'MACDefender' on Apple's radar as OS X malware spreads - report - Page 2

There are plenty of switchers out there these days who are pre conditioned to expect such things from their PC days who could fall for this.

I do wish Apple was more on top of their installed apps. If an app has an installer you can often use Show Log to see where the files will be placed, but it’s ultimately pointless since launching the program can add files elsewhere in your system.

AppTrap does a decent job of running quietly in the background and then finding pieces of apps that you choose to through in the trash. Since I don’t throw many apps out I leave it turned off until I want to use it.

•

http://onnati.net/apptrap/

As others have said, it's a dmg with an installer script, and Safari trusts both of those (since they're essentially data).

Malware is not fatal. I can see Apple's position on this. Apple service personnel are not trained in diagnosing or removing viruses and malware. In this case even investigating the problem might expose the technician to explicit images that they probably would rather not be required to view.

I think the password screen could be improved significantly - including info about WHAT is being installed - or WHERE - etc - not that the writer of the virus couldn't get creative with it - but some sort of way to see more info - or maybe even some sort of Verify button that would check a security certificate or something.

Not saying that I have an answer here - but if a browser can block phising and alerts me when there are missing or invalid certificates - then the installer ought to be able to do something to at least provide more information about what it is doing.

i'm surprised NOT ONE PERSON here even mentioned this: APPLE IS REMOVING JAVA from the OS when LION is released in the WILD!!! so these types of Java Runtime apps will not get installed on to your MAC ANYMORE!! see the link at the bottom of this post:

No Java runtime

Also missing from Lion is a preinstalled Java runtime capable of executing "100% pure" Java apps. There are few examples of Java desktop apps in the wild, so most users won't notice. Not bundling the runtime will erase a large number of security vulnerabilities from the reported list of issues related to Mac OS X going forward however, as Java exists as a parallel platform to Apple's native Cocoa.

When users attempt to run a Java app, Lion offers to look online for a version it can install, and will download and install a slightly newer version than is currently available for Snow Leopard today (1.6.0_24-b07-329, rather than 1.6.0_22-b04-307).

Apple announced earlier that it would be working with Oracle to divest itself of maintenance of the Java platform on Macs, setting up a new OpenJDK Project for Java on Mac OS X going forward, starting with the release of Java SE 7.

Apple noted that the Java runtime may be removed from future versions of its operating system, and it appears that will be the case with Lion, albeit with a rather painless install option for users who need it.

http://www.appleinsider.com/articles...e_rosetta.html

just my 2 cents.. BITZANDBITEZ @ your service... ; )

I realized this was posted on a Saturday so maybe most of you were out for the weekend and didn't see this..

(this includes the TROLLS up in here and U know who U R...)

Apology accepted. I'm an iOS user (iPhone, iPad), but don't yet have a desktop Mac, though I will with my next purchase when my current PC (piece of crap) expires. I honestly thought that one of the reasons given for the Mac moving to an app store model was to curb the potential for this kind of mischief. I wasn't implying at all that it failed.

You say that Apple only does minimum quality checks. I'm not sure how you know this. I have heard they do quite vigorous automated checks of the executables to look for suspicious API calls. Whatever they're doing I have never heard of Malware appearing on the App Store.


Yes there are many ways to get apps on your computer, but what are the typical malware vectors? Not CD/DVD which are typically commercial apps. Web downloads and email attachments are the main sources, and Safari and Mail already have knowledge of certain Mac Malware and block it.


It could come to that, with the Mac requiring as full and invasive security software as Windows. But let's not jump the gun. So far the Mac has had very few exploits actually exploited in the wild. The main problem seems to be Trojans like this popping up every few months. So far things have been controlled by Apple making Safari recognise them. Let's see how things develop with the App Store in the next few years.

Apple's statement is perfectly correct. Mac OS X still has no known viral threats, and as this incident demonstrates you are pretty much only going to damage your machine if you explicitly tell the computer it's okay for it to do something it probably shouldn't.

Well over half of all the malware exploits on OS X are the result of vulnerabilities not in OS X itself, but in Adobe's Flash and also in Java. Hence, Apple has taken steps to ensure the latest version is in use (When it comes to Flash) and to simply remove the runtime altogether (At least as part of a native install) in the case of Java.

Maybe the REAL problem is that switchers think they need anti-virus software and are so conditioned to believe it that they run this. So in effect, this is Microsoft's fault.

The fundamental problem is that computers are just machines - they don't understand the software they're running in the way a human understands things, so they can't tell what's malware and what isn't. Existing security software uses signatures and heuristics to identify malware but this is only as good as your virus definitions file which is why the industry is in a constant cat and mouse battle.

Apple has decided to fundamentally tackle the problem by putting a human in the loop. The user is not an acceptable candidate since they may be a layman, but a person on the server side (App Store) whose profession it is to do this type of activity has a much better chance.

This is a fundamentally better solution than a virus program.

I do not believe there is any evidence to support your assertion. In fact, this article suggests that user error is probably the biggest security threat on the OS X platform and I would think javascript to be the second most exploited attack vector.

They should change the wording of this - it sounds like your computer is telling you that you should go ahead and type your password. They should make it more neutral, or even more of a warning: "A program is trying to install software on your computer. If you are sure the software is safe and wish to install it, type in your password." And they could change the icon to a skull and crossbones with a question mark over it.

And they could enact the Brady Bill into new app installations that require you to wait several days before the app is usable.

It's javascript that's the culprit here. Javascript has nothing to do with Java.
Lion will not be safer in this respect because javascript is used in every modern website, it's one of the pillars of the new web. Java on the other hand will die a slow death.

J.

That dialog is rather useless in my opinion. It's not actually asking the user for their password, it's asking for an admin password - the assumption being that the admin is a guru who will know what is safe.

But it's just a holdover from the server origins of OS X - in reality there never is an admin, so you are trusting a layman to decide what's safe to install which is a flawed model. In that sense the App Store gives every Apple customer access to an admin.

I work in the UK for a large PC repair shop. We see tons of malware on windows machines daily, which is incredibly difficult to get rid of or remove.

This piece of malware/virus is a complete joke. A few weeks ago we had our first customer come in with this. I was pretty shocked, but then when i looked at how stupid this program was compared to the ones you get in windows, I just shook my head.

To remove the malware you simply bring up activity monitor, disable "Macdefender", go to finder, drag the "MacDefender" app into the trash and restart the computer. You might want to take it out of login items from users as well. But that's it.

It's so easy to remove.

It's not a virus. It's simply another app, which the user agrees to install and then it comes up and pretends you are infected. It really makes me LOL.

If I'm not mistaken, it was the infamous Charlie Miller that stated that Flash was the largest security threat on any platform... or maybe one of his compatriots at SecCom? Too lazy to Goggle it myself...be my guest.

and you were using Safari wouldn't you have gotten this warning?

http://www.appleinsider.com/articles...rotection.html

Yes, I was trying to remove malware from my Mom's PC and it was very cunning in hiding itself compared to the amateur stuff coming Apple's way. This slightly supports the security through obscurity argument, but only time will tell.

One things that's missing here is for the OS to be doing its real job - both OSX and Windows.

The OS must know the provenance of every object in its system. So if we point at an app, then we can grab all its files, processes, etc without having to google it and hope someone has been there before.

Apple could do a *lot* to protect its users, through good OS design, long before we get to anti-malware tools.

Just out of curiosity, if someone knows your admin username and password, can an app install itself, or is that security window manual entry only?

Exactly, the same people fighting the app store & ragging on it are the same people that hate the closed ecosystem of iPhone/iPad/iPod. Spyware & malware can be easily avoided if users take some time to actually care about what they do on the web, unfortunately most people are to busy to educate themselves until it is too late.

In addition drag & drop apps should be outright banned, it's time companies like Mozilla learned to use the package builder that comes free with every single OS X install disk!

Depends on if you are already running malware. If not then no, manual entry required.

The real issue with this malware is that Safari's default settings are open "safe" files after downloading, this should have never been a feature in the first place. Whoever made the decision to have that as a feature in Safari should get a HUGE F- on security. First thing I always do is disable this feature in Safari.

The reason I was curious about the admin login is it seems to me Apple should have an admin account and password set up during the default setup process. So many users run their user account as admin because no-one ever told them otherwise. So even if Apple created an admin account with a password of the user's birth year, it would still offer some basic protection for naive users. Otherwise they'd never even see the admin login (?), which is even worse.

No it cannot install itself, unless your system is already "hacked".

OS X malware is spreading?

A new trojan reported every 2-3 years isn't exactly "spreading."

This is no different than the Leap-A situation in 2006, and the iWork trojan situation in 2009.

At this rate, that alleged vast ocean of OS X malware will hit our shores around 2050.

This is a non-event. Like it's been over the past decade: the 2 or 3 year mark hits since the last time, the media and everyone and their dog are all over it, we're told that this is the end, etc. Then we forget about it all until about 2 or 3 years later.

It's been "the end" since 2002 or so. Still waiting to see it.

The setup process requires you to make an administrator account. But note that even if you run as an administrator you don't have administrator rights. So each time an action is required like installing software, access to your keychain etc., your rights must be elevated via a manual entry. This - in essence - makes it very hard to write a virus for the Mac even if you have an administrator password.

J.

No, the application is distributed by Javascript therefore is bypassing the Mac Store.

Still you have to do a *lot* of dumb stuff to make the attack work. You have to:

- ignore the makepackage jumping up and down on the dock
- click on it
- give it your admin credentials
- let it "scan" your hard drive
- click on the button to buy it (which actually steals your info)

I know lots of people do it, but the bottom line is you are an idiot to do this stuff and it doesn't matter if it's mac or windows really as those idiots exist on all platforms.

The head of the finance department did this where I work, which is kinda funny.

I have no idea if these guys have any agenda or are completely on the up and up. Posting it as reference only as it does add some additional info to what's going on with the MacDefender malware and similar variants. Note that an iPad malware version is expected according to the article.

http://www.securitynewsdaily.com/era...ity-over-0791/

It's not security through obscurity, it's security through a 40 year old backend that was last hit by a major virus 20 years ago.

This is also NOT a virus it is malware, specifically a trojan which is NOT a virus. A virus cannot be written for UNIX because it needs to have a number of factors to propagate itself, all of which Mac OS X / *NIX do not allow.

They need to be able to access parts of the system automatically such as services. This isn't allowed by *NIX systems without a username and password therefore infection is only at the hand of the user. It then needs to be able to automatically send e-mails to propagate itself on other systems. Technically possible if it can access the system which returns me back to the username and password thing which is also generally encrypted on many *NIX systems.

On the otherhand an application can be run simply by viewing a webpage which would bring up an OK/Cancel dialog box which most people just simply click OK. It then hides itself in the system from view and does whatever the hell it wants.

There is HUGE money to be made with Windows security tools not because there are more Windows machines but because it is so easy to exploit and essentially blackmail people.

Safari>Preferences>General untick the box.

Now this threat is greatly diminished.

If someone did install it, it's set to run at start up so has to be killed using activity monitor (System Preferences), found in Applications Folder and dragged to trash.

A quick trip back to System Preferences>Accounts>Login Items to make sure it's not checked and you're done, it's gone.

Whatever you do don't use credit cards to make the payment this trojan demands to "fix" your system.



I find 'AppCleaner' useful in this regard.

http://www.freemacsoft.net/AppCleaner/

Macs are no better in that regard. Software Update, "This application was downloaded from the internet" warnings, iTunes usage agreements, etc. Honestly, even the admin info window helps to train the user to not pay attention to the messages that pop up on screen.

Computer users on any OS are quickly trained to just click through everything with the hope they might actually get to the point they wanted to reach.

Much like any Rogue Antivirus software, it pops up a bunch of virus alerts of "viruses" on your computer. It also blocks internet access. To remove it, simply go to the Activity Viewer in the utilities folder, hit the processes tab and quit the process called "MacDefender" then simply delete the "MacDefender" Application installed in the applications folder.

In order for the application to install to begin with you have to give it permission, so if you get infected, really who can you blame?

Only those who listened to those Windows crowd who believe anti virus is essential is going to get burned by this malware. Ironic, isn't it. If you don't believe Mac need these stupid scanner, you never won't install this malware in the first place.

You have a good point. But I think the problem is that the telephone rep can not be sure one way, or the other, and Apple is trying to prevent the reps from attempting to determine if there is or is not malware, and then possibly being wrong. They probably should be saying "We can't tell one way or the other, Mr. Customer, but you may want to see a specialist."

Where is Snow Leopard's malware/virus/trojan protection at in all this?? Is Apple going to release an update to detect this?

The videos on Youtube show a .mpkg file being automatically downloaded and opened with the installer. Basically a guy does a Google image search, clicks on "show full image," and boom, the .mpkg file downloads and opens automatically without user intervention.

That seems like a dubious "feature" for a web browser, to say the least.

Why did Apple classify .mpkg flies as "safe" files anyway?

The "open safe files automatically" feature should go away - it leaves you wide open to any bug where a "maliciously crafted .doc (or .whatever) file can lead to arbitrary code execution." The ability for JavaScript to initiate unrequested downloads doesn't help either.

And yet here we are with malware propagating on OSX.

Security isn't just about preventing vulnerabilities in the OS, it's also about protecting vulnerabilities in the user.

Pretty dick move to tell your support people to just ignore the issue and tell the customers that apple does not help with removing malware. I really hope the tech support guys dont listen or at least point the users in the right direction. Hell it would be awesome if they recorded a step by step removal guide and simply mentioned a URL shortener to get to that guide.

That is one awesome password. Mine is only this long. *********

PS How are you liking the perpetual save feature?