You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

MacDefender trojan

I've been following the discussions of this subject, but I have yet to succeed in downloading the trojan or in figuring out how it manages to get installed. I'd appreciate it if someone could send me a direct link. Please don't post the link here or anywhere else on this site. Send it to


macdefendertrojan@mailinator.net


and reply to this thread so I know It's there. Mailinator is a webmail server that automatically creates a throwaway account when it receives mail for any address in the domain. The received messages are automatically deleted after a few hours, so I need to know when to look. I also need the message subject so I can distinguish it from spam. Anyone can access the message. If you do, please use caution.


Instructions on what to Google haven't helped me. My setup is quite locked down and I block a lot of otherwise unwanted content. I need a direct URL.


If I get a positive response, I'll try to analyse the trojan in more detail than I've seen here, and post the results in this topic. Thanks.

Mac OS X (10.6.7)

Posted on May 1, 2011 6:36 PM

Reply
140 replies

May 25, 2011 6:38 PM in response to andyBall_uk

>>You still get Installer app prompting for an OK, but nothing more.


Is the prompt for an OK from Installer.app, then, meaningless? In other words, this means it installs whether or not you authenticate, or hit Return, in the case of there being no password set?


EDIT: Just saw ds store's reply. This is very scary. I'd read that Apple was getting ready to issue a patch for Mac Defender in the 10.6.8. But they better get busy writing again. And they better do something, finally, about "Open "safe" files after...." in Safari.

May 25, 2011 6:45 PM in response to WZZZ

well it's no worse once downloaded than someone downloading any dubious app & running it - but right enough, the impression many had was that things were somehow safer than that.


Downloading & then opening a zip with an installer package inside & running that installer automatically should never have been considered part of 'opening safe files' .

May 25, 2011 7:21 PM in response to MadMacs0

MadMacs0 wrote:

Intego posted this morning that there is a MacDefender variant called MacGuard that comes as a two-part installation not requiring a password.

I wonder if intego is being completely straightforward about this. If you are running Snow Leopard, then even if you are logged into an admin account, you have to supply an admin password to install downloaded software into the root level Applications folder. The only exceptions to this are 1) if you use an app that doesn't support Snow Leopard's quarantine feature or 2) the downloaded software comes from a site with a valid Certificate Authority (CA) on file in your Mac.


Safari most definitely supports the quarantine feature. I'm not sure if earlier OS versions like Leopard or Tiger support it, or do so to the same extent, but as long as a user is running Snow Leopard and it is up to date, the new variant should not be able to bypass the authentication dialog if it (or its derivatives) want to install anything in /Applications/ or any other system domain location.


I mention the up to date proviso because Security Update 2011-002 addressed an issue with fraudulent certificates issued by a Comodo affiliate registration authority, thus breaking the chain of trust CA's rely on.

May 25, 2011 8:13 PM in response to WZZZ

You have to give your OK to the installer to install the application; the difference is it now installs as you rather than the admin user so it doesn't require that you supply your admin password.


But the bottom line is you still have to allow the installer to install the application.


Don't install anything you haven't explicitly downloaded from a trusted site, and you will have no issues with this or any other malware.

May 26, 2011 4:28 PM in response to ds store

ds store wrote:


It's coming tagged "iPad/MacKeeper" couldn't reproduce on my Mac, but I'll give everything I got.

I'm quite sure there is no MacKeeper for the iPad (I checked both the app store and the MacKeeper site), and as far as I know there is no AV software for the iPad so if you cannot reach it with your Mac I wouldn't waste too much more time on it since at this point nothing can be done to prevent it short of publicity and education.

May 26, 2011 5:09 PM in response to MadMacs0

MadMacs0 wrote:

I'm quite sure there is no MacKeeper for the iPad (I checked both the app store and the MacKeeper site), and as far as I know there is no AV software for the iPad so if you cannot reach it with your Mac I wouldn't waste too much more time on it since at this point nothing can be done to prevent it short of publicity and education.


The URL is different than what is displayed in the blue popup, the full picture and links was sent to the email addy.


Strange it popped up on iPad, so I''m guessing it's just looking at browser info?


Anything that's using the (supposedly?) legitimate MacKeeper and not matching their domain has got to be malware.


So I sent what I links I've found as the site changes it's main page often, turingtest2 reports there is other hanky panky going on so there is good chance you and Linc Davis might find more of what your looking for there. 😉

May 29, 2011 8:15 AM in response to Linc Davis

Quick question...I hope I'm not infected.


I was using Skype to message with a friend. We often share links as we talk photography a lot.


I got a link through from him, clicked it and got the MacDefender site. Immediately sensed it was weird receiving it, so I closed the site page.


I've blocked the IP address listed above - 69.50.214.53


I've looked in my Finder for MACDefender, but I'm not finding it on my computer. I didn't click to download anything, didn't run any installers, and don't appear to have been compromised.


Is there anything else I need to do?


Also, any idea if this was definitely sent by my friend's computer, or could our skype chat have been compromised by a third computer? Should I be contacting him to tell him he may have an infection (as I'm planning to do)?


Cheers.

MacDefender trojan

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.