# "MacDefender" malware now attacking OSX systems



## Eeyore (Jul 16, 2009)

Latest news on a malware that has been targeting OSX systems.

http://news.cnet.com/8301-27080_3-20064394-245.html?tag=mncol;txt

And removal instructions are here:

http://download.cnet.com/8301-2007_4-20064445-12.html?tag=mncol;txt

This is something that has been hitting Windows users for a long time but now is appearing with more and more frequency on Apple systems. The Apple forums have been abuzz about the new frequency of attacks.

All the best.


----------



## Eeyore (Jul 16, 2009)

Good news! Apple has "admitted" that their Operating System is as vulnerable as Windows and will be providing a downloadable fix for OSX plus malware detection/removal tools specific to MacDefender.

http://www.computerworld.com/s/article/9217034/Apple_admits_Mac_scareware_infections_promises_cleaning_tool

Note: One quick way to help avoid this nasty mess in the first place is to open Safari, go into the "General" folder, and UNCHECK the box that says 'Open "safe" files after downloading-- "Safe" files include movies, pictures, sounds, PDF and text documents, and disk images and other archives.'

Did that to my MacBook Pro after reading about it in the Mac-forums. Until the fix comes out from Apple, this quick method may save some folks a nasty headache. 

All the best!


----------



## kindlemama (Jan 5, 2010)

Thanks for all the info, Eeyore.  Good to know! 


----------



## Eeyore (Jul 16, 2009)

kindlemama said:


> Thanks for all the info, Eeyore. Good to know! 


You are most welcome, Kindlemama. Unfortunately, things are ramping up on the bad guys' part.

'On Tuesday, Apple acknowledged the threat posed by what security experts call "scareware" or "rogueware" -- bogus security software that claims a computer is heavily infected with worms, viruses and other malware. Once installed, such software nags users with pervasive pop-ups and fake alerts until they fork over a fee to purchase the worthless program.

Apple also said it would update Mac OS X, adding the ability of the operating system to detect and delete the MacDefender scareware.

The group responsible for MacDefender -- and other earlier variants named MacProtector and MacSecurity -- must have read the news, said James.

"They changed the name to MacGuard, and released it today, maybe just to give Apple the finger," James said.

The cyber criminals also changed the way they distribute the fake security program, breaking it into two parts: a small downloader, dubbed "avRunner," which once on a Mac reaches out to a hacker-controlled site to download the phony MacGuard security software.

But the new version also includes a more important twist.

"Unlike the previous variants, no administrator password is required to install the downloader," said James. "People will still see an installer screen -- [the attackers] haven't gotten to the point where they're completely avoiding that yet -- but all one needs to do to install is click 'OK' a couple of times. So it's one less hurdle."

avRunner sidesteps the need for an administrator password by putting itself directly in the Applications folder of a victimized Mac. Unlike a legitimate installer package -- or an illegitimate one for that matter -- putting an executable in the Applications folder doesn't require a password when the user is the administrator.

With avRunner safely added to the Applications folder, it then grabs MacGuard from a remote server.

James said that clues in the scareware point to Eastern European or Russian hackers as behind the MacDefender/MacGuard campaign. Last week, Microsoft's malware engineers found links between the Mac scam and a fast-growing one that targets Windows users, and concluded that the same gang is responsible for both.

"These are smart people," said James. "There's nothing new here that Windows users haven't seen, but this group has a couple of very good Mac developers."

Mac users running Safari can stop avRunner from automatically opening its installer screen by unchecking the box marked "Open 'safe' files after downloading" at the bottom of the General tab in the browser's Preferences screen.

http://www.computerworld.com/s/article/9217061/Newest_MacDefender_scareware_installs_without_a_password?taxonomyId=89

Comment: So now it is even more important to uncheck the box for the installer. I think it is going to be a long drawn out battle for us Mac Users, as more and more sophisticated malware and trojans are developed to attack Apple's Operating System.

All the best.


----------



## Eeyore (Jul 16, 2009)

Latest update is now available for download from Apple which will remove the known variants of MacDefender/MacGuard and updates its files daily to cover any new threat that may appear in the future.

Note: this malware update only applies to Mac OS X 10.6.7. If you’re running an earlier version of Snow Leopard then you need to make sure you download the Snow Leopard updates. However, if you’re running an older version of Mac OS X then you’re outta luck unless you hand over dollars to Apple for an upgrade.

All the best.


----------



## Eeyore (Jul 16, 2009)

This will probably be my last post on this subject, since the problem will be going on forever from now on. Version 5 of the malware (Now called MacShield) was released within hours after Apple updated a fix for the first four earlier versions of the malware early Friday 6/3 morning. So it will be a game of catch-up for Apple, just like it is now for Windows users.

I received an inquiry from my neighbor (the one who bought the stinky iPad cover from me) asking what to do, since he had an earlier version of OSX and didn't want to pay for the upgrades. I suggested he pay the $29 for the upgrade, but who knows? Since the Apple security fix only works on the latest version of Snow Leopard, older OSX users are left out in the cold. Maybe he didn't want to deal with the hassles of upgrading his older programs that work on Tiger to Snow Leopard?

I contacted a colleague of mine who works in the encryption/decryption business (Government work, so she doesn't sell anything) and her personal computer is a MacBook Pro. She recommended and downloaded a product many moons ago from a long-time security company called Sophos, who are in the threat detection business. They developed it over the past year and are constantly updating the threat signatures. Best of all, it's FREE. No email required, nothing to buy. Since Sophos is such a huge company they did it just to be nice to the few technically savvy Apple Users. Sophos does not provide support for the product but will answer technical questions on the Mac forum.

ClamXav is also good and available from the Apple website, but she said the developers work on it in their spare time and signature updates are few and far between, which would be fatal for computer users. She also said Avast has a new beta out for Mac Users, but there have been reports of users having major problems with it.

Her final word to me was to be wary; several new threats are coming out for OSX, according to what she has seen at work. There is a new hack kit available in the field that now has coding and templates available for OSX based on what the creators of MacDefender did (She has looked at the coding and said it was fair/good, but not as creative as some of the kits for Windows) and that there is now preliminary coding for a very nasty OSX Trojan called BlackHole Rat 3.1 which looks like it is autoexecutable (meaning you don't have to hit the okay button. It downloads and works by itself.) *That* one is a real piece of work.

Just something to ponder on in the near future. I bought a Mac because we had been ignored by the hacking community (sigh).

If it is okay with the moderators, I will post the link to the Sophos Apple Antivirus, if anyone is interested.

NOTE: I am not affiliated with Sophos or with any of their products or with any other Apple/Windows based commercial antivirus products.

All the best.

I have since downloaded the Sophos to my Macbook Pro.


----------



## telracs (Jul 12, 2009)

Best bet, never download any of those "free" check my computer things.


----------



## corkyb (Apr 25, 2009)

Hi Eeyore, would you please PM me the Sophos link if you aren't going to post it? Also, I just now updated the latest software security update to my MacBook Pro. Is there a way to scan my computer to make sure I don't have the malware? I just came across this thread; knew nothing about this.
Thanks


----------



## Eeyore (Jul 16, 2009)

Corkyb--As soon as you download the Apple security update, it will automatically scan your computer. If there is a problem, it will notify you. If nothing happens, then you don't have any of the malware variants. The Apple security software will run in the background and now do automatic updates for you.

All the best.


----------



## geko29 (Dec 23, 2008)

scarlet said:


> Best bet, never download any of those "free" check my computer things.


The issue here is that the program in question installs itself as a "drive-by download", meaning you're browsing a site you believe to be safe (like, say, Google images), and a download/installation is automatically triggered. You do NOT have to click on something that says your computer is vulnerable in order to be affected.
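As an added example that is not part of this thread, and not code from Apple, Sophos or the Computerworld article quoted above: a small POSIX shell script a Mac owner could run to check the two things this post and Eeyore's earlier one describe, namely whether Safari still auto-opens "safe" downloads (the setting that lets the drive-by installer screen appear) and whether anything with one of the names reported for this family is sitting in the Applications folder, where the article says avRunner drops itself. The preference key `AutoOpenSafeDownloads` in the `com.apple.Safari` domain, and treating an absent key as "enabled", are my assumptions; the list of names is constructed only from what the thread reports. On a non-Mac system the Safari check reports "unknown" and the folder scan simply finds nothing.

```shell
#!/bin/sh
# Added example (not from the thread): a defender-side check for the scareware family
# discussed above. Assumption: the Safari checkbox "Open 'safe' files after downloading"
# is stored as the AutoOpenSafeDownloads key of the com.apple.Safari preference domain,
# and an absent key means the default, which the thread says is "on".

# Bundle names the thread reports for this family (constructed list; matched
# case-insensitively as a prefix, so "MacGuard.app" and "MacGuard 2.app" both match).
KNOWN_NAMES="MacDefender MacProtector MacSecurity MacGuard MacShield avRunner"

lower() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# judge_safe_downloads VALUE: map the raw "defaults read" output ("0", "1" or empty)
# to "disabled" or "enabled". Empty (key never written) is treated as enabled.
judge_safe_downloads() {
    case "$1" in
        0) echo "disabled" ;;
        *) echo "enabled" ;;
    esac
}

# check_safari_setting: read the live preference where "defaults" exists (macOS);
# elsewhere report "unknown" so the script still runs on other systems.
check_safari_setting() {
    if command -v defaults >/dev/null 2>&1; then
        judge_safe_downloads "$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)"
    else
        echo "unknown"
    fi
}

# scan_apps DIR: print every entry in DIR whose name starts with a known scareware name.
# Returns 0 when nothing matched, 1 when at least one suspect entry was found.
scan_apps() {
    dir="$1"
    found=0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue
        lbase=$(lower "$(basename "$entry")")
        for name in $KNOWN_NAMES; do
            lname=$(lower "$name")
            case "$lbase" in
                "$lname"*) echo "SUSPECT: $entry"; found=1 ;;
            esac
        done
    done
    return $found
}

main() {
    apps_dir="${1:-/Applications}"
    status=$(check_safari_setting)
    echo "Safari auto-open of 'safe' downloads: $status"
    if [ "$status" = "enabled" ]; then
        # Command-line equivalent of unchecking the box (assumed key name, see above).
        echo "  disable with: defaults write com.apple.Safari AutoOpenSafeDownloads -bool false"
    fi
    if scan_apps "$apps_dir"; then
        echo "No known MacDefender-family bundle names in $apps_dir"
    else
        echo "Review the entries above; Apple's security update or an AV product should remove them"
    fi
    return 0
}

main "$@"
```

Run it as `sh check_macdefender.sh` (or pass another folder as the first argument). A name match is only a prompt to look closer, not proof of infection; the point is that both conditions the thread warns about can be verified in seconds rather than by trying to out-click a download, which geko29 notes is not realistic.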


----------



## kindlemama (Jan 5, 2010)

Eeyore said:


> If it is okay with the moderators, I will post the link to the Sophos Apple Antivirus, if anyone is interested.


Eeyore, please post the link so we can all have access to it.

Again, thank you for taking the time to post all of this information. Most of it's way over my head, but it's much appreciated!!


----------



## Terrence OBrien (Oct 21, 2010)

This thing popped up on my iMac. The alert box looked just like something from Apple, but the pitch was just like all those things that come across on PCs. Two clues it was bogus:

1) There was no cancel button, no minimize icon, no kill icon, and no hide icon. The only option was to click OK.
2) The URL address was all numeric.

I quit Safari, then just started Safari again. That's the last I saw of it.


----------



## telracs (Jul 12, 2009)

geko29 said:


> The issue here is that the program in question installs itself as a "drive-by download", meaning you're browsing a site you believe to be safe (like, say, Google images), and a download/installation is automatically triggered. You do NOT have to click on something that says your computer is vulnerable in order to be affected.


But if you see something suddenly downloading when you're not downloading anything, you can quickly quit Safari to wipe it before it finishes.

You have to be aware of what's going on when you're online, no matter what kind of computer you're on.


----------



## R. M. Reed (Nov 11, 2009)

Anyone know if this is Safari only? I use Firefox.


----------



## geko29 (Dec 23, 2008)

scarlet said:


> But if you see something suddenly downloading when you're not downloading something, you can quickly quit Safari to wipe it before it finished.


If you have enough time and wherewithal to notice the download of a 1.5MB file and completely exit your browser before the download completes (under a second on a typical cable internet connection, let's be generous and call it three seconds on DSL), you're FAR faster than I am.



R. Reed said:


> Anyone know if this is Safari only? I use Firefox.


Firefox doesn't even have the brain-dead option (on by default in Safari) of automatically opening "safe" files after download.


----------

