
Mail virus and Trojan issues

I have a high end virus detection running on my Mac.


Recently I have had many Spam emails with attachments. The attachments had viruses or trojans, most likely Windows ones. When I marked them as 'Junk' there was no issue, then I deleted the Junk mail. When I rebuilt the mail boxes recently the virus checker picked up the viruses in the attachments.


Two things are of concern related to above;

1) the recent information about 650,000 Macs worldwide being affected with the Flashback trojan should basically have eliminated the thought that there is no necessity to use virus detection on Macs, or at least have raised concerns about attack potential.


2) Why there was no issue until I tried to rebuild the mailboxes, basically meaning if you just 'erase junk mail' any future potential risk to Macs could be dormant or active, still on the HD. 'Erase junk mail' means the data is still in the mailboxes/HD, just not shown in mail, perhaps just the file headers removed.


It could just be a matter of time before Macs become a more active target, as most users are complacent about the potential for viruses and trojans; there are strong myths that Macs are safe against such attacks.


A good friend recently had a virus attack on his iPad that Apple technicians at the Genius Bar were all interested in, and they reported it back to Apple headquarters. So I think personally the time for complacency is over.


Any idea about what is going on with the mail boxes would be most interesting.


Thank you.

MacBook, Mac OS X (10.6.8), iPad & iBook OS 10.6.8

Posted on May 22, 2012 12:05 AM

19 replies

May 22, 2012 2:04 AM in response to Memoire

Memoire wrote:


I have a high end virus detection running on my Mac.

Any reason not to name it?

Recently I have had many Spam emails with attachments. The attachments had viruses or trojans, most likely Windows ones.

So when you say mostly, were any of them Mac malware or just some sort of phishing e-mail?

When I marked them as 'Junk' there was no issue, then I deleted the Junk mail. When I rebuilt the mail boxes recently the virus checker picked up the viruses in the attachments.

It sounds like you didn't let the "high end virus detection" delete any of those e-mails, correct? You deleted them all using your e-mail client application. Otherwise you get mailbox index corruption and have to rebuild the mailbox.


I've given some thought about the attachment business, but haven't had a chance to check my questions out. Since all "attachments" actually arrive on your hard drive embedded into the e-mail as mime encoded sections, I don't think they get stored separately until / unless you open or save them. There is an attachment folder, but I don't know that it contains all the "attachments" in e-mail you haven't done something with. If you choose to view embedded graphics, are they then stored in that folder or simply decoded on the fly?


And after they appear in the Attachments folder, are they still linked to the message so that they are removed when the e-mail is deleted?


I suspect if I knew the answer to those questions I could answer yours, but I've never had time to play with it.

May 22, 2012 4:22 AM in response to Memoire

Recently I have had many Spam emails with attachments.


That is entirely normal, and I have never yet heard of any Mac malware being distributed via e-mail. Those were undoubtedly all Windows malware or phishing attempts.


When I rebuilt the mail boxes recently the virus checker picked up the viruses in the attachments.


My suspicion would be that your AV software prevented those files from being deleted properly when you emptied the junk mail folder. Some AV software I have tested will prevent deletion of malicious files; to delete, you have to use the AV software to remove the threat, which generally isn't a good idea when it comes to e-mail. (It can corrupt the mailbox index.)


1) the recent information about 650,000 Macs worldwide being affected with the Flashback trojan should basically have eliminated the thought that there is no necessity to use virus detection on Macs, or at least have raised concerns about attack potential.


Not really. Most of those infections occurred after Apple had already released security updates that would have prevented infection. And Mac OS X includes some basic malware protection. For more on this topic, see my Mac Malware Guide. (Note that my pages contain links to other pages that promote my services, and this should not be taken as an endorsement of my services by Apple.)


A good friend recently had a virus attack on his iPad


Not unless he has jailbroken his iPad. There is no malware that affects any iOS devices at this time, unless said device has been jailbroken. The closed nature of iOS, which prevents any third-party code from executing unless it comes from the App Store, has proven to be an effective barrier to malware. There is malware for jailbroken iOS devices. One reason among many not to jailbreak your iPad!

May 24, 2012 10:44 AM in response to thomas_r.

Replies much appreciated. The report I read said Apple released the security update because a large number of Macs were reported by various virus software companies to have been infected.


The virus attack that my friend had was on his iPad; the iPad 2 is a WiFi version. The attack was also via email, and was reported to Apple by the manager of the Apple Store whose Genius Bar my friend visited; my friend was told it had been reported to Apple via Apple's internal system for such reports. I doubt that the Apple Store manager would have said it was a virus if it wasn't; most of the staff from the Genius Bar were also interested in this too, it seems.


So after almost 3 decades of using Macs without caring too much, I am starting to become nervous that it is only a matter of time before a serious threat arises. As these strange phenomena are also occurring within Mail, I was concerned for the long term.

May 24, 2012 12:02 PM in response to Memoire

Memoire wrote:


2) Why there was no issue until I tried to rebuild the mailboxes, basically meaning if you just 'erase junk mail' any future potential risk to Macs could be dormant or active, still on the HD. 'Erase junk mail' means the data is still in the mailboxes/HD, just not shown in mail, perhaps just the file headers removed.


The Mail trash works just like the Finder trash. It sits in the Trash bin until you empty it.


It could just be a matter of time before Macs become a more active target, as most users are complacent about the potential for viruses and trojans; there are strong myths that Macs are safe against such attacks.


Macs are safe against such attacks. Flashback was a one-time anomaly that used an exploit in Oracle's (née Sun Microsystems) Java and the tradition of always including Java. Apple likes to re-evaluate those traditions and removed Java last year. The Mac's architecture makes it inherently more secure than either Windows or Linux. It is getting even more secure. The only real risk is users being tricked into installing malware. Apple will be closing that hole in Mountain Lion with Gatekeeper.


A good friend recently had a virus attack on his iPad that Apple technicians at the Genius Bar were all interested in, and they reported it back to Apple headquarters. So I think personally the time for complacency is over.


There are no Mac viruses. There is no iOS malware of any kind. Your friend probably had a jailbroken device. All bets are off then as jailbreaking is actually installing a virus on purpose. The only reason to do that is to run pirated software, an excellent way to acquire viruses on any platform.

May 24, 2012 12:39 PM in response to Memoire

Memoire wrote:


The virus attack that my friend had was on his iPad; the iPad 2 is a WiFi version. The attack was also via email, and was reported to Apple by the manager of the Apple Store whose Genius Bar my friend visited; my friend was told it had been reported to Apple via Apple's internal system for such reports. I doubt that the Apple Store manager would have said it was a virus if it wasn't; most of the staff from the Genius Bar were also interested in this too, it seems.

As others have said, there is to date no malware for iOS except on jailbroken devices. One possibility that comes to mind for your friend could have been a link in an email that pointed him to a website crafted to exploit a Safari vulnerability. There have been a few of those on OS X, though I'm not sure about on iOS. That wouldn't be a virus, however; it might be termed a trojan. It's generally a bad idea on any platform to click on links in strange emails.

May 24, 2012 12:49 PM in response to Memoire

The report I read said Apple released the security update because a large number of Macs were reported by various virus software companies to have been infected.


That's not entirely accurate. The first variant of Flashback that was capable of installing itself relied on a Java vulnerability that Apple had already patched. The next variant used an unpatched vulnerability. Apple released a Java update the very next day to close that vulnerability. Then, a little more than a week later, they released the removal tools. Apple certainly did not wait until large numbers of Macs were infected before doing anything.


I doubt that the Apple Store manager would have said it was a virus if it wasn't


I don't share your certainty. First of all, you're reporting this to us third-hand. There's a more than reasonable possibility that your friend didn't understand what the techs were telling him, or that he didn't report it accurately to you, or you didn't understand what he said. Secondly, I have, unfortunately, very little confidence in anything the Apple Geniuses say. Some of them are knowledgeable, but some of them are not, and have been known to tell people some pretty dumb things. We don't know which species of Genius your friend talked to.


Bottom line: unless he jailbroke his iPad, he did not have malware. Period. There simply isn't any malware out there for the iOS, except for jailbroken devices, because of the sandboxing restrictions in iOS. No code is allowed to execute except what comes through the App Store, which is exactly what jailbreaking is meant to change.


So after almost 3 decades of using Macs without caring too much, I am starting to become nervous that it is only a matter of time before a serious threat arises.


Anything is possible, and certainly you should remain vigilant against being tricked into installing something you shouldn't. However, beyond such tricks, it's unlikely we'll see another Flashback for a while. Flashback was the first thing in ten years capable of installing itself on a Mac, and that security hole is now closed (if you keep your Mac properly updated). It's always possible some other vulnerability might be discovered, but that's fairly unlikely, and the Flashback incident shows that updating your machine in a timely fashion will do a lot to keep you safe.


See my Mac Malware Guide for more on this topic.


(Note that my pages contain links to other pages that promote my services, and this should not be taken as an endorsement of my services by Apple.)

May 24, 2012 11:30 PM in response to thomas_r.

I appreciate the time spent on the replies. They have given some interesting ideas to pursue.


Just to clear a few points Thomas, my friend and myself have used computers since 1979; I started using Macs in the very early 1980's with a total of 9 Macs over that period, so I believe we can rule out miscommunication between my friend and myself and between my friend and the Apple Store manager; the manager was called by the Genius Bar staff because of this issue, so if it was irrelevant, why he was involved is a mystery to me. More details are that my friend received a number of e-mails to his iPad dated 1970; it was uncertain which of the three accounts these mails had come to. These e-mails couldn't be deleted, so this is why my friend went to the Apple Store; basically he didn't want the hassle of sorting it out himself. The Genius Bar guys found that these e-mails couldn't even be opened, as they wrongly must have thought my friend had tried to open them, which he hadn't. My friend is unsure what the Apple staff did to resolve the issue, as he left the iPad with them and picked it up later. It was at that stage he was told the emails were a virus attack; the store manager told my friend this case had been reported to Apple H.Q. To eliminate all the assumptions, the iPad was 'not' a jailbroken device. But actually this case coincided with the issues I had been having with e-mails, and his story only came to light when I mentioned the issues I was experiencing. I included it as general information towards resolving, or getting to the bottom of, my issues.


Regarding etresoft's comments, I think I need to re-explain what happened, as it seems there are misunderstandings and assumptions, or perhaps a lack of clarity in my first post. Since returning to Europe after 30 years in Asia I suddenly started receiving vast amounts of spam mail daily; most of these go directly to Junk; any mail I don't recognise as from someone I know also gets manually marked as Junk irrespective of title. I empty the Mail Junk folder 2 or 3 times daily due to the volume, as I check to make sure no legitimate e-mails were automatically deleted; approximately 300+ Spam mails come every day, compared to one or two when I was receiving in Asia.
I assumed that perhaps there was potential that Erase Junk Mail just removed this listing within Mail, and that these e-mails, some of which had attachments, were still on the HD. I wondered about the potential of these files to cause issues, either now or with future emails sometime in the future. To test this out I ran the Rebuild command in Mail. When I did this the Virus program kicked in; I understand the logic mentioned in previous replies by the way, Thomas; but at the time I thought that perhaps my theory was correct, that the mails did remain on the HD after the Erase Junk Mail command was executed.


My concern is technology and abilities are continually improving, and I am interested to take all precautions to avoid being surprised one day by some new techniques that have compromised my system. I have learnt over the years that it is not wise to assume anything and just deal with the facts as they seem relevant. Irrespective of the thoughts there is no necessity to have virus software running on a Mac, I have had virus protection programs since they first came out; and will continue to use these.


I need to find out more about the function of the 'Erase Junk Mail' command and what actually takes place; I feel the data is still on the HD and only rebuilding the mailboxes removes these email files. Thus your previous response that the Virus program will take precedence to remove any virus attachments. As I said previously, I realise these are Windows related; but I don't want to be surprised on the day they are not; things are changing so rapidly now. I am unsure why Asia has less Spam, and Europe has so much; I don't know the situation in the USA. But I feel in Europe extreme vigilance is necessary.

May 25, 2012 3:31 AM in response to Memoire

he was told the emails were a virus attack


That's pure nonsense, unless the manager meant that they were meant to attack Windows machines running an insecure e-mail client like Outlook. As I have already said, an iPad that has not been jailbroken cannot run code from a source such as e-mail. It sounds like those e-mails may have been malformed in some way, and the fact that they could not be opened or deleted was probably the interesting part, meaning that however they were malformed was causing the iPad to fail to properly handle them. That needed to be reported to Apple to be fixed.


Bottom line, there really, truly is no malware whatsoever for non-jailbroken iOS devices. Period.


I need to find out more about the function of the 'Erase Junk Mail' command and what actually takes place; I feel the data is still on the HD and only rebuilding the mailboxes removes these email files.


What normally happens when you erase junk mail is that it gets erased, attachments and all, as one would expect. It's not very complicated. Also, note that rebuilding the mailboxes doesn't do anything to remove files, it simply forces Mail to rebuild the message list.


As I said before, it was undoubtedly your anti-virus software interfering with Mail's ability to delete those attachments. I tested Sophos for a while, and it did exactly that - it worked at a very low level to prevent any access to files it deemed to be malware, including preventing deletion. You could only delete such files by either disabling it temporarily or by telling it to delete them (which isn't a very good idea when it comes to e-mail messages, as that can corrupt the mailbox index).

May 25, 2012 4:05 AM in response to Memoire

Memoire wrote:


I need to find out more about the function of the 'Erase Junk Mail' command and what actually takes place; I feel the data is still on the HD and only rebuilding the mailboxes removes these email files. Thus your previous response that the Virus program will take precedence to remove any virus attachments. As I said previously, I realise these are Windows related; but I don't want to be surprised on the day they are not; things are changing so rapidly now. I am unsure why Asia has less Spam, and Europe has so much; I don't know the situation in the USA. But I feel in Europe extreme vigilance is necessary.

I was able to partially replicate your findings. I duplicated a message that contained the Eicar test malware and marked it as Junk which moved it to the junk folder. When I checked I could see the message, but the attachment had not been separately saved. I rebuilt the Junk folder and the attachment then showed up in the Attachments folder. Using Erase Junk Mail eliminated both the message and the attachment.


I tried again but this time I just did an Erase Junk Mail first and then rebuilt the mailbox, but the attachment did not show up.


So I still cannot explain what happened in your case. Do you use a separate Junk folder or just keep them in your inbox? Not sure how that could make any difference.

May 25, 2012 7:58 AM in response to MadMacs0

Thank you to Yourself and Thomas for taking your time to reply, much appreciated.


MadMacs0 wrote:


I tried again but this time I just did an Erase Junk Mail first and then rebuilt the mailbox, but the attachment did not show up.

Above is how I usually do it as I don't rebuild the mailboxes every time I erase Junk mail. The virus detection kicks in only during the rebuilding of the mailboxes, which sometimes is one or two days later. If Erase Junk Mail command had erased these Junk mails, I was curious how the Virus detection kicked in later during rebuilding of the mailboxes.


If the Erase Junk Mail command is run, it may not erase the Attachments Folder, but it would still be strange that the Virus detection kicked in specifically during the Rebuild command.


As I mentioned, I don't like the idea of a file that has Malware residing on it being on my HD, irrespective of whether it is 'just' a Windows virus or not. My feeling is, who knows in future.


Yes, I use a separate Junk folder; spam usually goes there directly, what gets through I mark as Junk and everything ends up in the Junk folder.



Thomas A Reed wrote:


That's pure nonsense, unless the manager meant that they were meant to attack Windows machines running an insecure e-mail client like Outlook.

What the Apple Store manager said is fact, not pure nonsense; but as you say he could have been saying it was an insecure Windows file, but simply said it was a virus attack. My friend of 40 years was surprised when all the Genius Bar staff started to gather around and the manager came; as I said he left them to it, but thought it quite a strange reaction. What the technicians did to resolve matters my friend didn't ask; he was just pleased to get the situation sorted out.



Thomas A Reed wrote:


What normally happens when you erase junk mail is that it gets erased, attachments and all, as one would expect. It's not very complicated. Also, note that rebuilding the mailboxes doesn't do anything to remove files, it simply forces Mail to rebuild the message list.


This is what I assumed at first. But if this is what actually occurs, how come the virus detection kicks in only later when the Rebuild mailboxes command is executed, after the Erase Junk Mail command? It means that somehow the infected file remains after the Erase Junk Mail command is executed; then the infected file is activated in some way when the rebuild command is executed and the virus detection picks up this activity.


Well facts do seem to contradict themselves. I wanted to figure out how to eliminate the chance of any files remaining on my HD after the Erase Junk Mail command.

May 25, 2012 9:31 AM in response to Memoire

how come the virus detection kicks in only later when the Rebuild mailboxes command is executed, after the Erase Junk Mail command? It means that somehow the infected file remains after the Erase Junk Mail command is executed; then the infected file is activated in some way when the rebuild command is executed and the virus detection picks up this activity.


I don't think you've said yet what anti-virus software you're using, but that's exactly the behavior I would expect from Sophos, based on my testing. Sophos has what is called an "on-access" scanner, meaning that it checks files when there is an attempt to read or write them. It does not constantly scan files on your hard drive, which is quite resource-intensive and wasteful.


So, as soon as the malicious attachment gets written to a file by Mail, Sophos would detect it and would then prevent all access to that file. No process will be able to open it, move it, copy it, rename it or even delete it. That means Mail will be unable to delete that attachment when it empties the junk mailbox. The message will have been removed, but the attachment will remain hidden in the ~/Library/Mail folder. It will remain, but since it is no longer associated with any messages, you'll never know it's still there.


Later, when you rebuild that mailbox, Mail will look through all the files in that folder, and in so doing will "touch" the malicious file again, bringing Sophos' attention back to the file.


If you're not using Sophos, your AV software may be behaving in a similar manner.
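The explanation above (an on-access scanner blocking deletion, leaving an attachment on disk with no message pointing at it) can be checked rather than guessed at. The script below is an added example, not code from any poster; it assumes the Mail 4.x on-disk layout of `<Mailbox>.mbox/Messages/<N>.emlx` beside `<Mailbox>.mbox/Attachments/<N>/<part>/<file>` (an assumption, not stated in the thread), lists attachment files whose message number no longer has an `.emlx`, and reports whether each one can still be opened, since a scanner that has locked a file would make the open fail.

```python
#!/usr/bin/env python3
"""Added example: find attachment files that outlived their message.

Assumed layout (Mail 4.x on 10.6; an assumption, not verified in the thread):
  <Mailbox>.mbox/Messages/<N>.emlx              one file per message
  <Mailbox>.mbox/Attachments/<N>/<part>/<file>  decoded attachments of message N
"""
import os
import tempfile


def message_numbers(mbox_dir):
    """Return the set of message numbers that still have an .emlx file."""
    messages = os.path.join(mbox_dir, "Messages")
    if not os.path.isdir(messages):
        return set()
    return {name.rsplit(".", 1)[0] for name in os.listdir(messages)
            if name.endswith(".emlx")}


def orphaned_attachments(mbox_dir):
    """List (path, readable) for attachment files whose message is gone.

    readable is False when the file exists but cannot be opened, which is how
    an on-access scanner that has locked a flagged file would present itself.
    """
    live = message_numbers(mbox_dir)
    attachments = os.path.join(mbox_dir, "Attachments")
    found = []
    if not os.path.isdir(attachments):
        return found
    for msg_num in sorted(os.listdir(attachments)):
        if msg_num in live:
            continue  # still referenced by a message, so not orphaned
        for root, _dirs, files in os.walk(os.path.join(attachments, msg_num)):
            for fname in files:
                path = os.path.join(root, fname)
                try:
                    with open(path, "rb") as fh:
                        fh.read(1)
                    readable = True
                except OSError:
                    readable = False
                found.append((path, readable))
    return found


def build_sample_mailbox():
    """Constructed sample tree: message 1 is live; message 2 was purged but
    its attachment directory survived. Returns the .mbox path."""
    mbox = os.path.join(tempfile.mkdtemp(), "Junk.mbox")
    os.makedirs(os.path.join(mbox, "Messages"))
    with open(os.path.join(mbox, "Messages", "1.emlx"), "w") as fh:
        fh.write("1\n")  # placeholder body; emlx content is not inspected here
    for num in ("1", "2"):
        part_dir = os.path.join(mbox, "Attachments", num, "2")
        os.makedirs(part_dir)
        with open(os.path.join(part_dir, "invoice.zip"), "wb") as fh:
            fh.write(b"constructed sample bytes, not a real archive")
    return mbox


if __name__ == "__main__":
    for path, readable in orphaned_attachments(build_sample_mailbox()):
        print(("readable " if readable else "BLOCKED  ") + path)
```

Point it at a real mailbox by calling `orphaned_attachments` with the `.mbox` path; a BLOCKED entry is the signature of the scanner behaviour described above, and the fix is the one thomas_r. gives (let the scanner release or remove the file), not rebuilding the mailbox.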
