
Cat and mouse with Trojan begins

http://www.zdnet.com/blog/bott/new-apple-antivirus-signatures-bypassed-within-hours-by-malware-authors-update/3396

Posted on Jun 1, 2011 4:17 PM

38 replies

Jun 1, 2011 5:00 PM in response to Barney-15E

Barney-15E wrote:


Just don't be stupid. No games required.

C'mon Barney, we know that. I only posted the article because I find it interesting how quickly the scammer responded. I imagine he thinks he can stay ahead of the game long enough each day, or whatever it takes for Apple to update its definitions, to survive.

Jun 1, 2011 5:06 PM in response to WZZZ

I use Firefox and I have it set up to block redirects. Since MacDefender redirects you to its page when you click on the link, wouldn't that mean it can't even get you to its site?


When I came face-to-face with it I was on Safari, so it redirected me, but the settings that I have on Firefox block it by default and I need to manually allow each redirect.

Jun 1, 2011 6:21 PM in response to Spprrw

You mean this?



That won't do anything. In this case, the site isn't responsible for the re-direct; the sites are hacked. If you want some protection, besides what comes with the new Sec Update, get NoScript.


On the original topic: It wouldn't surprise me if this scammer has a large stockpile of variants ready to go.


Message was edited by: WZZZ

Jun 1, 2011 7:34 PM in response to WZZZ

WZZZ wrote:

... I find it interesting how quickly the scammer responded. I imagine he thinks he can stay ahead of the game long enough each day, or whatever it takes for Apple to update its definitions, to survive.

It will be interesting to see how quickly Apple updates the definitions, & what the response to that is. To make it worthwhile for the malware creator to keep at it, enough people will have to take the bait & supply their credit card numbers to offset the costs of keeping malicious IP addresses live, plus justify any risks of arrest & prosecution for fraud.


The costs aren't high & the risk of prosecution is low, assuming the perpetrator(s) are in a country that doesn't actively go after that kind of crime, or one that cooperates with countries that do.


OTOH, there are only so many cheap IP providers to choose from, many are in the U.S. & other countries that do take collusion to commit fraud seriously, & Apple has a very aggressive legal department. Plus, the number of Mac users that haven't heard about the scam should continue to dwindle.


Beyond that, an increasing number of us have decided, even before this trojan arrived, that it was time to start using third party anti-virus software. That means the malware will have to deal with several different sets of detection mechanisms & definitions to maximize the payoff.


I'm guessing the perp won't give up, but neither will the malware be very profitable.

Jun 1, 2011 8:41 PM in response to Spprrw

Just don't install it and don't worry about it. If a real virus ever does show up for Mac OS X, you will know about it. Until then, by acting as if this trojan is at all dangerous, you are doing the malware author's work for them. Why should they bother writing a virus when they get such a dandy return in cash and fear from a tiny investment in this simple application that is little more than an AppleScript?


I could write an application and call it "serendipity" or something and have it pop up random websites. I could charge $99 for it and sell it through the Mac App Store. Other than the name of the application and nature of the websites it displayed, it would be no different than this trojan. There is no way for Apple to ever detect and prevent this. The malware can be changed an infinite number of times but Apple's malware definition list would eventually grow large enough to consume all of your disk space.


The only answer is for Mac users to simply not install it. Until Mac users realize they are immune to viruses, they will forever be plagued by antivirus software - both "legitimate" and "fake", there is no difference really.

Jun 2, 2011 10:35 AM in response to etresoft

etresoft wrote:

Until Mac users realize they are immune to viruses, they will forever be plagued by antivirus software - both "legitimate" and "fake", there is no difference really.

Nonsense. Your across-the-board low opinion of legitimate anti-malware only adds to the confusion. Apple long ago acknowledged that these products add a layer of protection users may want or need. Snow Leopard now has a built-in malware detection mechanism somewhat like that of the legitimate third party products.


If it is a contest between your opinion & Apple's, Apple wins hands down -- period.

Jun 2, 2011 11:47 AM in response to R C-R

Clearly it isn't a matter of opinion. Even an amateurish malware effort such as MacDefender is able to make fools out of all anti-malware vendors - from Sophos to Norton, and now Apple. That isn't opinion, it is objective evidence. Apple needs to get out of the anti-malware business if they know what is good for them. There is no profit to be had and only ridicule to be earned.


It isn't just Apple users that need to come to grips with what malware on the Mac is truly about. Apple seems as clueless as its users. They cannot win this fight by relying on the tools of the Windows anti-malware war. Apple needs to Think Different. They need to abandon the default Admin user entirely. Force all but power users into the Mac App Store. Anyone who opts out does so at their own risk. It works great for iOS, it will work great on the Mac too. Apple needs to make Lion nothing more than iOS with the Finder and documents. That will be a successful strategy. Until they do that, they are just wasting their time and encouraging the malware authors.

Jun 2, 2011 2:03 PM in response to etresoft

Apple seems as clueless as its users.


That's a very illuminating statement. It really puts a lot into perspective with regard to some of your other statements.


Force all but power users into the Mac App Store. Anyone who opts out does so at their own risk. It works great for iOS


That would be a disaster akin to the licensing fiasco of the 90s. That model works for the iOS because there's no other reasonable choice. Many people are actually willing to jailbreak their devices, with all the implications that entails, just so they can get stuff not available on the App Store. I'm not overly impressed with the Mac App Store, and its approval system is completely inadequate to act as the sole software supplier for a platform that is more than just an iPad with a keyboard.

Jun 2, 2011 4:15 PM in response to etresoft

etresoft wrote:


Clearly it isn't a matter of opinion. Even an amateurish malware effort such as MacDefender is able to make fools out of all anti-malware vendors - from Sophos to Norton, and now Apple. That isn't opinion, it is objective evidence.

More nonsense. For example, Sophos had updated its definitions within 24 hours of the appearance "in the wild" of each of the variants -- by the time you read about them, they are already in the definitions database.


Besides, your statement was that there is really no difference between the anti-malware products & the malware. You have presented zero evidence to support that claim.

Jun 2, 2011 6:00 PM in response to thomas_r.

Thomas A Reed wrote:


Apple seems as clueless as its users.


That's a very illuminating statement. It really puts a lot into perspective with regard to some of your other statements.

I don't follow. How so?


The Mac malware threat is fundamentally different from that on PCs. There are no viruses. There are only installers and applications that are essentially no different than any other installers and applications. The malware authors can continue to change it forever. I wasn't joking about my CGI that could spit out a unique MacDefender clone with each web hit. The hardest part of that scheme is that a Mac would be needed to generate the installer. That requires a fairly sophisticated mastery of Apple's notoriously hard-to-use PackageMaker. It would also require installing a Mac (or hackintosh) malware server in a co-location hosting provider. Therefore, such a CGI script is very unlikely.


The Mac environment and community are much different than those of the PC. I think using tactics from the PC malware arena is a bad move. That essentially has Apple (or any other Mac anti-virus tool) doing the same thing on the Mac that they do with Windows. That means they are the same, doesn't it? What's next? Malware removal appointments at Apple Store Genius Bars? With this strategy, there is nowhere for Apple to go but down to the same level as Windows. In the minds of the consumer, they will be no different.


I figure it had to happen sooner or later. Apple has been on a real winning streak lately. Nobody can keep that up forever. If they keep this up it will be their first real bomb. They can only hope the non-iOS market dries up fast enough so that nobody remembers.


Force all but power users into the Mac App Store. Anyone who opts out does so at their own risk. It works great for iOS


That would be a disaster akin to the licensing fiasco of the 90s.


Me and Apple's financial reports strongly disagree. Apple's customers have clearly shown 1) they can get along fine without admin permissions, and 2) they can't handle those permissions to begin with. The only question that remains is how to port that model to a desktop environment.


I think it could be something as simple as a checkbox (unchecked by default) that says "grant admin privileges" during the OS install. If the user checks it, they get a nasty warning "Your machine will be at risk from malware, incompatible 3rd party software, loss of data, and significant light leakage - Are you sure?" That should be sufficient to scare away those people who are at risk from malware.

Jun 2, 2011 6:14 PM in response to R C-R

R C-R wrote:


More nonsense. For example, Sophos had updated its definitions within 24 hours of the appearance "in the wild" of each of the variants -- by the time you read about them, they are already in the definitions database.

And how often do Sophos users check for updated database entries? Every 24 hours? That's 48 hours of vulnerability. How many Google image searches happen every 48 hours? This malware can be scripted. The build scripts can be set up to run every 24 hours to build and distribute a new version of the Trojan.


That reminds me of something I remember from history class. In 1945, the Japanese Kamikazes were sinking a ship once a week. That sounds pretty bad. But the US shipyards were building a new ship every 24 hours. The war was over. You can't fight math.


Besides, your statement was that there is really no difference between the anti-malware products & the malware. You have presented zero evidence to support that claim.


The business model of both groups is to take money from people who are afraid of viruses that don't exist. I suppose it isn't true to say there is "no difference" between the two. MacDefender just pops up a few web sites. Anti-virus software uses kernel modules that are far more invasive, reduce performance, reduce stability, and put the user at risk of problems during software update. MacDefender actually seems less harmful than "legitimate" anti-virus software. It installs no kernel modules so there is no performance or stability hit. It is just an application so it will probably run great in Lion. It probably has a better upgrade price too.

Jun 3, 2011 12:43 AM in response to etresoft

etresoft wrote:

And how often do Sophos users check for updated database entries?

By default, Sophos automatically checks for updates once an hour. Users don't have to do anything.


The business model of both groups is to take money from people who are afraid of viruses that don't exist.

Sophos home edition is free, as is ClamXav.

Anti-virus software uses kernel modules that are far more invasive, reduce performance, reduce stability, and put the user at risk of problems during software update.

Sophos has been running on my Macs since last November & I have not bothered to disable it for any of the OS or any other updates I have installed since then, all of which have installed flawlessly. Sophos processes use 0% of the CPUs most of the time, about 1 to 2% for the brief interval the on-access scanner checks files when they are accessed, & at most about 50% of one CPU during the on-demand scan when it is set to scan inside archives & compressed files. The on-demand scanner only needs to be used once to verify that no malware preexists on connected drives. It can take up to several hours to fully scan a drive full of large & compressed files, but it is only slightly longer than it would take just to decompress & read the same files.


There has never been even a hint of instability while using the software.

Jun 3, 2011 2:15 AM in response to etresoft

etresoft wrote:

Force all but power users into the Mac App Store. Anyone who opts out does so at their own risk. It works great for iOS, it will work great on the Mac too.

Dictatorship by closed loop system. Sheer madness.


I don't own an iPhone and never will as long as it's locked in to the iOS App Store.

I don't have the App store on my Mac, nor will I ever have.

Jun 3, 2011 2:43 AM in response to etresoft

Force all but power users into the Mac App Store. Anyone who opts out does so at their own risk. It works great for iOS, it will work great on the Mac too.


All we need now is a quick definition of "power users" and we're off. Should be an easy sell too. "See, on the Mac we have two kinds of User. Those who pass etresoft's test and can be allowed to install whatever they like on their computer and the rest (who, incidentally, don't get to use apps made by Adobe and Microsoft)"


Yes, as a Marketing Campaign that really sells itself.


As a suggestion it's up there with Bill Gates' solution for spam a few years back: charge for every email you send.


Regards



TD
