
These Defender/Protector infections; how many are Safari related? All of them?

It is my understanding that most people are reporting these infections to be from pop-ups and downloads WITHOUT user permission. I know that Safari has a setting that permits OS X to download and run links without user intervention. And more than a few of these infected users indicate that they use Safari.


Alternatively, I've not heard any Firefox or Chrome users specifically mention that they have been victimized by the Defender/Protector trojans.


Is this indeed the case? Have any users who DO NOT use Safari experienced the problem?


I use Firefox exclusively and have not seen any evidence of myself being exposed to this drama.


I'm curious.

MB Air 3,1 OS X 11.6, Mac OS X (10.6.6), MBP 13" OS X & Win7(Fusion) 2.66 C2 Duo, 4.0GB RAM, 320 HDD

Posted on May 17, 2011 10:04 AM


May 17, 2011 10:11 AM in response to SP Forsythe

People with all browsers are affected. The only thing unique to Safari is the Open "safe" files after downloading option, which evidently considers a .mpkg file to be safe. Thus, on Safari, Apple's installer opens that installer package automatically, but it's important to note that no third-party code gets run until you have clicked Install and provided your administrator password. Of course, there have been numerous people tricked into thinking this was an official Apple update, so many folks think that .mpkg files should no longer be considered safe by Safari.

May 17, 2011 10:24 AM in response to SP Forsythe

One Chrome almost-victim here.


https://discussions.apple.com/thread/3048064?answerId=15219569022#15219569022



Except for the downloads notification, the absence of an "open safe files default" and if they're using NoScript -- and, then, only if they don't "allow" a site that's been hacked with this -- don't think FF users have any intrinsic protection.


A lot of people don't mention the browser they're using.

May 17, 2011 12:50 PM in response to SP Forsythe

About a month ago I clicked on a link which then started with a message that Mozilla had detected a virus and looked as if it was running a scan. (I use Firefox.) I realized at the time that what it appeared to be scanning were Windows files, which I of course don't have, and Mozilla doesn't do scans. But it was still scary enough. Didn't download anything or install anything and came right to this forum for help and reassurance, which I got. I also went to the Firefox support forum and several other people had similar experiences. We were perhaps luckier that it was so obviously a scam. I am more cautious now than ever. I don't think the browser matters. Caution is my keyword now.


Laverne's mom

May 17, 2011 2:40 PM in response to SP Forsythe

Yes, there was one Firefox victim that I know of.


The difference with Firefox: say a user clicks the fake JavaScript window to close it and initiates a download. Firefox will ask what to do with it before starting the download and offer an option to cancel. This immediately alerts the user that something fishy is going on.


Most people realizing it's a Trojan site download will just cancel the download and move on, which is why we don't hear much from Firefox users.


Safari on the other hand just downloads the file, then OS X checks with the user AFTER the fact and perhaps a day or two later when the user thinks to themselves "What's this in my downloads folder...?" OS X says "You downloaded this file such and such day and time.."


I don't know about anyone else, but my memory isn't that good that I bother to remember exact days and times when I clicked a particular download link or not.


The problem with drive-by downloads, fast connections, and Safari's automatic and small downloads window is that one likely won't see the download occur, especially if they click on the bigger window, making the downloads window go to the rear.


What if the malware download snuggles in with real downloads, or, God forbid, uses the same name as a legitimate download on the installer?


Here is an example:


https://secure.wikimedia.com/tricklink


Now look in your downloads folder for a file named: osx-pl2303.kext.zip


Firefox users won't get tricked by the link above because a window appears and does not allow the download unless the user agrees.


Another thing: the download doesn't have a good description identifying what it is before you run it; it just says "osx-pl2303.kext.zip". Some people will know it's a kext file, so people's tendency is to click to see what it is.


It's a Prolific PL-2303 driver for 64 bit Mac OS X by the way from Apple, a small file to demonstrate.



So is the rash of Trojan downloads an issue related to Safari?


Let's say the way Safari is makes it easier to get Trojans on a Mac than other browsers that warn of a download before commencing.


Since most Mac users use the browser that comes bundled with a new machine, or out of severe loyalty to Apple, they will get hit more often by these Trojans.
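
Added example (not part of any post in this thread): a shell audit of the two behaviours discussed above, Safari's Open "safe" files after downloading option and the per-file download record behind OS X's "You downloaded this file..." prompt. It assumes the preference key `AutoOpenSafeDownloads` in the `com.apple.Safari` domain and a `flags;hex-epoch;agent;uuid` layout for the `com.apple.quarantine` attribute; the sample value in the comment is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes macOS `defaults` and `xattr`.

# Parse a com.apple.quarantine value, assumed layout "flags;hex_epoch;agent;uuid".
# Prints "<epoch-seconds> <agent>"; returns 1 if the value is malformed.
# Constructed sample: 0083;4dd2a1f0;Safari;CONSTRUCTED-UUID
parse_quarantine() {
    case $1 in *';'*';'*) ;; *) return 1 ;; esac
    rest=${1#*;}                 # drop the flags field
    stamp=${rest%%;*}            # hex seconds since the Unix epoch
    rest=${rest#*;}
    agent=${rest%%;*}            # application that performed the download
    case $stamp in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    printf '%d %s\n' "0x$stamp" "$agent"
}

# Report the Safari auto-open setting, then every archive or installer
# package in the downloads folder that carries a quarantine record.
audit_downloads() {
    dir=${1:-$HOME/Downloads}
    if command -v defaults >/dev/null 2>&1; then
        v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null) || v=
        echo "Safari AutoOpenSafeDownloads: ${v:-not set (default applies)}"
    fi
    command -v xattr >/dev/null 2>&1 || return 0
    for f in "$dir"/*.pkg "$dir"/*.mpkg "$dir"/*.zip "$dir"/*.dmg; do
        [ -e "$f" ] || continue
        q=$(xattr -p com.apple.quarantine "$f" 2>/dev/null) || continue
        info=$(parse_quarantine "$q") || continue
        echo "$f: fetched by ${info#* } at epoch ${info%% *}"
    done
    return 0
}

audit_downloads "$@"
```

To switch the auto-open behaviour off from the same shell, `defaults write com.apple.Safari AutoOpenSafeDownloads -bool false` sets the key this script reads.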

May 17, 2011 2:31 PM in response to ds store

A bit off-topic, but does anyone know if this thing is coded to only install on an Intel? And, can it jump to a browser on a PPC? (but not install on the machine, itself.)


Is it picky about the user agent it encounters?


I've looked through all the posts on the PPC iMac and Tiger Forums (I don't think I found anything in the latter) since it appeared, but couldn't confirm that people reporting it were actually using PPC Macs. Their "Products" were just "iMac" or something just as vague and useless.
