is apple security center safe?

We are getting a screen indicating that there are 71 items that need attention as part of an Apple Security Alert. The screen indicates that it is part of Apple Security Center. It asks to click ok to remove the offending objects (virus, malware). Is this legitimate apple software or will it introduce a virus?

iMac, Mac OS X (10.6.7)

Posted on May 9, 2011 5:07 PM

162 replies

May 10, 2011 2:12 PM in response to mim_aus

but we have Intego VirusBarrier X6, so why didn't it get picked up?

Intego, or you, may not have updated its malware definitions. You can't really trust AV programs to protect you. They give people a false sense of security.


It appears it may be "phoning home," contacting its author with some data -- no idea what -- from infected machines. I would change important passwords immediately and never use the same password for different occasions.


How do I know it's really gone?


I don't know which directions you followed to remove this (I'll give you mine, below), but you probably got everything; it's not that complicated to remove. You could do a full drive scan with ClamXav. They appear to be staying on top of this. But this thing keeps using different names, so I don't know if that leaves holes in ClamXav.


http://www.clamxav.com/download.php


If you gave your credit card #, contact them and dispute the charges and cancel the card ASAP.

-------------


First, restart in Safe Boot by holding the Shift key down at the chime. Or, alternatively, open Activity Monitor in Utilities, set to Active Processes, find the program and force quit it. This will keep it from running, but only temporarily, so you can remove it.


1. Drag the MacSecurity program -- or whatever it's called; it keeps using different names -- MAC Defender, MacProtector, MacKeeper 911, Apple Security Center (installed in the Applications folder by default) to the Trash. Empty the Trash.

2. Remove item of same name from the Login Items for your Account in the OS X System Preferences (if it exists).

3. Go to your Home folder Library>Preferences and Application Support (may not be anything there, but check just in case) and search for any files with one of the above names and trash them. Empty the trash.

4. If you use Safari, go to Preferences>General and UNCHECK "Open 'safe' files after downloading". Keep that unchecked.
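Steps 1 to 3 of the clean-up above, as an added example in Python; this is not code from the thread or from any poster. It walks the folders the steps name for anything carrying one of the names listed, reads the per-user login items, and deletes only when explicitly asked to. One assumption is mine, not the thread's: that on 10.6 the login items live in ~/Library/Preferences/loginwindow.plist under the key AutoLaunchedApplicationDictionary. The demo() function builds a throwaway folder tree with constructed fake entries so the scan can be run safely on any machine; step 4 (the Safari preference) is a GUI setting and is not scripted here.

```python
import os
import plistlib
import shutil
import tempfile
from pathlib import Path

# Names the fake-AV trojan has been seen using, as listed in the post above.
# Matching is case-insensitive and ignores spaces ("MacDefender" == "MAC Defender").
SUSPECT_NAMES = (
    "MacSecurity", "MAC Defender", "MacProtector",
    "MacKeeper 911", "Apple Security Center",
)


def is_suspect_name(name: str) -> bool:
    """True if a file or bundle name contains one of the known trojan names."""
    squashed = name.lower().replace(" ", "")
    return any(s.lower().replace(" ", "") in squashed for s in SUSPECT_NAMES)


def find_suspect_files(roots):
    """Steps 1 and 3: walk each root (e.g. /Applications, ~/Library/Preferences,
    ~/Library/Application Support) and return every entry whose name matches.
    A matching .app bundle is reported once and not descended into."""
    hits = []
    for root in roots:
        root = Path(root).expanduser()
        if not root.exists():
            continue
        for dirpath, dirnames, filenames in os.walk(root):
            for entry in dirnames + filenames:
                if is_suspect_name(entry):
                    hits.append(Path(dirpath) / entry)
            dirnames[:] = [d for d in dirnames if not is_suspect_name(d)]
    return sorted(hits)


def find_suspect_login_items(loginwindow_plist):
    """Step 2. Assumption (not stated in the thread): on 10.6 the per-user login
    items are kept in ~/Library/Preferences/loginwindow.plist under the key
    AutoLaunchedApplicationDictionary, one dict per item with a 'Path' entry."""
    p = Path(loginwindow_plist).expanduser()
    if not p.exists():
        return []
    with p.open("rb") as f:
        plist = plistlib.load(f)
    items = plist.get("AutoLaunchedApplicationDictionary", [])
    return sorted(i.get("Path", "") for i in items if is_suspect_name(i.get("Path", "")))


def remove_paths(paths, dry_run=True):
    """Delete the given paths (bundles are directories, so rmtree them).
    With dry_run=True nothing is touched; the list of what would go is returned."""
    handled = []
    for p in map(Path, paths):
        if not dry_run:
            if p.is_dir() and not p.is_symlink():
                shutil.rmtree(p)
            else:
                p.unlink()
        handled.append(str(p))
    return handled


def demo():
    """Build a throwaway tree with constructed fake entries (not a real
    infection), scan it the way the steps describe, and return the findings."""
    base = Path(tempfile.mkdtemp())
    apps = base / "Applications"
    prefs = base / "Library" / "Preferences"
    (apps / "MacProtector.app" / "Contents").mkdir(parents=True)
    (apps / "Safari.app").mkdir()
    prefs.mkdir(parents=True)
    (prefs / "com.macdefender.plist").write_bytes(b"")
    with (prefs / "loginwindow.plist").open("wb") as f:
        plistlib.dump({"AutoLaunchedApplicationDictionary": [
            {"Path": str(apps / "MacProtector.app"), "Hide": False},
            {"Path": "/Applications/iTunes.app", "Hide": False},
        ]}, f)
    try:
        files = find_suspect_files([apps, prefs])
        login = find_suspect_login_items(prefs / "loginwindow.plist")
        return {
            "files": [str(p.relative_to(base)) for p in files],
            "login_items": [Path(x).name for x in login],
            "would_remove": remove_paths(files, dry_run=True),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

Run it with dry_run first and read the list before deleting anything: the scan is only as good as the name list, which is exactly the caveat in the post above about the trojan renaming itself, so treat an empty result as "nothing by a known name" rather than "clean".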

May 10, 2011 2:38 PM in response to Linc Davis

Linc Davis wrote:

If you want anti-virus software, use ClamXav -- nothing else.

If you want to use anti-virus software, you might consider Sophos Anti-Virus for Mac Home Edition as an alternative to ClamXav. It is also free, does not slow down your Mac appreciably, & comes from a respected company that provides commercial quality anti-virus software to businesses worldwide.


Sophos is very aggressive about detecting new malware threats as soon as possible after they appear "in the wild." It maintains its own proprietary threat detection network, located in several data centers around the world, while ClamXav depends mostly on user reports. This gives it a small edge in how quickly it can publish malware definitions: often less than 24 hours pass before the AV client software is updated to detect a new threat.

May 10, 2011 4:28 PM in response to Linc Davis

Anyone who wants to block the IP of this malware site can do it in a very easy, GUI-friendly way:


1: Download NoobProof


http://www.hanynet.com/noobproof/


2: Start the program, give it your admin password (to NoobProof not the trojan 😉)


3: Dismiss the Wizard and a window will pop up with Blacklist button on the left side, click it.


4: On both the left and right sides, click the "+" and add: 69.50.201.198


5: Click Ok and then in the next window click "Start Firewall"


6: If it's already started, stop it and then start it again.



Test: Paste 69.50.201.198 into the browser URL bar and press Enter; you should get a "Cannot display the page" error.



I'd thought this server would have been taken offline by now. 😟

May 10, 2011 11:04 PM in response to WZZZ

Thomas and I have exchanged emails on some of this and I check his site twice a day, but had not checked yet tonight, so thanks for pointing it out.


Mostly we discussed the need for a more limited forum to share information without helping the malware developers out there. I know the commercial guys do this, but folks at our level cannot be part of it.


I'm afraid packet dumps aren't my area of expertise. I do have Wireshark and have run a few captures, but was quickly overwhelmed by the sheer volume of it and understood maybe 10% of it, if that.


I did provide a comment back to Thomas that those two text files appear to be output files for Terminal commands ps and df. I can only guess they are used to convince the user that it is really doing something by referencing things that can be easily verified. I agree with Thomas that such info would not be useful.


I was almost certain that it was phoning home when I took a look at the first version and found an IP that wasn't previously associated with distributing the Trojan. One of the early reports also speculated this. Unfortunately I don't yet have an Intel Mac, so my analysis ability on this is quite limited.


I don't think that VirusTotal is going to help us with this one. They run most AV engines against submitted files to see which ones match existing signatures. Community volunteers independently evaluate submissions and express their opinions as to which are threats of what kind and similarity to known malware. Vendors have access to the files and are free to develop signatures or not, as they choose. I don't know that any of these are in the business of monitoring outgoing communications. That's where firewalls and software such as Little Snitch work best.

May 11, 2011 6:50 AM in response to thomas_r.

Thomas,


Had a look at your packet dump. Frame 10 appears to be the application phoning home - the "affid" and "data" content in the HTTP string suggests that a php automatic form filler-style authenticated login is being used at their end (nice to see they're thinking about security.../sarcasm)


Frame 12 is missing, so I don't know what was requested from the other end, for which frame 13 is the HTTP 200 OK response. However frame 15 appears to be the other end sending back a cookie (probably the session authentication for the login from frame 10) so it's probably just more of the same.


Frames 77 onwards are a pretty standard tear down of the session.


Was there anything in frames 17 - 76? If not (for example, if that was traffic to other legitimate destinations filtered out by your selection statements), then I'd suggest that no data was transmitted. However, that doesn't mean it won't in future versions of the malware. This could very well be evidence of an incremental evolution of the system (make sure we can connect in this version, send some data in the next, then start trying to rape the hard drive after that...?)


Just my two cents.


Cheers.

May 11, 2011 8:32 AM in response to g_wolfman

I have no doubt that this trojan won't evolve to do more once it gets into the computer, but is there any reason to think it can do anything at all unless it is installed & run?


From all I have read & from my own limited experimentation, its only attack vector is the same as any other Mac trojan: it must trick the user into installing & running it before it can do anything malicious.


Regardless, it is unlikely it will intentionally be evolved into anything that deletes user files or displays nasty pictures. Serious malware authors are not in this for glory or the sheer joy of annoying Mac users. They are criminals interested only in profit, & the more stealthy they can make the infection, the better they can maximize that.

May 11, 2011 8:47 AM in response to R C-R

Regardless, it is unlikely it will intentionally be evolved into anything that deletes user files or displays nasty pictures.


It already displays nasty pictures. I see no reason to assume that future versions won't delete files, and then blame the deletions on imaginary viruses, while offering to remove those viruses. This guy needs to ratchet up the pressure to make a quick score before the vic wises up.

May 11, 2011 9:00 AM in response to g_wolfman

I captured everything for a short period of time - I don't really know enough about Wireshark to be able to filter the output. I still have that raw file saved, but the copy I uploaded had all transactions to other addresses removed. Perhaps I trimmed too much? I don't know enough to be able to say. Here's frame 12, let me know if that looks related or unrelated...


No.  Time          Source                      Destination  Protocol  Info
12   20.275374000  fe80::ec5b:d9b6:74d5:5b47   ff02::c      SSDP      M-SEARCH * HTTP/1.1

Frame 12 (208 bytes on wire, 208 bytes captured)
Ethernet II, Src: IntelCor_49:7c:94 (00:27:10:49:7c:94), Dst: IPv6mcast_00:00:00:0c (33:33:00:00:00:0c)
Internet Protocol Version 6
User Datagram Protocol, Src Port: 52461 (52461), Dst Port: ssdp (1900)
Hypertext Transfer Protocol

0000  33 33 00 00 00 0c 00 27 10 49 7c 94 86 dd 60 00   33.....'.I|...`.
0010  00 00 00 9a 11 01 fe 80 00 00 00 00 00 00 ec 5b   ...............[
0020  d9 b6 74 d5 5b 47 ff 02 00 00 00 00 00 00 00 00   ..t.[G..........
0030  00 00 00 00 00 0c cc ed 07 6c 00 9a 34 42 4d 2d   .........l..4BM-
0040  53 45 41 52 43 48 20 2a 20 48 54 54 50 2f 31 2e   SEARCH * HTTP/1.
0050  31 0d 0a 48 6f 73 74 3a 5b 46 46 30 32 3a 3a 43   1..Host:[FF02::C
0060  5d 3a 31 39 30 30 0d 0a 53 54 3a 75 72 6e 3a 4d   ]:1900..ST:urn:M
0070  69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73   icrosoft Windows
0080  20 50 65 65 72 20 4e 61 6d 65 20 52 65 73 6f 6c    Peer Name Resol
0090  75 74 69 6f 6e 20 50 72 6f 74 6f 63 6f 6c 3a 20   ution Protocol:
00a0  56 34 3a 49 50 56 36 3a 4c 69 6e 6b 4c 6f 63 61   V4:IPV6:LinkLoca
00b0  6c 0d 0a 4d 61 6e 3a 22 73 73 64 70 3a 64 69 73   l..Man:"ssdp:dis
00c0  63 6f 76 65 72 22 0d 0a 4d 58 3a 33 0d 0a 0d 0a   cover"..MX:3....

May 11, 2011 9:26 AM in response to Linc Davis

Linc Davis wrote:


Regardless, it is unlikely it will intentionally be evolved into anything that deletes user files or displays nasty pictures.


It already displays nasty pictures. I see no reason to assume that future versions won't delete files, and then blame the deletions on imaginary viruses, while offering to remove those viruses. This guy needs to ratchet up the pressure to make a quick score before the vic wises up.


Ransomware, AES-256 even... Time Machine? Isn't that an EUID 0 process?

May 11, 2011 10:22 AM in response to R C-R

I agree that the attack vector is still the same. I see the risks increasing if this is capable of calling out, however. You're absolutely correct that malware authors want to maximize both stealth and profit - accordingly here are the risks I see:


1. Communications are on HTTP port 80. This is unlikely to ever be filtered by any firewall software (unlikely as in...never). It's also always going to be permitted outbound through proxies. It's just one of those protocols that no one can live without. So the trojan has an unimpeded communication channel. Also, the format of the HTTP protocol is so loose that almost anything can be put in an HTTP payload. Sounds pretty stealthy to me.


2. If the web server on the other end is being written using "standard" technologies like php, then as long as it works, the "capital" involved in building it and the communication protocols to this malware is invested. It makes sense to use it (from their POV). Also, the comms protocol is probably generic, not OS X specific. Although we haven't seen it here (for obvious reasons), I wouldn't be surprised if there are Windows variants of this malware making the rounds. Especially since the first version of this trojan used badly designed "Windows-like" imagery. It sounds like the start of an infrastructure for a botnet C2 channel.


3. If the trojan is making authenticated logins to a server, then it can (via its HTTP tunnel) pass just about any traffic. It's possible for the server's owner to simply leave commands on the server for each infected host to retrieve and execute after login (a la the Browser Exploitation Framework). If a person is logged into the server, the HTTP tunnel could be used to establish a reverse shell and execute commands in real-time.


In many ways, this reminds me of the early days of the Zeus botnet (circa 2007), when the developers were testing its capabilities, before the big explosion of infected PCs in 2009. In this case, of course, we appear to have the advantage of not being Windows...which should prevent fully automated installation and privilege escalation - which is a good thing!


However, considering how many new threads are still showing up on the boards daily, plus the fact that only some percentage of people who install this thing are going to show up and ask questions...it's impossible to estimate how many infected Macs are out there...could be a few dozen or a few thousand. And if the id numbers in the login are somehow being assigned linearly...then based on Thomas' packet capture there are at least 37000 of them. That's profit for a bot-farmer. Hopefully one of these callbacks doesn't result in a keylogger downloading...

May 11, 2011 10:30 AM in response to thomas_r.

This one looks like a Windows Peer Name Resolution request on an IPv6 multicast segment...probably not related....


Hm, so I looked at frames 11 and 13 again, and they appear to be identical - or rather frame 11 appears to be the same as the start of frame 13, but cut off. 13 is then the correct ack to frame 10. Which doesn't change anything from my previous look, really.


BTW, Wireshark has a nice feature under its "Analyze" menu - following streams. Depending on the version you use, there might be only one option, or several for following TCP, UDP and SSL streams. It makes identifying and saving a conversation much easier, as the filter query is automatically built and applied simultaneously.


But for the moment, it still appears the same - a simple "Hi! Here I am!" call to a central server.


I hope this guy doesn't discover double fast-flux anytime soon...
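An added example in Python, not from the thread or from any poster, that serves both the frame 12 dump posted earlier and the discussion of the frame 10 callback and its HTTP C2 risk. It copies the hex rows of frame 12 verbatim into FRAME12_DUMP, rebuilds the bytes, decodes the Ethernet II, IPv6 and UDP headers with the standard library only, and confirms the packet is a link-local multicast SSDP M-SEARCH rather than a callback. The same classifier then flags an HTTP request carrying affid and data parameters to 69.50.201.198, the address blocked earlier in the thread. That request, its path and its parameter values are constructed placeholders for the kind of request frame 10 was described as containing, not a copy of the real capture.

```python
import re
import socket
import struct
from urllib.parse import parse_qs, urlsplit

# Hex rows of frame 12, copied from the Wireshark dump posted in the thread.
FRAME12_DUMP = """
0000  33 33 00 00 00 0c 00 27 10 49 7c 94 86 dd 60 00   33.....'.I|...`.
0010  00 00 00 9a 11 01 fe 80 00 00 00 00 00 00 ec 5b   ...............[
0020  d9 b6 74 d5 5b 47 ff 02 00 00 00 00 00 00 00 00   ..t.[G..........
0030  00 00 00 00 00 0c cc ed 07 6c 00 9a 34 42 4d 2d   .........l..4BM-
0040  53 45 41 52 43 48 20 2a 20 48 54 54 50 2f 31 2e   SEARCH * HTTP/1.
0050  31 0d 0a 48 6f 73 74 3a 5b 46 46 30 32 3a 3a 43   1..Host:[FF02::C
0060  5d 3a 31 39 30 30 0d 0a 53 54 3a 75 72 6e 3a 4d   ]:1900..ST:urn:M
0070  69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73   icrosoft Windows
0080  20 50 65 65 72 20 4e 61 6d 65 20 52 65 73 6f 6c    Peer Name Resol
0090  75 74 69 6f 6e 20 50 72 6f 74 6f 63 6f 6c 3a 20   ution Protocol:
00a0  56 34 3a 49 50 56 36 3a 4c 69 6e 6b 4c 6f 63 61   V4:IPV6:LinkLoca
00b0  6c 0d 0a 4d 61 6e 3a 22 73 73 64 70 3a 64 69 73   l..Man:"ssdp:dis
00c0  63 6f 76 65 72 22 0d 0a 4d 58 3a 33 0d 0a 0d 0a   cover"..MX:3....
"""

C2_HOST = "69.50.201.198"          # address blocked earlier in the thread
BEACON_PARAMS = {"affid", "data"}  # fields reported in frame 10's HTTP request


def parse_wireshark_hexdump(text: str) -> bytes:
    """Turn Wireshark's 'offset  hex bytes  ascii' rows back into raw bytes."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not re.fullmatch(r"[0-9a-f]{4}", tokens[0]):
            continue
        for tok in tokens[1:17]:          # at most 16 bytes per row
            if not re.fullmatch(r"[0-9a-f]{2}", tok):
                break                     # reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out)


def dissect(frame: bytes) -> dict:
    """Decode Ethernet II, IPv6 and UDP headers; leave the payload as bytes."""
    info = {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":")}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x86DD:               # only IPv6 is handled here
        return info
    ip = frame[14:54]                     # fixed 40-byte IPv6 header
    info["src_ip"] = socket.inet_ntop(socket.AF_INET6, ip[8:24])
    info["dst_ip"] = socket.inet_ntop(socket.AF_INET6, ip[24:40])
    info["multicast"] = ip[24] == 0xFF    # ff00::/8
    if ip[6] != 17:                       # next header must be UDP
        return info
    sport, dport, ulen, _csum = struct.unpack("!HHHH", frame[54:62])
    info.update(src_port=sport, dst_port=dport, payload=frame[62:62 + ulen - 8])
    return info


def classify(info: dict) -> str:
    """Label an HTTP-shaped payload: local discovery, beacon, or plain HTTP."""
    payload = info.get("payload", b"")
    head, _, body = payload.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "not-http"
    method, target, _ = parts
    if method == "M-SEARCH" and info.get("multicast"):
        return "ssdp-discovery"           # link-local search, not a callback
    params = set(parse_qs(urlsplit(target).query))
    if method == "POST":                  # form-encoded body counts too
        params |= set(parse_qs(body.decode("ascii", "replace")))
    if BEACON_PARAMS <= params:
        return "beacon-to-known-c2" if info.get("dst_ip") == C2_HOST else "beacon-like"
    return "http"


def demo() -> dict:
    frame = parse_wireshark_hexdump(FRAME12_DUMP)
    ssdp = dissect(frame)
    # Constructed stand-in for a frame-10 style request; path and values are placeholders.
    beacon = {"dst_ip": C2_HOST, "dst_port": 80,
              "payload": b"GET /?affid=12345&data=SAMPLE HTTP/1.1\r\nHost: 69.50.201.198\r\n\r\n"}
    return {"frame_len": len(frame), "src_ip": ssdp["src_ip"], "dst_ip": ssdp["dst_ip"],
            "dst_port": ssdp["dst_port"],
            "request_line": ssdp["payload"].split(b"\r\n", 1)[0].decode(),
            "frame12": classify(ssdp), "constructed_beacon": classify(beacon)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The byte count (208) and the decoded addresses and ports match Wireshark's own summary line, which is the check to make when a dump has been pasted through a forum. Matching on the affid/data pair rather than on the IP alone is deliberate: the thread already expects the server to move, and a parameter signature survives that where a single address block does not.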
