Trojan detected message while using Safari

While browsing the Internet tonight, I clicked on a newspaper link and received an Apple Alert that a Trojan was detected on my MacBook Pro. My iPhoto was open in a separate window. All photo counts on the albums were flashing and bright red and white. And a file kept appearing in my downloads. I added the files to the trash and secure emptied it.


How can I be sure that my MacBook is not infected with a Trojan virus?

Macbook Pro, Mac OS X (10.6.4)

Posted on May 8, 2011 5:20 PM


May 9, 2011 6:58 AM in response to ds store

ds store wrote:

This particular piece of malware is getting stronger as the authors adjust their code.

There is no evidence that this is true. Everyone seems to be getting the same piece of malware, typically as a zipped file. The adjustments are a few changes in the name of the unzipped installer package and/or the app name plus a few other cosmetic changes.


It is only getting stronger in the sense that it is a trojan being tweaked to look more legitimate or different from other versions of the same payload. It still requires direct user interaction to be installed & to be removed from quarantine (typically by supplying an admin password at install time).


It is just a trojan, not magic. It won't survive its parts being deleted, & won't magically come back unless users restore an infected backup with it already installed or visit the same or another bogus web page.


At this point, its most serious effect is creating hysteria among users & a lot of vague nonsense about what it can do or where it can lurk without direct user action.


To repeat, it is just a trojan. It must trick users into installing it to have any effect. It has no other, more powerful vector of attack. It is not a new type of attack, just one with a more polished look than Mac users are used to seeing.

May 9, 2011 7:33 AM in response to thomas_r.

Thomas A Reed wrote:


booting off the installer disk, erasing 35x and TimeMachine / clone restoring / installing OS X fresh has no effect!


The malware CAN COME BACK !


So you've said before, but the only evidence you have given was a theoretical firmware exploit on a specific Apple keyboard. Do you have other information that we are unaware of? Because I'm not aware of any real-world Mac malware that behaves as you describe.


This particular piece of malware is getting stronger as the authors adjust their code.


I have not seen any evidence of that, and I've been actively playing with this thing. You seem to be basing that on Phyllis' statement:



Again Thomas, you have taken my post completely out of context.

May 9, 2011 8:34 AM in response to R C-R

R C-R wrote:


It is only getting stronger in the sense that it is a trojan being tweaked to look more legitimate or different from other versions of the same payload. It still requires direct user interaction to be installed & to be removed from quarantine (typically by supplying an admin password at install time).


Right, it does look like it's attacking the Finder, how else can it display red circles in a Finder window?


Or is this just a fake image displayed?





It is just a trojan, not magic. It won't survive its parts being deleted, & won't magically come back unless users restore an infected backup with it already installed or visit the same or another bogus web page.


At this point, its most serious effect is creating hysteria among users & a lot of vague nonsense about what it can do or where it can lurk without direct user action.


To repeat, it is just a trojan. It must trick users into installing it to have any effect. It has no other, more powerful vector of attack. It is not a new type of attack, just one with a more polished look than Mac users are used to seeing.


Malware evolves, and there is an element of risk of re-infection if the keyboard firmware isn't re-flashed, and also if the malware gets to the Firmware.scap file, which would likely require a hard drive extraction to zero out.


I'm trying to warn the less competent away from "playing" with malware on their Macs, if it wasn't so obvious.


What might be harmless looking now might not be the case in the next version of the malware.

May 9, 2011 9:21 AM in response to thomas_r.

Thomas A Reed wrote:


You said that "The malware CAN COME BACK !" I said I was not aware of any Mac malware that could do that, and asked you to provide more information. What context am I missing? If I am incorrect, educate me.


Right now the malware appears to be what it is, but that might not be the case later on.


It has the potential, in FUTURE REVISIONS, to be far more deadly than what it appears to be at present.


Script kiddies are already passing this thing around and altering it to be deadlier as we speak.


Rogue code can alter other OS X applications, like ones that require your admin password for instance, and then gain root access, where it can infect the keyboard firmware and EFI, making eradication much more difficult than a simple reinstall.


I'm trying to discourage those who don't have any malware experience from "playing" with any sort of malware on their Macs, because the illusion that one can simply take a few easy steps to delete it is in itself an attack vector from a social engineering standpoint.


Obviously, if you have the competence to examine the code line by line, then it's not an issue for you personally.


My post was directed at the youngster who thought his firewall was enough protection 🙂

May 9, 2011 9:14 AM in response to Phyllis A. King

Phyllis A. King wrote:


😍 Where have you all been all my life!!! Thank you! BTW, the numbers were flashing and changing. It looked so authentic. It even fooled my husband, who was sitting there looking at my screen. It was his first time seeing an attempted attack. He does not use the computer at all 😉... Very interesting reaction... LOL!


Have you downloaded and installed the free ClamXav to quarantine this infection?


Remember to add all your connected drives to the source list and update your definitions before running the scan or else the malware will be missed.


http://www.clamxav.com/

May 9, 2011 9:23 AM in response to ds store

it does look like it's attacking the Finder, how else can it display red circles in a Finder window?


Or is this just a fake image displayed?


It's a fake. Note the screenshot I posted somewhere above... that looks nothing like my actual sidebar, but that's what shows on my machine. My home folder is not named "computer", even on the test accounts I have used to examine the trojan, I don't have a "work" folder anywhere AFAIK (too generic a name for my taste) and I don't use Dropbox.


there is an element of risk of re-infection if the keyboard firmware isn't re-flashed, and also if the malware gets to the Firmware.scap file, which would likely require a hard drive extraction to zero out.


The only mention I have been able to find regarding the keyboard firmware exploit was nearly two years ago (first week of August 2009). No mention whatsoever since then, and no trojans are exploiting it, if it even still exists in current hardware. At least one security expert would have discovered that if they were. Similarly, no trojans exist that get into the Mac's firmware. If that were to happen, it would be bad, but I suspect it won't. It's too much effort for very little reward. It's so much easier to just write a simple trojan and fool maybe 1% of the people downloading it into paying you $99, then sit back and watch the cash roll in. Why bother with firmware hacks that can keep a Mac infected and provide back-door access, keylogging, etc... then you have to spend time and effort sifting through all that data looking for something you can use. It's the difference between convincing people to mail you broken gold jewelry in hopes of a big payment versus breaking into individual houses and searching for jewelry. Nobody would do the latter if it required substantial investments of time and energy to even begin to comprehend how it's done.

May 9, 2011 9:30 AM in response to ds store

I'm trying to discourage those who don't have any malware experience to avoid "playing" with any sort of malware


Nobody here is recommending that.


My post was directed at the youngster who thought his firewall was enough protection


A firewall isn't protection against malware at all, any more than a security system and locked doors are protection against a mail-bomb. To talk about how dangerous malware could potentially be at some point in the future is not a logical rebuttal to such claims.

May 9, 2011 9:46 AM in response to thomas_r.

Thomas A Reed wrote:


It's a fake. Note the screenshot I posted somewhere above... that looks nothing like my actual sidebar, but that's what shows on my machine. My home folder is not named "computer", even on the test accounts I have used to examine the trojan, I don't have a "work" folder anywhere AFAIK (too generic a name for my taste) and I don't use Dropbox.


Whew, that's a relief!! 😀


The only mention I have been able to find regarding the keyboard firmware exploit was nearly two years ago (first week of August 2009). No mention whatsoever since then, and no trojans are exploiting it, if it even still exists in current hardware.


Yes, Apple still uses a keyboard firmware, but I'm guessing it needs to be accessed via root access (sudo window with Admin password), which a piece of malware with a more long term objective could possibly achieve if it waits for a sudo window to open.


Similarly, no trojans exist that get into the Mac's firmware. If that were to happen, it would be bad, but I suspect it won't. It's too much effort for very little reward. It's so much easier to just write a simple trojan and fool maybe 1% of the people downloading it into paying you $99, then sit back and watch the cash roll in....


Right, but the scareware vector isn't the only revenue source; compromised Macs also have botnet value.


http://arstechnica.com/apple/news/2009/04/evidence-suggests-first-zombie-mac-botnet-is-active.ars

May 9, 2011 9:55 AM in response to ds store

ds store wrote:

Right, it does look like it's attacking the Finder, how else can it display red circles in a Finder window?


Or is this just a fake image displayed?

It is just a browser page that fakes a Finder window. It doesn't do that all that well (since among other things it can only guess what is in a user's sidebar) but it is convincing enough if you aren't that familiar with the Mac GUI or aren't paying close enough attention to notice things like the fact that the app shown in the menu bar is the browser & not Finder.


It is a TROJAN !!! It has no way of doing anything unless & until it convinces a user to install it. Without that, the most malicious thing it can do is take up a few MB of HD space.


In terms of the attack vector, it can't "evolve" into anything "more deadlier," with or without any alterations script kiddies add to it. In more general terms, it most certainly can't do exotic stuff like get into keyboard firmware & lurk there ready to reinfect the system because a) there is nowhere near enough room in the keyboard's onboard storage to hold a copy of the code, even if it was highly compressed, b) there is no mechanism by which the OS would retrieve the code & run or install it, & c) it would have to somehow bypass a number of security APIs built into the OS even if a) & b) were not true.


It most certainly would not survive a hard drive erase, if that is what you mean by "a hard drive extraction." Files live on hard drives, not in firmware, & the OS is quite picky about how it performs firmware updates for hardware (which for peripherals it identifies early in the startup process from product & vendor ID's that are burned into ROM).


Don't get me wrong. The OS is not bulletproof. It isn't inconceivable that some really clever malware author could find an attack vector that did not require the "help" of users to do malicious things. But that would require far, far more sophisticated methods of attack than any variants of this type of malware (an ordinary trojan) could manage. Saying that the author could evolve this into something that could is like saying that someone who built a good bicycle could evolve it into a rocket ship to take people to the moon.
