Skip to content

Posts tagged ‘MACDefender’

1
Jun

Mac OS X Security Update 2011-003 adds MACDefender Protection [Updated]

Apple has released Security Update 2011-003 for Mac OS X 10.6 which updates the system’s built in ‘File Quarantine’ (aka. XProtect) mechanism to detect and remove OSX.MacDefender.A. More significantly, however, Apple has now enabled the ability for File Quarantine to receive daily updates to to its malware definition list, essentially giving Mac OS X a very simplistic built-in anti-virus. Now it’s just up to Apple to actually update the malware definitions list on a regular basis.

In System Preferences > Security > General, users can choose whether or not they want to “Automatically update safe downloads list”. I’m not sure “safe downloads list” is the best name for it however, as it doesn’t really help users understand what its purpose is. I highly recommend keeping this option checked. Note that the screenshot below is not a recommendation of what your preferences should look like, it’s merely highlighting the new option. For more into about configuring your Security settings check out Securing Leopard: Security, FileVault and Firewall (to be updated with this new setting shortly).

[Updated 01/06/2011] As I wholly expected, a new variant of MACDefender is already out in the wild that does not get detected by OSX’s File Quarantine. As File Quarantine is simply a blacklist of known malware, it does not have the ability to pick up on malware it doesn’t recognise. This will be a good test to see how quickly Apple responds and updates the File Quarantine definitions. If you installed the 2011-003 security update then your system is already set to check for new updates every 24 hours. Browse safe out there.

[Updated 02/06/2011] Apple has already updated the File Quarantine definitions for the latest MACDefender variant (OSX.MacDefender.C). Pretty good response time by Apple!

29
May

The State of Mac Malware

There’s been a lot of buzz recently about the sudden increase in Mac-specific malware cropping up so far this year. First people raved about the fairly tame and unthreatening BlackHole RAT trojan, then Mac users had to watch out for a slightly more crafty but avoidable MACDefender trojan, and now there’s news of a more advanced malware kit (Weyland-Yutani Bot) that has the ability to steal data entered into Firefox (Safari and Chrome currently unaffected, but expected to follow soon). AppleCare has reportedly been receiving a significant number of calls about the MACDefender trojan, and has issued a support document on how to deal with it.

Clearly some change is in the air, but exactly how does it affect normal Mac users? I for one actively look for Mac-based malware (eg. MACDefender), and have never stumbled across it by accident. Maybe I need to surf on the ‘dark side’ of the web more often. I just wanted to give my take on recent events and the state of Mac malware, and why I don’t think there’s any reason to be too worried just yet.

Read moreRead more

3
May

Low Risk MACDefender Trojan is Easily Avoided

There have been widespread reports of people installing a trojan that masquerades as an anti-virus program dubbed MacDefender. When visiting a malicious or compromised website promoted by SEO (search engine) poisoning, some Mac OS X users using Safari are experiencing the automatic download of a disk image which then automatically mounts and launches an installer. Intego’s blog has a detailed report which shows that they’ve discovered instances of scareware, where the websites (ironically displaying a faux-Windows GUI) show a fake virus scan and inform the user that their computer is infected.

Note: The automatic mounting and execution of the installer can easily be prevented by unchecking the “Open ‘safe’ files after downloading” option in the Safari Preferences.

If the user installs it, the MacDefender app look very professionally done and is unlike any other OSX malware to date. It will periodically open porn sites, pop up warnings that the user’s computer is infected, and prompt them to purchase the MacDefender anti-virus software. The software purchase page is just a place to get the user’s credit card number, and no product is delivered.

For the most part this is a very low-risk trojan, and can easily be avoided by disabling the ‘safe files’ option, and not installing software that randomly appears on your computer. No website can arbitrarily scan your computer for malware, and if they tell you that you’re infected, they’re lying. If common sense and good security practice aren’t enough, you can install an anti-virus (eg. VirusBarrier or Sophos) that will pick up this trojan.

If you did accidentally install the trojan, it can be removed with the following steps:

  1. Open Activity Monitor (in /Applications/Utilities/), and find the MacDefender.app process in the list. If it’s there, select it and click ‘Quit Process’.
  2. Open System Preferences (in the Apple menu) and click on Accounts. Click on the Login Items tab for your user, and find MacDefender in the list. If it’s there, select it and remove it using the minus [-] button below the list.
  3. Delete MacDefender from your Applications folder.

Check out my article on Securing Leopard and Top 100 Security and Privacy Tips!

[Update 5/5/11] There are reports of variants of the MACDefender trojan going around under the name “Mac Security” or “Mac Shield”. For the reversers, check out this reverse engineering of the MACDefender binary.

css.php