
'MACDefender' on Apple's radar as OS X malware spreads - report

post #1 of 95
Thread Starter 
A malware program that targets Mac OS X systems dubbed "MACDefender" has apparently gained traction in the wild, prompting Apple to tell its support representatives they should not attempt to remove the software.

According to an internal AppleCare document obtained by Ed Bott of ZDNet, the "MACDefender" software is considered an "Issue/Investigation in Progress." The confidential internal document, issued to representatives this week, notes that "AppleCare does not provide support for removal of the malware."

A series of bullet points accompanying the document state that employees should not confirm or deny that the malware has been installed, attempt to uninstall it, or send customers to Tier 2 for further resolution. In addition, representatives are also told not to refer customers to the Apple Store, as those employees do not remove malware either.

"Explain that Apple does not make recommendations for specific software to assist in removing malware," the document reads. "The customer can be directed to the Apple Online Store and the Mac App Store for antivirus software options."

Bott also previously reported via his Microsoft Report that an AppleCare representative said malware for the growing Mac platform is "getting worse." The anonymous person claimed that call volume at AppleCare is four to five times higher than normal, and the "overwhelming majority" of calls are related to MACDefender or another alias.

"Many Mac users think their Mac is impervious to viruses and think this is a real warning from Apple," the anonymous person reportedly said. "I really wish I could say not many people will fall for this, but in this last week, we have had nothing but Mac Defender and similar calls."



The MACDefender malware first gained attention earlier this month, when it was spotted by an antivirus company. The program automatically downloads in web browsers through JavaScript.

But users must also agree to install the software and provide an administrator password, which led Intego to categorize the threat as "low." However, the latest details would suggest that users are unaware of what they are installing and proceed with the installation anyhow.

The malware spreads through search engines like Google via a method known as "SEO poisoning." The sites are designed to game search engine algorithms and show up when users search for certain topics.

Users on Apple's support forums have advised killing active processes from the application using the Mac OS X Activity Monitor. MACDefender can then be deleted from the Applications folder by dragging it into the trash.
post #2 of 95
So the one thing missing in this story is what MACDefender actually does once it's installed. Anyone know?
post #3 of 95
Isn't this the kind of problem the Mac App Store is designed to defend against?
post #4 of 95
Quote:
Originally Posted by Object-X View Post

So the one thing missing in this story is what MACDefender actually does once it's installed. Anyone know?

I think it's a barrage of pornography. Could be wrong though.

As the article notes, this is only a threat if you actively allow the installer to proceed by entering the administrator password. Most moderately advanced users will recognize this and refuse to continue. However, as Macs become more and more popular, it's true that many less-experienced users could be confused or tricked. I certainly emailed some family members who are new to Macs and reminded them to never enter their administrator password unless they were completely sure why they were doing it and trusted the download source.
post #5 of 95
Quote:
Originally Posted by David Forbes View Post

Isn't this the kind of problem the Mac App Store is designed to defend against?

Absolutely. Notice the installed base for iPhones and iPads greatly exceeds that of Macs, yet the malware issue is non-existent. This is Apple's solution to the problem, and personally I think it's a good one.
post #6 of 95
It's partly Apple's fault for having the "open safe files after downloading" feature in Safari. That feature is just asking for this kind of attack.
post #7 of 95
Quote:
Originally Posted by AppleStud View Post

I think it's a barrage of pornography. Could be wrong though.

I'm not sure, but I recall reading that it's an antivirus or anti-malware program like its name suggests. When asked to activate the program, you have to enter CC info and when you do, it tells you the card didn't work and asks you to try another card, all the while collecting your CC info. Allegedly, a user had entered 4 or 5 different CC numbers before getting wise to the scam.
post #8 of 95
deleted
post #9 of 95
Quote:
Originally Posted by AppleStud View Post

Absolutely. Notice the installed base for iPhones and iPads greatly exceeds that of Macs, yet the malware issue is non-existent. This is Apple's solution to the problem, and personally I think it's a good one.

I disagree simply because this is not a case where a user is searching for and intentionally downloading software. The App Store is great for providing a trust-based location for finding s/w and applications to meet Mac users' needs, and in the case of the iOS devices, it is the ONLY place to find apps.

Traditional Mac computers (iMac, MacBooks, Mac Pro, etc), aren't (yet?) locked into the App Store ecosystem (not sure they should be really). MAC Defender and MAC Security obviously aren't part of that ecosystem either, and as described in the article, downloaded via Javascript. The end user in this case, regardless of the existence of the App Store, still chose to download and install the malware.

In the end, the argument becomes, does Apple lock down all computing systems to App Store purchases/updates? An even better question might be - could they?
dano
if it is to be, it is up to me...
post #10 of 95
Quote:
Originally Posted by David Forbes View Post

Isn't this the kind of problem the Mac App Store is designed to defend against?

Yep, and a good solution it is for the novice user. Perhaps once enough A-level apps are on the App Store, the default setup for the OS could only allow installing from the App Store.

I think it's unacceptable for a computer to only allow installation from there, since it's supposed to be much more of a pro tool than e.g. an iPad, but it's acceptable for it to be the default setting which a pro can disable.
post #11 of 95
Quote:
Originally Posted by David Forbes View Post

Isn't this the kind of problem the Mac App Store is designed to defend against?

You're trolling. But for those who don't know, the answer is no, that is not what the Mac App Store is for. The Mac App Store is to provide a centralized, ready-made marketing channel for developers to sell Mac software to customers. Apple gets a fee for providing this service. Any developer is also free to market software through any other channel. The Mac App Store has absolutely nothing to do with stopping viruses and malware.
post #12 of 95
Quote:
Originally Posted by muser View Post

The Mac App Store has absolutely nothing to do with stopping viruses and malware.

What about the fact that Apple performs QA on any apps they allow on there?
post #13 of 95
Quote:
Originally Posted by ascii View Post

It's partly Apple's fault for having the "open safe files after downloading" feature in Safari. That feature is just asking for this kind of attack.

I don't recall if that is on or off by default, but that still does not solve the problem. It only means the non-paranoid among us only have to take an additional step, and that is opening the DMG file after it is downloaded. I am sure that will pose no barrier to the people who will run anything they get.

I seem to recall one of the tech writers claiming he could name a file "this is a virus.com" and people would still run it. The same applies to many Mac users as well. Social engineering is OS agnostic as this incident shows. :-)
post #14 of 95
It's all those switchers. Allow/Deny clickers. They are conditioned to always click Allow because on Windows if they click Deny the message just pops up again over and over.

Life is too short to drink bad coffee.
post #15 of 95
Quote:
Originally Posted by AppleStud View Post

I think it's a barrage of pornography.


REALLY!!! And this is FREE???? Kewl... How can I find this supposed malware.
post #16 of 95
Quote:
Originally Posted by Protagonistic View Post

I don't recall if that is on or off by default, but that still does not solve the problem. It only means the non-paranoid among us only have to take an additional step, and that is opening the DMG file after it is downloaded. I am sure that will pose no barrier to the people who will run anything they get.

I seem to recall one of the tech writers claiming he could name a file "this is a virus.com" and people would still run it. The same applies to many Mac users as well. Social engineering is OS agnostic as this incident shows. :-)

It's on by default. Yes, you're right, there's still the danger of someone seeing it in their downloads list or folder later and running it.

Actually I think this shows the opposite of what that tech writer said. People install stuff based solely on the name, they don't do any research. If it sounds good ("MACDefender") they're in. But he was just joking of course.

I think by default OS X should allow installing off CDs and installing off the App Store, and anything else (which is just web downloads really) requires some kind of obscure setting in the Security pane.
post #17 of 95
Quote:
Originally Posted by David Forbes View Post

Isn't this the kind of problem the Mac App Store is designed to defend against?

It's not an app. You visit a web site and you get a screen that appears to be scanning your Mac for malware. Then it is announced that you do indeed have malware and it offers to install Mac Defender for you to clean your system. If you are running as an admin user, enter your password and let the installation take place, you are toast. I have personally encountered this phishing expedition myself on a website that caters to, shall we say, prurient interests.

Bottom line, as with all malware, the user has to purposely allow this stuff to be installed. It's phishing, not a virus or worm. Nonetheless, I suppose there are enough clueless idiots who will dutifully install this crap and then call Apple for help. The price of higher market share, I guess. These poor souls switched to the Mac because they kept getting their clocks cleaned by Windows malware and thought they were safe and could forget about malware.
post #18 of 95
All the stories on this just make it seem like a bigger threat than it actually is. Unlike a Windows counterpart that may execute simply by visiting the wrong webpage and exploit the OS or something, this is an app the user not only has to download, but run and type their admin password, giving it permission to do harm. Sure it's under a guise, but honestly I blame any user who installs it without the foresight to know what they are doing. A simple Google search would tell you more than you need to know about a program you are unsure of. If you didn't get it from a reputable source, you should look into it before saying yes, that simple. Mac trojans are always blown way out of proportion. All this coverage is gonna do is make the ignorant Windows fanboy masses think "haha Macs get viruses too" and the Mac users that don't know better panic.

I should write a program and call it "Big Bad" and when it runs it asks for your admin password, name, address, CC, SSN and after you enter all of it, it gives a popup saying "I just broadcast all your info to a million cyber criminals. haha. Thanks for being a mindless idiot. j/k. But if this was a real threat that's what would have happened. Know what you install next time" and if you deny the app permission or info it'll just say "Congratulations, you made a wise choice based on rational thinking".
post #19 of 95
It used to be that people who understood computing better than the average person were the ones who bought Macs. Now the average and below-average are buying them also.

This means a larger target for malware writers, which means we all will see more Mac malware in the years ahead. Thanks, new Mac users who don't understand computing.
post #20 of 95
Quote:
Originally Posted by AppleStud View Post

I think it's a barrage of pornography. Could be wrong though.

As the article notes, this is only a threat if you actively allow the installer to proceed by entering the administrator password. Most moderately advanced users will recognize this and refuse to continue. However, as Macs become more and more popular, it's true that many less-experienced users could be confused or tricked. I certainly emailed some family members who are new to Macs and reminded them to never enter their administrator password unless they were completely sure why they were doing it and trusted the download source.

Lion has included a very minor, but important, change to the window where you input your admin credentials. It won't stop the ignorant from foolishly installing items, but having the button now state the action it will take is a good move, albeit a minor one.

Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
post #21 of 95
Quote:
Originally Posted by ascii View Post

It's partly Apple's fault for having the "open safe files after downloading" feature in Safari. That feature is just asking for this kind of attack.

Executable files are never considered safe and are never automatically launched. So NO this feature is NOT asking for this kind of attack.
post #22 of 95
Quote:
Originally Posted by AppleStud View Post

I think it's a barrage of pornography. Could be wrong though.

As the article notes, this is only a threat if you actively allow the installer to proceed by entering the administrator password. Most moderately advanced users will recognize this and refuse to continue. However, as Macs become more and more popular, it's true that many less-experienced users could be confused or tricked. I certainly emailed some family members who are new to Macs and reminded them to never enter their administrator password unless they were completely sure why they were doing it and trusted the download source.

Actually, I think what it does is get your credit card details. You have to buy Mac Defender to clean the supposed malware it's found. And once they've got your credit card, they take you to the cleaners.
post #23 of 95
Quote:
Originally Posted by ascii View Post

It's partly Apple's fault for having the "open safe files after downloading" feature in Safari. That feature is just asking for this kind of attack.

*bump*
post #24 of 95
Quote:
Originally Posted by ascii View Post

What about the fact that Apple performs QA on any apps they allow on there?

Like many vendors, Apple does some verification that the apps sold in their store meet their minimum quality standards. That's a far cry from doing any deep investigation or making any strong guarantees about the software. No vendor will ever guarantee you won't get malware from something in their store.

But more importantly, that isn't the only way to put software on your computer. There are many ways to get software on your computer besides the Mac App Store, so even if it were perfect, it wouldn't stop malware from getting on your computer. Apple will never block other channels, because the Mac is a general purpose computer. This MACDefender is a case in point. It wasn't installed from the Mac App Store.

Malware is a consumer-centric problem, not a provider-centric problem. To even attempt to stop malware from getting installed on your computer, you need a solution that surrounds your computer. You need anti-virus software designed to run on your computer and monitor it, like all the traditional anti-virus programs out there. Even then, it is a never-ending battle between the virus makers and the virus defenders that must be vigilantly fought.

The Mac is not and will never be immune to malware because of the nature of general purpose computers. The battle just hasn't heated up yet on the Mac.
post #25 of 95
Quote:
Originally Posted by solipsism View Post

Lion has included a very minor, but important, change to the window where you input your admin credentials. It won't stop the ignorant from foolishly installing items, but having the button now state the action it will take is a good move, albeit a minor one.


I've tried to cancel that twice now... time to leave a different window open...
Hmmmmmm...
post #26 of 95
The problem with articles such as these is that the majority of people out there probably do not understand the difference between malware and a trojan or virus.

In this case, you are freely choosing to run the malware. There is no security vulnerability that is being exploited. Someone could tell you how to make poison saying it is a recipe for brownies. It is up to you to determine that antifreeze isn't a normal ingredient.

In the future, the AppStore model will help protect the easily manipulated. So much for Darwinism.
post #27 of 95
A person I know contacted me about it. She got it by clicking on a Craigslist ad. I talked her through it in a few minutes.

I blame people's willingness to click "OK" on years and years of EULAs that are incomprehensible and endless. The industry has brought it on themselves.
post #28 of 95
Quote:
Originally Posted by universeman View Post

It used to be that people who understood computing better than the average person, were the ones who bought Macs. Now the average and below-average are buying them also.

This means a larger target for malware writers, which means we all will see more Mac malware in the years ahead. Thanks, new Mac users who don't understand computing.

If what you say is true then we should have seen more and more malware developers every year since Macs have increased. Since there were more viruses and malware pre-Mac OS X, that jump in sales should have shown a considerable jump in Mac OS X viruses.

And what about iOS-based devices. Over 150M sold, a higher installed base than Macs, and being used on average by a much younger individual. Where are all those viruses?
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
post #29 of 95
Quote:
Originally Posted by muser View Post

You're trolling. But for those who don't know, the answer is no, that is not what the Mac App Store is for. The Mac App Store is to provide a centralized, ready-made marketing channel for developers to sell Mac software to customers. Apple gets a fee for providing this service. Any developer is also free to market software through any other channel. The Mac App Store has absolutely nothing to do with stopping viruses and malware.

I am absolutely NOT trolling and resent the accusation when I asked a legitimate question.
post #30 of 95
Quote:
Originally Posted by muser View Post

You're trolling. But for those who don't know, the answer is no, that is not what the Mac App Store is for. The Mac App Store is to provide a centralized, ready-made marketing channel for developers to sell Mac software to customers. Apple gets a fee for providing this service. Any developer is also free to market software through any other channel. The Mac App Store has absolutely nothing to do with stopping viruses and malware.

I think the point is it could. Certainly the OS could ship with a preference that restricted against running code downloaded from the internet outside of the app store. Make it user settable to have the restriction or not, and default the install to having the restriction.
post #31 of 95
Quote:
Originally Posted by muser View Post

You're trolling. But for those who don't know, the answer is no, that is not what the Mac App Store is for. The Mac App Store is to provide a centralized, ready-made marketing channel for developers to sell Mac software to customers. Apple gets a fee for providing this service. Any developer is also free to market software through any other channel. The Mac App Store has absolutely nothing to do with stopping viruses and malware.

Guarding against malware is one of the reasons given by Apple for the iOS App store, that much was covered in interviews from Steve Jobs when the app store was announced. It's understandable that people would assume that idea transfers to the Mac App store.

So, no, I really don't think it's trolling, and I think you should be a little more careful in slinging the troll accusation. It adds to the hostility and we don't really need that.
post #32 of 95
Quote:
Originally Posted by AppleInsider View Post

A series of bullet points accompanying the document state that employees should not confirm or deny that the malware has ben installed, attempt to uninstall it, or send customers to Tier 2 for further resolution. In addition, representatives are also told not to refer customers to the Apple Store, as those employees do not remove malware either.

I understand that they don't provide support for something that's not their problem, but to order them to not say they have malware is baffling. That's information the customer needs to know. If it means they shouldn't check for it, OK, fine, but if they know what the problem is, then why not say?
post #33 of 95
I do Mac phone support (independently) and have only gotten one call (two weeks ago) and helped someone remove the virus. www.macphonesupport.net This sounds a lot more widespread than I thought or realized, and Apple not helping their customers, that's bad for them and the customers, as the customer has to come to people like me and pay to get the virus removed from their Mac.
Get busy living or get busy dying--Stephen King
post #34 of 95
Quote:
Originally Posted by muser View Post

You're trolling. But for those who don't know, the answer is no, that is not what the Mac App Store is for. The Mac App Store is to provide a centralized, ready-made marketing channel for developers to sell Mac software to customers. Apple gets a fee for providing this service. Any developer is also free to market software through any other channel. The Mac App Store has absolutely nothing to do with stopping viruses and malware.

I think you are being a little hard on David. I think it is not far fetched to believe that the app store will have the effect of "safety" by providing a centralized and trusted system for downloading apps. Yes, that is a byproduct but I think the example set by the iOS app store is a good reference.

TechnoMinds

We are a Montreal based technology company that offers a variety of tech services such as tech support for Apple products, Drupal based website development, computer training and iCloud...
post #35 of 95
Quote:
With virtually no effort on your part, Mac OS X defends against viruses and other malicious applications, or malware. http://www.apple.com/why-mac/better-os/

Yeah right!
post #36 of 95
Quote:
employees should not confirm or deny that the malware has been installed

I take issue with Apple's position above. This is akin to a doctor finding cancer in a patient and being instructed by his hospital employer not to say anything. It's malpractice. Perhaps he's not allowed to operate on the cancer but it's a duty to inform a patient that something is wrong if they are unaware. Apple is pure fail on this point.
post #37 of 95
Quote:
Originally Posted by esummers View Post

Executable files are never considered safe and are never automatically launched. So NO this feature is NOT asking for this kind of attack.

Executable files aren't, but installers are. If you download a DMG file with an installer in it, it will open the DMG, extract the installer, and attempt to install the software. Brilliant.

Granted, you DO have to enter an admin password for the software to actually install. So there is that.
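A defender-side check for the points this thread keeps returning to: Safari's "Open 'safe' files after downloading" preference (posts #6, #13, #21, #37), whether the account that would type the password is an admin (post #17), and the opening post's advice to look for the app in the Applications folder and stop its process. This is an added example, not code from the thread, from Apple or from any poster; the bundle names it looks for ("MacDefender", "MacSecurity") are the names the thread mentions, the Safari preference key is Safari's AutoOpenSafeDownloads default, and everything else is assumed.

```sh
#!/bin/sh
# Added example (not from the AppleInsider thread): a small audit script for
# the settings and artifacts discussed above. The pure-logic functions take
# their input as arguments so they can be exercised on any POSIX shell; the
# top-level audit only calls macOS tools when they are present.

# Interpret the value "defaults read com.apple.Safari AutoOpenSafeDownloads"
# prints. Prints "enabled" for 1/true, "disabled" for 0/false, else "unknown".
safari_auto_open_state() {
    case "$1" in
        1|true|TRUE|yes|YES)   echo enabled ;;
        0|false|FALSE|no|NO)   echo disabled ;;
        *)                     echo unknown ;;
    esac
}

# Return 0 when "admin" appears in a space-separated group list, which is the
# form `id -Gn` prints on macOS. The installer only does harm if the password
# of an account in this group is supplied.
in_admin_group() {
    for g in $1; do
        [ "$g" = "admin" ] && return 0
    done
    return 1
}

# Print, one per line, the .app bundles under $1 whose name (ignoring case and
# spaces) matches the rogue AV names the thread mentions.
find_rogue_bundles() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for entry in "$dir"/*.app; do
        [ -e "$entry" ] || continue
        name=$(basename "$entry" .app | tr '[:upper:]' '[:lower:]' | tr -d ' ')
        case "$name" in
            macdefender|macsecurity) basename "$entry" ;;
        esac
    done
}

# Top-level audit. Only meaningful on macOS, hence the command checks.
audit_mac() {
    if command -v defaults >/dev/null 2>&1; then
        val=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo "")
        echo "Safari auto-open safe files: $(safari_auto_open_state "$val")"
    fi
    if in_admin_group "$(id -Gn)"; then
        echo "Current user is an admin: an installer prompt will accept this account's password"
    else
        echo "Current user is not an admin"
    fi
    found=$(find_rogue_bundles /Applications)
    if [ -n "$found" ]; then
        echo "Suspicious bundles in /Applications:"
        echo "$found"
    fi
    # Same check as Activity Monitor, from the shell: is a matching process running?
    if command -v pgrep >/dev/null 2>&1 && pgrep -l -f '[Mm]ac[Dd]efender|[Mm]ac[Ss]ecurity' 2>/dev/null; then
        echo "A matching process is running; quit it before removing the bundle"
    fi
    return 0
}

audit_mac
```

On a Mac, `defaults write com.apple.Safari AutoOpenSafeDownloads -bool false` turns the auto-open behaviour off; the script only reports, it changes nothing.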
post #38 of 95
If it takes one button click to install it, then it should, as an OSX function, take one button click to uninstall it.

On install, OSX should be identifying all the installed pieces and files. Users should never have to figure out a 'procedure' for finding them.

Freeze should stop the app from running including any background processes.

Uninstall should tell you what it wants to remove: The app, preferences, and also files created - you choose.

This should never get as far as support, except to ask what the app is.

Many of the most important software concepts were invented in the 70s and forgotten in the 80s.
post #39 of 95
Quote:
Originally Posted by David Forbes View Post

I am absolutely NOT trolling and resent the accusation when I asked a legitimate question.

Ok, I apologize for saying you were trolling. I've just seen a lot of people making remarks that fit the pattern "Isn't that what so-and-so was for", in an attempt to snidely say it failed at that, when it really wasn't for that. I made a mistake in thinking you were doing the same thing. Sorry about that.
post #40 of 95
Quote:
Originally Posted by island hermit View Post

I've tried to cancel that twice now... time to leave a different window open...

You may have to format your hard drive to get rid of it.
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"