Trojan detected message while using Safari

While browsing the Internet tonight, I clicked on a newspaper link and received an Apple Alert that a Trojan was detected on my MacBook Pro. My iPhoto was open in a separate window. All photo counts on the albums were flashing and bright red and white. And a file kept appearing in my downloads. I added the files to the trash and secure emptied it.


How can I be sure that my MacBook is not infected with a Trojan virus?

Macbook Pro, Mac OS X (10.6.4)

Posted on May 8, 2011 5:20 PM


May 9, 2011 10:08 AM in response to Phyllis A. King

Eeew, yuck... avoid Norton certainly. It's got a bad rep for causing crashes and other such nastiness. Don't know a lot about McAfee on the Mac. Even though ClamXav is free, that doesn't make it low quality. It's what I recommend first and foremost, with the free Sophos Anti-Virus for Mac Home Edition running second. The fact that they're both free is nice, but more importantly, they're good and won't screw up your machine.

May 9, 2011 10:31 AM in response to ds store

ds store wrote:

Yes, Apple still uses a keyboard firmware, but I'm guessing it needs to be accessed via root access (sudo window with Admin password), which a piece of malware with a more long term objective could possibly achieve if it waits for a sudo window to open.

Changing the contents of Apple (& most other product) firmware requires more than just root access or waiting for "a sudo window to open," whatever that is supposed to mean. You are looking at this as if the malware has already defeated OS level security & is "inside the fort," so to speak. That is much, much harder to do than you seem to think. For instance, not all processes will run with sudo access; in fact some processes won't even run with root user access unless the machine is booted into single user mode.


Getting inside the fort is the key to all malware. For instance, the botnet attack you referred to relied on yet another trojan, the lure of pirated software, & just like the current example, it could do nothing until a user invited it into the fort.


P.S. Thomas will probably have posted yet another better explanation of this stuff by the time I get this message posted (I've got other stuff going on that makes prompt replies difficult), but like my last one, I'll let it stand as reinforcement of what he probably already has said by now.

May 9, 2011 10:33 AM in response to Phyllis A. King

Phyllis A. King wrote:


No, I've decided to wait. I'm convinced it was a fake screen and nothing was installed. If I have any problems, I'll install the anti-virus software provided by my ISP. I believe it's Norton or McAfee... If that doesn't work then I'll try the Freeware you mentioned.


Thanks.


Yes, stay away from Norton! Stay away from any anti-virus that installs a continuous running process.


The reason is this, Apple is a top down controlling company, meaning they take steps utilizing their control with Software Update to make rather radical changes to OS X.


Third party software that is very controlling of system processes like Norton expects the operating system to remain the same, so when Apple goes and rolls out a change, it breaks Norton and sometimes OS X as well!


Trust me, the free ClamXav is all you need, they were just here in another thread to get a copy of this malware so they can identify it and update their anti-malware definitions file.


You run ClamXav when you want to, it's not a continuous controlling entity that breaks when Apple rolls out an OS X update.


Also, OS X rarely EVER gets any malware. This is an extremely RARE event and my second one in 24 years of using Macs.


You don't need a constant, always on anti-malware that can't detect what it doesn't know, it just wastes your processor power and slows down your computer.



1: Run ClamXav, clean the traces of the Trojan off. You're done.



To keep from getting hit again:


1: Install Firefox and the NoScript Add-on, open the Firefox Customize Toolbar and drag the NoScript button to the toolbar.


NoScript is the best "web cop" software available, as you surf, if you need the scripts or plug-ins to work on a page, just click the button to allow them, after you have established trust with them.


Firefox pops a huge downloads window in front of you BEFORE the download occurs, if you need more protection, install the Public Fox add-on and set a password on the downloads.


You should also install the WOT add-on (Web of Trust). If a site is bad, WOT will place a huge warning in front of you before you download or visit a hostile web site the internet community at large knows about.

May 9, 2011 10:45 AM in response to Phyllis A. King

Once again, I second what Thomas said about AV software -- it's getting to be a habit! 😁


The only difference is I recommend Sophos over ClamXav. The reason is Sophos is a major worldwide vendor of commercial grade AV software with a full time staff & extensive resources devoted to detecting malware as soon as possible after it appears "in the wild." Not to belittle the efforts of ClamXav's developer, which are prodigious, but Sophos runs a network of "honey pots" that basically are baited traps designed to attract malware, which gives it an edge for early detection that is hard to beat. It may only be 24 or 48 hours difference, but that plus its highly refined Mac interface makes it my first choice, if not by a lot.

May 9, 2011 11:04 AM in response to R C-R

R C-R wrote:


... "a sudo window to open," whatever that is supposed to mean....


Super User Do / Root user, a limited access window opportunity an Administrator can use for system level changes. It's invoked by using the Admin password, like when Software Update is used. It closes after 5 minutes.


http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man8/sudo.8.html



It's a typical feature of Unix/Linux operating systems, except in Linux a "key" symbol is placed on the desktop panel (aka Finder) showing the "sudo window" of access is open to notify the user to be extra careful during this time.


OS X might handle things differently, either not requiring the sudo notification, or they just decided their user base didn't need to know.


I consider it an attack vector: if malware is running in user space and injects its code into running application memory while a "sudo window" of opportunity exists, it likely could gain root access.
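The "sudo window" the post describes is sudo's credential cache (its `timestamp_timeout` option, measured in minutes). The following is an added example, not code from the thread or from Apple: it reads a sudoers-style file and classifies how long the cached credential lives, so an administrator can spot a configuration that widens that window. It assumes sudo's built-in default of 5 minutes applies when no `Defaults` line sets the option, and the sample files are constructed here, not taken from any real system.

```shell
# Print the effective timestamp_timeout (minutes) from a sudoers-style file.
# Assumption: sudo's documented default of 5 minutes applies when unset.
sudo_window_minutes() {
    awk '
        /^[[:space:]]*Defaults/ {
            # A Defaults line may carry several comma-separated options.
            n = split($0, parts, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                if (parts[i] ~ /^timestamp_timeout=/) {
                    sub(/^timestamp_timeout=/, "", parts[i])
                    val = parts[i]   # last assignment wins, as in sudo
                }
            }
        }
        END { print (val == "" ? 5 : val) }
    ' "$1"
}

# Map the timeout to a label a reviewer can act on:
#   -1 never expires (widest window), 0 prompts every time (no window),
#   anything else caches the credential for that many minutes.
sudo_window_class() {
    t=$(sudo_window_minutes "$1")
    if [ "$t" -lt 0 ]; then
        echo "never-expires"
    elif [ "$t" -eq 0 ]; then
        echo "prompt-every-time"
    else
        echo "cached-${t}m"
    fi
}

# Constructed sample configurations (hypothetical, for illustration only).
tmp=$(mktemp -d)
printf 'Defaults env_reset\nroot ALL=(ALL) ALL\n' > "$tmp/default.sudoers"
printf 'Defaults env_reset, timestamp_timeout=-1\n' > "$tmp/weak.sudoers"
printf 'Defaults env_reset,timestamp_timeout=0\n' > "$tmp/hardened.sudoers"

for f in "$tmp"/*.sudoers; do
    echo "$(basename "$f"): $(sudo_window_class "$f")"
done
```

Setting `Defaults timestamp_timeout=0` makes every sudo invocation prompt again, which removes the cached-credential window the post is concerned about at the cost of convenience.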

May 9, 2011 11:04 AM in response to ds store

ds store wrote:

Stay away from any anti-virus that installs a continuous running process.

Note that this is not the same thing as "on access" scanning, which does include a background process loaded into system space that could be considered a continuously running process. Many OS level processes are implemented the same way, so this by itself is nothing to be concerned about.


For example Sophos runs a background process so its on access scanner can detect, well, access to files that might be infected before they are opened, & another one to run its automatic malware definition updating feature. But these processes do not attempt to control anything except what they are designed to do & as far as I can tell follow all of Apple's developer guidelines to the letter, meaning the likelihood of their presence interfering with normal OS operation or updates is not likely. That has proven true for me: I have not turned off or otherwise disabled Sophos for any update of any software (Apple or third party) since I began using it last November, & nothing unusual has happened with any of them.

May 9, 2011 11:26 AM in response to ds store

I know what sudo is. I also know the 'attack vector' of malware running in user space gaining a "sudo window" of opportunity by somehow 'injecting' its code into protected system space reserved for a running sudo process is not possible unless the OS has already been so utterly & completely compromised that there would be no point to it -- the machine would already be so completely controlled by the malware that it could do anything it wanted.


Regardless, you are missing the most important point in all this: the hard part is getting the malware into the system. That's the fort. If you can get inside it you can do a lot, but that is a very difficult "if" to accomplish.


Message was edited by: R C-R

May 9, 2011 4:24 PM in response to ds store

I assume(d) that since
A) downloads are exported to the download manager and

B) I have to confirm incoming internet traffic with every launch of the app, that

C) I'm quite secure from installing any hazardous software.


Of course, you're right and there may be trickier and smarter malware now and in the future. I do watch my steps and I won't play around with something that isn't as simple as a Trojan.


And why wouldn't my firewall notice the Trojan - masked as an application - asking for internet access and first ask me for confirmation? So from what you guys say, I understand that the firewall - blocking unauthorized internet access - can be or is evaded by this piece of malware? Well then Apple has a good point in turning it off as the standard setting, worthless crap 😝



*For the record, I don't think/claim to know more than any of you, feel free to educate me so I can educate others 🙂


And if I was to stumble upon anything useful about this Trojan or the Trojan itself I'll let you know.

May 9, 2011 4:37 PM in response to Bubbelz

Firewalls can protect against attacks from outside programs against ports on your computer that are controlled by vulnerable software. This was common in the case of Windows and is one way that a computer can be infected without any action on the part of the user. As far as I know Macs have no such vulnerabilities.


What a firewall can't protect against is an action invoked by software on your Mac, such as a Web download. In that case all the firewall could tell is that your Web browser was downloading something, which could be a component of a Web page, a legitimate installer, or an installer of malware. But the firewall can't tell the difference between these.


Trojans by definition don't "ask for access".

May 9, 2011 5:44 PM in response to William-Boyd-Jr

Okay, thanks, will keep that in mind 🙂


So in my case, when a web download is detected and an external download app is started which doesn't automatically continue the downloading, I'm still protected from the sneaky download as it uses the download app. Or is there a way for Trojans to install themselves in the background without using the (Safari) download manager?


May 9, 2011 6:10 PM in response to Bubbelz

A Firewall protects the 65,535 ports (gates) on a computer by acting like a switch, on or off.


However with the web, it's mostly all going through port 80, and with such a dizzying amount of varying degrees of sites, connections etc. that it's nearly impossible to control.


So the bad stuff sneaks through with the good.




A small malware file loads in a millisecond on broadband connections, the user might not even see the downloads window.


The problem is Safari doesn't confirm with the user before a download occurs with an opt-out option, other browsers do.


That's the only change Safari needs to make and all these trojans will go away. 🙂



This little popup windows business where you "downloaded this file at 10:39 AM on Friday the 13th, 2011" has about as much meaning as asking me what I had for lunch a week ago. 😀

May 10, 2011 1:13 AM in response to ds store

ds store wrote:

The problem is Safari doesn't confirm with the user before a download occurs with an opt-out option, other browsers do.


That's the only change Safari needs to make and all these trojans will go away.

Not true. As long as users can be tricked into downloading & installing them, trojans will not go away.

May 10, 2011 4:02 AM in response to Bubbelz

I assume(d) that since

A) downloads are exported to the download manager and

B) I have to confirm incoming internet traffic with every launch of the app, that

C) I'm quite secure from installing any hazardous software.


A) There is no download manager. Sounds like you are using some third-party app for this, but unless it has AV software built-in, it won't provide you any real protection. And even with AV software, there would be an interval when the malware first appeared where it wouldn't be recognized, so you can't assume this makes you safe.


Further, from the screen shot you provided of your download manager, looks like it does torrents, which are a hotbed of illegal software and thus malware. I'm not sure whether you're actually using torrents, but if you are, it would be amusingly ironic if you felt your download manager kept you safe against malware when it is exposing you to a greater danger.


B) If you give connections to your web browser access through the firewall, you give them all access. Why would you think that a web page, downloaded through port 80 via Safari, would be any different to the firewall than an app, downloaded through port 80 via Safari? It isn't.


And why wouldn't my firewall notice the Trojan - masked as application - asking for internet access and first ask me confirmation?


Because the firewall does not screen outgoing connections. A firewall is designed to prevent an external hacker from accessing your machine through some forgotten port left open. If you want something that blocks outgoing connections, get Little Snitch.


Well then Apple has a good point in turning it off as standard setting, worthless crap


That's like saying that a hammer is worthless crap because it won't tighten a bolt. Use the right tool for the right job.
