Free Republic
Browse · Search
General/Chat
Topics · Post Article


Mac malware authors release a new, more dangerous version
ZDNet ^ | May 25, 2011, 12:05pm PDT | By Ed Bott

Posted on 05/26/2011 2:21:53 AM PDT by Swordmaker

Summary

Apple finally responded to the Mac Defender outbreak, with a technical note containing removal instructions and the promise of a removal tool. Within hours, the bad guys had released a new version of their malware. This one doesn’t require that you enter an administrator’s password.

Yesterday, 25 days after the Mac Defender malware began to appear in the wild, Apple finally responded. In a technical support note, “How to avoid or remove Mac Defender malware,” the company posted instructions for users to follow if they’ve encountered this malware specimen in the wild. It also promised a security update to remove infections automatically.

File that memo under, “Too little, too late.”

Within 12 hours of Apple’s announcement, the author of the original Mac Defender program had a new variant available that renders key portions of the current Mac Defender prevention plan obsolete.

A security researcher for Intego, the Mac-centric security company that identified the original Mac Defender, found the first example of this new code via a poisoned Google search very early this morning.

Several factors make this specimen different. For starters, it has a new name: MacGuard. That’s not surprising, given that the original program already had at least three names. But this one is divided into two separate parts.

The first part, a downloader program, installs in the user’s Applications folder. If you’re an administrator on your Mac (and most people are, given that the overwhelming majority of Macs have only one user and the default account in that scenario is an administrator), the installer will open automatically. All you have to do is click Continue to begin the installation.

Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. Since any user with an administrator’s account – the default if there is just one user on a Mac – can install software in the Applications folder, a password is not needed. This package installs an application – the downloader – named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind.

The downloader portion then installs the second part, which is similar to the original Mac Defender.

The new architecture seems to be a specific response to Apple’s instructions in the Mac Defender security note: “In some cases, your browser may automatically download and launch the installer for this malicious software. If this happens, cancel the installation process; do not enter your administrator password.”

In this new variation, no password is required as long as you’re logged in using an administrator account. That might lull a potential victim into thinking they’re safe.

I know a lot of Apple users who breathed a sigh of relief yesterday, thinking that Apple’s belated response finally means that the problem is over. As any computer security researcher will tell you, this arms war is just getting started.

Apple appears to be treating this outbreak as if it were a single incident that won’t be repeated. They seriously underestimate the bad guys, who are not idiots. Peter James, an Intego spokesperson, told me his company’s analysts were “impressed by the quality of the original version.” The quick response to Apple’s move suggests they are capable of churning out new releases at Internet speeds, adapting their software and their tactics as their target—Apple—tries to put up new roadblocks.

If Apple plans to play Whack-a-Mole with these guys, they’re in for months of misery. Just ask any Windows security expert who was around in 2003 and 2004 when Microsoft was learning a similar painful lesson. If each reaction from Apple takes two or three weeks, the bad guys will make a small fortune and Mac users can count on significant pain and anguish.

If you’ve run across this new variation in the wild, let me know. I’ll have my eyes open and plan to report back if I find anything.


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: mac; malware

1 posted on 05/26/2011 2:21:55 AM PDT by Swordmaker

To: Swordmaker

If I come across any Mac viruses on my virus-free Windows computer, I’ll let you know.


2 posted on 05/26/2011 2:33:12 AM PDT by Jonty30

To: Swordmaker

I think the virus writers have been studying Apple’s software for a long time and know many holes that Apple isn’t aware of.

It’s going to be interesting.


3 posted on 05/26/2011 2:34:42 AM PDT by Jonty30

To: Jonty30

How do the bad guys “make a fortune?” Isn’t this against the law? Can’t they be found?


4 posted on 05/26/2011 2:44:22 AM PDT by nikos1121

To: nikos1121

They use automated programs called bots, which collect information from infected computers.

Many of those infected computers will have financial information, like bank accounts, credit cards, stocks and bonds, or anything else that you can think of that is defined as financial information.

If your computer gets infected, it will send that information to whomever is collecting it and they will proceed to raid bank accounts or use credit card information or even use insider trading information to get rich.

They can be caught, but it takes a lot of time and effort to go through IP addresses and hope the criminals didn’t have time to erase their tracks or be traced to a country like China, Iran, or Russia where they really can’t be touched.


5 posted on 05/26/2011 2:53:38 AM PDT by Jonty30

To: Jonty30

In the end, it’s actually a positive development, because it forces Apple to take similar steps that Microsoft had to take to secure Windows.


6 posted on 05/26/2011 2:55:49 AM PDT by Jonty30

To: All
The key to avoiding this malware in its more dangerous form is to

If you are not now running as a Standard User, here is how to set up a new Administrator user (you will always need one in OSX) and change your current user to a Standard User, which is much safer:

  1. Under the Apple Menu, select "System Preferences..."
  2. Click the "Accounts" on the fourth line to open the Accounts Preference Pane.
  3. If the Accounts Pane is "locked," i.e. the padlock icon at the lower left is closed, click on it, provide your current Administrator Name and password to unlock it.
  4. Create a New User by clicking on the "+" button directly above the padlock icon.
  5. Give the New User a name that is NOT "Admin" but is something specific to YOUR computer... non-generic... so that a malware writer cannot anticipate your administrator name by knowing something about you. "Aunt Flossy" might be a good administrator name, if you DON'T have an Aunt Flossy.
  6. Give this New User a password that is NOT a word in a dictionary... combine numbers, upper and lower case letters, and some non alphanumeric characters... make it a HARD password... but one you won't forget. Free$23Republic would be a good example of a hard, memorable password for a freeper, and would also remind him to make a donation from time to time.
  7. Write down this New Administrator name and password and lock it away somewhere... just in case.
  8. Check the box "Allow user to administer this computer"
  9. At the bottom of the list of users at the left of the pane, click on "Login Options."
  10. Check the box next to "Show fast user switching menu as:" and select "Name" in the drop down menu box. This will create a user switching menu on the upper right of your Mac menu bar.
  11. If there are multiple users other than yourself on this Mac, turn off the automatic login at the top of the pane. If it is just yourself, don't do this step unless you want to increase your computer's physical security so that you have to login every time you start up. That IS the best practice, but it is your personal preference.
  12. Select an appropriate picture for your New Administrator User.
  13. Click on the padlock icon to RELOCK the Accounts Pane.
  14. Under the Apple Menu, LOG OUT of your current account.
  15. Log in as your NEW ADMINISTRATOR.
  16. Repeat steps 1 through 3 above, except use the New Administrator name and password to authenticate the unlocking of the Accounts Pane in step 3. This both unlocks the pane AND confirms that this newly created account is an administrator account.
  17. Click on your ORIGINAL account name, the one you usually use to operate the computer, to select it.
  18. Uncheck the box next to "Allow user to administer this computer."
  19. Click on the padlock icon to relock the Accounts pane.
  20. Close the System Preference window.
  21. Under the Apple Menu, Log Off the Administrator Account.
  22. Log back in to your normal account.

You are now safe from this exploit.

Use your new administrator's name and password to install any software or to do system maintenance. You can install software from your Standard User account by providing that name and password for each instance. You will not be able to make changes to your system files, Libraries, Applications folders, or the HD root directory unless you provide that Administrator name and password.

Note, the administrator name and password will STILL not allow you to make changes to ROOT UNIX files or to alter any of the core files as the ROOT is not activated on the default OSX install... That requires one level higher user level even yet. However that administrator IS capable of activating ROOT by creating a ROOT superuser and creating a ROOT superuser password.

7 posted on 05/26/2011 3:33:20 AM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone.)

To: ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; altair; ...
The MacDefender authors have stepped up the game a bit... it's a bit more dangerous now. For some Mac users it can self install!!!—PING!

For information on how, who is at risk, and for SWORDMAKER'S INSTRUCTIONS on how NOT TO BE VULNERABLE TO THIS PROBLEM... This is a must read thread!

Please, No Flame Wars, Discuss technical issues, software, and hardware.
Don't attack people!

Don't respond to the Anti-Apple Thread Trolls!
PLEASE IGNORE THEM!!!


Apple Ping!

If you want on or off the Mac Ping List, Freepmail me.

8 posted on 05/26/2011 3:39:07 AM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone.)

To: Jonty30

Ahh, but Jonty30, the hole in question is social engineering. People are conditioned to pay attention to official-looking dialog boxes. The original version of this relied upon deceit, but nothing else.

One malware event may or may not open a door here. That door has been swinging in the wind, widely, for a very long time in the microsoft camp. I deal with it everyday in my professional life, on all three primary platforms. You’re right that Apple, as well as all other software manufacturers, needs to have a serious eye on security.

Largely, they have. What has changed here is that the number of macs has increased to the point where those malefactors writing viruses and malware now feel that they have another worthwhile target. That isn’t the same as saying that they didn’t have one before. All that really started with the Morris worm in 1988. And came to full fruition with windows years after that.

Whether this is a cottage industry now or not, I do agree with you that ALL makers of software need a generally better eye on security. I wouldn’t, however, and cannot, single out Apple alone. No mac in my district, and that’s a large number of thousands, has yet been infected. On the other hand, we do regularly see a need to clean one or another of the pcs. No big deal. No need to crow about it. It is a numbers game, ultimately. You may look at this as something which speaks well of recent Apple sales, if nothing else.


9 posted on 05/26/2011 3:46:26 AM PDT by sayuncledave (A cruce salus)

To: PeteB570

Ping for later reading.


10 posted on 05/26/2011 3:53:07 AM PDT by PeteB570 (Islam is the sea in which the terrorist shark swims. It aids & comforts the shark on its journey.)

To: All
From what I can find out from other sources other than the biased author of this article, Ed Bott, who writes only negative articles about Apple, the malware DOES still need to be installed... following the download. The only thing that gets opened automatically is the downloader which is in an auto-executing zip file. The primary difference is that it no longer is requiring the administrator password for those who are running as administrator level users who have "Open 'safe' files after downloading" checked in Safari. ALL OTHERS who are running as Standard Users are not at risk from this malware!

Apple's online instructions on how to dispose of this malware are still effective... contrary to Bott's negative comment of "too little, too late!"


Summary

A recent phishing scam has targeted Mac users by redirecting them from legitimate websites to fake websites which tell them that their computer is infected with a virus. The user is then offered Mac Defender "anti-virus" software to solve the issue.

This “anti-virus” software is malware (i.e. malicious software).  Its ultimate goal is to get the user's credit card information which may be used for fraudulent purposes.

The most common names for this malware are MacDefender, MacProtector and MacSecurity. 

In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants.  The update will also help protect users by providing an explicit warning if they download this malware. 

In the meantime, the Resolution section below provides step-by-step instructions on how to avoid or manually remove this malware.

Products Affected

Mac OS X 10.4, Mac OS X 10.6, Mac OS X 10.5

Resolution

How to avoid installing this malware

If any notifications about viruses or security software appear, quit Safari or any other browser that you are using. If a normal attempt at quitting the browser doesn’t work, then Force Quit the browser.

In some cases, your browser may automatically download and launch the installer for this malicious software.  If this happens, cancel the installation process; do not enter your administrator password.  Delete the installer immediately using the steps below.

  1. Go into the Downloads folder or your preferred download location.
  2. Drag the installer to the Trash. 
  3. Empty the Trash.

How to remove this malware

If the malware has been installed, we recommend the following actions:

Removal steps

Malware also installs a login item in your account in System Preferences. Removal of the login item is not necessary, but you can remove it by following the steps below.

Use the steps in the “How to avoid installing this malware” section above to remove the installer from the download location.

Note: Apple provides security updates for the Mac exclusively through Software Update and the Apple Support Downloads site. Users should exercise caution any time they are asked to enter sensitive personal information online.

11 posted on 05/26/2011 3:54:23 AM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone.)
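An added example, not code from this thread or from Apple, that does the two-account setup from Swordmaker's 22 steps in post 7 (new administrator, daily account demoted to Standard) with the command-line tools that ship with OS X instead of the Accounts pane, and turns off the Safari "Open 'safe' files after downloading" box that post 11 names as the trigger. The account names "flossyadmin" and "Aunt Flossy" are placeholders chosen for the example, and the script assumes a 10.6-era Mac where dscl, dseditgroup, createhomedir and defaults are present.

```shell
#!/bin/bash
# Added example, not from the thread or from Apple: Swordmaker's two-account
# setup done with dscl/dseditgroup/createhomedir/passwd instead of the
# Accounts pane, plus the Safari "Open 'safe' files" switch from post 11.
# "flossyadmin" and "Aunt Flossy" are placeholder names for this example.
set -eu

# Pick the lowest unused UID at or above 501 (the range the Accounts pane
# uses for local users) from "dscl . -list /Users UniqueID" output, which
# is one "name uid" pair per line. Pure text filter, so it can be checked
# on any machine.
next_free_uid() {
  awk '$2 >= 501 { used[$2] = 1 }
       END { uid = 501; while (uid in used) uid++; print uid }'
}

# Exit status 0 when the named user is in the admin group, i.e. can write
# to /Applications without a password prompt, which is exactly what the
# new MacGuard variant relies on.
is_admin() {
  dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
}

# Create a new administrator account and demote the account that invoked
# sudo to a Standard user. Run on the Mac as the daily (admin) user:
#   sudo bash -c '. ./two_accounts.sh; make_admin_and_demote flossyadmin "Aunt Flossy"'
make_admin_and_demote() {
  local name=$1 longname=$2 uid
  [ -n "${SUDO_USER:-}" ] || { echo "run this under sudo" >&2; return 1; }
  uid=$(dscl . -list /Users UniqueID | next_free_uid)
  dscl . -create "/Users/$name"
  dscl . -create "/Users/$name" UserShell /bin/bash
  dscl . -create "/Users/$name" RealName "$longname"
  dscl . -create "/Users/$name" UniqueID "$uid"
  dscl . -create "/Users/$name" PrimaryGroupID 20          # staff
  dscl . -create "/Users/$name" NFSHomeDirectory "/Users/$name"
  passwd "$name"           # prompts, so the password never hits ps or history
  createhomedir -c -u "$name" >/dev/null
  dseditgroup -o edit -a "$name" -t user admin
  # Demote the daily account only once the new one is confirmed to be an
  # administrator; otherwise the Mac would be left with no admin at all
  # (Swordmaker's step 16 is the same check, done by hand).
  if is_admin "$name"; then
    dseditgroup -o edit -d "$SUDO_USER" -t user admin
    echo "$SUDO_USER is now a Standard user; use $name for installs"
  else
    echo "$name did not end up in the admin group; nothing demoted" >&2
    return 1
  fi
}

# Stop Safari from launching a downloaded installer on its own (the
# "Open 'safe' files after downloading" box). Run this as the daily user,
# not under sudo, so it lands in that user's own preferences.
disable_safari_auto_open() {
  defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
}
```

After the demotion, installing anything from the daily account prompts for the new administrator's name and password, just as the post describes.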

To: Jonty30
In the end, it’s actually a positive development, because it forces Apple to take similar steps that Microsoft had to take to secure Windows.

Oh, BS, Jonty. Windows was forced to take the steps that Apple took a long time ago to match the security of UNIX™ that was built into OSX from the first. Quit trying to rewrite history. Apple took those steps back in 2001 when it dumped Mac-OS9 and lower and even THAT was more secure than Windows was then. It's been Microsoft that has been playing catch up.

12 posted on 05/26/2011 3:59:54 AM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone.)

To: Swordmaker

thank you for all this info.

I have been out of the loop with all this information.

First..how do you know if you have or don’t have a virus?

Do I understand it can only be accessed by downloading a bad program? Is there a way to be safe with these things? I don’t download much other than the updates they tell me I need, is there a problem in this?

I will try to do the administer user change you suggested.

BTW. Hope things are going okay for you following the death.. you have been in my thoughts.


13 posted on 05/26/2011 4:00:20 AM PDT by DollyCali (Don't tell God how big your storm is... tell your storm how BIG your God is!)

To: DollyCali
First..how do you know if you have or don’t have a virus?

There are still zero viruses for the OSX Mac... this is a trojan horse application. Not the same thing.

I don’t download much other than the updates they tell me I need, is there a problem in this?

There are no problems with downloading and installing the updates from Apple... always use "Software Update..." from the Apple Menu on the Menu Bar. These updates from Apple are security signed and certified from Apple. Your system checks that and if they are NOT what they say they are it will stop the update dead in its tracks and warn you! Apple will NEVER notify you by a pop-up from a website that you need to click on something because they've found a problem.

I will try to do the administer user change you suggested.

Print out the Post and do them step by step and you should be fine... Then just continue Freeping as you've been Freeping and you'll be OK.

I'm doing fine. We buried my Mom's ashes with my Dad's on Monday with a nice family only ceremony. It was quite moving.

We had some good news to temper the passing of my mother: my older daughter gave us the news on mother's day that she is making us Grandparents! She knew before the passing of my mother and whispered it to her on her deathbed... and my Mom nodded and smiled, showing she understood... so she knew she was going to be a great-grandmother before she died. That makes me happy.

We promised my daughter not to tell anyone until she passed her third trimester and that OK came down after the ceremony on Monday! The genetic counselors say everything is A-OK, too! YAY! She is due to deliver on December 7th.

14 posted on 05/26/2011 4:13:34 AM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone.)

To: Swordmaker
it no longer is requiring the administrator password for those who are running as administrator level users who have "Open 'safe' files after downloading" checked in Safari. ALL OTHERS who are running as Standard Users are not at risk from this malware!

So, since I run Firefox, not Safari, I shouldn't worry? (In any event, I'm not dumb enough to run an installer I didn't intentionally download, no matter how "official" looking it is.)

15 posted on 05/26/2011 4:21:00 AM PDT by kevkrom (Palin's detractors now resort to "nobody believes she can win because nobody believes she can win")

To: kevkrom
So, since I run Firefox, not Safari, I shouldn't worry? (In any event, I'm not dumb enough to run an installer I didn't intentionally download, no matter how "official" looking it is.)

Honestly? I don't know.

16 posted on 05/26/2011 4:30:24 AM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone.)

To: Swordmaker

bookmark


17 posted on 05/26/2011 4:53:19 AM PDT by GOP Poet (Obama is an OLYMPIC failure.)

To: Swordmaker

Bump for later. Thanks for the post.


18 posted on 05/26/2011 5:10:12 AM PDT by Ben Hecks

To: Swordmaker
Thanks, Sword. I'm mainly a lurker, but I read everything you ping. I already have my Admin account as an account that no one uses, so I guess I did something right there! :) WooHoo! I do like the extra security of unchecking the "Open Safe Files" option, however, so thanks for that, too.

And I'm sorry to hear of your loss. God's blessings.

19 posted on 05/26/2011 6:15:00 AM PDT by StrictTime

To: Swordmaker
3. If the Accounts Pane is "locked," i.e. the padlock icon at the lower left is closed, click on it, provide your current Administrator Name and password to unlock it.

It seems to me that if the Accounts Pane is locked, then you are done (not running as Admin), so skip all the rest of those steps.

20 posted on 05/26/2011 6:21:13 AM PDT by palmer (Cooperating with Obama = helping him extend the depression and implement socialism.)

