
Mac Malware/poisoned images

Two detailed articles that go into greater depth of the malware attacking Mac users.



http://www.securelist.com/en/blog/6211/Rogueware_campaign_targeting_Mac_users


http://blog.unmaskparasites.com/2011/05/05/thousands-of-hacked-sites-seriously-poison-google-image-search-results/




If you're new to the party:


Mac-targeted trojans are making their rounds, mostly via poisoned images from Google.


The exploit depends upon JavaScript. You can choose to turn it off in Safari preferences; however, large portions of the web don't display or operate correctly without JavaScript running.


An easier preventative option would be to use Firefox and the NoScript add-on; use Firefox toolbar customization to drag a NoScript button to the toolbar.


NoScript turns off all scripts and plug-ins by default, which you enable on a per-site, per-need, per-visit basis by clicking the NoScript button.


Firefox also has a pop-up window with an opt-out before the download occurs, another safety step.


If you have click-happy types, it's advised to install the Public Fox add-on as well and set a password on the browser downloads.



If you have the trojan web page on your Mac's screen, simply use Apple Menu > Force Quit to quit the browser.


If you've downloaded but not run the installer, delete it immediately from your Downloads folder.


If you've installed the trojan and gave it your admin password, you need to back up your files to an external drive, boot off the installer disk, use Disk Utility > Erase with Zero on your whole boot drive, reinstall OS X fresh, re-install all programs from original sources, scan your files with AV software and then return them to your computer.


If you gave the AV software your credit card information, you need to call the credit card company and cancel the charge and freeze it. Assume your identity has been stolen and take appropriate action to defend your identity.


http://www.ftc.gov/bcp/edu/microsites/idtheft/



Some other advice:


Use only low-amount debit/credit cards online, with amounts you're willing to risk losing.


Do not enable overdraft protection on these online-type cards.


Maintain the bulk of your funds in more secure accounts with no electronic user access (keep the blame for loss entirely on the bank).


Beware that banks and credit card companies like to increase your credit/debit card limits without notice.


If you lose a considerable amount of funds through an electronic means in your control, like an ATM, credit card, debit card or online banking, expect a very long and tiresome legal battle to hopefully regain those funds and prove fault.



(note: I receive no compensation from mentioning these sites/article or their solutions, etc)

MacBook Pro, Mac OS X (10.6.7), 17" Quad XP, Vista, 7, Linux(s)

Posted on May 13, 2011 9:15 AM


May 15, 2011 12:42 PM in response to R C-R

R C-R wrote:


Yes, I do. But do you know it is meant for hacking generic BIOS-based PC hardware so it can start up running OS X? Do you have any idea what it would do if applied to a real Apple Mac's hardware?


I'm asking you what the Firmware.scap file is, what it contains and where it is located.


I already know part of my answer, I want to see what you know about it.


If it makes you feel any better & you actually do get infected, take your Mac down to as close to factory-new condition as you can manage, check every user & system setting file with whatever you like before reintroducing it into your shiny new system, & do whatever else you think is necessary to remove all real & theoretical traces of the malware.


Yes I will thank you. Malware is like bed bugs.


Ever have to eradicate bed bugs? How about mold? Ever eradicate a mold infested house?


If you do either of these two things wrong, your house gets reinfected and all the money spent the first time is wasted.


So experts have gotten together and combined their experience to make sure certain steps are performed so the eradication process is done right the first time.


Malware is like that; right now I don't know if the Firmware.scap file, the keyboard firmware or any other location on a Mac is thoroughly eradicated the first time.


All I know is the Zero Erase and Install works on the hard drive, but it's not sufficient.


Apple hasn't had to deal with malware, I don't think they have any security level material in place to make sure a compromised machine is fully restored.

May 15, 2011 2:47 PM in response to ds store

ds store wrote:

I'm asking you what the Firmware.scap file is, what it contains and where it is located.


I already know part of my answer, I want to see what you know about it.

If you want my help, start by sharing the part of the answer that you think you know. But please be careful about mentioning anything that would violate the Terms of Use, especially section 2.8.


But anyway, here is a hint: the file isn't located anywhere on a Mac.

May 15, 2011 5:56 PM in response to WZZZ

WZZZ wrote:


All this coy cat and mouse! Anyway, this is what I'm coming up with. It's right in there with the boot.efi:


/usr/standalone/i386/Firmware.scap


/System/Library/Caches/com.apple.bootstamps/27F1A20D-21F4-356C-9177-8442B3128375/:usr:standalone:i386:Firmware.scap


Yep:



ΩÜf;v

0@∑ µQû/≈†Pp PŸTìzh JDÅŒ ˆ ÿêfl_FVHˇéˇˇH”J  m„√îÇóK®W’(è„>(p| @f¯N $IBIOSI$ ROMEXT1.88Z.0002.B00.0710231738ˇˇ¯≠Ú2 ìfHûß!\è§6´Ä @™»‹¯í»‹ Ü»‹∏1c PÖfiΩ⁄‰õìA˚ΩÔ{fi¸}

S

J÷4äc #«

aHC



and....you forgot the "other" place, you know in disk0s1 🙂



Guess that "bootstamp" is something for the Mandatory Access Control feature of OS X.



Anyway, here's an OS X Security PDF some might find interesting:


http://images.apple.com/macosx/security/docs/MacOSX_Security_TB.pdf

May 16, 2011 2:24 AM in response to ds store

ds store wrote:

and....you forgot the "other" place, you know in disk0s1

As already mentioned, the EFI partition is not used when booting the system into OS X.

Anyway, here's an OS X Security PDF some might find interesting:

Did you read the part about the root account being disabled by default, OS X using less privileged system accounts for some system services and for software that requires specialized access to certain system components, sandboxing restricting access to system level services even for processes running as root, & so on?


You seem to have the impression that once this trojan is installed, it can do anything it wants. That is not true.

May 16, 2011 3:42 AM in response to R C-R

I'll give you just an example; probably this is not the case, but it could be a possible scenario: the sudoers file modified during the installation process of the malware. You can read about that in a security book written by the founders of the shamoo group (I'm not mentioning the title directly because it would be an indirect advertisement).

Not to mention a possible rootkit install which will work at a kernel level.

That is why I personally think that the study of this malware shown on this board isn't complete, and in the absence of an official Apple document it would be wiser to assume that the infected system is compromised not only at the level of the files installed by it. This, to me, means that people having this issue should at least re-install the latest Mac OS X Combo update at this stage of the incident.


As a last reply to accusations aimed at me like "why don't you do the tests, though?", I would just say this: we don't need to be chefs to understand the difference between pasta with pesto sauce and pasta with tomato sauce.
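A defender's check for the sudoers scenario raised above, added here as an example that is not part of any post in this thread: it audits a sudoers-style file against a baseline of the rules you expect and flags any rule that grants passwordless (NOPASSWD) privilege, which is the kind of change an installer running with your admin password could make. The baseline rules, the `helper` user and the sample file are constructed for the example; on a real system you would run it against /etc/sudoers (readable only as root) after first confirming the file parses with `visudo -c`.

```sh
#!/bin/sh
# Added example (not from the thread): audit a sudoers-style file for rules
# outside a known-good baseline and for NOPASSWD grants.

# Baseline rules you expect on the machine (assumption: a stock-looking set;
# replace with the rules from your own known-clean install).
BASELINE_RULES='root ALL=(ALL) ALL
%admin ALL=(ALL) ALL'

# Constructed sample sudoers file, including one line of the kind a malware
# installer might append. "helper" is a made-up account name.
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
# sudoers file (constructed sample)
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
helper  ALL=(ALL) NOPASSWD: ALL   # appended after the "install"
EOF

# rules_in FILE: print the rule lines of FILE with comments stripped,
# whitespace squashed, and Defaults/blank lines dropped, so rules can be
# compared textually against the baseline.
rules_in() {
    sed -e 's/#.*$//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' "$1" |
        grep -v '^$' | grep -v '^Defaults'
}

# unexpected_rules FILE: print every rule that is not in BASELINE_RULES.
unexpected_rules() {
    rules_in "$1" | while IFS= read -r rule; do
        printf '%s\n' "$BASELINE_RULES" | grep -Fxq -e "$rule" || printf '%s\n' "$rule"
    done
}

# nopasswd_rules FILE: print every rule granting commands without a password.
nopasswd_rules() {
    rules_in "$1" | grep 'NOPASSWD'
}

# audit_sudoers FILE: exit 0 when only baseline rules are present and nothing
# is passwordless, 1 otherwise (the findings are printed for review).
audit_sudoers() {
    n_unexpected=$(unexpected_rules "$1" | wc -l | tr -d ' ')
    n_nopasswd=$(nopasswd_rules "$1" | wc -l | tr -d ' ')
    [ "$n_unexpected" -gt 0 ] && { echo "rules outside baseline:"; unexpected_rules "$1"; }
    [ "$n_nopasswd" -gt 0 ] && { echo "NOPASSWD grants:"; nopasswd_rules "$1"; }
    [ "$n_unexpected" -eq 0 ] && [ "$n_nopasswd" -eq 0 ]
}

# Usage on the constructed sample: reports the appended "helper" rule.
audit_sudoers "$SAMPLE_FILE" && echo "sudoers matches baseline" || echo "REVIEW sudoers before trusting this machine"
```

The comparison is purely textual, so the baseline must be written in the same normalised form the script produces (single spaces, no comments); the point is not to parse sudoers fully but to make any deviation from a known-clean file visible at a glance, which is the check the post above argues an incident review should include.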

May 16, 2011 4:16 AM in response to ds store

I honestly wish you would stop all this fear-mongering. It is pointless and is only making you look like more of a hypochondriac. Malware does not want to do it in for the users; it is not profitable to destroy systems, it is more profitable to skim data off the user without detection. I don't really care for how long you have been using Mac OS; you obviously know next to nothing about how security and exploitation work, yet you act like you do.



May 16, 2011 4:14 AM in response to Rayced

people having this issue should at least re-install the latest Mac OS X Combo update at this stage of the incident.


That's a laugh. I may disagree with ds store regarding his advice, but at least it would work. His advice is good for any unknown malware that might make it onto your system. Reinstalling a combo update would do absolutely nothing to eliminate malware. Please stop pretending to be an expert about something that you are not an expert about.
