You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

MacDefender trojan

I've been following the discussions of this subject, but I have yet to succeed in downloading the trojan or in figuring out how it manages to get installed. I'd appreciate it if someone could send me a direct link. Please don't post the link here or anywhere else on this site. Send it to


macdefendertrojan@mailinator.net


and reply to this thread so I know It's there. Mailinator is a webmail server that automatically creates a throwaway account when it receives mail for any address in the domain. The received messages are automatically deleted after a few hours, so I need to know when to look. I also need the message subject so I can distinguish it from spam. Anyone can access the message. If you do, please use caution.


Instructions on what to Google haven't helped me. My setup is quite locked down and I block a lot of otherwise unwanted content. I need a direct URL.


If I get a positive response, I'll try to analyse the trojan in more detail than I've seen here, and post the results in this topic. Thanks.

Mac OS X (10.6.7)

Posted on May 1, 2011 6:36 PM

Reply
140 replies

May 29, 2011 8:25 AM in response to Chris the Gamer

Nice one. I've checked my applications folder and my utilities folder and it isn't in either. Guess I'm okay, then. I've mailed my mate, suggesting he check his own system out for this.


I'm really surprised I got this through Skype. Not because Skype is in any way safe, just didn't expect it dropping in to a private chat with someone I knew.


I'd be interested to know if the link must have been sent from his computer, or if it was possible that our chat could have been hijacked by another user to send me that link. I'm assuming it was the former. Link was a google search link - the reason why it didn't strike me as odd; we're always sharing links to images we're talking about, so a google search link didn't stand out as being odd.

May 29, 2011 8:28 AM in response to Scrybe

I'm sure, as a result of your post (though through no fault of yours), we're going to see an outbreak of people claiming the MacDefender trojans are spreading via Skype. However, in reality, what most likely happened was that the site your friend referred you to was perfectly fine, but got a malicious JavaScript injected into the page that redirected you to the MacDefender site.


Edit: since you say the link was a Google search link, I'd upgrade that estimate from "most likely" to "almost certainly". Google searches have been a major vector for MacDefender transmission.

May 29, 2011 10:55 AM in response to Scrybe

The method used by this malware to get you to its malicious web page is not new, nor is it a web page redirect or compromise of a legitimate web site in the normal sense. It is called "SEO poisoning" & it isn't that hard to understand how it works.


"SEO" stands for search engine optimization, a technique legitimate web sites have been using since the 1990's to get more traffic directed to their pages. Basically, the idea is to get enough references to the site onto the web that the algorithms used to collect search keyword data from the Internet will decide they are popular pages & thus rank them near the top of search results.


There are many ways to do this, from ones considered as completely respectable by almost everybody to ones widely considered as totally unscrupulous. But it is called SEO poisoning when the page, however it manages to get a high page rank, is a malicious one.


Note that the search site itself isn't "poisoned." In a sense, it is the Internet itself that has been poisoned with too many undeserved references to the malicious pages. There is no way to control that. The best we can hope for from the search engine providers is harder to trick page ranking algorithms, plus blacklisting of pages known to be malicious.


Aside from that, it might help to know that since the malicious pages are only interested in getting as many hits as possible regardless of what people search for on the web, the optimization is rigged for the most popular searches. Unfortunately, it is easy to automate the process & update it very quickly, so searches for whatever are the hottest topics of the moment are the most likely ones to include these bogus pages in their results.

May 30, 2011 11:06 AM in response to R C-R

I have been hit 3 times in the last week by 3 differently named (one was MacProtector) viruses/trojans. Luckily I got each removed immediately, but having this happen every couple of days is annoying to say the least. In addition to what Apple proposed, I also went back into Safari Preferences and unchecked "Open Safe Files after downloading" at the bottom of the General page section.


BTW, each time this happened I was on sites I visit all the time and was not just "browsing" on the internet. One of these occurrences was when I was on my Gmail page and clicked on one of my label groups to bring up those emails.


I'm glad Apple is working on this, but I hope they come up with something SOON!

May 30, 2011 11:45 AM in response to zanne101

You won't get hit with this thing hardly at all if you run Firefox and the NoScript add-on, I think there was only two reports of Firefox users being hit and they were not running NoScript.


The malware needs Javascript running in the browser.


So with NoScript you run with very little Javascript, unless you absolutely need it which you turn it on with a quick click on the NoScript Toolbar button ("Temp allow all this page")


So what your doing is significantly reducing your exposure window.


I likely came across this thing a few dozen times already and didn't know it, because I run with very little Javascript or any scripts for that matter.


Unfortunatly Safari doesn't have NoScript, to turn off Javascript requires a trip to Safari preferences. 😟

May 30, 2011 12:23 PM in response to ds store

I think there was only two reports of Firefox users being hit and they were not running NoScript.


There is nothing about this outbreak that is unique to Safari, except that Safari will open the installer automatically. The claim of only "two reports" from Firefox users is not a valid one in any form. Although most of the reports I have come across involve people using Safari, most Mac users in general are using Safari, so you cannot draw any conclusions without a detailed statistical analysis of a very large number of cases. Certainly, I've encountered plenty of people who were affected while using Firefox or Chrome.

May 30, 2011 12:49 PM in response to thomas_r.

Thomas A Reed wrote:


I think there was only two reports of Firefox users being hit and they were not running NoScript.


There is nothing about this outbreak that is unique to Safari, except that Safari will open the installer automatically.

I believe there is one other Firefox "feature" that comes into play here and that is that Firefox will ask you if you really want to download something that a javascript has automatically kicked off, whereas Safari will not. With this outbreak the user has already requested the download, so it is unlikely he will have second thoughts, but it is another difference.

Dec 1, 2011 6:19 PM in response to MadMacs0

I would have thought we had seen the end of this with the folks behind the MacDefender payment processing in jail... But perhaps they were not the ones responsible for creating the software, and those hackers have found a new payment processor. Of course, that's a lot of speculation based on very little information at this point. :)

MacDefender trojan

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.