New malware attacks Mac OS X users through Apple Safari browser
Newly discovered malicious software dubbed "MACDefender" takes aim at users of the Mac OS X operating system by automatically downloading a file through JavaScript. But users must also agree to install the software, leaving the potential threat limited.
The new MACDefender malware was first noted on Saturday by users of the Apple Support Communities, and was highlighted on Monday by antivirus company Intego. If the right settings are enabled in Apple's Safari browser, MACDefender can be downloaded to a system after a user clicks a link while searching the Internet.
"When a user clicks a link after performing a search on a search engine such as Google, this takes them to a web site whose page contains JavaScript that automatically downloads a file," Intego said. "In this case, the file downloaded is a compressed ZIP archive, which, if a specific option in a web browser is checked (Open 'safe' files after downloading in Safari, for example), will open."
However, users must still agree to install the malware after it downloads. After the ZIP file is extracted, users are presented with the "MACDefender Setup Installer," at which point they must agree to continue and provide an administrator password.
Because of the fact that users must agree to install the software and provide a password, Intego categorized the threat with MACDefender as "low."
Users on Apple's support forums advise killing active processes from the application using the Mac OS X Activity Monitor. MACDefender can then be deleted from the Applications folder by dragging it into the trash.
The malware is not to be confused with MacDefender, the maker of geocaching software including GCStatistic and DTmatrix. The company noted on its site it is not affiliated with the malware.
Malware spreads through search engines like Google via a method known as "SEO poisoning." The sites are designed to game search engine algorithms and show up when users search for certain topics.
The new MACDefender malware was first noted on Saturday by users of the Apple Support Communities, and was highlighted on Monday by antivirus company Intego. If the right settings are enabled in Apple's Safari browser, MACDefender can be downloaded to a system after a user clicks a link while searching the Internet.
"When a user clicks a link after performing a search on a search engine such as Google, this takes them to a web site whose page contains JavaScript that automatically downloads a file," Intego said. "In this case, the file downloaded is a compressed ZIP archive, which, if a specific option in a web browser is checked (Open 'safe' files after downloading in Safari, for example), will open."
However, users must still agree to install the malware after it downloads. After the ZIP file is extracted, users are presented with the "MACDefender Setup Installer," at which point they must agree to continue and provide an administrator password.
Because of the fact that users must agree to install the software and provide a password, Intego categorized the threat with MACDefender as "low."
Users on Apple's support forums advise killing active processes from the application using the Mac OS X Activity Monitor. MACDefender can then be deleted from the Applications folder by dragging it into the trash.
The malware is not to be confused with MacDefender, the maker of geocaching software including GCStatistic and DTmatrix. The company noted on its site it is not affiliated with the malware.
Malware spreads through search engines like Google via a method known as "SEO poisoning." The sites are designed to game search engine algorithms and show up when users search for certain topics.
Comments
OMG!!!111!!! A VIRUS for the Macz!!! But, wait... You have to install it yourself. Again.
FWIW, I think this malware was the same that attempted to attack Firefox today. In this case it was blocked by the browser itself, with an on-screen warning that an unknown program was attempting to spoof an official Java update and had not been allowed. I don't know if Safari is giving the same warning. If not, Apple needs to.
There's a good possibility this piece of malware may get some traction. It's an issue many here would want to discuss since Apple's OS is generally said to be immune to these types of attacks. Users are lax about taking the basic security precautions that users of other OS's do.
FWIW, I think this malware was the same that attempted to attack Firefox today. In this case it was blocked by the browser itself, with an on-screen warning that an unknown program was attempting to spoof an official Java update and had not been allowed. I don't know if Safari is giving the same warning. If not, Apple needs to.
Good point. Mac OS can be as easily compromised by smart hackers as any other OSes. Its primary protection is relatively low market share (still). But this will change because of Apple's increasing profile/notoriety. The iOS devices will be targeted too.
Mac users have to be smart enough to consider the same steps of protection as Windows users, including installing anti-malware programs. Some will arrogantly defend Mac OSX as a fortress against viruses. But that is just not true.
Here we go again...
If I read correctly, you don't have to "install it yourself". You only need to agree for it to continue. In essence it works just like the malware hidden in a few Android Market apps last year. It/they couldn't load itself without the user agreeing to allow it to continue the installation.
And still no viruses.
Nothing to see here. Again.
So that brings the grand total to what, 3 pieces of malware in the wild since 2001?
And still no viruses.
Nothing to see here. Again.
Which demonstrates why this piece may grab some victims. Your attitude towards malware and viruses is typical of many other users of Apple products.
The software with needed basic precautions is relatively inexpensive. There's probably even free solutions, tho I haven't looked. In any case, why not use them?
If I read correctly, you don't have to "install it yourself". You only need to agree for it to continue. In essence it works just like the malware hidden in a few Android Market apps last year. It/they couldn't load itself without the user agreeing to allow it to continue the installation.
Many users are unfamiliar with installing applications on Mac OS X and Windows. An official looking window opens and tells them there is a problem. Please click the button to have it resolved automatically. Many non-technical users get fooled by this on Windows and there is no reason to think that naive Mac users won't be fooled as well. At least on Mac a warning pops up saying you are about to open a file downloaded from the Internet. Not sure what Windows 7 does since I haven't used it yet. In either case, no one on this forum would be fooled but the general public might be. Depending on the severity of the payload, if you don't have any means of cleaning it up after the fact, such as anti virus software what do you do?
Also many novice Mac and Windows users are running with admin privileges so they know the admin password.
Which demonstrates why this piece may grab some victims. Your attitude towards malware and viruses is typical of many other users of Apple products.
The software with needed basic precautions is relatively inexpensive. There's probably even free solutions, tho I haven't looked. In any case, why not use them?
-Because if you're an avid computer (as in person who computes), then you know well enough not to install random apps that you didn't download.
-Because antivirus and anitimalware software are bloat and unecessary 99% of the time for consumers who have little to no assets worth protecting.
Many users are unfamiliar with installing applications on Mac OS X and Windows. An official looking window opens and tells them there is a problem. Please click the button to have it resolved automatically. Many non-technical users get fooled by this on Windows and there is no reason to think that naive Mac users won't be fooled as well. At least on Mac a warning pops up saying you are about to open a file downloaded from the Internet. Not sure what Windows 7 does since I haven't used it yet. In either case, no one on this forum would be fooled but the general public might be. Depending on the severity of the payload, if you don't have any means of cleaning it up after the fact, such as anti virus software what do you do?
It's the same in windows 7. If you have a virus or malware on your computer - you installed it yourself.
Edit: Actually, this may be worse on the Mac because for some crazy reason, Safari flags .zip files as safe. Ack!
Which demonstrates why this piece may grab some victims. Your attitude towards malware and viruses is typical of many other users of Apple products.
The software with needed basic precautions is relatively inexpensive. There's probably even free solutions, tho I haven't looked. In any case, why not use them?
But continue not to use basic malware detection software, nor recommend it to anyone else using Apple products.
Forewarned is forearmed.
If I read correctly, you don't have to "install it yourself". You only need to agree for it to continue.
While I didn't try it (for obvious reasons), I'm pretty certain you also need to enter an administrator username and password to install it (like most software installed using Installer). So it's a bit more work than just clicking to continue, and would likely raise red flags with most people (i.e. why is a web link asking me to enter an administrator password?).
One of the benefits of a system which was designed to be multiuser from the ground up (i.e. UNIX, the foundation on which Mac OS X is built) is that a program running as a regular (non-admin) user can only affect things on the system owned by that user (i.e. not operating system files or other important system data). Only by authenticating as an administrator user can a program affect important system functions. And if you don't scrutinize everything which asks you for administrator access (password), then there's really nothing which can save you. I mean, you wouldn't give a random person on the street the key to your house if they asked, would you?
While I didn't try it (for obvious reasons), I'm pretty certain you also need to enter an administrator username and password to install it (like most software installed using Installer). So it's a bit more work than just clicking to continue, and would likely raise red flags with most people (i.e. why is a web link asking me to enter an administrator password?).
One of the benefits of a system which was designed to be multiuser from the ground up (i.e. UNIX, the foundation on which Mac OS X is built) is that a program running as a regular (non-admin) user can only affect things on the system owned by that user (i.e. not operating system files or other important system data). Only by authenticating as an administrator user can a program affect important system functions. And if you don't scrutinize everything which asks you for administrator access (password), then there's really nothing which can save you. I mean, you wouldn't give a random person on the street the key to your house if they asked, would you?
Nope. A key would be out of the question. But why?
Because I'm aware that nefarious people exist, and that not everyone that wants to talk to me means no harm.
Many Apple user's don't know that when it comes to their Apple product. They assume they're automatically protected by Apple's systems. So why not trust the guy at the door? Every user already knows he can't hurt you.
And there's the difference.
I mean, you wouldn't give a random person on the street the key to your house if they asked, would you?
But it is not a random person. It is someone impersonating a uniformed officer who says that we have reason to believe there may be a dangerous situation in your home, give us the key and the alarm code and we'll check it out just to be safe.
As I mentioned earlier, for ease of use, the single user on the computer is often the admin so they know the password, regardless if they are qualified to be the administrator or not.
So this malware does...?
Good point. The only reason I read the article and it wasn't mentioned.
Good point. The only reason I read the article and it wasn't mentioned.
Upon installation, the application adds itself to the user?s Login Items, so it will relaunch each time the user logs in or starts up their computer. The application itself cannot be quit easily, as there is no Dock icon.
(One thing to point out is that, in the past, these types of sites?very common vectors of Windows malware?only delivered Windows .exe applications. The fact that such a site is providing a Mac rogue antivirus is new, and extremely rare. While the site itself still shows a fake Windows screen, the rogue antivirus itself is a well-designed Mac application.)
This application is very well designed, and looks professional. There are a number of different screens, and the grammar and spelling are correct, the buttons are attractive, and the overall look and feel of the program give it a professional look. It will occasionally display alerts, telling users that viruses are found:
MAC Defender also opens web pages for pornographic web sites in the user?s web browser every few minutes. This is most likely to make users think that they are infected by a virus, and that paying for MAC Defender will relieve them of the problem.
Clicking the Register button on the About screen takes users to a web page where they can purchase a license for the program: either a 1-year, 2-year, or lifetime license. Users are asked to provide a credit card number, and the web page used is not secure. The scam here is to charge users for a program that doesn?t do anything; the virus warnings presented are bogus, and after paying, they no longer display, so users think the program has done something useful. It is also possible that these credit card numbers, given via an unsecure web page, could be used for other purposes.
If I read correctly, you don't have to "install it yourself". You only need to agree for it to continue. In essence it works just like the malware hidden in a few Android Market apps last year. It/they couldn't load itself without the user agreeing to allow it to continue the installation.
As the next person states, you also have to type in an admin password.
While I didn't try it (for obvious reasons), I'm pretty certain you also need to enter an administrator username and password to install it (like most software installed using Installer). So it's a bit more work than just clicking to continue, and would likely raise red flags with most people (i.e. why is a web link asking me to enter an administrator password?).
One of the benefits of a system which was designed to be multiuser from the ground up (i.e. UNIX, the foundation on which Mac OS X is built) is that a program running as a regular (non-admin) user can only affect things on the system owned by that user (i.e. not operating system files or other important system data). Only by authenticating as an administrator user can a program affect important system functions. And if you don't scrutinize everything which asks you for administrator access (password), then there's really nothing which can save you. I mean, you wouldn't give a random person on the street the key to your house if they asked, would you?
This is also way few people should ever be using an admin account as their daily use account (this applies for Macs and Windows). Even if you are the only person using your computer, having to enter a different login than your normally daily login should give you enough warning to avoid doing something stupid.
But what I find quite often from Windows converts is that years of using Windows has caused them to develop a reflex action to simply click-through warnings and pop-ups without reading them first. And on my Windows PC at work (we are stuck on XP for now), I'll occassionally get a login window popping up randomly because some application (usually Outlook) has gotten "lost" and forgotten how to log into some network resource (Exchange in the case of Outlook). And the login NEVER tells you what application is requesting the password and why. As a Mac user, I used to always dismiss these login windows out of caution only to find out later that Outlook hasn't been retrieving my mail. But now I've been trained by experience with Windows to simply enter in my login info and hope that it's for some application that I'm legitamately trying to run and not some malware trying to "social engineer" me and take over my computer.
Maybe warnings and install windows should have a delay built them..you aren't allowed to click "OK" for at least 5 seconds. Then maybe more people would read the dialog before clicking.