Mac users: a note on current OSX targeted malware


Viewing 11 posts - 1 through 11 (of 11 total)
  • #598968

    Ken
    Participant

    Mac Defender (AKA MAC Protector) is a rogue anti-malware program. It is not technically a virus, since it is installed by social engineering. It can be described as a trojan, but it does not self-replicate so far…

    It (and more variations to come) relies entirely on convincing the user that there is already a problem and they need to pay to have it fixed.

    Search engine optimization poisoning seems to have been used to spread it initially via search results.

    Many more Mac users are going to be impacted by this than will admit it, since the software is well designed to lure in users who may be otherwise sophisticated but expect their Mac to either work correctly or expect to pay someone to fix it automagically when it does something odd.

    Follow the instructions at the link below to remove it. The link also shows how to close the Safari setting that allows it to self-install after the user clicks an obfuscated link to download it. Mac users who use Safari as their browser should uncheck the checkbox labeled “Open ‘safe’ files after downloading”.

    All Mac users should read the page so they can avoid the future variations sure to follow this one.

    http://www.bleepingcomputer.com/virus-removal/remove-mac-defender

    more links:

    http://arstechnica.com/apple/news/2011/05/fake-mac-defender-antivirus-app-scams-users-for-money-cc-numbers.ars

    https://discussions.apple.com/thread/3029310?start=0&tstart=0

    http://www.freeappletutorials.com/2011/05/how-to-remove-mac-protector-mac.html

    News on the “toolbox” sold by Crackers that was used to create this malware/trojan:

    http://www.csis.dk/en/csis/blog/3195/

    #724582

    MB
    Participant

    Thank you!

    #724583

    hammerhead
    Participant

    I have a mac, and have no idea what I should be worried about. Mine is about 6 years old. I don’t use Safari, I use Firefox? I don’t read technical stuff well at all.

    Obfuscated? What does that mean?

    Sounds way too confusing to me.

    #724584

    chrisma
    Participant

    @hammerhead:

    unless you know that you’re running an anti-virus or anti-malware program on your Mac (chances are you’re not), then anything that pops up and says YOU HAVE A VIRUS or MALWARE DETECTED or SCAN NOW, and certainly anything that says MAC DEFENDER, you should assume is fraudulent and close immediately. Don’t download it. Don’t run a scan. Just close the windows or, if you have to, close the browser.

    Some browsers do have built-in protection against known malware sites, and if you attempt to go to one, you may get a warning screen saying “This site may be dangerous” or something to that effect, and you will be offered a choice to go back to the previous page or continue. In that case, GO BACK.

    Macs are not very vulnerable to auto-installing viruses and malware in general, so usually the tactics rely on “social engineering”, which means they throw up some kind of window to scare you and rely on you clicking the link or downloading their malware. Take a tip from Douglas Adams and DON’T PANIC. Take a moment and think about what you’re seeing and whether it makes sense.

    In general, webmasters do not install software on their sites to warn viewers that their computers might be infected. Unless you’ve gone to a known Internet security site and initiated a scan yourself, these are scams.

    While we’re at it, email malware is really popular too, and the scams I’ve often seen involve supposed emails from banks, or the IRS, or ACH (Automated Clearing House) indicating that your payment has failed. People click on these links even if they’ve never heard of ACH, or don’t do business with the bank supposedly sending the email.

    Again, the key is DON’T PANIC. Look at the message and think about whether it makes any sense. If there’s a link, don’t just automatically click it. You can hover your mouse over it and usually see what the actual link target is. Try this with any link. In a web browser the target of the link usually appears at the bottom of the browser window (or screen). In email programs it usually appears as a bubble or tooltip. It’s really common for a link in an email to read something like http://www.irs.gov but actually target something like irs.igiveyoumalware.com. Just taking a moment to ask a few questions and look a little closer can save a lot of headaches.

    But you can also worry a little less, because most of this stuff is targeted at Windows users, who have a much easier operating system to exploit. And Windows malware generally won’t affect a Mac.
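The "hover and read the real target" check from chrisma's post, done mechanically. This is an added example, not part of the post or of anything else in the thread: it pulls the anchors out of an email body and compares the hostname the link text claims against the hostname the href actually points to. The HTML snippet is constructed for the example, and the site comparison is a plain hostname suffix check that does not consult the public-suffix list (a simplifying assumption).

```python
"""Flag links whose visible text claims one site while the href points elsewhere.

Added example, not from the forum thread. SAMPLE_EMAIL is constructed.
Assumption: "same site" means the href host equals, or is a subdomain of,
the host named in the link text; no public-suffix list is consulted.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a bare hostname or URL inside link text.
_HOSTLIKE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def host_of(url):
    """Lowercase hostname of a URL; a bare 'example.com' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def same_site(claimed, actual):
    """True when `actual` is `claimed` itself or a subdomain of it."""
    c, a = _strip_www(claimed.lower()), _strip_www(actual.lower())
    return a == c or a.endswith("." + c)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Return (href, text, verdict) per anchor.

    'mismatch'     : the text names a host the href does not point to
    'consistent'   : the text names the same site as the href
    'unverifiable' : the text names no host (e.g. 'click here'); read the href
    """
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        actual = host_of(href)
        match = _HOSTLIKE.search(text)
        if not match:
            verdict = "unverifiable"
        elif same_site(host_of(match.group(1)), actual):
            verdict = "consistent"
        else:
            verdict = "mismatch"
        results.append((href, text, verdict))
    return results


# Constructed sample modelled on the "payment failed" lure described above.
SAMPLE_EMAIL = """
<p>Your payment failed. Log in at
<a href="http://irs.igiveyoumalware.com/login">http://www.irs.gov</a> to fix it.</p>
<p>Or <a href="http://irs.igiveyoumalware.com/x">click here</a>.</p>
<p>Official site: <a href="https://www.irs.gov/">irs.gov</a></p>
"""

if __name__ == "__main__":
    for href, text, verdict in check_links(SAMPLE_EMAIL):
        print(f"{verdict:12s} text={text!r:24} -> {href}")
```

The first anchor is the case chrisma describes: the text reads as irs.gov, the href resolves to irs.igiveyoumalware.com, so it is reported as a mismatch. "click here" carries no claim to compare, so the tool can only hand the href back for a human to read, which is exactly the hover check.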

    #724585

    Michael Waldo
    Participant

    If you use a Mac you may mistakenly believe that you are immune to viruses.

    You are not.

    New threats are emerging that target Apple’s machines, and you need to be prepared to meet them.

    Once upon a time Windows ruled the world and no one bothered to write viruses for Macs. Now that Apple is popular with the masses because of PowerBooks, iPads, iMacs and so on, virus writers are now targeting Macs.

    You need an antivirus program for your Mac.

    This link is right off Apple’s website:

    http://www.apple.com/downloads/macosx/networking_security/clamxav.html

    #724586

    Michael Waldo
    Participant

    I forgot to add, ClamXav is a free, open source program, first used on Linux machines.

    #724587

    chrisma
    Participant

    Back when Clam first appeared it had pretty poor testing scores.

    Looks like it’s improved somewhat since 2008.

    http://en.wikipedia.org/wiki/Clam_AntiVirus#Effectiveness

    #724588

    Ken
    Participant

    ClamAV always worked pretty well on mail servers running Linux, BSD or other Unix OSes. The early ports were kinda fragile on other platforms. Looks like they have put a lot of work into the OS X version since the first one.

    ClamAV, as a part of a series of filters and sendmail or postgres scripts, was pretty good at what it did. Turning that into something comprehensible to the user and adding a GUI has to be like turning a chainsaw into a car.

    #724589

    cjboffoli
    Participant

    This site has a great write-up on this issue:

    http://aol.it/lziaRS

    #724590

    Ken
    Participant

    That is a very good link. Here is the unshortened one for those who don’t click on shortened links:

    http://www.tuaw.com/2011/05/19/macdefender-malware-protection-and-removal-guide/

    Read and print out the last 6 numbered rules and post them near your computer.

    1 – Never install any apps unless you are absolutely sure of where they’re coming from and what they are.

    2 – If an installer appears on your screen and you’re not sure how it got there, don’t let it install the software.

    3 – Consider installing free anti-virus / anti-malware software. Both Sophos Anti-Virus for Mac Home Edition and ClamXav 2 are free and relatively unobtrusive.

    4 – Never give your credit card number to anyone through an app. Most reputable software vendors provide other ways to purchase their products (Mac App Store or payment by PayPal) that do not compromise your credit card.

    5 – Be cautious when entering admin credentials for strange applications (thanks to @jtjdt for the tip). The only time you should ever be prompted for your administrative password is when you are deliberately installing an application or plug-in.

    6 – If your primary account on your Mac has administrative rights, consider changing that so that you have a separate admin account and your day-to-day account is a ‘standard’ account. This can protect against some privilege escalation approaches, and helps guard against issues in one account affecting the entire Mac.

    TUAW doesn’t believe in scaring its readers. MacDefender is a warning to those of us who use Macs that hackers are now starting to pay attention to our previously malware-free world. A little bit of paranoia goes a long way in a world that can be, sadly, malicious rather than embracing, but a few simple precautions and a bit of situational awareness can go a long way towards keeping us all safe on our Macs.
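An added example, not part of the thread or of the TUAW guide, that checks the two configuration points raised here: the Safari “Open ‘safe’ files after downloading” checkbox from the first post, and rule 6 above (is your day-to-day account an administrator?). It assumes Safari stores that checkbox under the com.apple.Safari preference domain as AutoOpenSafeDownloads and that `dscl . -read /Groups/admin GroupMembership` lists the admin group's members; the parsing functions work on captured output, so on a non-macOS host the tool calls are skipped and only the sample strings (constructed) are exercised.

```python
"""Audit the Safari auto-open setting and admin-group membership on macOS.

Added example, not from the thread. Assumptions: the Safari checkbox is the
com.apple.Safari key AutoOpenSafeDownloads, and the admin group is readable
with `dscl . -read /Groups/admin GroupMembership`. Nothing is changed;
the remediation commands are given in comments only.
"""
import getpass
import subprocess


def safari_auto_open_enabled(defaults_output):
    """Interpret stdout of `defaults read com.apple.Safari AutoOpenSafeDownloads`.

    Safari ships with the option enabled, and `defaults` prints nothing on
    stdout when the key has never been written, so empty output counts as
    enabled.  Remediation:
        defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
    """
    return defaults_output.strip().lower() not in ("0", "false", "no")


def admin_members(dscl_output):
    """Parse `dscl . -read /Groups/admin GroupMembership` into a set of usernames."""
    for line in dscl_output.splitlines():
        if line.startswith("GroupMembership:"):
            return set(line.split(":", 1)[1].split())
    return set()


def _stdout(cmd):
    """Run a command and return its stdout, or '' if the tool is absent (non-macOS)."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return ""
    return proc.stdout


def audit(user=None):
    """Report both settings for `user` (default: the current login) as a dict."""
    user = user or getpass.getuser()
    defaults_out = _stdout(["defaults", "read", "com.apple.Safari", "AutoOpenSafeDownloads"])
    dscl_out = _stdout(["dscl", ".", "-read", "/Groups/admin", "GroupMembership"])
    return {
        "user": user,
        "macos_tools_found": bool(defaults_out or dscl_out),
        "safari_auto_open_safe_files": safari_auto_open_enabled(defaults_out),
        "user_is_admin": user in admin_members(dscl_out),
    }


if __name__ == "__main__":
    report = audit()
    if not report["macos_tools_found"]:
        print("defaults/dscl not found: not macOS, or tools not on PATH; results below are defaults")
    print("Safari auto-opens 'safe' downloads:", report["safari_auto_open_safe_files"])
    if report["user_is_admin"]:
        # Rule 6: create a separate admin account and demote this one to standard.
        print(f"{report['user']} is an administrator; consider a standard day-to-day account")
    else:
        print(f"{report['user']} is a standard account")
```

Demoting an account to standard is done from System Preferences (Users & Groups) or by removing it from the admin group; the script only reports, so it is safe to run on a machine you are unsure about.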

    #724591

    Ken
    Participant

    Apple has admitted the scareware exists. Update planned to fix vulnerability.

    http://support.apple.com/kb/HT4650
