Apple Event: May 7th at 7 am PT
We are getting a screen indicating that there are 71 items that need attention as part of an Apple Security Alert. The screen indicates that it is part of Apple Security Center. It asks to click ok to remove the offending objects (virus, malware). Is this legitimate apple software or will it introduce a virus?
iMac, Mac OS X (10.6.7)
lol ok thanks, wil c if i can find that clamxav in aus. wow worse than useless - bumr 😟
surprisingly i got that from the apple store - so a lil dissapointed!
If you really got it from an Apple Store, tell us which one so we can notify them.
Linc, not sure if Mailinator allows attachments, but I've just sent along a class dump of the MacProtector variant of the malware.
It might be of interest to anyone who wants to try and disassemble the trojan (which, being written in Obj-C, is kind enough to mark all of it's procedure entry points when disassembled).
Enjoy
Linc, not sure if Mailinator allows attachments, but I've just sent along a class dump of the MacProtector variant of the malware.
It doesn't, but I wouldn't be able to do anything with that information anyway. Someone else, maybe.
I went back and checked - the file was a .txt, so it was just in-lined (nice feature in this case). Anyone interested can copy-paste it. Hopefully it will be useful to someone.
Cheers.
Same deal, here's a current shot
but we have intego virus barrier x6 so why didnt it get picked up?
Intego or you may not have updated its malware defintions. You can't really trust AV programs to protect you. They give people a false sense of security.
It appears it may be "phoning home," contacting its author with some data -- no idea what -- from infected machines. I would change important passwords immediately and never use the same password for different occasions.
how do i know its really gone?
I don't know which directions you followed to remove this (I'll give you mine, below), but you probably got everything; it's not that complicated to remove. You could do a full drive scan with ClamXav. They appear to be staying on top of this. But this thing keeps using different names, so don't know if that leaves holes in ClamX.
http://www.clamxav.com/download.php
If you gave your credit card #, contact them and dispute the charges and cancel the card ASAP.
-------------
First, restart in Safe Boot by holding the Shift key down at the chime. Or, alternatively, open Activity Monitor in Utilities, set to Active Processes, find the program and force quit it. This will keep it from running, but only temporarily, so you can remove it.
1. Drag the MacSecurity program -- or whatever it's called; it keeps using different names -- MAC Defender, MacProtector, MacKeeper 911, Apple Security Center (installed in the Applications folder by default) to the Trash. Empty the Trash.
2. Remove item of same name from the Login Items for your Account in the OS X System Preferences (if it exists).
3. Go to your Home folder Library>Preferences and Application Support (may not be anything there, but check just in case) and search for any files with one of the above names and trash them. Empty the trash.
4. If you use Safari, go to Preferences>General and UNCHECK "Open "safe" files after downloading. Keep that unchecked.
Linc Davis wrote:
If you want anti-virus software, use ClamXav -- nothing else.
If you want to use anti-virus software, you might consider Sophos Anti-Virus for Mac Home Edition as an alternative to ClamXav. It is also free, does not slow down your Mac appreciably, & comes from a respected company that provides commercial quality anti-virus software to businesses worldwide.
Sophos is very aggressive about detecting new malware threats as soon as possible after they appear "in the wild." It maintains its own proprietary threat detection network, located in several data centers around the world, while ClamXav depends mostly on user reports. This gives it a small edge in how quickly it can publish malware definitions: often less than 24 hours pass before the AV client software is updated to detect a new threat.
I just sent you an e-mail with a link I got today for the attached alert. Thank goodness for this forum or I very well could've installed something.
Just to be clear, it doesn't appear that I got a link such as a pop-up or anything like that. I was on my Hotmail account and suddenly it turned into the link per my previous attached screenshot (attached again below)
I had no idea what it was or whether it was legit but proceeded to click "remove all". It then saved some file onto my computer. I then Googled "Apple Security Center" and got this forum which probably saved me a lot of grief. I never installed the downloaded file. I'm hoping that was enough to save me. Nevertheless, I downloaded ClamXav and did a scan just in case.
My advice is to stop using hotmail. It's infested with spam and scammers. You are not the first to get hit with this in this manner from hotmail
Anyone who wants to block the IP to this malware site can do it very easy GUI friendly way:
1: Download NoobProof
http://www.hanynet.com/noobproof/
2: Start the program, give it your admin password (to NoobProof not the trojan 😉)
3: Dismiss the Wizard and a window will pop up with Blacklist button on the left side, click it.
4: On both the left and right sides, click the "+" and add: 69.50.201.198
5: Click Ok and then in the next window click "Start Firewall"
6: If it's already started, stop it and then start it again.
Test: Paste 69.50.201.198 into the browser URL and press enter, should get a "Cannot display the page"
I'd thought this server would have been taken offline by now. 😟
It appears it may be "phoning home," contacting its author with some data -- no idea what
I've posted the packets that were transmitted in some experimentation with MacProtector here:
Further analysis of MacProtector
* Disclaimer: links to my pages may give me compensation.
Thanks for all the good work. From your blog.
I don’t know what data was sent, perhaps someone experienced with packet sniffing could test and let us know. (Edit: I took a shot at collecting the data in Wireshark, and the relevant packets can be seen here. None of it looks particularly disturbing to me, but I’m far from an expert at network packet analysis.
Would you, perhaps, want to forward that on for further analysis? This was the URL MadMacs0 from ClamX provided.
virustotaldotcom
EDIT: Please see my recent post replying to MadMacs0. I took the liberty of referring him to your blog and the packets dump.
https://discussions.apple.com/thread/3049657?answerId=15176922022#15176922022
I also gave him a link to this thread.
Message was edited by: WZZZ
is apple security center safe?
