We are getting a screen indicating that there are 71 items that need attention as part of an Apple Security Alert. The screen indicates that it is part of Apple Security Center. It asks to click ok to remove the offending objects (virus, malware). Is this legitimate apple software or will it introduce a virus?
iMac, Mac OS X (10.6.7)
My wife just called me about this same thing from her Hotmail account. She tells me it popped up totally on it's own. At first, she clicked on "remove all" button. The downloads window opened, and downloaded the MacProtector.mpkg. She then realized that it might be malware, so she called me and didn't do anything else. I had her close out Safari, but when she re-opened Safari, an installation prompt came up to install the MacProtector.mpkg file. So i just had her put it in the trash and empty it.
My question is
a) is that sufficient?
b) if not, if we go into the time machine and restore to an earlier date, will that ensure we don't have any malware?
Thanks.
As long as it never got installed, deleting the MacProtector.mpkg file is all you have to do. You do not need to restore to an earlier date in TM. See the coverage of the MacDefender outbreak on my blog for more details.
* Disclaimer: links to my pages may give me compensation.
Bearclaww89 wrote:
is the something better to do other then force quit?
First, make certain that you have unchecked "Open 'safe' files after downloading" in Safari Preferences->General. With that done you can simply close the window and trash the .zip file that was downloaded to the Downloads file. About the only other choice you have is to turn off "Enable JavaScript" in Safari Preferences->Security which will prevent the auto-download, but will disable features on other web pages that you may find useful.
Or, use Firefox with the Add-ons NoScript and WOT. NoScript will keep JavaScript disabled until you know you want to "Allow" the site and then it will still block third party scripts, which you can selectively allow. Many sites will work just fine with JS disabled. Takes some getting used to, but well worth it. I wouldn't go out into the Internet jungle without either of these. WOT gives ratings on the safety of sites.
Linc Davis wrote:
It already displays nasty pictures. I see no reason to assume that future versions won't delete files, and then blame the deletions on imaginary viruses, while offering to remove those viruses. This guy needs to ratchet up the pressure to make a quick score before the vic wises up.
The whole point of the nasty pictures is the same as the fake scan: to convince users to install & run the malware payload ASAP without thinking too hard about what's going on. But once the payload is installed, there is no reason for a more capable, evolved version to keep drawing attention to itself.
The long term goal is to make as much money as possible off the thing. The author has to know that a lot of users will reconsider what they have done after sending their credit card info & will dispute the payment and/or cancel the card, & thus that it won't produce much revenue. What will produce continuing revenue is info gleaned from the user's files (including info added long after they have forgotten about the initial attack) and stealthy bot-net control of the computer. Even email addresses mined from the address book or sent messages can be & regularly are sold to spammers, since they are known good ones.
I'm not trying to freak out anybody with this. There is no indication that the current version of the trojan can do any of this, or even that it can be made clever enough to bypass all the security features already in the OS. Much more importantly, you have to install the trojan or it cannot do anything.
MadMacs0 wrote:
First, make certain that you have unchecked "Open 'safe' files after downloading" in Safari Preferences->General.
Note that this is neither necessary nor effective. If you are using Safari, the zipped file will download when you view the bogus web page whether or not this option is checked. In fact, another copy will download whenever you click anywhere on the web page, at least with some variants of the page. The only difference is with the option on, the file will be unzipped & Installer.app will launch, ready to install the payload.
However, unless & until you allow the installation to complete, the trojan can do nothing. You can download the installer package file, zipped or unzipped, a dozen times & unless you install one of them, the worst that happens is you lose a small amount of hard drive space until you delete the files (both zipped & unzipped if both are present).
the zipped file will download when you view the bogus web page whether or not this option is checked.
Yes, but some people are reporting this problem as appearing after an Apple software update. When questioned, it turns out to have simply been the trojan's installer, but when it popped up automatically they assumed it was an official update. The difference may be insignificant to a savvy user, but it is NOT insignificant to many people.
When questioned, it turns out to have simply been the trojan's installer, but when it popped up automatically they assumed it was an official update.
And that's the point I'm trying to make about trojans. It's pretty simple: people can be tricked if they aren't on their guard for unusual behavior. It would be hard not to associate the web page's fake virus scan with the sudden & immediate appearance of Installer.app offering to install something suspiciously related to that -- if they were thinking calmly & clearly.
But they aren't thinking calmly & clearly because the bogus web page (not the malware itself) is fiendishly clever at causing panic that provokes immediate action to counter the non-existant threat of their Macs already being infected. OMG!!!
Even if the malware wasn't automatically downloaded, the ruse is good enough to convince panicked users that they need to do something ASAP, & what could be more convenient than downloading & installing the app whose web page was kind enough to alert them to this emergency?
The attack vector is purely psychological. But it is effective, especially so because so many Mac users believe they are immune to any sort of malware threat. That makes the result of the bogus scan much more shocking than it otherwise would be. But it is the panic it causes that makes it a successful exploit. That will remain true whether or not the malware is downloaded automatically.
Bearclaww89 wrote:
Hey did it look like this? Every time I see it I force quit safari. Pops up all the time in google images which is annoying when i am doing work. Is it something to be worried about or just ignore and keep force quitting. Also is the something better to do other then force quit?
Thanks guy
1: Download NoobProof
http://www.hanynet.com/noobproof/
2: Start the program, give it your admin password (to NoobProof not the trojan 😉)
3: Dismiss the Wizard and a window will pop up with Blacklist button on the left side, click it.
4: On both the left and right sides, click the "+" and add the IP addresses: 69.50.201.198 (the malware download location) and 178.17.162.163 (the site your on)
5: Click Ok and then in the next window click "Start Firewall"
6: If it's already started, stop it and then start it again for the changes to take effect.
If it appears on a domain name, you can do a Who Is and get the IP address that way too.
It's a game of Whack a Mole, but at least you won't be hit by the same site twice.
I recommend using Firefox and the Add-ons: NoScript, Ad Block Plus, WOT and even the Public Fox (set a password for the downloads)
R C-R wrote:
However, unless & until you allow the installation to complete, the trojan can do nothing. You can download the installer package file, zipped or unzipped, a dozen times & unless you install one of them, the worst that happens is you lose a small amount of hard drive space until you delete the files (both zipped & unzipped if both are present).
Yes I'm familiar with your feeling on this and previously commented that I see your point, but from discussing it with a few other users and thinking it over for a couple of days, I think we'll have to agree to disagree. Neither you nor I represent the average user, and our behavior is not necessarily going to be emulated by everybody, so for all the folks that haven't learned that they cannot blindly click buttons because it's the only one available, I feel inclined to protect them against themselves.
ds store wrote:
4: On both the left and right sides, click the "+" and add: 69.50.201.198 and 178.17.162.163
Neither of those sites are currently active, but I'm certain they could return at any time. Also, I've seen at least two other IP's that have been used: 69.50.201.182 and 69.50.201.190. I'm certain there are more.
MadMacs0 wrote:
ds store wrote:
4: On both the left and right sides, click the "+" and add: 69.50.201.198 and 178.17.162.163
I've seen at least two other IP's that have been used: 69.50.201.182 and 69.50.201.190. I'm certain there are more.
Looks like have to alter the instructions to block that whole IP range then.
Possibly the whole 178.17.162.163 range as well.
Thanks. 🙂
WZZZ wrote:
Or, use Firefox with the Add-ons NoScript and WOT. NoScript will keep JavaScript disabled until you know you want to "Allow" the site and then it will still block third party scripts, which you can selectively allow.
That reminds me of something I don't believe has been mentioned. There is a Safari Extension called "JavaScript Blacklist" which can be configured to add additional sites in a similar manner to what ds store recommended.
I just got this again. Second time this week (meaning past two days.)
This time at http://178.17.163.163/45960a995d92e7f8bd64692123a83ed3fc65e7a568b08303
I didn't copy the IP the first time.
So "178.17.163.163" if you don't have it already. I see you already had "178.17.162.0/24" and "178.17.162.163"... very similar. I don't know exactly how IPs count up per computer and such, so I'm posting it anyway. lol
FWIW, a whois.ripe.net query on 178.17.163.163 shows that the IP range 178.17.160.0 - 178.17.175.255 is registered to I.C.S. Trabia-Network S.R.L., a web hosting company based in the Republic of Moldova.
A portion of the response to that query:
address: I.C.S. Trabia-Network S.R.L.
address: str. V. Pircalab 52
address: 2012 Chisinau
address: Republic of Moldova
phone: +373 (22) 844-844
fax-no: +373 (22) 844-509
abuse-mailbox: abuse@trabia.net
remarks:
remarks: ++++++++++++++++++++++++++++++++++++++++++++++++++++
remarks: | I.C.S. Trabia-Network S.R.L. |
remarks: | Abuse Department |
remarks: ++++++++++++++++++++++++++++++++++++++++++++++++++++
remarks: | |
remarks: | This inet(6)num object is protected by our abuse |
remarks: | department. Our IRT (Incident Response Team) is |
remarks: | reachable 24 hours a day. |
remarks: | |
remarks: | If you observe any abusive usage of an IP within |
remarks: | this inet(6)num range, contact us please in the |
remarks: | following ways: |
remarks: | |
remarks: | Phone: +373 (22) 844-844 |
remarks: | Fax: +373 (22) 844-509 |
remarks: | E-Mail: abuse@trabia.net |
remarks: | |
remarks: | In case you need a direct response, please feel |
remarks: | free to call us 24/7 a day at +373 (22) 844-844. |
remarks: | E-Mail/Fax is getting monitored regularly by our |
remarks: | staff and being answered within 1 business day. |
remarks: | |
remarks: ++++++++++++++++++++++++++++++++++++++++++++++++++++
is apple security center safe?
