
Observations on Mac OS/Safari Malware problem

867 Views 4 Replies Latest reply: May 21, 2011 1:03 PM by andyBall_uk
dmccollam
May 20, 2011 10:15 PM

Just a couple of data points on the recent spate of anti-virus "malware" problems.

 

1) I believe the malware is embedded in compromised images linked to by legitimate web sites:

    In my initial case, just going to CNN.com produced the malware redirection ("attempt").  (I immediately force quit Safari.)

    In the second case, scrolling through a series of images at MSNBC.com produced the same "attempt".  (Again, I force quit.)

2) In my case, the "Open "safe" files ..." preference has been unchecked from day one.  So that might be the source of the malware intrusion.

3) If you force quit Safari or quit Safari *without taking any responsive action*, I think all you need to do is completely delete (trash + empty trash) the automatically downloaded MACDefender.zip (the malware installer, name varies a bit) file placed in your default download location (documents? downloads?).

 

Don

  • Klaus1 Level 8 (43,415 points)
    May 21, 2011 1:41 AM (in response to dmccollam)

    Malware spreads through search engines like Google via a method known as "SEO poisoning." The sites are designed to game search engine algorithms and show up when users search for certain topics.

     

    You may find this User Tip on Viruses, Trojan Detection and Removal, as well as general Internet Privacy, useful:

     

    https://discussions.apple.com/docs/DOC-1848

    Regarding MacScan, first update the MacScan malware definitions before scanning. You can also contact their support team for any additional support: macsec@securemac.com

    Security of OS X generally:

     

    http://www.apple.com/macosx/security/

     

    http://www.nsa.gov/ia/_files/os/applemac/I731-007R-2007.pdf

     

    Security Configuration for Version 10.5 Leopard:

     

    http://images.apple.com/server/macosx/docs/Leopard_Security_Config_2nd_Ed.pdf

     

    This Blog entry is also worth a read:

     

    http://blog.damballa.com/?p=1055

     

    UPDATES:

    Another source of malware, apart from sites like Facebook and Hotmail, is the Android Marketplace:

    More than 50 applications available via the official Android Marketplace have been found to contain a virus.

    Analysis suggests that the booby-trapped apps may have been downloaded up to 200,000 times. The apps are also known to be available on unofficial Android stores too. Once a booby-trapped application is installed and run, the virus lurking within, known as DroidDream, sends sensitive data, such as a phone's unique ID number, to a remote server. It also checks to see if a phone has already been infected and, if not, uses known exploits to bypass security controls and give its creator access to the handset. This bestows the ability to install any code on a phone or steal any information from it.

    Remote removal of the booby-trapped apps may not solve all the security problems they pose. The remote kill switch will not remove any other code that may have been dropped onto the device as a result of the initial infection.

    Moreover, more than 99% of Android phones are potentially leaking data that, if stolen, could be used to get the information they store online.

    http://www.bbc.co.uk/news/technology-13422308

    The data being leaked is typically used to get at web-based services such as Google Calendar.

    The open nature of the Android platform was a boon and a danger, and as Facebook have already discovered it is also a very attractive criminal playground.

    http://www.bbc.co.uk/news/technology-12633923

    How safe is your smartphone?

    Smartphones and social networking sites are likely to become the next big target for cyber criminals, according to a security industry report.

    Symantec's annual threat analysis warns that the technologies are increasingly being used to spread malicious code.

    Users of Facebook, Twitter and Google's mobile operating system, Android, are said to be particularly vulnerable.

    In several cases, the security holes were exploited and used to install harmful software on Android handsets - suggesting that criminals now view smartphone hacking as a potentially lucrative area.

    At least six different varieties of malware were discovered hidden in applications that were distributed through a Chinese download service.

    Several pieces of malware were also found on iPhones, however only devices that had been "jailbroken" to bypass Apple's security were affected.

    The company's process of pre-vetting all new applications is believed to have spared its devices from a major attack.

    The company estimates that one in six links posted on Facebook pages are connected to malicious software.

    http://www.bbc.co.uk/news/technology-12967254

     

    to which Facebook has responded:

     

    "Facebook and Internet security company Web of Trust (WOT) will provide Facebook users with a feature that protects them against dubious Web links, the companies said this week.

    When a Facebook user clicks on a link that leads to a page with a poor reputation rating given by the WOT community, the user will receive a warning message. Typically, the sites with a poor reputation are known for phishing, untrustworthy content, fraudulent services or other scams."

     

    http://www.macworld.co.uk/news/index.cfm?olo=email&NewsID=3279603

    Newly discovered malicious software dubbed "MACDefender" takes aim at users of the Mac OS X operating system by automatically downloading a file through JavaScript. But users must also agree to install the software, leaving the potential threat limited.

     

    The new MACDefender malware was first noted on April 30, 2011 by users of the Apple Support Communities, and was highlighted by antivirus company Intego. If the right settings are enabled in Apple's Safari browser, MACDefender can be downloaded to a system after a user clicks a link while searching the Internet.

     

    "When a user clicks a link after performing a search on a search engine such as Google, this takes them to a web site whose page contains JavaScript that automatically downloads a file," Intego said. "In this case, the file downloaded is a compressed ZIP archive, which, if a specific option in a web browser is checked (Open 'safe' files after downloading in Safari, for example), will open."

     

    However, users must still agree to install the malware after it downloads. After the ZIP file is extracted, users are presented with the "MACDefender Setup Installer," at which point they must agree to continue and provide an administrator password.

     

    Because of the fact that users must agree to install the software and provide a password, Intego categorized the threat with MACDefender as "low."

     

    Users on Apple's support forums advise killing active processes from the application using the Mac OS X Activity Monitor. MACDefender can then be deleted from the Applications folder by dragging it into the trash.

     

    The malware is not to be confused with MacDefender, the maker of geocaching software including GCStatistic and DTmatrix. The company noted on its site it is not affiliated with the malware.

     

    The latest threat to the Mac OS is the Weyland-Yutani BOT, which is described as a DIY crimewave kit that supports web injects and form grabbing in Firefox; however, both Chrome and Safari will soon follow. 'Form grabbing' is a way of collecting passwords:

     

    http://www.csis.dk/en/csis/blog/3195/

    Additional reading:

     

    "Antivirus Software On Your Mac: Yes or No?"

     

    http://gigaom.com/apple/antivirus-software-on-your-mac-yes-or-no/

    20" 2.1GHz iSight iMac G5, Mac OS X (10.5.8), iLife 9 but iMovie 6, QTPro 7.6.9, Safari 5.0.5
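The chain quoted above (a script-triggered ZIP download that Safari auto-opens when "Open 'safe' files after downloading" is on, unpacking to an installer the user must still approve) points to two defender-side checks. As an added example, not code from this thread, Apple or Intego: a Python scan of a download folder for archives carrying installer packages or app bundles, plus a read of Safari's AutoOpenSafeDownloads preference (a real com.apple.Safari key; the .pkg/.mpkg/.app heuristic and the sample archives are constructed assumptions).

```python
import subprocess
import sys
import tempfile
import zipfile
from pathlib import Path

# Hypothetical heuristic of our own: member names marking an archive as carrying something installable.
INSTALLER_MARKERS = (".pkg", ".mpkg", ".app")


def suspicious_members(zip_path):
    """Return archive members that look like installer packages or .app bundles."""
    hits = []
    with zipfile.ZipFile(zip_path) as zf:
        for name in zf.namelist():
            parts = name.lower().rstrip("/").split("/")
            if any(p.endswith(INSTALLER_MARKERS) for p in parts):
                hits.append(name)
    return hits


def scan_downloads(folder):
    """Map each .zip in folder to its suspicious members; clean archives are omitted."""
    findings = {}
    for entry in sorted(Path(folder).glob("*.zip")):
        hits = suspicious_members(entry) if zipfile.is_zipfile(entry) else []
        if hits:
            findings[entry.name] = hits
    return findings


def safari_auto_opens_safe_files():
    """macOS only: True if Safari's 'Open "safe" files after downloading' is on; None elsewhere.
    An absent AutoOpenSafeDownloads key means Safari's default, which is enabled."""
    if sys.platform != "darwin":
        return None
    out = subprocess.run(["defaults", "read", "com.apple.Safari", "AutoOpenSafeDownloads"],
                         capture_output=True, text=True)
    return out.returncode != 0 or out.stdout.strip() == "1"


def build_sample_downloads():
    """Construct a throwaway folder: one benign ZIP, one installer-carrying ZIP."""
    folder = Path(tempfile.mkdtemp())
    with zipfile.ZipFile(folder / "photos.zip", "w") as zf:
        zf.writestr("img1.jpg", b"constructed")
    with zipfile.ZipFile(folder / "MACDefender.zip", "w") as zf:
        # Constructed member path; only the installer's name comes from the thread.
        zf.writestr("MACDefender Setup Installer.mpkg/Contents/Info.plist", "<plist/>")
    return folder
```

Any archive reported by `scan_downloads` is one to review and trash before it is double-clicked; on a Mac, `safari_auto_opens_safe_files()` returning True is the setting the thread recommends turning off.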
  • andyBall_uk Level 6 (17,575 points)
    May 21, 2011 1:03 PM (in response to dmccollam)

    I'd check your DNS servers, Don - what you describe isn't typical of MACDefender variants I've seen, albeit that it could have changed tack.
