What is ft.exe doing in my downloads folder ?

I have noticed that something called 'ft.exe' is in my downloads folder with a Created and Modified date of today. The downloads icon in the dock bounced up and down a few times earlier, and though I thought it strange (as I was not downloading anything) I did not give it a second thought. But now that I have looked in the folder and seen the FT.EXE file, I am a bit suspicious (especially after googling the file and seeing it is referred to in the context of malware).



How can I check if anything malicious has been downloaded?


I have always been under the impression that Macs were bulletproof and there was no need for virus / malware checkers. Is this still the right view or have the hackers turned their attention to Macs?


thanks

Imac, Mac OS X (10.6.2)

Posted on Sep 17, 2012 7:27 AM


Sep 17, 2012 7:34 AM in response to notsomightymouse

You probably visited a web site that initiated an automatic download of some sort of malware. The good news is that it's an .exe file, which is a Windows program that cannot in any way run in OS X. Just delete it.


While you're at it, open your web browser and turn off Java in the preferences (leave JavaScript on). That will make it far, FAR more difficult for any kind of automatic file transfers to occur.

Sep 19, 2012 1:17 AM in response to Kurt Lang

Thanks for your reply Kurt.


I did not mention that the Downloads folder icon bounced around midday on Monday but the 'ft.exe' was timestamped as 10:16, which I don't understand. How can I check if there is any other malware or viruses on my iMac? I.e. did something 'arrive' midday as well as the earlier ft.exe, or did the ft.exe start downloading at 10:16, hence the timestamp?


Also can I just check that you mean turn off the 'Enable Java' option in Safari->Preferences->Security, and leave 'Enable JavaScript' enabled? I have made these changes (interestingly I can no longer log on to the Apple Communities from my Mac - I log on and it just returns the Welcome page. If I log on from my Windows laptop I can get in. Would this be anything to do with the 'Enable Java' deselection on my Mac?)


How secure are Macs these days - my Missing Manual book, which is a couple of years old, says they are bulletproof and there is no need to run virus checkers etc.


Thanks

Sep 19, 2012 4:47 AM in response to notsomightymouse

notsomightymouse wrote:

Also can I just check that you mean turn off the 'Enable Java' option in Safari->Preferences->Security, and leave 'Enable JavaScript' enabled?


Correct.



(interestingly I can no longer log on to the Apple Communities from my Mac - I log on and it just returns the Welcome page. If I log on from my Windows laptop I can get in. Would this be anything to do with the 'Enable Java' deselection on my Mac?)


No, the Apple sites don't use Java (they do use JavaScript).

Check that you haven't blocked cookies.



How secure are Macs these days - my Missing Manual book, which is a couple of years old, says they are bulletproof and there is no need to run virus checkers etc.


Have a look at this;

http://www.reedcorner.net/mmg/


There have been recently a number of attacks aimed at Macs and it's reasonable to assume that more will follow as the platform becomes more widespread.


I still wouldn't contemplate any of the intrusive AV software out there.

Sep 19, 2012 6:52 AM in response to notsomightymouse

something 'arrived' midday as well as the earlier ft.exe

More than likely, the download was prompted by the same method the Flashback Java exploit used, which is why I had you turn off Java in the browser's preferences.


What such sites do is attack by using Java to initiate a Java applet on your computer. That in turn downloads the payload they really want to get on your system; which would probably be the cause of two separate downloads.

How secure are Macs these days - my Missing Manual book, which is a couple of years old, says they are bulletproof and there is no need to run virus checkers etc.

noondaywitch pretty much already nailed it. I have never yet seen the need to install AV software on my Macs. All current Mac exploits are in one of three categories.


The older and more common type are Trojans (though there aren't even many of these). The perps try to get you to install malware on your system by making it sound like something you would want, or need. Until you initiate the installation, they can't do a thing.


The newer ones are jumping on the Flashback bandwagon and trying the Java end-around. Since Java is already running (if you have it on), they don't need to talk you into running an app, the browser will just do it.


The last and actually most prevalent is torrent downloads. That "free" copy of Photoshop you installed? There's no telling what else ended up on your system. The crooks pack these torrents with extra packages of stuff you definitely don't want on your system. Keyloggers, backdoors, etc. When you give any installer your admin password to install the software, it doesn't need to ask you again for the pieces you weren't expecting. The simple solution there of course is to never, ever download software from file sharing sites.

Sep 19, 2012 10:05 AM in response to notsomightymouse

There are many forms of ‘Malware’ that can affect a computer system, of which ‘a virus’ is but one type, ‘trojans’ another. Using the strict definition of a computer virus, no viruses that can attack OS X have so far been detected 'in the wild', i.e. in anything other than laboratory conditions. The same is not true of other forms of malware, such as Trojans.




You may find this User Tip on Viruses, Trojan Detection and Removal, as well as general Internet Security and Privacy, useful:


https://discussions.apple.com/docs/DOC-2435


The User Tip (which you are welcome to print out and retain for future reference) seeks to offer guidance on the main security threats and how to avoid them.


More useful information can also be found here:


http://www.reedcorner.net/mmg/

Sep 19, 2012 11:23 AM in response to Kurt Lang

something 'arrived' midday as well as the earlier ft.exe

More than likely, the download was prompted by the same method the Flashback Java exploit used, which is why I had you turn off Java in the browser's preferences.


Actually, Flashback and other exploits that take advantage of Java vulnerabilities don't need to download anything to the Downloads folder, and they typically don't. So that would not have been my top guess, though of course turning off Java is a very good thing to do regardless.


More likely, this was just something automatically downloaded by some malicious JavaScript embedded in a site. Perhaps it uses a Windows or Internet Explorer vulnerability to get installed, or perhaps it just hopes the user will find it in Downloads and run it. In any case, though, the OP's Mac is perfectly safe, as has been said already.

Sep 19, 2012 11:53 AM in response to Kurt Lang

Generally, there are two ways this sort of thing works. One is that there is a Java vulnerability that allows the Java applet to write files wherever it likes, and it will put a file in the user's LaunchAgents folder that will keep some other executable (that it writes elsewhere) running. (Flashback's installer, for some variants, would also ask for an admin password and, if provided, write files into apps like Safari. This was not necessary, though, and if the password was not given, it would fall back on the LaunchAgents behavior.)


The other way it works is that the Java applet uses social engineering to trick you into approving its access to your computer. Once that access has been granted by the user, the same trick applies (writing files and adding a LaunchAgent).


So nothing ever needs to be put in the Downloads folder, and in fact, that would be something they'd want to avoid doing so as not to tip off the user.

Sep 19, 2012 1:35 PM in response to thomas_r.

Just to add, since the Flashback, besides disabling Java.app (it was always disabled in the browser) I have ~/Library/LaunchAgents locked from sudo chflags uchg and have done a sudo chown root on that folder, making root the owner. This absolutely prevents any malware getting written there, where simply locking it from the Finder wouldn't -- just in case they find some other way of getting into that folder besides through a Java applet.


These things keep coming via Java. There was the OSX/Crisis and then the vulnerability in Java 7.


Note: the OSX/Crisis was using (or creating it if it wasn't there) ~/Library/ScriptingAdditions. I have that locked up tight too (had to make it first, since I didn't have it.)


Message was edited by: WZZZ
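
As an added example (not part of the thread and not any poster's code), here is one way to review the per-user LaunchAgents folder that thomas_r. describes and to see whether it carries the `uchg` lock and ownership WZZZ mentions. The "suspect" rules, the sample labels and the sample paths are assumptions constructed for illustration; run it with the folder path as an argument to inspect a real folder.

```python
import os, plistlib, stat, sys, tempfile
from pathlib import Path

# Heuristic assumption (not from the thread): agents rarely run from here.
SUSPECT_DIRS = ("/tmp/", "/private/tmp/", "/Users/Shared/")

def folder_lock_state(folder):
    """Owner uid, the BSD 'uchg' flag set by `chflags uchg`, and writability."""
    st = os.stat(folder)
    flags = getattr(st, "st_flags", 0)  # attribute exists only on macOS/BSD
    return {"owner_uid": st.st_uid, "uchg": bool(flags & stat.UF_IMMUTABLE),
            "writable_by_me": os.access(folder, os.W_OK)}

def audit_launch_agents(folder):
    """One finding per plist: the program it launches and why it looks odd."""
    findings = []
    for path in sorted(Path(folder).glob("*.plist")):
        try:
            with open(path, "rb") as fh:
                job = plistlib.load(fh)
            args = job.get("ProgramArguments") or []
        except Exception:  # corrupt file, or a root object that is not a dict
            findings.append({"file": path.name, "program": None, "reasons": ["unparseable plist"]})
            continue
        program = str(job.get("Program") or (args[0] if args else ""))
        reasons = []
        if any(part.startswith(".") for part in Path(program).parts):
            reasons.append("hidden path component")
        if program.startswith(SUSPECT_DIRS):
            reasons.append("runs from shared/temp directory")
        if reasons and (job.get("RunAtLoad") or job.get("KeepAlive")):
            reasons.append("starts automatically")
        findings.append({"file": path.name, "program": program, "reasons": reasons})
    return findings

def build_sample(folder):
    """Constructed test data: an ordinary agent, an odd agent, a corrupt file."""
    jobs = {"com.example.helper": {"ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper"]},
            "com.example.update": {"Program": "/Users/Shared/.upd/agent", "RunAtLoad": True}}
    for label, job in jobs.items():
        with open(Path(folder) / f"{label}.plist", "wb") as fh:
            plistlib.dump({"Label": label, **job}, fh)
    (Path(folder) / "broken.plist").write_bytes(b"not a plist")
    return folder

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    print(folder_lock_state(target))
    for finding in audit_launch_agents(target):
        print(finding)
```

An empty `reasons` list only means none of these simple rules matched; the listed program path is still worth checking against software you recognise.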
