137 Replies. Latest reply: Dec 4, 2011 2:41 PM by thomas_r.
  • Gary P Level 4 Level 4 (1,395 points)

    Yes, BestMacAntivirus2011.mpkg.zip is the one I saw as well. And you can find it by spending too much time on a Google Images page.

  • MadMacs0 Level 5 Level 5 (4,500 points)

    I help Mark Allan, the developer of ClamXav, with tech support. He's also responsible for coding up clamav database signatures for the Mac OS X community. Currently, the database does not contain a signature for this as the AV community seems reluctant to share, so we must fend for ourselves and need your help. If you have any of the files associated with this, would you please upload them to the clamav site and the VirusTotal community site.

    TIA, -Al-

  • Moof666 Level 1 Level 1 (80 points)

    Linc Davis:

    You did not mention authentication. How does an app get into the Applications folder and the Login Items without the user's password authority?

  • MadMacs0 Level 5 Level 5 (4,500 points)

    We've got what we need now, so expect a database update shortly.

    -Al-

  • ds store Level 7 Level 7 (30,315 points)

    MadMacs0 wrote:

    We've got what we need now, so expect a database update shortly.

    -Al-

    Big thanks to you and your ClamXav team, Clamd and ClamWin.

    Great work Linc !!

    Wonder if the lady who answers the phone for a refund is named Doris?

    Doris, Boris....a cat named Morris?

    Is there a way slightly advanced users can block IP 69.50.214.53?

  • ds store Level 7 Level 7 (30,315 points)

    Ok, found a relatively easy GUI way to block the IP.

    Download NoobProof Firewall, skip the wizard.

    http://www.hanynet.com/noobproof/

    You'll end up with a screen with a BlackList button on the left.

    A new window appears; on the right, enter the IP you want to block, 69.50.214.53, then OK.

    Main screen > Start Firewall.

    Tools Menu > Install Startup Script

    Warning: messing with firewall settings can seriously undermine your computer's security or cause it to not function correctly.

    If you don't know, leave it alone. Look but don't touch. Read a book on the subject first.

    Also, this is no guarantee to block the malware; it only blocks all incoming connections from that IP address.

  • Linc Davis Level 10 Level 10 (154,560 points)

    If you have any of the files associated with this, would you please upload them to the clamav site and the VirusTotal community site.

    I deleted the files. There's a link to the page I got them from in the Mailinator mailbox mentioned at the beginning of this topic. The message is still there as of now, but it will be deleted soon. If you're not familiar with Mailinator, see its home page for an explanation of how it works.

  • WZZZ Level 6 Level 6 (12,660 points)
  • etresoft Level 7 Level 7 (26,235 points)

    For most users, no password is needed to install an application or add a Login Item. That is the root of my malware on a Mac is mostly paranoia. Just because you download and install a Trojan on a Mac doesn't mean your system is really compromised. The Trojan is like any other application. When you don't want it anymore, just delete it. It is only when you hand over your password that you need to be worried.

  • Linc Davis Level 10 Level 10 (154,560 points)

    You did not mention authentication. How does an app get into the Applications folder and the Login Items without the user's password authority?

    First of all, I didn't authenticate or run the installer. I extracted the files from the BOM manually. The Installer does ask for an admin password, and I should have checked to see whether it installs anything as SUID root, but I forgot to do that. Maybe somebody else will fill in that detail. Edit: I'm pretty sure SUID doesn't work for Aqua executables in 10.6, though it does work for POSIX executables. There were none of the latter in the archive I had.

    Most Mac users run all the time in their administrator account, a mistake that Apple does everything to encourage. They can install applications system-wide by drag-and-drop, no authentication necessary.

    Authentication is never needed to modify the user's login items. They're stored in a preference file in his home directory.

  • ds store Level 7 Level 7 (30,315 points)

    WZZZ wrote:

    http://osxdaily.com/2007/03/19/block-access-to-specified-sites-by-modifying-etchosts/

    Yes, a hosts file addition is another excellent level of protection.

    I've been running a rather large one for many years.

    This is my source:

    http://winhelp2002.mvps.org/hosts.txt

    However, the "127.0.0.1 local host" line must first be deleted (from this file only), and then all "127.0.0.1" instances changed to "0.0.0.0" for OS X to use it without side complications. Find and Replace in TextEdit works very well.

    Once that's completed, then the dangerous part starts: editing the actual /etc/hosts file.

    TextWrangler's "Open File By Name" works rather easily: /etc/hosts

    Next move: don't touch anything one sees in the file; rather, add some returns to the bottom and copy/paste the contents of the modified TextEdit file.

    Save and enter the admin password, and zillions of web garbage is automatically blocked.

    However, the portion of the /etc/hosts file that one added needs to be updated from time to time to stay on top of the nasties.

    Block a line? Add "#" to the front.

    Block a site? "0.0.0.0 www.facebook.com"

    Easy as that, good for the kids, until they find out about web proxies, but there's OpenDNS for that.

    Again, play careful, you're on your own.

  • chavinvega Level 1 Level 1 (0 points)

    If you just boot into Safe Boot, by holding down the Shift key when restarting the machine,

    then go into the Applications folder > choose MacDefender.app > Move to Trash (in Safe Mode),

    then restart normally and then reset Safari.

    It removes it and you're fine.

  • ds store Level 7 Level 7 (30,315 points)

    WZZZ wrote:

    Add it to /etc/hosts

    http://osxdaily.com/2007/03/19/block-access-to-specified-sites-by-modifying-etchosts/

    Actually, you can't block IPs in /etc/hosts.

    What adding "0.0.0.0 www.facebook.com" to the /etc/hosts file does is resolve the name to the IP address 0.0.0.0 (nothing) instead of the IP provided by your Domain Name Server (either your ISP or OpenDNS or GoogleDNS etc.).

    So if the "www.facebook.com" IP is nothing, nothing is what your computer connects to.

    It only works on domains, not IP addresses.

    The OS X Firewall can block IP addresses, but it's complicated to use for GUI-fed types.

    Thus I found WaterRoof and NoobProof, as other OS X GUI firewall configs have fallen away somewhat.
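As an added example (not code from this thread or from any of the tools it names), the sh script below carries out the hosts-list preparation described in ds store's earlier post and enforces the point made in the post above that /etc/hosts maps names, not addresses: it drops the localhost line, rewrites 127.0.0.1 to 0.0.0.0, skips any entry whose name field is a bare IP, and writes the result into a marked section of the target file so that re-running it with a fresh list replaces the old section instead of piling up duplicates. The function names, the BEGIN/END marker comments and the sample list are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Prepares a hosts-format blocklist the
# way the earlier post describes and installs it as a replaceable section.
# Function names, markers and the sample list below are all constructed.

# Constructed sample input standing in for a downloaded hosts.txt.
SAMPLE_BLOCKLIST='# sample hosts blocklist (constructed)
127.0.0.1 localhost
127.0.0.1 ads.example.com
127.0.0.1   tracker.example.net   # trailing comment
127.0.0.1 69.50.214.53
0.0.0.0 already.unrouted.example'

# convert_blocklist: hosts lines on stdin -> sanitized "0.0.0.0 name" lines on stdout.
convert_blocklist() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }               # comments and blank lines
        $2 == "localhost" { next }                   # never override localhost
        $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {    # hosts maps names only; an IP here blocks nothing
            print "skipping IP entry: " $2 > "/dev/stderr"; next }
        $1 == "127.0.0.1" { $1 = "0.0.0.0" }         # 0.0.0.0 avoids a connect attempt to the local machine
        { print $1 " " $2 }
    '
}

# update_hosts_section TARGET: replaces (or appends) the marked section in TARGET
# with the lines on stdin, leaving everything outside the markers untouched.
update_hosts_section() {
    target=$1
    tmp=$(mktemp) || return 1
    awk '/^# BEGIN blocklist$/ { skip = 1 }
         !skip { print }
         /^# END blocklist$/ { skip = 0 }' "$target" > "$tmp"
    { echo "# BEGIN blocklist"; cat; echo "# END blocklist"; } >> "$tmp"
    cat "$tmp" > "$target"    # overwrite in place, keeping the file's owner and mode
    rm -f "$tmp"
}

# Usage (needs root for the real file):
#   convert_blocklist < hosts.txt | update_hosts_section /etc/hosts
```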

  • thomas_r. Level 7 Level 7 (29,950 points)

    For those who are interested, I have posted complete details on my experiences with this trojan here:

    http://www.reedcorner.net/?p=82

    I also included an excerpt from one of Linc's posts here, with his permission.

  • WZZZ Level 6 Level 6 (12,660 points)

    ds store wrote:

    WZZZ wrote:

    Add it to /etc/hosts

    http://osxdaily.com/2007/03/19/block-access-to-specified-sites-by-modifying-etchosts/

    Actually, you can't block IPs in /etc/hosts.

    What adding "0.0.0.0 www.facebook.com" to the /etc/hosts file does is resolve the name to the IP address 0.0.0.0 (nothing) instead of the IP provided by your Domain Name Server (either your ISP or OpenDNS or GoogleDNS etc.).

    So if the "www.facebook.com" IP is nothing, nothing is what your computer connects to.

    It only works on domains, not IP addresses.

    The OS X Firewall can block IP addresses, but it's complicated to use for GUI-fed types.

    Thus I found WaterRoof and NoobProof, as other OS X GUI firewall configs have fallen away somewhat.

    Yeah, thought of that after I posted. Too bad there isn't a usable domain name coming up for that IP.

    Is that just a server that comes up with a whois for 69.50.214.53? What would the relationship be between that outfit registered in Phoenix and this malware author?
