Skip to content

Posts tagged ‘intego’

29
May

The State of Mac Malware

There’s been a lot of buzz recently about the sudden increase in Mac-specific malware cropping up so far this year. First people raved about the fairly tame and unthreatening BlackHole RAT trojan, then Mac users had to watch out for a slightly more crafty but avoidable MACDefender trojan, and now there’s news of a more advanced malware kit (Weyland-Yutani Bot) that has the ability to steal data entered into Firefox (Safari and Chrome currently unaffected, but expected to follow soon). AppleCare has reportedly been receiving a significant number of calls about the MACDefender trojan, and has issued a support document on how to deal with it.

Clearly some change is in the air, but exactly how does it affect normal Mac users? I for one actively look for Mac-based malware (eg. MACDefender), and have never stumbled across it by accident. Maybe I need to surf on the ‘dark side’ of the web more often. I just wanted to give my take on recent events and the state of Mac malware, and why I don’t think there’s any reason to be too worried just yet.

Read moreRead more

3
May

Low Risk MACDefender Trojan is Easily Avoided

There have been widespread reports of people installing a trojan that masquerades as an anti-virus program dubbed MacDefender. When visiting a malicious or compromised website promoted by SEO (search engine) poisoning, some Mac OS X users using Safari are experiencing the automatic download of a disk image which then automatically mounts and launches an installer. Intego’s blog has a detailed report which shows that they’ve discovered instances of scareware, where the websites (ironically displaying a faux-Windows GUI) show a fake virus scan and inform the user that their computer is infected.

Note: The automatic mounting and execution of the installer can easily be prevented by unchecking the “Open ‘safe’ files after downloading” option in the Safari Preferences.

If the user installs it, the MacDefender app look very professionally done and is unlike any other OSX malware to date. It will periodically open porn sites, pop up warnings that the user’s computer is infected, and prompt them to purchase the MacDefender anti-virus software. The software purchase page is just a place to get the user’s credit card number, and no product is delivered.

For the most part this is a very low-risk trojan, and can easily be avoided by disabling the ‘safe files’ option, and not installing software that randomly appears on your computer. No website can arbitrarily scan your computer for malware, and if they tell you that you’re infected, they’re lying. If common sense and good security practice aren’t enough, you can install an anti-virus (eg. VirusBarrier or Sophos) that will pick up this trojan.

If you did accidentally install the trojan, it can be removed with the following steps:

  1. Open Activity Monitor (in /Applications/Utilities/), and find the MacDefender.app process in the list. If it’s there, select it and click ‘Quit Process’.
  2. Open System Preferences (in the Apple menu) and click on Accounts. Click on the Login Items tab for your user, and find MacDefender in the list. If it’s there, select it and remove it using the minus [-] button below the list.
  3. Delete MacDefender from your Applications folder.

Check out my article on Securing Leopard and Top 100 Security and Privacy Tips!

[Update 5/5/11] There are reports of variants of the MACDefender trojan going around under the name “Mac Security” or “Mac Shield”. For the reversers, check out this reverse engineering of the MACDefender binary.

css.php