
New Trojan Horses

Last night, I made the mistake of downloading an app called "Wine" and "Winebottler". These are apps that allow Windows programs to be played on Macintosh without installing Windows. I ended up with 13 new OS X Trojan Horses on my Macintosh. These apps kept on installing add-ons to the iTunes Store. I knew I was in trouble immediately, I guess, by instinct. I had also installed Wineskin for the same purpose, but I don't think that was the problem as I found no Trojan Horses associated with this app. I had my security set to download from the App Store and trusted developers only. I am now going to upgrade my security to download from the App Store only, but I don't know for sure if that will help.


Luckily, I had Kaspersky on my Mac, and it kept on finding Trojan Horses on a full scan. I had FileVault on and iCloud on. I am wondering now if my iCloud account is infected. I am currently erasing my whole hard drive and reinstalling. I will not turn on iCloud until I get some advice. For those that are unaware, I know we are in a cyberwar. I don't know where these apps originated, but I wanted the community to know this. I've used Macintosh since the first day it was available in 1984. I've never had troubles with viruses and Trojan Horses like this, except for two that were found by Kaspersky a couple of months ago and were easily found, isolated and disinfected. Not these. Most were easily disinfected: all but two. I had to restart the computer and Kaspersky got rid of them. Kaspersky is a great program, but I wasn't sure if it got rid of everything, which led me to erase and reinstall.


Please inform me about how secure iCloud is against attached viruses, or whether I should delete my account.

Mac Pro, Mac OS 9.2.x, Mac Pro 4.1

Posted on Feb 5, 2014 10:12 AM

24 replies

Feb 5, 2014 10:23 AM in response to straycat23

Thanks for the heads up. I think hackers are starting to realize how important Apple IDs are in getting unauthorized in-app and iTunes purchases.


Can you give any more details on the iTunes add-ons that they installed? I love third-party add-ons to Apple products, but I wasn't aware iTunes had add-ons beyond visualizations. Good to know what to watch out for.


Why don't you use Boot Camp instead of Wine and Winebottler to play Windows games? It might be safer keeping Windows apps off your Mac OS if they are targeting Mac users with trojans.

Feb 5, 2014 10:43 AM in response to straycat23

I think you were misunderstanding what was happening. I sincerely doubt those were trojans.


Here is your requested advice. Antivirus does more harm than good on a Mac. Don't reinstall it. Turn on iCloud. If you want to play games, there are many available in the Mac App Store and many thousands more for iOS devices in the App Store. You don't need to run Windows.

Feb 5, 2014 2:15 PM in response to straycat23

I think you are putting way too much trust in antivirus. I trust the developers of Wine and Winebottler more than any antivirus.


The real question is where you downloaded Wine and Winebottler from. Did you download them directly from the developers or from some other site? Technically, they are open source software. Ergo, anyone has the legal right to repackage them with any kind of trojan, keylogger, adware, etc. and it is all 100% legal. Then, when you install with your admin password, you install all of that.


If that is what is going on, then relying on antivirus is a very poor strategy. It would be much better to 1) download from reputable sources and 2) don't hand over your admin password. Don't forget 3) you have a Mac, run Mac software. Download it from the Mac App Store and you'll have no trojans or need of protection.

Feb 5, 2014 3:34 PM in response to etresoft

etresoft wrote:


I think you are putting way too much trust in antivirus. I trust the developers of Wine and Winebottler more than any antivirus.


The real question is where you downloaded Wine and Winebottler from. Did you download them directly from the developers or from some other site? Technically, they are open source software. Ergo, anyone has the legal right to repackage them with any kind of trojan, keylogger, adware, etc. and it is all 100% legal. Then, when you install with your admin password, you install all of that.


If that is what is going on, then relying on antivirus is a very poor strategy. It would be much better to 1) download from reputable sources and 2) don't hand over your admin password. Don't forget 3) you have a Mac, run Mac software. Download it from the Mac App Store and you'll have no trojans or need of protection.

I downloaded from WineHQ.org. So were these real Trojans or not? Unfortunately, I can't copy the deleted file from backup storage on Kaspersky to show you.


I actually ran across 2 programs to run Windows programs on Mac. One was Wineskin, which apparently had no trojans attached, but was difficult for me to understand how to use, and Wine, which did apparently have trojans attached. I'm guessing WineHQ is the developer. As soon as I downloaded it and the Winebottler, I knew I had problems.


I took your earlier advice: left OS X 10.9.1 in place and turned iCloud back on. I hope I made the right decision. I did not delete Kaspersky because OS X did not delete the Trojan or prevent it from being downloaded. Kaspersky did. As far as I can tell WineHQ must be a trusted developer, because that is how my computer is set, as I previously stated. I did not download these programs to play games. That's for Millennials. I downloaded these because Windows is a disaster, and I didn't want to load Windows on my computer. There are Windows programs for which there is no equivalent on the Mac.


I also deleted Adobe Flash Player as was advised in another thread. Now I can't see instructions in YouTube. Does the App Store have a recommended Flash player to see YouTube?

Feb 5, 2014 3:38 PM in response to etresoft

"Don't forget 3) you have a Mac, run Mac software. Download it from the Mac App Store and you'll have no trojans or need of protection."


That's good advice, but what a pity that such a lot of highly reputable apps such as Roxio Toast, Handbrake, Burn or Elgato EyeTV are not available from the App Store. That forces people to look elsewhere for the apps they need, and I guess that sometimes they find them (or what purports to be them) on dangerous sites. Even if the App Store didn't actually stock the apps, it would be helpful if something like approved developers could be listed.

Feb 5, 2014 3:41 PM in response to straycat23

I downloaded from WineHQ.org. So were these real Trojans or not?


Since that's the official source for the open source Wine Windows emulator, it's most likely Kaspersky was reporting false positives.


I also deleted Adobe Flash Player as was advised in another thread.


That would serve no purpose other than removing the ability to run Flash videos within your web browser, as you discovered with YouTube. The only place you should ever install the Flash Player from is Adobe:


http://get.adobe.com/flashplayer/


Ignore any pop up from any other site that says you need to update the Flash player to view something. You would be downloading some other type of Trojan that has nothing to do with Flash.

Feb 5, 2014 3:58 PM in response to Kurt Lang

Kurt Lang wrote:


I downloaded from WineHQ.org. So were these real Trojans or not?


Since that's the official source for the open source Wine Windows emulator, it's most likely Kaspersky was reporting false positives.


I also deleted Adobe Flash Player as was advised in another thread.


That would serve no purpose other than removing the ability to run Flash videos within your web browser, as you discovered with YouTube. The only place you should ever install the Flash Player from is Adobe:


http://get.adobe.com/flashplayer/


Ignore any pop up from any other site that says you need to update the Flash player to view something. You would be downloading some other type of Trojan that has nothing to do with Flash.

Does Kaspersky do that? Why does the App Store allow the app to be sold? Is this the problem virus protection causes? False positives? Dang!


I guess I'll reinstall Adobe Flash Player from the Adobe website. Thanks for the reply.

Feb 5, 2014 5:40 PM in response to straycat23

straycat23 wrote:


I downloaded from WineHQ.org.


I doubt that because WineHQ doesn't have any Mac versions of Wine available. They distribute Linux binaries and source. If you downloaded a Mac version, it must have come from somewhere else.


As soon as I downloaded it and the Winebottler, I knew I had problems.

Why?


I took your earlier advice: left OS X 10.9.1 in place and turned iCloud back on. I hope I made the right decision. I did not delete Kaspersky because OS X did not delete the Trojan or prevent it from being downloaded. Kaspersky did.

But you are in a catch-22 situation here. These forums are full of people reporting problems with computers and antivirus is a very common cause. By comparison, there are far fewer people reporting problems with trojans. Are these programs really trojans? And even if they are, would they cause as much trouble and be as difficult to remove as antivirus? I doubt it 🙂


As far as I can tell WineHQ must be a trusted developer, because that is how my computer is set as I previously stated.

I would definitely consider WineHQ to be trustworthy (more so than antivirus vendors) but they definitely do not have an Apple Developer ID that would enable them to distribute software past Gatekeeper. Someone malicious may have repackaged Wine, added trojans, and signed it with a Developer ID. The only way to address that problem is to identify where you got the software so that the illicit Developer ID can be revoked.


I did not download these programs to play games. That's for Millennials. I downloaded these because Windows is a disaster, and I didn't want to load Windows on my computer. There are Windows programs for which there is no equivalent on the Mac.


It doesn't matter why you downloaded them. If they are Windows programs, you are going to have to run Windows. Wine is a cool project, but very little software actually works on it.


I also deleted Adobe Flash Player as was advised in another thread. Now I can't see instructions in YouTube. Does the App Store have a recommended flash player to see You Tube?


Download Adobe Flash directly from Adobe and install it. Then download the Click2Flash Safari extension: http://hoyois.github.io/safariextensions/clicktoplugin/ so you can avoid Flash, if possible. If you ever get any Flash popup asking for an update, always close it - always. Then go to the Adobe Flash site yourself and see if there is an update and download it.

Feb 5, 2014 5:43 PM in response to bratman91

bratman91 wrote:


That's good advice but what a pity that such a lot of highly reputable apps such as Roxio Toast, Handbrake, Burn or Elgato EyeTV are not available from the App Store. That forces people to look elsewhere for the apps they need and i guess that sometimes they find them (or what purports to be them) in dangerous sites. Even if the App Store didn't actually stock the apps, it would be helpful if something like approved developers could be listed.

Not all applications are suitable for the Mac App Store. Apple actually does have a program for approved developers that are not in the Mac App Store. It is called the Developer ID program and the default Gatekeeper setting is to allow apps signed with a Developer ID. I am quite sure that the original poster has not encountered any Developer ID-signed apps.
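The two replies above make the same practical point: the default Gatekeeper setting admits anything signed with an Apple Developer ID, so the useful question about a suspect Wine download is who signed it, since that is the identity Apple can revoke. The following is an added example, not from the thread and not from the Wine or WineBottler projects: a POSIX shell script that reads what `codesign -dvvv <app>` and `spctl --assess --type execute -vv <app>` print for an app bundle and reports the signing class, the team identifier and the Gatekeeper verdict. The tool output embedded in it is constructed for illustration; "Example Developer", `org.example.app` and team ID `ABCDE12345` are placeholders, not a real identity. Only the parsing runs here; on a Mac you pipe the real tool output in as the comments show.

```shell
#!/bin/sh
# Added example (not from the thread or the Wine project): classify how a
# macOS app bundle is signed and what Gatekeeper says about it.
# Real use on a Mac:
#   codesign -dvvv /Applications/Wine.app 2>&1 | classify_signature
#   codesign -dvvv /Applications/Wine.app 2>&1 | signing_team
#   spctl --assess --type execute -vv /Applications/Wine.app 2>&1 | gatekeeper_verdict

# Print one of: unsigned, adhoc, mac-app-store, developer-id, other.
# codesign lists the certificate chain as Authority= lines, leaf first,
# root last; a real Apple identity chains to "Apple Root CA".
classify_signature() {
    input=$(cat)
    case "$input" in
        *"code object is not signed"*) echo unsigned; return 0 ;;
        *"Signature=adhoc"*)           echo adhoc;    return 0 ;;
    esac
    leaf=$(printf '%s\n' "$input" | sed -n 's/^Authority=//p' | head -n 1)
    root=$(printf '%s\n' "$input" | sed -n 's/^Authority=//p' | tail -n 1)
    if [ "$root" != "Apple Root CA" ]; then
        echo other; return 0
    fi
    case "$leaf" in
        "Apple Mac OS Application Signing") echo mac-app-store ;;
        "Developer ID Application: "*)      echo developer-id ;;
        *)                                  echo other ;;
    esac
}

# Print the TeamIdentifier= value: the 10-character team ID Apple would
# revoke if the Developer ID were being used to distribute malware.
signing_team() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Print "<verdict> <source>", e.g. "accepted Developer ID" or
# "rejected no usable signature", from `spctl --assess -vv` output.
gatekeeper_verdict() {
    input=$(cat)
    verdict=$(printf '%s\n' "$input" | sed -n '1s/^.*: //p')
    source=$(printf '%s\n' "$input" | sed -n 's/^source=//p' | head -n 1)
    printf '%s %s\n' "$verdict" "$source"
}

# ---- Constructed sample tool output (placeholders, not real identities) ----
SAMPLE_DEVID='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=org.example.app
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+3 location=embedded
Signature size=8915
Authority=Developer ID Application: Example Developer (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Feb 5, 2014 at 10:12:00 AM
Info.plist entries=20
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=13 files=50
Internal requirements count=1 size=180'

SAMPLE_ADHOC='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=org.example.app
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=273 flags=0x2(adhoc) hashes=3+3 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements=none'

SAMPLE_UNSIGNED='/Applications/Example.app: code object is not signed at all'

# A chain that does not end at Apple: Gatekeeper will not accept it.
SAMPLE_SELFSIGNED='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=org.example.app
Authority=Developer ID Application: Example Developer (ABCDE12345)
Authority=Some Private CA
TeamIdentifier=ABCDE12345'

SAMPLE_SPCTL_OK='/Applications/Example.app: accepted
source=Developer ID
origin=Developer ID Application: Example Developer (ABCDE12345)'

SAMPLE_SPCTL_BAD='/Applications/Example.app: rejected
source=no usable signature'

# Stand-alone demo over the constructed samples.
printf 'Developer ID sample : %s (team %s)\n' \
    "$(printf '%s\n' "$SAMPLE_DEVID" | classify_signature)" \
    "$(printf '%s\n' "$SAMPLE_DEVID" | signing_team)"
printf 'Ad-hoc sample       : %s\n' "$(printf '%s\n' "$SAMPLE_ADHOC" | classify_signature)"
printf 'Unsigned sample     : %s\n' "$(printf '%s\n' "$SAMPLE_UNSIGNED" | classify_signature)"
printf 'Gatekeeper (good)   : %s\n' "$(printf '%s\n' "$SAMPLE_SPCTL_OK" | gatekeeper_verdict)"
printf 'Gatekeeper (bad)    : %s\n' "$(printf '%s\n' "$SAMPLE_SPCTL_BAD" | gatekeeper_verdict)"
```

A "developer-id" result with an "accepted" verdict only tells you who Apple issued the certificate to, not that the bundle is safe; what it does give you is the team identifier, which is the fact a report to Apple needs if a repackaged Wine really were being signed with someone's Developer ID. Run the two commands on the downloaded bundle before entering an admin password for its installer.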

Feb 5, 2014 6:22 PM in response to etresoft

etresoft wrote:


straycat23 wrote:


I downloaded from WineHQ.org.


I doubt that because WineHQ doesn't have any Mac versions of Wine available. They distribute Linux binaries and source. If you downloaded a Mac version, it must have come from somewhere else.


As soon as I downloaded it and the Winebottler, I knew I had problems.

Why?


I took your earlier advice: left OS X 10.9.1 in place and turned iCloud back on. I hope I made the right decision. I did not delete Kaspersky because OS X did not delete the Trojan or prevent it from being downloaded. Kaspersky did.

But you are in a catch-22 situation here. These forums are full of people reporting problems with computers and antivirus is a very common cause. By comparison, there are far fewer people reporting problems with trojans. Are these programs really trojans? And even if they are, would they cause as much trouble and be as difficult to remove as antivirus? I doubt it 🙂


As far as I can tell WineHQ must be a trusted developer, because that is how my computer is set, as I previously stated.

I would definitely consider WineHQ to be trustworthy (more so than antivirus vendors) but they definitely do not have an Apple Developer ID that would enable them to distribute software past Gatekeeper. Someone malicious may have repackaged Wine, added trojans, and signed it with a Developer ID. The only way to address that problem is to identify where you got the software so that the illicit Developer ID can be revoked.


I did not download these programs to play games. That's for Millennials. I downloaded these because Windows is a disaster, and I didn't want to load Windows on my computer. There are Windows programs for which there is no equivalent on the Mac.


It doesn't matter why you downloaded them. If they are Windows programs, you are going to have to run Windows. Wine is a cool project, but very little software actually works on it.


I also deleted Adobe Flash Player as was advised in another thread. Now I can't see instructions in YouTube. Does the App Store have a recommended Flash player to see YouTube?


Download Adobe Flash directly from Adobe and install it. Then download the Click2Flash Safari extension: http://hoyois.github.io/safariextensions/clicktoplugin/ so you can avoid Flash, if possible. If you ever get any Flash popup asking for an update, always close it - always. Then go to the Adobe Flash site yourself and see if there is an update and download it.

I downloaded the program from WineHQ. It's in my history. I went back and looked today. I don't think Linux has an iTunes version. I downloaded a program I didn't request that attached itself to iTunes. This is how I knew I had problems.


I appreciate all the advice: dismissive or not. It did give me confidence there's nothing wrong with my computer. I just don't have faith in Mac like I used to. I'm guessing that the trojans were not real, but I'm glad I had a device to delete the false positives, if for no other reason than it made me feel better. Any website can be attacked by hackers. Maybe that's what happened to WineHQ.

Apr 22, 2014 3:38 AM in response to straycat23

Hi Everyone.

Just a heads up. We had a very strange occurrence last night that has got me in a lot of trouble with my better half.

Apparently I was watching a ***** vid or looking at pictures contained in my iCloud account.

We were in two separate locations - I was on my iMac minding my own business and my partner was elsewhere using her iPad which is linked (like most of my devices) to my iCloud account.


I have had a very heated and confusing discussion with her this morning when she accused me of the alleged offence - she made the assumption that I was viewing these images and doing what comes naturally as a result of such images. Pretty upsetting for both of us I am sure you will agree.


I have no idea how she could view these images some distance away from me while I see nothing. I have scoured my Photo Stream on all but her device (she won't talk to me at the moment) and I cannot find any such images or video content.

No offence to anyone that fits this description, but M*stura*ting Hairy Brunettes are not my sort of thing, and I would like to know how this could have happened.


One clue is that in the past I have downloaded MacKeeper and I am forever plagued by this window popping up and trying to persuade me to upgrade. Not only that, I cannot be sure that all of my Flash Player updates have come from a trusted source.


I have posted this message on another thread to get coverage, and I would be grateful if anyone can shed any light on this.

Many thanks Rob

Apr 22, 2014 4:38 AM in response to robxl43

You can uninstall MacKeeper to get rid of the pop-ups.


Ordinarily I would suggest that everyone have their own iTunes/Apple ID account. Otherwise, there are all kinds of problems with purchases made in one vs. the other. You can share iTunes information on a single machine, but it is a bit cumbersome. It is even more of a pain on iOS. Paid content like songs and apps are the biggest problem. But as you have discovered, free content like open Safari tabs in iCloud can also be problematic.


However, now that you have been discovered, making a case for separate iTunes/AppleID/iCloud accounts is going to be a very tough sell.

Apr 22, 2014 5:20 AM in response to robxl43

... I have scoured my Photo Stream on all but her device (she won't talk to me at the moment) and I cannot find any such images or video content.


Your Safari browsing history is available to all devices that use your iCloud ID. That might explain it. Offhand I do not recall how far back it goes.


You can always select "Private" in iOS (or "Private Browsing" in OS X) which will prevent other devices from populating open tabs and history.


MacKeeper is junk capable of wreaking great swaths of misery, but marital discord is a new one 😉 I doubt it is related to the phenomenon you describe.


I have posted this message on another thread to get coverage, and I would be grateful if anyone can shed any light on this.


You will elicit more responses if you post your own Discussion. Post a link to this one if you wish. To do that copy and paste the following


New Trojan Horses


... though your question has absolutely nothing to do with Trojans. It's another good reason to post your own Discussion. To do that click start a discussion.

Enjoy!


(just think clean thoughts)


😝
