137 Replies. Latest reply: Dec 4, 2011 2:41 PM by thomas_r.
  • WZZZ, Level 6 (12,670 points)

    Absolutely! I wouldn't use any browser that didn't allow me the kind of JS filtering that NoScript affords. That's why I stopped using Safari some years ago and went to Firefox almost exclusively. Didn't know about Public Fox.

  • etresoft, Level 7 (26,425 points)

    It is even easier than that. In Safari, go to Preferences > General > uncheck "Open 'safe' files after downloading"

  • WZZZ, Level 6 (12,670 points)

    That's if you insist on using Safari. And, there are other browser based threats that Firefox with NoScript will protect you against that Safari won't.

    People have, for years, been warning, even screaming, about the Safari default "open "safe" files...and Apple does nothing about it. Maybe, this time Apple will listen.

  • ds store, Level 7 (30,315 points)

    etresoft wrote:

    It is even easier than that. In Safari, go to Preferences > General > uncheck "Open 'safe' files after downloading"

    Easier, but not safer.

    Drive-by Trojan downloads can hide themselves among other downloads with legitimate names and be accidentally installed.

    Public Fox will stop any download and ask for a password, alerting you to the download before it starts.

    And WZZZ is correct, there are a lot of web based nasties out there that NoScript protects against.

    The site isn't pretty, but that doesn't matter given what this Add-on does for safer browsing.

    http://noscript.net/

  • SteveAMP, Level 1 (0 points)

    Actually, in this case the .zip opens to the installer package but does not automatically run the installer. My wife ran into the MACDefender on Saturday and stopped clicking on anything once she realized that something was fishy. Two installer packages were in her downloads file but nothing had been installed. I had her force quit Safari and the pop-up and have now trashed (and emptied the trash) the two installer packages.

  • ds store, Level 7 (30,315 points)

    WZZZ wrote:

    People have, for years, been warning, even screaming, about the Safari default "open "safe" files...and Apple does nothing about it. Maybe, this time Apple will listen.

    Apple didn't do anything with "safe files" the last time an exploit used this avenue of attack.

    Safari has been hacked in mere seconds at each annual Pwn2Own contest for the last few years running.

    One could jailbreak an iOS device simply by visiting a web page.

    There is something else they didn't fix apparently in Macs, far worse and non-user unrecoverable if one gets exploited and the malware targets this area, but I'm not mentioning it on a public forum.

    Let's just say you don't want to run any malware on your Mac, even for fun, unless you have system level experience.

  • Linc Davis, Level 10 (155,810 points)

    I wouldn't use any browser that didn't allow me the kind of JS filtering that NoScript affords.

    Safari does allow it, with the JavaScript Blacklist extension. Not that one user in a hundred would know that, any more than he'd know about Firefox extensions.

  • etresoft, Level 7 (26,425 points)

    ds store wrote:

    Safari has been hacked in mere seconds at each annual Pwn2Own contest for the last few years running.

    Please don't bring up that junk. People are confused enough. There is zero validity to any of those hacking contests. They are just disinformation.

  • WZZZ, Level 6 (12,670 points)

    Linc Davis wrote:

    I wouldn't use any browser that didn't allow me the kind of JS filtering that NoScript affords.

    Safari does allow it, with the JavaScript Blacklist extension. Not that one user in a hundred would know that, any more than he'd know about Firefox extensions.

    Not even close. NoScript is far more than a blacklist. Why don't you visit the NoScript site to see for yourself.

    http://noscript.net/features

  • WZZZ, Level 6 (12,670 points)

    Even better, try it yourself.

  • Gary P, Level 4 (1,395 points)

    To experience the attack, just click on a bunch of Google Image Search results until you stumble over it.

  • ds store, Level 7 (30,315 points)

    etresoft wrote:

    There is zero validity to any of those hacking contests. They are just disinformation.

    Ok, you're right.

  • WZZZ, Level 6 (12,670 points)
  • ds store, Level 7 (30,315 points)

    The Weyland-Yutani BOT supports web injects and form grabbing in Firefox; however both Chrome and Safari will soon follow. The webinjects templates are identical to the ones used in Zeus and Spyeye.

    CSIS eCrime Unit is in possession of videos documenting both the admin panel and its functionality as well as the builder itself. Both video clips prove this kit to be fully operational already. This v1.0 of the BOT has a license price for the complete kit equal to 1,000 WMZ/LR.

    CSIS finds this crimekit to be quite disturbing news since MacOS previously to some degree has been spared from the increasing amount of malware which has haunted Windows-based systems for years. This could have resulted in a false sense of security that might make Mac OS users especially vulnerable to a sudden and highly sophisticated attack.

    Well I guess I'd better get the advertising done, rent some retail floor space, hire security guards and crowd control people with walkies, because the money is about to flow...

    Also it looks like MacDefender has hit a bender, no more reports and likely some torts.

  • Linc Davis, Level 10 (155,810 points)

    I found the trojan. I will shortly send a mail to the above-named Mailinator mailbox with the link. The message will be deleted after a few hours. In case it's not clear, that link is to a malware page. Do not visit the link unless you know what you're doing.

    I analysed the trojan only superficially. I didn't run the installer because I wasn't motivated to take the necessary precautions. Instead, I extracted the package contents manually and ran them in an unprivileged account, which I then deleted.

    The archive that I downloaded was named "BestMacAntivirus2011.mpkg.zip." The package installs only the application MacDefender.app. It also runs a shell script that launches the application.

    When launched, the application adds itself to the user's login items and writes a preference file, ~/Library/Preferences/com.alppe.md.plist.plist. It doesn't modify any other user files. It runs as a multi-threaded 64-bit process and doesn't spawn any subprocesses. It contacts a server at the address 69.50.214.53, which is in a netblock assigned to "atjeu publishing, llc" of Phoenix, AZ. A hosting service seems to operate out of that network. The registrant's contact name is given by whois as "Vasilev, Boris."

    The application is localized in two languages, English and Russian.

    The bundle identifier is "com.alppe.spav.plist". That's a Java-style MIB, not a filename. The indicated domain is registered anonymously in Australia and is represented by a parking page.

    The application really does scan the Applications folder and flags a number of executables variously as "Rootkit," "Worm," "Troyan," (sic) and so forth. After the scan completes, the main window closes, but the application doesn't exit. It loads some objectionable pages in Safari, as has been reported, and installs a menu item. There is no Quit menu and the only way to get rid of it is to terminate the process with kill(1) or Activity Monitor.

    So to summarize, the trojan can be removed simply by killing the process "MacDefender" in Activity Monitor, deleting the application and the preference file, and removing the login item. There would also be a receipt in /var/db/receipts if you ran the installer, which I didn't.
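The removal steps Linc Davis summarizes above, as an added shell example that is not part of the thread or of any vendor tool: it checks a home directory for the artifacts he names (the MacDefender process, the MacDefender.app bundle, the com.alppe.md.plist.plist preference file) and removes them. The application-directory argument and the login item name "MacDefender" are assumptions for illustration; the `pkill`/`osascript` steps only run on a real Mac.

```shell
#!/bin/sh
# Added example (not from the thread): find and remove the MacDefender artifacts
# Linc Davis listed. The preference-file path is his; APPDIR and the login item
# name are assumptions for illustration.
PREF_FILE="Library/Preferences/com.alppe.md.plist.plist"
APP_NAME="MacDefender.app"
PROC_NAME="MacDefender"

# md_check HOME [APPDIR]: print one line per artifact found; always returns 0.
md_check() {
    home="$1"; appdir="${2:-/Applications}"
    [ -f "$home/$PREF_FILE" ] && echo "preference file: $home/$PREF_FILE"
    [ -d "$appdir/$APP_NAME" ] && echo "application bundle: $appdir/$APP_NAME"
    # The process check only matters on a Mac; the file checks work anywhere.
    if command -v pgrep >/dev/null 2>&1 && pgrep -x "$PROC_NAME" >/dev/null 2>&1; then
        echo "running process: $PROC_NAME"
    fi
    return 0
}

# md_remove HOME [APPDIR]: kill the process first (it has no Quit menu), then
# delete the bundle, the preference file and the login item.
md_remove() {
    home="$1"; appdir="${2:-/Applications}"
    [ -n "$home" ] && [ -n "$appdir" ] || { echo "usage: md_remove HOME [APPDIR]" >&2; return 1; }
    # pkill returns non-zero when nothing matched; that is not an error here.
    command -v pkill >/dev/null 2>&1 && pkill -x "$PROC_NAME" 2>/dev/null || true
    rm -rf "$appdir/$APP_NAME"
    rm -f "$home/$PREF_FILE"
    # Login items are stored in a binary plist; on macOS let System Events drop it
    # (login item name "MacDefender" is assumed to match the app name).
    if command -v osascript >/dev/null 2>&1; then
        osascript -e 'tell application "System Events" to delete login item "MacDefender"' 2>/dev/null || true
    fi
    return 0
}
```

Run `md_check "$HOME"` first to see what is present, then `md_remove "$HOME"`; the installer receipt in /var/db/receipts, if any, is left for manual review.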
