
Is Apple Security Center safe?

We are getting a screen indicating that there are 71 items that need attention as part of an Apple Security Alert. The screen indicates that it is part of Apple Security Center. It asks to click OK to remove the offending objects (virus, malware). Is this legitimate Apple software or will it introduce a virus?

iMac, Mac OS X (10.6.7)

Posted on May 9, 2011 5:07 PM

162 replies

May 11, 2011 12:42 PM in response to Bearclaww89

Bearclaww89 wrote:


Is there something better to do other than force quit?

First, make certain that you have unchecked "Open 'safe' files after downloading" in Safari Preferences->General. With that done you can simply close the window and trash the .zip file that was downloaded to the Downloads file. About the only other choice you have is to turn off "Enable JavaScript" in Safari Preferences->Security which will prevent the auto-download, but will disable features on other web pages that you may find useful.

May 11, 2011 1:41 PM in response to MadMacs0

Or, use Firefox with the Add-ons NoScript and WOT. NoScript will keep JavaScript disabled until you know you want to "Allow" the site and then it will still block third party scripts, which you can selectively allow. Many sites will work just fine with JS disabled. Takes some getting used to, but well worth it. I wouldn't go out into the Internet jungle without either of these. WOT gives ratings on the safety of sites.


http://noscript.net/features

May 11, 2011 2:02 PM in response to Linc Davis

Linc Davis wrote:

It already displays nasty pictures. I see no reason to assume that future versions won't delete files, and then blame the deletions on imaginary viruses, while offering to remove those viruses. This guy needs to ratchet up the pressure to make a quick score before the vic wises up.

The whole point of the nasty pictures is the same as the fake scan: to convince users to install & run the malware payload ASAP without thinking too hard about what's going on. But once the payload is installed, there is no reason for a more capable, evolved version to keep drawing attention to itself.


The long term goal is to make as much money as possible off the thing. The author has to know that a lot of users will reconsider what they have done after sending their credit card info & will dispute the payment and/or cancel the card, & thus that it won't produce much revenue. What will produce continuing revenue is info gleaned from the user's files (including info added long after they have forgotten about the initial attack) and stealthy bot-net control of the computer. Even email addresses mined from the address book or sent messages can be & regularly are sold to spammers, since they are known good ones.


I'm not trying to freak out anybody with this. There is no indication that the current version of the trojan can do any of this, or even that it can be made clever enough to bypass all the security features already in the OS. Much more importantly, you have to install the trojan or it cannot do anything.

May 11, 2011 2:13 PM in response to MadMacs0

MadMacs0 wrote:

First, make certain that you have unchecked "Open 'safe' files after downloading" in Safari Preferences->General.

Note that this is neither necessary nor effective. If you are using Safari, the zipped file will download when you view the bogus web page whether or not this option is checked. In fact, another copy will download whenever you click anywhere on the web page, at least with some variants of the page. The only difference is with the option on, the file will be unzipped & Installer.app will launch, ready to install the payload.


However, unless & until you allow the installation to complete, the trojan can do nothing. You can download the installer package file, zipped or unzipped, a dozen times & unless you install one of them, the worst that happens is you lose a small amount of hard drive space until you delete the files (both zipped & unzipped if both are present).

May 11, 2011 3:25 PM in response to R C-R

the zipped file will download when you view the bogus web page whether or not this option is checked.


Yes, but some people are reporting this problem as appearing after an Apple software update. When questioned, it turns out to have simply been the trojan's installer, but when it popped up automatically they assumed it was an official update. The difference may be insignificant to a savvy user, but it is NOT insignificant to many people.

May 11, 2011 4:16 PM in response to thomas_r.

When questioned, it turns out to have simply been the trojan's installer, but when it popped up automatically they assumed it was an official update.

And that's the point I'm trying to make about trojans. It's pretty simple: people can be tricked if they aren't on their guard for unusual behavior. It would be hard not to associate the web page's fake virus scan with the sudden & immediate appearance of Installer.app offering to install something suspiciously related to that -- if they were thinking calmly & clearly.


But they aren't thinking calmly & clearly because the bogus web page (not the malware itself) is fiendishly clever at causing panic that provokes immediate action to counter the non-existent threat of their Macs already being infected. OMG!!!


Even if the malware wasn't automatically downloaded, the ruse is good enough to convince panicked users that they need to do something ASAP, & what could be more convenient than downloading & installing the app whose web page was kind enough to alert them to this emergency?


The attack vector is purely psychological. But it is effective, especially so because so many Mac users believe they are immune to any sort of malware threat. That makes the result of the bogus scan much more shocking than it otherwise would be. But it is the panic it causes that makes it a successful exploit. That will remain true whether or not the malware is downloaded automatically.

May 11, 2011 5:23 PM in response to Bearclaww89

Bearclaww89 wrote:


Hey did it look like this? Every time I see it I force quit Safari. Pops up all the time in Google Images, which is annoying when I am doing work. Is it something to be worried about or just ignore and keep force quitting? Also, is there something better to do other than force quit?


Thanks guy


1: Download NoobProof


http://www.hanynet.com/noobproof/


2: Start the program, give it your admin password (to NoobProof not the trojan 😉)


3: Dismiss the Wizard and a window will pop up with Blacklist button on the left side, click it.


4: On both the left and right sides, click the "+" and add the IP addresses: 69.50.201.198 (the malware download location) and 178.17.162.163 (the site you're on)


5: Click Ok and then in the next window click "Start Firewall"


6: If it's already started, stop it and then start it again for the changes to take effect.



If it appears on a domain name, you can do a Who Is and get the IP address that way too.


It's a game of Whack a Mole, but at least you won't be hit by the same site twice.


I recommend using Firefox and the Add-ons: NoScript, Ad Block Plus, WOT and even the Public Fox (set a password for the downloads)

May 11, 2011 5:16 PM in response to R C-R

R C-R wrote:

However, unless & until you allow the installation to complete, the trojan can do nothing. You can download the installer package file, zipped or unzipped, a dozen times & unless you install one of them, the worst that happens is you lose a small amount of hard drive space until you delete the files (both zipped & unzipped if both are present).

Yes I'm familiar with your feeling on this and previously commented that I see your point, but from discussing it with a few other users and thinking it over for a couple of days, I think we'll have to agree to disagree. Neither you nor I represent the average user, and our behavior is not necessarily going to be emulated by everybody, so for all the folks that haven't learned that they cannot blindly click buttons because it's the only one available, I feel inclined to protect them against themselves.

May 11, 2011 5:30 PM in response to MadMacs0

MadMacs0 wrote:


ds store wrote:


4: On both the left and right sides, click the "+" and add: 69.50.201.198 and 178.17.162.163

I've seen at least two other IPs that have been used: 69.50.201.182 and 69.50.201.190. I'm certain there are more.


Looks like I have to alter the instructions to block that whole IP range then.


Possibly the whole 178.17.162.163 range as well.


Thanks. 🙂

May 11, 2011 5:38 PM in response to WZZZ

WZZZ wrote:


Or, use Firefox with the Add-ons NoScript and WOT. NoScript will keep JavaScript disabled until you know you want to "Allow" the site and then it will still block third party scripts, which you can selectively allow.

That reminds me of something I don't believe has been mentioned. There is a Safari Extension called "JavaScript Blacklist" which can be configured to add additional sites in a similar manner to what ds store recommended.

May 11, 2011 5:57 PM in response to Keith Jones5

Your privacy is very important to Apple and we take numerous precautions to safeguard your personal information against loss, theft, and misuse, as well as unauthorized access, disclosure, alteration, and destruction. I prefer resetting my password every week and not disclosing it to anyone.


The following page outlines, in detail, how Apple protects your information:


Apple Privacy Policy

http://www.apple.com/legal/privacy/

May 12, 2011 12:17 AM in response to ds store

I just got this again. Second time this week (meaning past two days.)


This time at http://178.17.163.163/45960a995d92e7f8bd64692123a83ed3fc65e7a568b08303

I didn't copy the IP the first time.


So "178.17.163.163" if you don't have it already. I see you already had "178.17.162.0/24" and "178.17.162.163"... very similar. I don't know exactly how IPs count up per computer and such, so I'm posting it anyway. lol
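The question of whether a newly seen address is already covered by an existing blocklist entry can be checked mechanically. The following is an added example, not part of any post in this thread: it uses Python's standard `ipaddress` module on the addresses quoted above, and the function names and the assumed blocklist contents (the two addresses from step 4 plus the `/24` mentioned in the last post) are illustrative.

```python
import ipaddress

# Addresses quoted in the thread as hosting the fake-scan page or the download.
OBSERVED = ["69.50.201.198", "69.50.201.182", "69.50.201.190",
            "178.17.162.163", "178.17.163.163"]

# Assumed blocklist: the two addresses from step 4 plus the /24 mentioned above.
BLOCKLIST = ["69.50.201.198", "178.17.162.163", "178.17.162.0/24"]


def uncovered(observed, blocklist):
    """Return the observed addresses that no blocklist entry matches."""
    nets = [ipaddress.ip_network(entry, strict=False) for entry in blocklist]
    return [addr for addr in observed
            if not any(ipaddress.ip_address(addr) in net for net in nets)]


def smallest_common_network(addresses):
    """Smallest single CIDR block that contains every address given.

    This is pure arithmetic on the addresses; it says nothing about who
    operates the rest of the block, so check the size before blocking it.
    """
    ips = [ipaddress.ip_address(a) for a in addresses]
    net = ipaddress.ip_network(f"{ips[0]}/32")
    while not all(ip in net for ip in ips):
        net = net.supernet()  # widen the prefix by one bit
    return net


if __name__ == "__main__":
    # A /24 fixes the first three octets, so 178.17.163.x is outside 178.17.162.0/24.
    print("not yet blocked:", uncovered(OBSERVED, BLOCKLIST))
    for group in (OBSERVED[:3], OBSERVED[3:]):
        net = smallest_common_network(group)
        print(f"{group} -> {net} ({net.num_addresses} addresses)")
```

A wider block also cuts off every unrelated host in that range, so the address count printed for each candidate network is worth checking before adding it to the firewall.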
