MacDefender malware
#15621 05/18/11 05:37 PM
Joined: Aug 2009
I've taken some screen shots and also extracted the audio alert from it so you can identify it or work with someone over the phone to identify it.

http://vftp.net/mac_disasters/malware/macdefender/

It's also been seen named MacProtector and MacSecurity.

After the windows are closed they will pop up again shortly, and if you don't buy it within some time it will start automatically opening gay porn sites in your default web browser. It also appears to clear web history during installation, making it tricky to figure out where the user downloaded it from. Initially there's a green shield icon up in the menubar by the clock, but it turns red when it "finds its first virus", and remains in the menubar even when the windows are closed, so that's the easiest thing to look for.


I work for the Department of Redundancy Department
Re: MacDefender malware
Virtual1 #15631 05/19/11 04:49 PM
Joined: Aug 2009
Likes: 7


Jon

macOS 11.7.10, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365
Re: MacDefender malware
Virtual1 #15658 05/20/11 01:36 PM
Joined: Aug 2009
Likes: 14
Originally Posted By: Virtual1
After the windows are closed they will pop up again shortly, and if you don't buy it within some time...

Thanks for this post.

Just so I'm clear... when you say "after the windows are closed", do you mean using the top left Red button from the row of three? If so, what's a better procedure to avoid the redirection? Computer re-start?

ryck


ryck

"What Were Once Vices Are Now Habits" The Doobie Brothers

iMac (Retina 5K, 27", 2020), 3.8 GHz 8 Core Intel Core i7, 8GB RAM, 2667 MHz DDR4
OS Ventura 13.6.3
Canon Pixma TR 8520 Printer
Epson Perfection V500 Photo Scanner c/w VueScan software
TM on 1TB LaCie USB-C
Re: MacDefender malware
ryck #15661 05/20/11 02:29 PM
Joined: Aug 2009
It's not a redirect. It does a URL open via the OS, causing the default web browser to spontaneously open a web page (random gay porn sites appear to be what the malware prefers to show you). If the web browser is not open, it will be launched.

I'm surprised this hasn't been included in the "this application will damage your computer" dialog from the OS X installer.


Re: MacDefender malware
Virtual1 #15703 05/24/11 07:06 PM
Joined: Aug 2009
Likes: 1
The Russians who do the Windows version of this malware tend to package the installers in ways that make them difficult for Windows antivirus software to detect them; for example, the install files may be randomly encrypted with a different key each time they are downloaded, or may be padded with random information. That means the file's signature is different every time it's downloaded, so Windows antivirus programs can't recognize the file by its signature.

I have not looked at the Mac version of the malware, but it is possible that it uses similar techniques to evade the Mac 'This application may damage your computer' warning.


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
Re: MacDefender malware
tacit #15707 05/24/11 09:27 PM
Joined: Aug 2009
It's very basic, though I would expect it to evolve. It may be a case where Apple is considering its options before starting the inevitable update war with them.


Re: MacDefender malware
Virtual1 #15711 05/24/11 11:11 PM
Joined: Aug 2009
Likes: 1
Moderator


alternaut moderator
Re: MacDefender malware
alternaut #15712 05/25/11 02:50 AM
Joined: May 2011
I am a newbie, just registered a few minutes ago. Looking for info on MacDefender malware. Just removed it from my wife's MacBook. She never installed it, just couldn't delete it from the Applications folder. Real irritating with the porn pop-ups. Thanks again for the link.
Thanks, hftech

Re: MacDefender malware
hftech #15713 05/25/11 05:18 AM
Joined: Aug 2009
Likes: 15
Hi, and welcome to FineTunedMac. smile

I'm happy to hear that you found what you were looking for so quickly.

Stick around, learn some stuff, maybe have some fun, and please point your friends in need in our direction.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: MacDefender malware
artie505 #15717 05/25/11 07:57 PM
Joined: Aug 2009
Likes: 7


Re: MacDefender malware
jchuzi #15718 05/25/11 09:49 PM
Joined: Aug 2009
Likes: 3
Moderator

I don't understand this story. AFAICR, any software package I've installed using OS X's Installer.app has required me to authenticate with an administrator password even when I am logged into an administrator account.

Has this changed under OS X 10.6, or have I somehow enabled a higher level of security at some past juncture...or am I just plain misremembering?



dkmarsh—member, FineTunedMac Co-op Board of Directors
Re: MacDefender malware
dkmarsh #15719 05/25/11 11:14 PM
Joined: Aug 2009
Likes: 16
Moderator
Dk, my experience is exactly the same as yours for any and all apps that use the OS X installer, and that includes OS X 10.6.7. However, there is no password required to install drag and drop apps, so I suppose that if one were determined enough it would be possible to craft a downloader that could perform the equivalent of a drag and drop install.

I don't know about you but I am turning off the "Open 'Safe' files after downloading" option in Safari — at least until Apple releases the promised security patch.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: MacDefender malware
joemikeb #15720 05/25/11 11:40 PM
Joined: Aug 2009
Likes: 1
Moderator
Originally Posted By: joemikeb
I don't know about you but I am turning off the "Open 'Safe' files after downloading" option in Safari — at least until Apple releases the promised security patch.

Isn't that the prudent thing to do by default? It's the first Safari setting I disabled years ago and I'm not about to change that, regardless of any Apple patches. shocked


Re: MacDefender malware
joemikeb #15721 05/26/11 12:30 AM
Joined: Aug 2009
Likes: 3
Moderator

From the INTEGO SECURITY MEMO:

Originally Posted By: blog.intego.com
If Safari’s “Open ‘safe’ files after downloading” option is checked, the package will open Apple’s Installer, and the user will see a standard installation screen. If not, users may see the downloaded ZIP archive and double-click it out of curiosity, not remembering what they downloaded, then double-click the installation package. In either case, the Mac OS X Installer will launch.

Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. Since any user with an administrator’s account...can install software in the Applications folder, a password is not needed.

We can't all be right. crazy



Re: MacDefender malware
dkmarsh #15725 05/26/11 08:47 PM
Joined: Aug 2009
Originally Posted By: dkmarsh

I don't understand this story. AFAICR, any software package I've installed using OS X's Installer.app has required me to authenticate with an adminstrator pasword even when I am logged into an adminstrator account.


Not all of them. The ones that come from Apple do, but it's just a checkbox in PackageMaker. See figure 2-3 in the PackageMaker User Guide.

But an intruder doesn't need to use Apple's System Installer. They can install files directly, anywhere they have write access. That's why I've always advised doing your normal web browsing from a non-admin account. That doesn't make you completely safe (since they still have write access to almost your entire home folder), but it does limit the scope of what they can do.

And I've also advised that merely creating a new admin account and demoting your old account to Standard (i.e., non-admin) isn't usually enough. Many applications that you installed while you were still admin are owned by you, and you retain write permission to them, so malware running as you can still infect them with viruses.

Thus you need to at least revoke your ownership of everything inside /Applications (and probably /Library also). Do it from Terminal; Finder should not be trusted to handle permissions. Finder should not even be trusted to tell you what permissions you have. (Finder doesn't even mention the execute bits, ignores most ACLs, and only paraphrases the ones it does tell you about. It also will not normally tell you anything at all about the files inside application packages, nor let you adjust their permissions.)

For example, suppose you have a user named "you". "you" used to be an admin, but no longer. When "you" were an admin, you installed the SurfWriter application by drag-copying it from a disk image into /Applications. Here's what that application looks like.

Code:
drwxrwxr-x+  root  admin  /Applications
drwxr-xr-x-  you   admin      Surfwriter.app
drwxr-xr-x-  you   admin          Contents
-rwxr--r---  you   admin              Info.plist
drwxr-xr-x-  you   admin              MacOS
-rwxr-xr-x-  you   admin                  SurfWriter
drwxr-xr-x-  you   admin              Resources
-rwxr-?r-?-  you   admin                  ... lots of other stuff ...

/Applications/SurfWriter.app/Contents/MacOS/Surfwriter is the actual executable. The system knows it's the actual executable because the Info.plist says so. The execute bits inside the Resources subdirectory will be set or cleared at the whim of the vendor. (If the vendor set permissions using Finder, there'll be way too many execute bits. Even Apple software comes with execute bits set on non-executable files.)

Suppose you downgrade "you" to a Standard account, and even use Finder to make it read-only, and changed the owner to "boss" (your new admin account). Finder will change the permissions to
Code:
drwxrwxr-x+  root  admin  /Applications
dr-xr-xr-x-  boss  admin      Surfwriter.app
drwxr-xr-x-  you   admin          Contents
-rwxr--r---  you   admin              Info.plist
drwxr-xr-x-  you   admin              MacOS
-rwxr-xr-x-  you   admin                  SurfWriter
drwxr-xr-x-  you   admin              Resources
-rwxr-?r-?-  you   admin                  ... lots of other stuff ...


In other words, Finder changes the permissions only on the package folder /Applications/SurfWriter.app itself, not its contents. (And it's been many releases since Finder would even let you change the owner.)

Since you still have write permission on /Applications/SurfWriter.app/Contents/MacOS, any malware running as you is free to do any of the following:
  • Overwrite the SurfWriter executable, to replace it with a virus or to add a virus to it.
  • Install a virus as a separate file inside MacOS, and modify Info.plist (assuming you still have write access) to mark that as the main executable. The virus can do its deed, and then fork/exec the real executable so the user is blithely unaware that anything has changed.
  • If it can't modify Info.plist, it can still rename the SurfWriter executable to "SurfWriter " (appending a space), and install the virus under the old SurfWriter name. The virus operates as before, except that after the fork/exec it'll show up in Activity Monitor under the new name. It would take a very astute observer to notice the extra space.
The virus installer just scans your /Applications folder, looking for any application where it has write permission to the MacOS subfolder. (It always has read/execute access, or the application would be un-launchable.)

The installed virus can wait until the day some admin launches SurfWriter, at which time it can spread to any application whose MacOS folder is admin-writeable (i.e., a whole lot of apps). The safest applications are the ones that are writeable only by root. Apple installs most but not all of their apps this way. (FaceTime and iTunes, to name just two, are admin-writeable. Fortunately, they're code-signed.) Writeable by only root and/or admin is the bare minimum you should insist on for all applications.

But even running as non-admin doesn't make you completely safe. The virus installer could copy applications whole from /Applications into a hidden folder in your home folder (or in /Users/Shared). The copy would be writeable, and all the same tricks would apply. The remaining step is to modify the user-specific copy of the Launch Services database to make the copied app the designated opener of assorted document types. It does make you safer, though. Only that user is infected, and there's no mechanism for spreading the infection to other user accounts. The virus could occasionally phone home checking for updates, so it could rapidly exploit new weaknesses as they're discovered.

The attacker's main hurdle is getting that first piece of chosen code to run on your machine. To do that, he has to either exploit a security hole in your browser or one of its plugins (I'm looking at you, Adobe), or download a malicious file to your computer and trick you into opening it.

Only the clumsiest attacker has ever needed a password.

The weak link in security is, and always has been, the user. As long as humans operate computers, no amount of software can make the computers unhackable.

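An audit script in the spirit of ganbustein's advice, added here as an example (it is not code from the thread or from Apple): it walks an applications directory and reports every bundle whose Contents/MacOS folder or Info.plist is owned by a non-root user, is group- or world-writable, or is writable by the account running the check, which is exactly what Finder's "lock the .app folder" leaves untouched. The function names, the directory argument and the reason labels are my own; it reads the mode bits that ls prints and does not parse ACLs.

```shell
#!/bin/sh
# Audit helper added for this thread (not ganbustein's or Apple's code).
# Reports app bundles whose Contents/MacOS folder or Info.plist could be
# modified by something other than root. Only the classic mode bits are
# examined; ACLs (the "+" column in ls -l) are not parsed.

# perm_weak_reason MODE UID
#   MODE is an ls-style mode string such as drwxr-xr-x, UID the numeric owner.
#   Prints a comma-separated list of reasons, or nothing when the entry is
#   owned by root and writable by the owner only.
perm_weak_reason() {
  mode="$1"; uid="$2"; reasons=""
  if [ "$uid" -ne 0 ]; then reasons="non-root-owner"; fi
  # character 6 of the mode is the group write bit, character 9 the world write bit
  case "$mode" in ?????w*) reasons="${reasons:+$reasons,}group-writable" ;; esac
  case "$mode" in ????????w*) reasons="${reasons:+$reasons,}world-writable" ;; esac
  printf '%s' "$reasons"
}

# audit_app_perms [DIR]   (DIR defaults to /Applications)
#   Prints "<path>: <reasons>" for every weak entry; returns 1 if anything
#   was flagged, 0 if the directory is clean.
audit_app_perms() {
  dir="${1:-/Applications}"; flagged=0
  for app in "$dir"/*.app; do
    [ -d "$app" ] || continue
    for target in "$app/Contents/MacOS" "$app/Contents/Info.plist"; do
      [ -e "$target" ] || continue
      # ls -ldn prints numeric ids on both macOS and Linux:
      #   mode links uid gid size date... name
      set -- $(ls -ldn "$target")
      reason=$(perm_weak_reason "$1" "$3")
      if [ -n "$reason" ]; then
        printf '%s: %s\n' "$target" "$reason"
        flagged=1
      fi
      # the condition the post describes: can the account running this write it?
      if [ -w "$target" ]; then
        printf '%s: writable-by-%s\n' "$target" "$(id -un)"
        flagged=1
      fi
    done
  done
  return "$flagged"
}
```

Run it as the Standard account you browse with; anything it prints is a bundle that account could tamper with, and the fix is the chown/chmod from Terminal that the post recommends.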
Re: MacDefender malware
ganbustein #15727 05/26/11 10:33 PM
Joined: Aug 2009
Likes: 15
Fascinating post. Thanks. smile

The sad thing is that we've reached the point at which we need to, as opposed to should, know this stuff. frown


Re: MacDefender malware
artie505 #15823 06/01/11 06:52 AM
Joined: Aug 2009
Likes: 14
Here's something else that's good to know... Apple has released another Snow Leopard Security Update and it addresses MacDefender. When I went to their site to read about it, I saw:

Description: The OSX.MacDefender.A definition has been added to the malware check within File Quarantine. Information on File Quarantine is available in this Knowledge Base article: The Article

ryck

Last edited by ryck; 06/01/11 06:56 AM. Reason: Additional Info

Re: MacDefender malware
ryck #15829 06/01/11 05:56 PM
Joined: Aug 2009
Originally Posted By: ryck
Here's something else that's good to know......Apple has released another Snow Leopard Security Update and it addresses MacDefender.


I noticed that update available today and followed the provided link for additional information, but Apple doesn't say a word about the reason for the update, simply saying that as a matter of policy they don't go into details about their security updates. But I've seen them do it in the past, usually giving credit to the people who bring bugs to their attention. But I'd bet this was handled entirely internally.


Re: MacDefender malware
Virtual1 #15830 06/01/11 06:10 PM
Joined: Aug 2009
Likes: 15


Re: MacDefender malware
Virtual1 #15836 06/01/11 11:35 PM
Joined: Aug 2009
Likes: 14
Originally Posted By: Virtual1
I noticed that update available today and followed the provided link for additional information, but Apple doesn't say a word about the reason for the update....

I think we must have got to different places. When I went to this page I found this advice:

Malware removal

Available for: Mac OS X v10.6.7, Mac OS X Server v10.6.7

Impact: Remove the MacDefender malware if detected

Description: The installation process for this update will search for and remove known variants of the MacDefender malware. If a known variant was detected and removed, the user will be notified via an alert after the update is installed.

Anyway, in addition to Apple's Security update, I've also done a complete HD inspection with Sophos and it didn't find anything.

ryck

Last edited by ryck; 06/01/11 11:38 PM.

Re: MacDefender malware
artie505 #15843 06/02/11 03:50 AM
Joined: Sep 2009
Originally Posted By: artie505

And following that article are over 130 comments which make for amusing reading. Apparently cNet is awash with Windows sheeple all too anxious to denigrate Macdom that they don't even grok the difference between a trojan and a virus. Ironically enough, it is precisely that ignorance (and fear/expectation) on which this trojan feeds: "Your Mac has a 'virus' so install our software now."

lulz

Re: MacDefender malware
Hal Itosis #15844 06/02/11 10:12 AM
Joined: Aug 2009
Just curious…

Where is the file location for the malware definitions?

Were I to receive a "pushed" definition update (while getting my beauty rest), would I also receive an alert advising of same?


Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: MacDefender malware
Pendragon #15845 06/02/11 01:30 PM
Joined: Sep 2009
Originally Posted By: Pendragon
Just curious…

Where is the file location for the malware definitions?

I haven't investigated, but my guess would be down in /var somewhere.


Originally Posted By: Pendragon

Were I to received a "pushed" definition update (while getting my beauty rest), would I also receive an alert advising of same?

doubtful... the SafeBrowsing.db cache gets updated daily with nary a twitter.

Re: MacDefender malware
Hal Itosis #15846 06/02/11 04:31 PM
Joined: Aug 2009
Thanks Hal.

Still, it does seem a bit odd that one must assume the definitions are/were properly updated, rather than having confirmation to that end.


Re: MacDefender malware
Pendragon #15849 06/02/11 05:48 PM
Joined: Aug 2009
Originally Posted By: Pendragon
Where is the file location for the malware definitions?

/System/Library/CoreServices/CoreTypes.bundle/Contents/XProtect.plist

