
MacDefender trojan

I've been following the discussions of this subject, but I have yet to succeed in downloading the trojan or in figuring out how it manages to get installed. I'd appreciate it if someone could send me a direct link. Please don't post the link here or anywhere else on this site. Send it to


macdefendertrojan@mailinator.net


and reply to this thread so I know it's there. Mailinator is a webmail server that automatically creates a throwaway account when it receives mail for any address in the domain. The received messages are automatically deleted after a few hours, so I need to know when to look. I also need the message subject so I can distinguish it from spam. Anyone can access the message. If you do, please use caution.


Instructions on what to Google haven't helped me. My setup is quite locked down and I block a lot of otherwise unwanted content. I need a direct URL.


If I get a positive response, I'll try to analyse the trojan in more detail than I've seen here, and post the results in this topic. Thanks.

Mac OS X (10.6.7)

Posted on May 1, 2011 6:36 PM

140 replies

May 1, 2011 8:31 PM in response to etresoft

Here are some instructions from someone who may have actually seen it:


I tried that, and several other searches as reported on this site. Either it wasn't there, or I'm filtering it.


Apparently it just installs itself as a Login Item and tries to get $99 from people.


Some of the victims insist they did not double-click a file in the Finder to launch the trojan. They just went to a web page, and there it was. A JavaScript can cause a file to be downloaded automatically, and it can simulate the launch of an application, but how does the application get launched automatically for real? That's not supposed to happen. I can't tell from the descriptions whether the victims really know what they did.


A few years ago there was a proof-of-concept remote exploit in which a PowerPC PEF application could be made to look like a data file, such as an MP3. If it had the right HFS type code, that would override the filename extension. I thought that hole had been closed, but maybe it hasn't. If you (a) have Rosetta installed and (b) have Safari configured to open so-called "safe" files automatically, then maybe you're still vulnerable. I'd like to know whether this trojan is a PEF or a Mach-O bundle, and what the filename is.

May 2, 2011 5:25 AM in response to Linc Davis

It seems from an analysis posted elsewhere that the trojan is distributed as a zipped Installer package. If the option to open "safe" files is set in Safari, the archive is unpacked, and the package is launched automatically. To unsophisticated users, the Installer screen looks like the ones they're used to when installing system updates, so of course they click through it.


There's nothing special about this archive. The same thing happens with any pkg.zip file. I didn't know that, and I'm shocked by it.


I see two implications for Apple.


First, an Installer package is not a "safe" file and shouldn't be opened automatically.


Second, unless a package is digitally signed by Apple, the Installer should warn the user that it's unofficial and is not to be trusted. That wouldn't stop third-party developers from distributing Installer packages, but it might prevent people from mindlessly running the Installer whenever they're prompted to do so.

May 2, 2011 5:46 AM in response to Linc Davis

First, an Installer package is not a "safe" file and shouldn't be opened automatically.


Absolutely! I suspect that we'll be seeing a security update to deal with this issue soon. Hopefully Apple doesn't drag their feet with that.


Honestly, I'm amazed this hasn't been exploited before, if that option truly opens any zipped installer file.


Second, unless a package is digitally signed by Apple, the Installer should warn the user that it's unofficial and is not to be trusted.


Yes, that's true. Why isn't quarantine catching this? There's more going on than it seems.

May 2, 2011 7:21 AM in response to thomas_r.

Thomas A Reed wrote:


Absolutely! I suspect that we'll be seeing a security update to deal with this issue soon. Hopefully Apple doesn't drag their feet with that.


Honestly, I'm amazed this hasn't been exploited before, if that option truly opens any zipped installer file.


Yes, that's true. Why isn't quarantine catching this? There's more going on than it seems.

Don't get your hopes up. This isn't a security vulnerability, it is a feature and the default setting.


I think it has been exploited before. Technically, exploited isn't the right term in the computer sense. Technically, everything is operating as designed and expected. It is just people that are being exploited. People don't know what a ZIP package is. They don't know what an installer is. They believe people who say that Macs have viruses. Then a screen pops up and tells them they do have viruses and asks for $99. They hand it over. This trojan author has probably already made more money than I will this year.


Quarantine isn't going to catch it because quarantine is designed for legitimate software you download from the internet that doesn't have an installer.

May 2, 2011 7:49 AM in response to etresoft

This isn't a security vulnerability, it is a feature and the default setting.


No, it isn't. A .zip file ought to be a safe file, and could be opened, but that should not result in launching an installer contained within that .zip file, which would absolutely NOT be a safe file. Yet, somehow, that is happening.


Quarantine isn't going to catch it because quarantine is designed for legitimate software you download from the internet that doesn't have an installer.


An installer may, in many cases, be simply an application. Quarantine does not discriminate... any application downloaded from the internet via Safari, whether an installer or not an installer, whether zipped, in a disk image or whatnot, should be intercepted by Quarantine. As for .pkg or .mpkg files, those are not technically applications, but then neither are .html files, yet if you download an archive of zipped .html files from somewhere, Quarantine warns you about those.


I can't honestly swear, thanks to faulty memory, that I have seen Quarantine kick in when running a downloaded .pkg - but if it doesn't, that is a very, very serious security issue that needs to be addressed ASAP.

May 2, 2011 10:28 AM in response to thomas_r.

I just created my own MyTrojan.pkg.zip package. With the default Safari settings, just downloading this file will unzip it and start the installer. I could fill the installer with animated GIFs showing virus scans if I wanted. I could add the application to my Login Items (no authentication needed for that). I could add pre and post install scripts to do just about anything I want. It is quite easy. No password needed. No quarantine. It just works 🙂

May 2, 2011 10:36 AM in response to etresoft

With the default Safari settings, just downloading this file will unzip it and start the installer.


I agree, that happens, and it shouldn't. I don't agree that the quarantine attribute on installer packages is simply ignored. The package is checked against some sort of database of known trojans. Neither MACDefender nor your test package is in that database.
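The two mechanisms the last few posts argue about (Safari's "Open 'safe' files after downloading" option handing a pkg.zip straight to Installer, and the com.apple.quarantine attribute Safari stamps on downloads) can both be audited from a shell. The script below is an added example written for this page; it is not code from the thread or from any poster. It assumes the Safari preference key is `AutoOpenSafeDownloads` in the `com.apple.Safari` domain, that a quarantine attribute value has the layout `flags;download_time_hex;agent;uuid`, and the sample attribute value it decodes is constructed, not captured from MacDefender. Off a Mac, the `defaults` and `xattr` lookups report "unknown" or skip, and only the name check and decoder run.

```shell
#!/bin/sh
# Added defender-side audit (not from the thread): checks the Safari
# auto-open setting and decodes com.apple.quarantine values.
# Assumptions: preference key com.apple.Safari AutoOpenSafeDownloads;
# attribute layout "flags;download_time_hex;agent;uuid".

# True (exit 0) when a download name is one Safari would unpack and hand to
# Installer with the auto-open setting on, per the .pkg.zip behaviour above.
risky_download_name() {
    case "$1" in
        *.pkg.zip|*.mpkg.zip|*.pkg|*.mpkg) return 0 ;;
        *) return 1 ;;
    esac
}

# Report the Safari auto-open setting on a Mac; "unknown" elsewhere.
# An absent key is treated as the shipped default, which is on.
safari_auto_open_setting() {
    if command -v defaults >/dev/null 2>&1; then
        v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true)
        case "$v" in
            0) echo disabled ;;
            *) echo enabled ;;
        esac
    else
        echo unknown
    fi
}

# Decode one com.apple.quarantine value into its fields: hex flags, download
# timestamp (hex seconds since the epoch, printed as decimal) and the
# application that wrote the attribute.
decode_quarantine() {
    flags=$(printf '%s' "$1" | cut -d';' -f1)
    ts_hex=$(printf '%s' "$1" | cut -d';' -f2)
    agent=$(printf '%s' "$1" | cut -d';' -f3)
    [ -n "$ts_hex" ] || ts_hex=0   # malformed value: avoid an arithmetic error
    printf 'flags=0x%s agent=%s downloaded_epoch=%d\n' \
        "$flags" "$agent" "$((0x$ts_hex))"
}

# Read the attribute off a real file when xattr is available (macOS only).
decode_quarantine_of_file() {
    command -v xattr >/dev/null 2>&1 || { echo "xattr not available"; return 1; }
    decode_quarantine "$(xattr -p com.apple.quarantine "$1" 2>/dev/null)"
}

# Demo: the setting, two download names, and a constructed attribute value
# (flags 0x0081, timestamp for 2 May 2011, agent Safari, placeholder UUID).
echo "Safari auto-open: $(safari_auto_open_setting)"
for f in MyTrojan.pkg.zip holiday.jpg.zip; do
    if risky_download_name "$f"; then
        echo "$f: Safari would unpack and launch Installer"
    else
        echo "$f: not an Installer package"
    fi
done
decode_quarantine "0081;4dbf1a2c;Safari;CONSTRUCTED-UUID-0000"
```

Run it as `sh audit.sh` on the Mac in question; a `disabled` line for the setting and a decoded attribute on any downloaded .pkg are what you want to see. The flag bits are deliberately left undecoded here because their meanings are not documented on this page.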

May 2, 2011 10:51 AM in response to Linc Davis

The package is checked against some sort of database of known trojans. Neither MACDefender nor your test package is in that database.

As well as in the database of any of the AV programs. A clear illustration of the uselessness of AV -- especially ones that purport to do active scanning -- if you are unlucky enough to be among the first (including the first OS X virus in the wild, if and when that appears.)


All those programs, right now, are staring at this thing with their mouths wide open.

May 2, 2011 10:51 AM in response to Linc Davis

The malware "MacDefender" is a "drive-by download" utilizing JavaScript.


It's rather simple to defeat this from occurring:


1: Download Firefox 4.0


2: Install the NoScript Add-on


3: Install the Public Fox Add-on.


4: Hit the Toolbar Customize and drag the "Temp Allow All This page" NoScript button to the Toolbar


5: Set up Public Fox to require a password before a download occurs.


As you surf the web with NoScript, all "scripts" including JavaScript, will be turned off by default.

If you trust the site and need scripts to run, click the Temp Allow button.


If your Public Fox pops up asking for your password, you know you got a drive-by download; cancel it and notify the website owner.


"Public Fox" is searchable at Mozilla as "Public Fox"
