MacDefender trojan

28368 Views 137 Replies Latest reply: Dec 4, 2011 2:41 PM by thomas_r.
  • Gary P Level 4 Level 4 (1,395 points)
    May 2, 2011 10:40 PM (in response to Linc Davis)

    Yes, BestMacAntivirus2011.mpkg.zip is the one I saw as well. And you can find it by spending too much time on a Google Images page.

  • MadMacs0 Level 4 Level 4 (3,320 points)
    May 2, 2011 11:57 PM (in response to Linc Davis)

    I help Mark Allan, the developer of ClamXav, with tech support. He's also responsible for coding up clamav database signatures for the Mac OS X community. Currently, the database does not contain a signature for this as the AV community seems reluctant to share, so we must fend for ourselves and need your help. If you have any of the files associated with this would you please upload it to the clamav site and the VirusTotal community site.

    TIA, -Al-

  • Moof666 Level 1 Level 1 (70 points)
    May 3, 2011 2:09 AM (in response to Linc Davis)

    Linc Davis:

    You did not mention authentication. How does an app get into the Applications folder and the Login Items without the user's password authority?

  • MadMacs0 Level 4 Level 4 (3,320 points)
    May 3, 2011 2:27 AM (in response to MadMacs0)

    We've got what we need now, so expect database update shortly.

    -Al-

  • ds store Level 7 Level 7 (30,305 points)
    May 3, 2011 4:41 AM (in response to MadMacs0)

    MadMacs0 wrote:

        We've got what we need now, so expect database update shortly.

        -Al-

    Big thanks to you and your ClamXav team, Clamd and ClamWin.

    Great work Linc !!

    Wonder if the lady who answers the phone for a refund is named Doris?

    Doris, Boris....a cat named Moris?

    Is there a way slightly advanced users can block IP 69.50.214.53?

  • ds store Level 7 Level 7 (30,305 points)
    May 3, 2011 6:09 AM (in response to ds store)

    Ok, found a relatively easy GUI way to block the IP.

    Download NoobProof Firewall, skip the wizard.

    http://www.hanynet.com/noobproof/

    You'll end up with a screen with a BlackList button on the left.

    New window appears, on the right enter the IP you want to block, 69.50.214.53, OK

    Mainscreen > Start Firewall.

    Tools Menu > Install Startup Script

    Warning, messing with Firewall settings can seriously undermine your computer's security, cause it to not function correctly.

    If you don't know, leave it alone. Look but don't touch. Read a book on the subject first.

    Also this is no guarantee to block the malware, it only blocks all incoming connections from that IP address.

  • WZZZ Level 6 Level 6 (11,880 points)
  • etresoft Level 7 Level 7 (23,905 points)
    May 3, 2011 6:08 AM (in response to Moof666)

    For most users, no password is needed to install an application or add a Login Item. That is the root of my view that malware on a Mac is mostly paranoia. Just because you download and install a Trojan on a Mac doesn't mean your system is really compromised. The Trojan is like any other application. When you don't want it anymore, just delete it. It is only when you hand over your password that you need to be worried.

  • ds store Level 7 Level 7 (30,305 points)
    May 3, 2011 6:24 AM (in response to WZZZ)

    WZZZ wrote:

        http://osxdaily.com/2007/03/19/block-access-to-specified-sites-by-modifying-etchosts/

    Yes, a hosts file addition is another excellent level of protection.

    I've been running a rather large one for many years.

    This is my source

    http://winhelp2002.mvps.org/hosts.txt

    However the "127.0.0.1 localhost" line must be first deleted (from this file only), and then all "127.0.0.1" instances changed to "0.0.0.0" for OS X to use it without side complications. Find and Replace in Text Edit works very well.

    Once that's completed, then the dangerous part starts. Editing the actual /etc/hosts file.

    Text Wrangler "Open File By Name" works rather easily: /etc/hosts

    Next move, not to touch anything one sees in the file, rather add some returns to the bottom and copy/paste the contents of the modified Text Edit file.

    Save and enter the Admin password and zillions of web garbage is automatically blocked.

    However, that portion of the /etc/hosts file that one added needs to be updated from time to time to stay on top of the nasties.

    Block a line? add "#" to the front.

    Block a site? "0.0.0.0 www.facebook.com"

    Easy as that, good for the kids, until they find out about web proxies, but there's OpenDNS for that.

    Again, play careful, you're on your own.

  • chavinvega Level 1 Level 1 (0 points)
    May 3, 2011 6:25 AM (in response to Linc Davis)

    If you just boot into Safe Boot, by holding down the Shift key when restarting the machine.

    Then go into Applications Folder > Choose MacDeFender.app > Move to Trash (In Safe Mode).

    Then restart normally and then reset Safari.

    It removes it and you're fine.

  • ds store Level 7 Level 7 (30,305 points)
    May 3, 2011 6:36 AM (in response to WZZZ)

    WZZZ wrote:

        Add it to /etc/hosts

        http://osxdaily.com/2007/03/19/block-access-to-specified-sites-by-modifying-etchosts/

    Actually, you can't block IPs in the /etc/hosts

    What adding a "0.0.0.0 www.facebook.com" to the /etc/hosts file does is resolve the IP address of 0.0.0.0 (nothing) instead of the IP provided by your Domain Name Server (either your ISP or OpenDNS or GoogleDNS etc)

    So if "www.facebook.com" IP is nothing, nothing is what your computer connects to.

    It only works on Domains, not IP addresses.

    The OS X Firewall can block IP addresses, but it's complicated to use for GUI fed types.

    Thus I found WaterRoof and NoobProof, as other OS X GUI Firewall configs have fallen away somewhat.
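The hosts-file conversion ds store describes above (drop the localhost line, rewrite 127.0.0.1 to 0.0.0.0, append to /etc/hosts without touching the existing lines), together with the point that /etc/hosts only maps names and cannot block a bare IP address, as an added example that is not from the thread or from any of the tools mentioned. It assumes the downloaded list is in the MVPS hosts layout, that IP-level blocking goes to ipfw (assumed here to be the firewall behind the NoobProof and WaterRoof front-ends on 2011-era OS X), and the sample list and stock hosts text are constructed for the example. The marker names and function names are the example's own.

```python
"""Prepare an MVPS-style hosts blocklist for OS X and separate out bare IP
addresses, which /etc/hosts cannot block (added example, not from the thread).

Assumptions: blocklist lines look like "127.0.0.1 <name> [# comment]"; IP
blocks are expressed as ipfw rules; SAMPLE_MVPS is a constructed sample.
"""
import ipaddress
import re

# RFC 1123-style hostname: dotted labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$",
    re.IGNORECASE,
)
# Names that must never be redirected; the post says to drop the localhost line.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "local"}
BEGIN_MARK = "# BEGIN managed blocklist"   # example's own markers, not a standard
END_MARK = "# END managed blocklist"

# Constructed sample in the MVPS layout (not the real file).
SAMPLE_MVPS = """\
# This is a constructed sample of an MVPS-style HOSTS file
127.0.0.1 localhost
# [Start of entries]
127.0.0.1  ad.doubleclick.net
127.0.0.1  www.example-ad.com  #[Adware]
127.0.0.1  ad.doubleclick.net
127.0.0.1  bad host
"""


def is_hostname(name):
    """True for a syntactically valid DNS name; a bare IP is not a hostname."""
    try:
        ipaddress.ip_address(name)
        return False
    except ValueError:
        return bool(HOSTNAME_RE.match(name))


def convert_hosts_blocklist(text, sink="0.0.0.0"):
    """Rewrite 127.0.0.1 entries to the sink address, drop localhost and
    malformed names, and de-duplicate. Returns the lines to add to /etc/hosts."""
    out, seen = [], set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # strip trailing comment
        if len(fields) < 2 or fields[0] not in ("127.0.0.1", "0.0.0.0"):
            continue                            # not a blocklist entry
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or name in seen or not is_hostname(name):
                continue
            seen.add(name)
            out.append(f"{sink} {name}")
    return out


def classify_blocklist(entries, sink="0.0.0.0"):
    """Split arbitrary entries into (hosts lines, ipfw rules, rejected).
    IPv4 addresses get a deny rule in each direction (ipfw's "ip from A to B"
    syntax); anything that is neither IPv4 nor a hostname is rejected, not guessed."""
    hosts_lines, ipfw_rules, rejected = [], [], []
    for entry in entries:
        e = entry.strip().lower()
        try:
            ip = ipaddress.ip_address(e)
        except ValueError:
            ip = None
        if ip is not None and ip.version == 4:
            ipfw_rules.append(f"add deny ip from {ip} to any")
            ipfw_rules.append(f"add deny ip from any to {ip}")
        elif ip is None and is_hostname(e):
            hosts_lines.append(f"{sink} {e}")
        else:
            rejected.append(entry)
    return hosts_lines, ipfw_rules, rejected


def merge_into_hosts(existing, block_lines):
    """Return new /etc/hosts text: existing lines untouched, the managed block
    replaced between the markers so repeated updates do not pile up stale entries."""
    lines = existing.splitlines()
    if BEGIN_MARK in lines and END_MARK in lines:
        b, e = lines.index(BEGIN_MARK), lines.index(END_MARK)
        head, tail = lines[:b], lines[e + 1:]
    else:
        head, tail = lines, []
    return "\n".join(head + [BEGIN_MARK] + block_lines + [END_MARK] + tail) + "\n"


if __name__ == "__main__":
    # Constructed stand-in for a stock OS X /etc/hosts; back up the real one first.
    stock = "127.0.0.1\tlocalhost\n255.255.255.255\tbroadcasthost\n::1 localhost\n"
    print(merge_into_hosts(stock, convert_hosts_blocklist(SAMPLE_MVPS)))
    hosts, rules, bad = classify_blocklist(["69.50.214.53", "www.facebook.com", "not a host"])
    print("\n".join(hosts + ["ipfw " + r for r in rules]))
    print("rejected:", bad)
```

The ipfw rules are emitted for both directions, whereas the post notes that NoobProof's blacklist only stops incoming connections from the address; either way they need `sudo ipfw` and do not survive a reboot unless installed from a startup script, and ipfw was later replaced by pf on OS X. The IP address and the facebook entry are the ones quoted in the thread, used only as input.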

  • thomas_r. Level 7 Level 7 (26,960 points)
    May 3, 2011 7:51 AM (in response to Linc Davis)

    For those who are interested, I have posted complete details on my experiences with this trojan here:

    http://www.reedcorner.net/?p=82

    I also included an excerpt from one of Linc's posts here, with his permission.

  • WZZZ Level 6 Level 6 (11,880 points)
    May 3, 2011 9:04 AM (in response to ds store)

    ds store wrote:

        WZZZ wrote:

            Add it to /etc/hosts

            http://osxdaily.com/2007/03/19/block-access-to-specified-sites-by-modifying-etchosts/

        Actually, you can't block IPs in the /etc/hosts

        What adding a "0.0.0.0 www.facebook.com" to the /etc/hosts file does is resolve the IP address of 0.0.0.0 (nothing) instead of the IP provided by your Domain Name Server (either your ISP or OpenDNS or GoogleDNS etc)

        So if "www.facebook.com" IP is nothing, nothing is what your computer connects to.

        It only works on Domains, not IP addresses.

        The OS X Firewall can block IP addresses, but it's complicated to use for GUI fed types.

        Thus I found WaterRoof and NoobProof, as other OS X GUI Firewall configs have fallen away somewhat.

    Yeah, thought of that after I posted. Too bad there isn't a usable domain name coming up for that IP.

    Is that just a server that comes up with a whois for 69.50.214.53? What would the relationship be between that outfit registered in Phoenix and this malware author?
