#15621 - 05/18/11 10:37 AM MacDefender malware
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
I've taken some screen shots and also extracted the audio alert from it so you can identify it or work with someone over the phone to identify it.

http://vftp.net/mac_disasters/malware/macdefender/

It's also been seen named MacProtector and MacSecurity.

After the windows are closed they will pop up again shortly, and if you don't buy it within some time it will start automatically opening gay porn sites in your default web browser. It also appears to clear web history during installation, making it tricky to figure out where the user downloaded it from. Initially there's a green shield icon up in the menubar by the clock, but it turns red when it "finds its first virus", and remains in the menubar even when the windows are closed, so that's the easiest thing to look for.
_________________________
I work for the Department of Redundancy Department

#15631 - 05/19/11 09:49 AM Re: MacDefender malware [Re: Virtual1]
jchuzi Online


Registered: 08/04/09
Loc: New York State
_________________________
Jon

OS 10.14.6, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

#15658 - 05/20/11 06:36 AM Re: MacDefender malware [Re: Virtual1]
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: Virtual1
After the windows are closed they will pop up again shortly, and if you don't buy it within some time...

Thanks for this post.

Just so I'm clear... when you say "after the windows are closed", do you mean using the top left Red button from the row of three? If so, what's a better procedure to avoid the redirection? Computer re-start?

ryck
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS Mojave 10.14.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Carbon Copy Clone on 1TB LaCie USB-C
Carbon Copy Clone on 500GB OWC Mercury OTG Pro

#15661 - 05/20/11 07:29 AM Re: MacDefender malware [Re: ryck]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
It's not a redirect. It does a URL open via the OS, causing the default web browser to spontaneously open a web page. (Random gay porn sites appear to be what the malware prefers to show you.) If the web browser is not open, it will be launched.

I'm surprised this hasn't been included in the "this application will damage your computer" dialog from the OS X installer.
_________________________
I work for the Department of Redundancy Department

#15703 - 05/24/11 12:06 PM Re: MacDefender malware [Re: Virtual1]
tacit Offline


Registered: 08/03/09
Loc: Portland, Oregon, USA
The Russians who do the Windows version of this malware tend to package the installers in ways that make them difficult for Windows antivirus software to detect them; for example, the install files may be randomly encrypted with a different key each time they are downloaded, or may be padded with random information. That means the file's signature is different every time it's downloaded, so Windows antivirus programs can't recognize the file by its signature.

I have not looked at the Mac version of the malware, but it is possible that it uses similar techniques to evade the Mac 'This application may damage your computer' warning.
_________________________
Photo gallery, all about me, and more: www.xeromag.com/franklin.html

#15707 - 05/24/11 02:27 PM Re: MacDefender malware [Re: tacit]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
It's very basic, though I would expect it to evolve. It may be a case where Apple is considering its options before starting the inevitable update war with them.
_________________________
I work for the Department of Redundancy Department

#15711 - 05/24/11 04:11 PM Re: MacDefender malware [Re: Virtual1]
alternaut Offline

Moderator

Registered: 08/04/09
_________________________
alternaut moderator

#15712 - 05/24/11 07:50 PM Re: MacDefender malware [Re: alternaut]
hftech Offline


Registered: 05/24/11
Loc: San Diego
I am a newbie; just registered a few minutes ago. Looking for info on MacDefender malware. Just removed it from my wife's MacBook. She never installed it, just couldn't delete it from the Applications folder. Real irritating with the porn pop-ups. Thanks again for the link.
Thanks, hftech

#15713 - 05/24/11 10:18 PM Re: MacDefender malware [Re: hftech]
artie505 Online


Registered: 08/04/09
Hi, and welcome to FineTunedMac.

I'm happy to hear that you found what you were looking for so quickly.

Stick around, learn some stuff, maybe have some fun, and please point your friends in need in our direction.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#15717 - 05/25/11 12:57 PM Re: MacDefender malware [Re: artie505]
jchuzi Online


Registered: 08/04/09
Loc: New York State
_________________________
Jon

OS 10.14.6, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

#15718 - 05/25/11 02:49 PM Re: MacDefender malware [Re: jchuzi]
dkmarsh Online

Moderator

Registered: 08/04/09

I don't understand this story. AFAICR, any software package I've installed using OS X's Installer.app has required me to authenticate with an administrator password even when I am logged into an administrator account.

Has this changed under OS X 10.6, or have I somehow enabled a higher level of security at some past juncture...or am I just plain misremembering?
_________________________

dkmarsh • member, FineTunedMac Co-op Board of Directors

#15719 - 05/25/11 04:14 PM Re: MacDefender malware [Re: dkmarsh]
joemikeb Online

Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Dk, my experience is exactly the same as yours for any and all apps that use the OS X installer, and that includes OS X 10.6.7. However, there is no password required to install drag and drop apps, so I suppose that if one were determined enough it would be possible to craft a downloader that could perform the equivalent of a drag and drop install.

I don't know about you but I am turning off the "Open 'Safe' files after downloading" option in Safari — at least until Apple releases the promised security patch.
_________________________
joemikeb • moderator

#15720 - 05/25/11 04:40 PM Re: MacDefender malware [Re: joemikeb]
alternaut Offline

Moderator

Registered: 08/04/09
Originally Posted By: joemikeb
I don't know about you but I am turning off the "Open 'Safe' files after downloading" option in Safari — at least until Apple releases the promised security patch.

Isn't that the prudent thing to do by default? It's the first Safari setting I disabled years ago and I'm not about to change that, regardless of any Apple patches.
_________________________
alternaut moderator

#15721 - 05/25/11 05:30 PM Re: MacDefender malware [Re: joemikeb]
dkmarsh Online

Moderator

Registered: 08/04/09

From the INTEGO SECURITY MEMO:

Originally Posted By: blog.intego.com
If Safari’s “Open ‘safe’ files after downloading” option is checked, the package will open Apple’s Installer, and the user will see a standard installation screen. If not, users may see the downloaded ZIP archive and double-click it out of curiosity, not remembering what they downloaded, then double-click the installation package. In either case, the Mac OS X Installer will launch.

Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. Since any user with an administrator’s account...can install software in the Applications folder, a password is not needed.

We can't all be right.
_________________________

dkmarsh • member, FineTunedMac Co-op Board of Directors

#15725 - 05/26/11 01:47 PM Re: MacDefender malware [Re: dkmarsh]
ganbustein Offline


Registered: 08/04/09
Originally Posted By: dkmarsh
I don't understand this story. AFAICR, any software package I've installed using OS X's Installer.app has required me to authenticate with an administrator password even when I am logged into an administrator account.

Not all of them. The ones that come from Apple do, but it's just a checkbox in PackageMaker. See figure 2-3 in the PackageMaker User Guide.

But an intruder doesn't need to use Apple's System Installer. They can install files directly, anywhere they have write access. That's why I've always advised doing your normal web browsing from a non-admin account. That doesn't make you completely safe (since they still have write access to almost your entire home folder), but it does limit the scope of what they can do.

And I've also advised that merely creating a new admin account and demoting your old account to Standard (i.e., non-admin) isn't usually enough. Many applications that you installed while you were still admin are owned by you, and you retain write permission to them, so malware running as you can still infect them with viruses.

Thus you need to at least revoke your ownership of everything inside /Applications (and probably /Library also). Do it from Terminal; Finder should not be trusted to handle permissions. Finder should not even be trusted to tell you what permissions you have. (Finder doesn't even mention the execute bits, ignores most ACLs, and only paraphrases the ones it does tell you about. It also will not normally tell you anything at all about the files inside application packages, nor let you adjust their permissions.)

For example, suppose you have a user named "you". "you" used to be an admin, but no longer. When "you" were an admin, you installed the SurfWriter application by drag-copying it from a disk image into /Applications. Here's what that application looks like.

Code:
drwxrwxr-x+  root  admin  /Applications
drwxr-xr-x-  you   admin      Surfwriter.app
drwxr-xr-x-  you   admin          Contents
-rwxr--r---  you   admin              Info.plist
drwxr-xr-x-  you   admin              MacOS
-rwxr-xr-x-  you   admin                  SurfWriter
drwxr-xr-x-  you   admin              Resources
-rwxr-?r-?-  you   admin                  ... lots of other stuff ...

/Applications/SurfWriter.app/Contents/MacOS/Surfwriter is the actual executable. The system knows it's the actual executable because the Info.plist says so. The execute bits inside the Resources subdirectory will be set or cleared at the whim of the vendor. (If the vendor set permissions using Finder, there'll be way too many execute bits. Even Apple software comes with execute bits set on non-executable files.)

Suppose you downgrade "you" to a Standard account, and even use Finder to make it read-only and change the owner to "boss" (your new admin account). Finder will change the permissions to
Code:
drwxrwxr-x+  root  admin  /Applications
dr-xr-xr-x-  boss  admin      Surfwriter.app
drwxr-xr-x-  you   admin          Contents
-rwxr--r---  you   admin              Info.plist
drwxr-xr-x-  you   admin              MacOS
-rwxr-xr-x-  you   admin                  SurfWriter
drwxr-xr-x-  you   admin              Resources
-rwxr-?r-?-  you   admin                  ... lots of other stuff ...
In other words, Finder changes the permissions only on the package folder /Applications/SurfWriter.app itself, not its contents. (And it's been many releases since Finder would even let you change the owner.)

Since you still have write permission on /Applications/SurfWriter.app/Contents/MacOS, any malware running as you is free to do any of the following:
  • Overwrite the SurfWriter executable, to replace it with a virus or to add a virus to it.
  • Install a virus as a separate file inside MacOS, and modify Info.plist (assuming you still have write access) to mark that as the main executable. The virus can do its deed, and then fork/exec the real executable so the user is blithely unaware that anything has changed.
  • If it can't modify Info.plist, it can still rename the SurfWriter executable to "SurfWriter " (appending a space), and install the virus under the old SurfWriter name. The virus operates as before, except that after the fork/exec it'll show up in Activity Monitor under the new name. It would take a very astute observer to notice the extra space.
The virus installer just scans your /Applications folder, looking for any application where it has write permission to the MacOS subfolder. (It always has read/execute access, or the application would be un-launchable.)

The installed virus can wait until the day some admin launches SurfWriter, at which time it can spread to any application whose MacOS folder is admin-writeable (i.e., a whole lot of apps). The safest applications are the ones that are writeable only by root. Apple installs most but not all of their apps this way. (FaceTime and iTunes, to name just two, are admin-writeable. Fortunately, they're code-signed.) Writeable by only root and/or admin is the bare minimum you should insist on for all applications.

But even running as non-admin doesn't make you completely safe. The virus installer could copy applications whole from /Applications into a hidden folder in your home folder (or in /Users/Shared). The copy would be writeable, and all the same tricks would apply. The remaining step is to modify the user-specific copy of the Launch Services database to make the copied app the designated opener of assorted document types. It does make you safer, though. Only that user is infected, and there's no mechanism for spreading the infection to other user accounts. The virus could occasionally phone home checking for updates, so it could rapidly exploit new weaknesses as they're discovered.

The attacker's main hurdle is getting that first piece of chosen code to run on your machine. To do that, he has to either exploit a security hole in your browser or one of its plugins (I'm looking at you, Adobe), or download a malicious file to your computer and trick you into opening it.

Only the clumsiest attacker has ever needed a password.

The weak link in security is, and always has been, the user. As long as humans operate computers, no amount of software can make the computers unhackable.

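ganbustein's post above says that Finder only changes permissions on the .app folder itself, and that the thing to check is whether the Contents/MacOS folder of each bundle is writeable by anyone other than root. The script below is an added example, not code from the thread or from any forum member; it walks a folder such as /Applications and reports, per bundle, whether Contents/MacOS is root-only, admin/group-writeable, or owned by an ordinary user. It assumes a POSIX sh with ls, awk and find (it reads ls -ld rather than stat so the same script runs on macOS and Linux), and the verdict labels are my own.

```sh
#!/bin/sh
# audit_app_bundles ROOT
#   For every *.app bundle under ROOT, classify its Contents/MacOS folder:
#     ROOT-ONLY        owned by root, no group/other write bit
#     ADMIN-WRITABLE   owned by root but group- or other-writable (e.g. root:admin 775)
#     USER-OWNED:<u>   owned by an ordinary user, who can therefore replace the binary
#     NO-MACOS-DIR     no Contents/MacOS folder (not a normal bundle)
# Uses ls -ld rather than stat(1) so the same script runs on macOS and Linux.

# Print "<mode> <owner> <group>" for one path.
perm_fields() {
    ls -ld "$1" | awk '{ print $1, $3, $4 }'
}

# True (exit 0) when the mode string has the group (char 6) or other (char 9)
# write bit set; a trailing + or @ (ACL / xattr marker) is ignored by the '*'.
mode_is_group_or_other_writable() {
    case "$1" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

audit_app_bundles() {
    root="$1"
    # -prune stops find descending into a bundle once it has matched it.
    find "$root" -name '*.app' -prune 2>/dev/null | sort | while IFS= read -r app; do
        macos="$app/Contents/MacOS"
        if [ ! -d "$macos" ]; then
            printf 'NO-MACOS-DIR %s\n' "$app"
            continue
        fi
        set -- $(perm_fields "$macos")
        mode=$1
        owner=$2
        if [ "$owner" != root ]; then
            printf 'USER-OWNED:%s %s\n' "$owner" "$app"
        elif mode_is_group_or_other_writable "$mode"; then
            printf 'ADMIN-WRITABLE %s\n' "$app"
        else
            printf 'ROOT-ONLY %s\n' "$app"
        fi
    done
}

# Stand-alone use:  sh audit_apps.sh /Applications
if [ -n "${1:-}" ]; then
    audit_app_bundles "$1"
fi
```

Anything reported as USER-OWNED is the SurfWriter situation from the post: the Finder-level "read-only" change never reached Contents/MacOS. The Terminal remediation ganbustein refers to is a recursive chown (for example `sudo chown -R root:admin "/Applications/SurfWriter.app"`) followed by re-running the audit to confirm the bundle now reports ROOT-ONLY or ADMIN-WRITABLE.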
#15727 - 05/26/11 03:33 PM Re: MacDefender malware [Re: ganbustein]
artie505 Online


Registered: 08/04/09
Fascinating post. Thanks.

The sad thing is that we've reached the point at which we need to, as opposed to should, know this stuff.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#15823 - 05/31/11 11:52 PM Re: MacDefender malware [Re: artie505]
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
Here's something else that's good to know... Apple has released another Snow Leopard Security Update and it addresses MacDefender. When I went to their site to read about it, I saw:

Description: The OSX.MacDefender.A definition has been added to the malware check within File Quarantine. Information on File Quarantine is available in this Knowledge Base article: The Article

ryck


Edited by ryck (05/31/11 11:56 PM)
Edit Reason: Additional Info
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS Mojave 10.14.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Carbon Copy Clone on 1TB LaCie USB-C
Carbon Copy Clone on 500GB OWC Mercury OTG Pro

#15829 - 06/01/11 10:56 AM Re: MacDefender malware [Re: ryck]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
Originally Posted By: ryck
Here's something else that's good to know......Apple has released another Snow Leopard Security Update and it addresses MacDefender.


I noticed that update available today and followed the provided link for additional information, but Apple doesn't say a word about the reason for the update, simply saying that as a matter of policy they don't go into details about their security updates. But I've seen them do it in the past, usually giving credit to the people who bring bugs to their attention. But I'd bet this was handled entirely internally.
_________________________
I work for the Department of Redundancy Department

#15830 - 06/01/11 11:10 AM Re: MacDefender malware [Re: Virtual1]
artie505 Online


Registered: 08/04/09
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#15836 - 06/01/11 04:35 PM Re: MacDefender malware [Re: Virtual1]
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: Virtual1
I noticed that update available today and followed the provided link for additional information, but Apple doesn't say a word about the reason for the update....

I think we must have got to different places. When I went to this page I found this advice:

Malware removal

Available for: Mac OS X v10.6.7, Mac OS X Server v10.6.7

Impact: Remove the MacDefender malware if detected

Description: The installation process for this update will search for and remove known variants of the MacDefender malware. If a known variant was detected and removed, the user will be notified via an alert after the update is installed.

Anyway, in addition to Apple's Security update, I've also done a complete HD inspection with Sophos and it didn't find anything.

ryck


Edited by ryck (06/01/11 04:38 PM)
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS Mojave 10.14.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Carbon Copy Clone on 1TB LaCie USB-C
Carbon Copy Clone on 500GB OWC Mercury OTG Pro

#15843 - 06/01/11 08:50 PM Re: MacDefender malware [Re: artie505]
Hal Itosis Offline


Registered: 09/03/09
Loc: 10.6.8 (build 10K549)
Originally Posted By: artie505

And following that article are over 130 comments which make for amusing reading. Apparently cNet is awash with Windows sheeple all too anxious to denigrate Macdom that they don't even grok the difference between a trojan and a virus. Ironically enough, it is precisely that ignorance (and fear/expectation) on which this trojan feeds: "Your Mac has a 'virus' so install our software now."

lulz

#15844 - 06/02/11 03:12 AM Re: MacDefender malware [Re: Hal Itosis]
Pendragon Offline


Registered: 08/04/09
Loc: Georgetown, Texas, USA
Just curious…

Where is the file location for the malware definitions?

Were I to receive a "pushed" definition update (while getting my beauty rest), would I also receive an alert advising of same?
_________________________
Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#15845 - 06/02/11 06:30 AM Re: MacDefender malware [Re: Pendragon]
Hal Itosis Offline


Registered: 09/03/09
Loc: 10.6.8 (build 10K549)
Originally Posted By: Pendragon
Just curious…

Where is the file location for the malware definitions?

I haven't investigated, but my guess would be down in /var somewhere.


Originally Posted By: Pendragon
Were I to receive a "pushed" definition update (while getting my beauty rest), would I also receive an alert advising of same?

doubtful... the SafeBrowsing.db cache gets updated daily with nary a twitter.

#15846 - 06/02/11 09:31 AM Re: MacDefender malware [Re: Hal Itosis]
Pendragon Offline


Registered: 08/04/09
Loc: Georgetown, Texas, USA
Thanks Hal.

Still, it does seem a bit odd that one must assume the definitions are/were properly updated, rather than having confirmation to that end.
_________________________
Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#15849 - 06/02/11 10:48 AM Re: MacDefender malware [Re: Pendragon]
ganbustein Offline


Registered: 08/04/09
Originally Posted By: Pendragon
Where is the file location for the malware definitions?

/System/Library/CoreServices/CoreTypes.bundle/Contents/XProtect.plist


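Pendragon's question was whether a silently pushed definition update leaves any trace, and Hal Itosis answered that the updates arrive with no notification. The script below is an added example, not something posted in the thread: it lists the definition names in an XProtect.plist and keeps a checksum so that a later run can say whether the file changed since the last check, which is the confirmation Pendragon wanted. The default path is the one ganbustein quoted in the post above (override it with the XPROTECT_PLIST environment variable if your system keeps the file elsewhere); the sample plist the script writes for its demo mode is a constructed approximation of the real file's shape (an array of entries each carrying a Description string and a Matches array), not a copy of Apple's file, and the pattern value in it is a placeholder.

```sh
#!/bin/sh
# Helpers for the XProtect definition file located in the thread:
#   xprotect_definitions FILE        print every definition name (the "Description" string)
#   xprotect_changed FILE STATEFILE  exit 0 (and record the new checksum) if FILE differs
#                                    from the checksum saved in STATEFILE; exit 1 if unchanged
#   write_sample_xprotect FILE       write a small CONSTRUCTED plist in the assumed shape,
#                                    for offline demonstration and testing
XPROTECT_PLIST="${XPROTECT_PLIST:-/System/Library/CoreServices/CoreTypes.bundle/Contents/XProtect.plist}"

# Constructed sample. The shape (array of dicts with a Description key and a
# Matches array) is an assumption about the real file, not a copy of it.
write_sample_xprotect() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
    <dict>
        <key>Description</key>
        <string>OSX.MacDefender.A</string>
        <key>Matches</key>
        <array>
            <dict>
                <key>MatchType</key>
                <string>Match</string>
                <key>Pattern</key>
                <string>PLACEHOLDER-HEX-PATTERN</string>
            </dict>
        </array>
    </dict>
    <dict>
        <key>Description</key>
        <string>OSX.Constructed.B</string>
        <key>Matches</key>
        <array/>
    </dict>
</array>
</plist>
EOF
}

# Print the <string> on the line that follows each <key>Description</key>.
# Plain awk keeps this runnable where plutil (macOS only) is absent.
xprotect_definitions() {
    awk '/<key>Description<\/key>/ {
            getline
            sub(/.*<string>/, "")
            sub(/<\/string>.*/, "")
            print
         }' "$1"
}

# Compare a CRC (cksum is POSIX, so no md5/shasum differences across systems)
# against the value saved last time; update the saved value when it changed.
xprotect_changed() {
    now=$(cksum < "$1" | awk '{ print $1 }')
    old=""
    if [ -f "$2" ]; then
        old=$(cat "$2")
    fi
    if [ "$now" = "$old" ]; then
        return 1
    fi
    printf '%s\n' "$now" > "$2"
    return 0
}

# Stand-alone use:
#   sh xprotect_check.sh list               list definition names in the live file
#   sh xprotect_check.sh check [STATEFILE]  report whether the live file changed since last check
#   sh xprotect_check.sh demo               run both against the constructed sample
case "${1:-}" in
    list)  xprotect_definitions "$XPROTECT_PLIST" ;;
    check) if xprotect_changed "$XPROTECT_PLIST" "${2:-${TMPDIR:-/tmp}/xprotect.cksum}"; then
               echo "XProtect definitions changed"
           else
               echo "XProtect definitions unchanged"
           fi ;;
    demo)  d=$(mktemp -d)
           write_sample_xprotect "$d/XProtect.plist"
           xprotect_definitions "$d/XProtect.plist"
           xprotect_changed "$d/XProtect.plist" "$d/state" && echo "first run: checksum recorded"
           xprotect_changed "$d/XProtect.plist" "$d/state" || echo "second run: unchanged"
           rm -rf "$d" ;;
esac
```

Run `check` from a daily cron or launchd job and the "changed" line becomes the alert the OS itself does not give; diffing the output of `list` before and after a change shows which definition names were added.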