getting ready to issue a patch for Mac Defender in the 10.6.8. But they better get busy writing again. And they better do something, finally, about "Open "safe" files after...." in Safari.

well it's no worse once downloaded than someone downloading any dubious app & running it - but right enough, the impression many had was that things were somehow safer than that.

Downloading & then opening a zip with an installer package inside & running that installer automatically should never have been considered part of 'opening safe files' .

ds store wrote:

It will install automatically if your running as admin user regardless of your password as it doesn't need it.

I don't have a copy of it yet, but from what I have read to date you still have an opportunity to stop it by not pushing the continue button on the installer dialog.

MadMacs0 wrote:

Intego posted this morning that there is a MacDefender variant called MacGuard that comes as a two-part installation not requiring a password.

I wonder if intego is being completely straightforward about this. If you are running Snow Leopard, then even if you are logged into an admin account, you have to supply an admin password to install downloaded software into the root level Applications folder. The only exceptions to this are 1) if you use an app that doesn't support Snow Leopard's quarantine feature or 2) the downloaded software comes from a site with a valid Certificate Authority (CA) on file in your Mac.

Safari most definitely supports the quarantine feature. I'm not sure if earlier OS versions like Leopard or Tiger support it, or do so to the same extent, but as long as a user is running Snow Leopard and it is up to date, the new variant should not be able to bypass the authentication dialog if it (or its derivatives) want to install anything in /Applications/ or any other system domain location.

I mention the up to date proviso because Security Update 2011-002 addressed an issue with fraudulent certificates issued by a Comodo affiliate registration authority, thus breaking the chain of trust CA's rely on.

You have to give your OK to the installer to install the application; the difference is it now installs as you rather than the admin user so it doesn't require that you supply your admin password.

But the bottom line is you still have to allow the installer to install the application.

Don't install anything you haven't explicitly downloaded from a trusted site, and you will have no issues with this or any other malware.

Something striking iPads

It's using javascript to popup a window that appears to be from MacKeeper

ds store wrote:

Something striking iPads

It's using javascript to popup a window that appears to be from MacKeeper

Assume that's as far as you took it. The url shown isn't working. If you know the url you visited can you email it to macdefender@mailinator.com?

As always, just ignore it.

MadMacs0 wrote:

Assume that's as far as you took it. The url shown isn't working. If you know the url you visited can you email it to macdefender@mailinator.com?

It's coming tagged "iPad/MacKeeper" couldn't reproduce on my Mac, but I'll give everything I got.

ds store wrote:

It's coming tagged "iPad/MacKeeper" couldn't reproduce on my Mac, but I'll give everything I got.

Do you have an iPad & did you see the popup on it yourself, or is this a secondhand report from another user?

ds store wrote:

It's coming tagged "iPad/MacKeeper" couldn't reproduce on my Mac, but I'll give everything I got.

I'm quite sure there is no MacKeeper for the iPad (I checked both the app store and the MacKeeper site), and as far as I know there is no AV software for the iPad so if you cannot reach it with your Mac I wouldn't waste too much more time on it since at this point nothing can be done to prevent it short of publicity and education.

Credit goes to turningtest2 for coming across this and posting it in the Hosts Lounge.

Just keeping the lines of communication open there R C-R, take a chill pill or something. 😉

MadMacs0 wrote:

I'm quite sure there is no MacKeeper for the iPad (I checked both the app store and the MacKeeper site), and as far as I know there is no AV software for the iPad so if you cannot reach it with your Mac I wouldn't waste too much more time on it since at this point nothing can be done to prevent it short of publicity and education.

The URL is different than what is displayed in the blue popup, the full picture and links was sent to the email addy.

Strange it popped up on iPad, so I''m guessing it's just looking at browser info?

Anything that's using the (supposedly?) legitimate MacKeeper and not matching their domain has got to be malware.

So I sent what I links I've found as the site changes it's main page often, turingtest2 reports there is other hanky panky going on so there is good chance you and Linc Davis might find more of what your looking for there. 😉

ds store wrote:

Anything that's using the (supposedly?) legitimate MacKeeper and not matching their domain has got to be malware.

Or just a poorly coded ad.

Quick question...I hope I'm not infected.

I was using Skype to message with a friend. We often share links as we talk photography a lot.

I got a link through from him, clicked it and got the MacDefender site. Immediately sensed it was weird receiving it, so I closed the site page.

I've blocked the IP address listed above - 69.50.214.53

I've looked in my Finder for MACDefender, but I'm not finding it on my computer. I didn't click to download anything, didn't run any installers, and don't appear to have been compromised.

Is there anything else I need to do?

Also, any idea if this was definitely sent by my friend's computer, or could our skype chat have been compromised by a third computer? Should I be contacting him to tell him he may have an infection (as I'm planning to do)?

Cheers.