Trojan detected message while using Safari

While browsing the Internet tonight, I clicked on a newspaper link and received an Apple Alert that a Trojan was detected on my MacBook Pro. My iPhoto was open in a separate window. All photo counts on the albums were flashing and bright red and white. And a file kept appearing in my downloads. I added the files to the trash and secure emptied it.


How can I be sure that my MacBook is not infected with a Trojan virus?

Macbook Pro, Mac OS X (10.6.4)

Posted on May 8, 2011 5:20 PM


May 8, 2011 8:20 PM in response to Carolyn Samit

Carolyn Samit wrote:


Not true at all. I've advised numerous users to follow these instructions with positive results.


Linc is right Carolyn, it's mutated into MacSecurity and other variants.


It's also, by this OP's post, gotten a bit stronger and attacking other programs it seems.


An outdated article with one set of known simple cure instructions isn't enough now; the malware might leave more vicious parts behind with the new variants.


Malware writers are likely reading the results of their attacks online to gauge effectiveness and planning counter strategies.


However, with ClamXav on the case, they can do a much better job of removing all traces of the infection, as they can trace everything the program does. If we can find out where it is. 🙂

May 8, 2011 8:27 PM in response to Linc Davis

Under OS X 10.6, in the Security panel of System Preferences there's an option to "Require a password to unlock each System Preferences pane". At least if that's set, there's no way for software to add a login item without a password.


If you looked at the permissions settings of the things in the /Applications and /Library folders you'd notice that many of them are owned by "system".

May 8, 2011 8:37 PM in response to Linc Davis

Linc, I'm so sorry, unfortunately I cleared my browser history before your post. I can tell you this much about what I was doing. I was searching in Google. I keyed in the search parameters "Donaldsonville ga car accident", because my sister-in-law's step-daughter was in a tragic accident there.


I clicked the very first link that was returned "Two Fatalities in Crash (Brinson)...." I was immediately presented with the Apple Alert window but I can't remember what options were presented there but upon clicking the "okay?", "cancel?" link, the download file appeared, 4 times in my downloads... This was very very convincing, so I could see why someone would go ahead and run the installer. I just never do.


I've checked the Activity Monitor to ensure that there is no MacDefender process running and that is fine.


I've also removed the "Open safe files" selection in Safari -> Preferences -> General.


Thank you for the compliment. I work in IT, so I know a little of what to watch for, and definitely not to open downloaded files whose origin I don't know. I'm just not that familiar with Mac yet, so I appreciate as much help as I can get.

May 8, 2011 9:07 PM in response to William-Boyd-Jr

Under OS X 10.6, in the Security panel of System Preferences there's an option to "Require a password to unlock each System Preferences pane". At least if that's set, there's no way for software to add a login item without a password.


I'm afraid that's not correct. Locking the Accounts preference pane doesn't prevent a user from using it to edit his own login items. Even if it did, he -- or a rogue process running with his privileges -- could edit the corresponding property list directly, without going through the preference pane. The process could also add a user LaunchAgent, which wouldn't appear in any preference pane, and, if the file were invisible, wouldn't appear in the Finder either.


If you looked at the permissions settings of the things in the /Applications and /Library folders you'd notice that many of them are owned by "system".


/Applications is still writable by the admin group, and third-party applications installed by dragging are owned by UID 501. Many items in /Library are group-writable, including Internet Plug-Ins. I had to look at my installer receipts to find this out, because I've been overriding the default permissions for years.
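The persistence spots Linc describes above (per-user LaunchAgent plists, including dot-hidden ones the Finder won't show, and group-writable entries under /Library) can be audited from a shell. The script below is an added example, not code from this thread; it builds a constructed sample tree to run against, and the same functions take a real root such as "/" on a Mac.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits the persistence spots
# Linc describes: per-user LaunchAgent plists (dot-hidden ones included)
# and group-writable entries directly under /Library. ROOT defaults to "/"
# so the functions work on a real Mac; the sample tree is constructed.

# Every plist in the user and system LaunchAgents folders under ROOT,
# hidden files included (a plain `ls` or the Finder would skip them).
list_launch_agents() {
    root="${1:-/}"
    for d in "$root"/Users/*/Library/LaunchAgents "$root"/Library/LaunchAgents; do
        [ -d "$d" ] || continue
        find "$d" -mindepth 1 -maxdepth 1 -type f -name '*.plist' 2>/dev/null
    done | sort
}

# Only the dot-prefixed plists: the ones an inspection via Finder misses.
list_hidden_launch_agents() {
    list_launch_agents "$1" | grep '/\.[^/]*$' || true
}

# Entries directly under ROOT/Library that the group can write to, such as
# Internet Plug-Ins on a default install, which an admin-group process could
# modify without any password prompt.
list_group_writable_library() {
    root="${1:-/}"
    [ -d "$root/Library" ] || return 0
    find "$root/Library" -mindepth 1 -maxdepth 1 -perm -g+w 2>/dev/null | sort
}

# Constructed sample tree: one visible agent, one hidden agent, one
# group-writable plug-in folder and one correctly locked-down folder.
make_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/Users/alice/Library/LaunchAgents" \
             "$base/Library/Internet Plug-Ins" "$base/Library/Fonts"
    : > "$base/Users/alice/Library/LaunchAgents/com.example.updater.plist"
    : > "$base/Users/alice/Library/LaunchAgents/.com.example.hidden.plist"
    chmod 755 "$base/Library" "$base/Library/Fonts"
    chmod 775 "$base/Library/Internet Plug-Ins"
    printf '%s\n' "$base"
}

sample=$(make_sample_tree)
echo "LaunchAgents:";            list_launch_agents "$sample"
echo "Hidden LaunchAgents:";     list_hidden_launch_agents "$sample"
echo "Group-writable /Library:"; list_group_writable_library "$sample"
rm -rf "$sample"
```

On a real Mac, run the three list functions with "/" as the argument; any hidden agent or group-writable plug-in folder you did not put there deserves a closer look.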

May 8, 2011 9:33 PM in response to Phyllis A. King

I'm sorry for your loss.


I found the "Two Fatalities in Crash (Brinson)...." forum you mentioned and opened it multiple times, but nothing was triggered automatically. Nor did an ad do anything, not even by hovering over it. I turned the firewall (and stealth mode) off and still nothing happened. I've enabled the Folx plug-in (download manager), so any launched download has to be confirmed first, as it will be redirected to the Folx application.


Firewall back on, let's try it in Chrome.. Ah, okay, well this opens a popunder to MacKeeper. Nothing there. I was actually thrilled to catch my first OS X trojan/virus/whatever lol.


Well, if you fear anything could happen to your Mac, don't. Even with the firewall turned off there's nothing to fear out there. And congratulations on killing the trojan 😝

May 8, 2011 9:57 PM in response to Bubbelz

Well, if you fear anything could happen to your Mac, don't.


Things definitely can happen if people are careless, as they may be if they accept blithe assurances of safety.


Even with the firewall turned off there's nothing to fear out there.


The firewall doesn't protect you from downloading a trojan. Not in the slightest. If you think it does, you may have more to fear than you realize.

May 9, 2011 3:00 AM in response to Linc Davis

Linc Davis wrote:

For such software there is some limited opportunity for mischief but, depending on settings, malware in that situation wouldn't be able to install itself as a login item.

Why not? No special privileges are needed to add a login item.

But this malware can't "install itself," period. Users still have to initiate that action by clicking the "Install" button in Installer.app. This is also why it doesn't matter much if 'open safe files' is on or off in Safari. Either way, users still have to hit the "Install" button before the malware package can do anything.

May 9, 2011 4:11 AM in response to Linc Davis

Linc Davis wrote:

/Applications is still writable by the admin group, and third-party applications installed by dragging are owned by UID 501.

Not necessarily by UID 501. That is just the UID of the first user account created. It is usually left as an admin account but if there is more than one user account on the Mac, some other user account might have admin status & the 501 account changed to a regular one or even deleted. Third party apps are usually owned by whatever admin user account installed them.

May 9, 2011 5:50 AM in response to Bubbelz

Bubbelz wrote:


...Firewall back-on, let's try it in Chrome.. Ah, okay well this opens a popunder to MacKeeper. Nothing there. I was actually thrilled to catch my first OS X trojan/virus/whatever lol....


Guess I should remind people again.


There are "dark corners" on all Macs that, unless you know about them and can address them,


DO NOT RUN MALWARE ON YOUR MAC !


It's NOT a simple matter of scanning for malware, these "dark corners" are not addressed


booting off the installer disk, erasing 35x and TimeMachine / clone restoring / installing OS X fresh has no effect!


The malware CAN COME BACK !



This particular piece of malware is getting stronger as the authors adjust their code.

May 9, 2011 6:54 AM in response to ds store

booting off the installer disk, erasing 35x and TimeMachine / clone restoring / installing OS X fresh has no effect!


The malware CAN COME BACK !


So you've said before, but the only evidence you have given was a theoretical firmware exploit on a specific Apple keyboard. Do you have other information that we are unaware of? Because I'm not aware of any real-world Mac malware that behaves as you describe.


This particular piece of malware is getting stronger as the authors adjust their code.


I have not seen any evidence of that, and I've been actively playing with this thing. You seem to be basing that on Phyllis' statement:


All photo counts on the albums were flashing and bright red and white.


This sounds to me like the fake AV web site's display of areas on the computer that are supposedly infected:


[screenshot attached to the original post: fake anti-virus web page listing "infected" areas]

Note the red-and-white numbers that, on a live site, would flash. Phyllis, was this the kind of thing you saw?
