Apple: There's no malware on your Mac


Ns1

No Lifer
Jun 17, 2001
55,418
1,598
126
Removal instructions are easy as fuck.

Removal steps

Move or close the Scan Window
Go to the Utilities folder in the Applications folder and launch Activity Monitor
Choose All Processes from the pop up menu in the upper right corner of the window
Under the Process Name column, look for the name of the app and click to select it; common app names include: MacDefender, MacSecurity or MacProtector
Click the Quit Process button in the upper left corner of the window and select Quit
Quit Activity Monitor application
Open the Applications folder
Locate the app ex. MacDefender, MacSecurity, MacProtector or other name
Drag to Trash, and empty Trash

Malware also installs a login item in your account in System Preferences. Removal of the login item is not necessary, but you can remove it by following the steps below.

Open System Preferences, select Accounts, then Login Items
Select the name of the app you removed in the steps above ex. MacDefender, MacSecurity, MacProtector
Click the minus button

Use the steps in the “How to avoid installing this malware” section above to remove the installer from the download location.
 

Sephire

Golden Member
Feb 9, 2011
1,689
3
76
A more dangerous version of the malware releases. Apple "fix" obsolete.

Yesterday, 25 days after the Mac Defender malware began to appear in the wild, Apple finally responded. In a technical support note, “How to avoid or remove Mac Defender malware,” the company posted instructions for users to follow if they’ve encountered this malware specimen in the wild. It also promised a security update to remove infections automatically.

File that memo under, “Too little, too late.”

Within 12 hours of Apple’s announcement, the author of the original Mac Defender program had a new variant available that renders key portions of the current Mac Defender prevention plan obsolete.
 

LegendKiller

Lifer
Mar 5, 2001
18,256
68
86
lol @ Apple. This could turn into a huge fiasco, but they've been begging for it by making people think the OS was impervious to viruses unlike Windows.

Didn't one of their commercials bash Windows for being virus prone?
 

TheStu

Moderator, Mobile Devices & Gadgets
Moderator
Sep 15, 2004
12,089
45
91
lol @ Apple. This could turn into a huge fiasco, but they've been begging for it by making people think the OS was impervious to viruses unlike Windows.

Didn't one of their commercials bash Windows for being virus prone?

They made the point that there were 114,000 viruses for Windows at the time, and 0 for OS X.
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
A more dangerous version of the malware releases. Apple "fix" obsolete.

Yesterday, 25 days after the Mac Defender malware began to appear in the wild, Apple finally responded. In a technical support note, “How to avoid or remove Mac Defender malware,” the company posted instructions for users to follow if they’ve encountered this malware specimen in the wild. It also promised a security update to remove infections automatically.

File that memo under, “Too little, too late.”

Within 12 hours of Apple’s announcement, the author of the original Mac Defender program had a new variant available that renders key portions of the current Mac Defender prevention plan obsolete.
User-level malware is a mixed bag. Without the ability to run at ring 0, it can't hide. At best it can hide from the user account that was infected, but it can't hide from any other account. Nor for that matter can it activate itself on any other accounts. This means it's easy to find and easy to eliminate.

On the flip side of course it doesn't require admin privs to install, meaning if you can trick the user into executing it (or automatically execute it in the user context) you've succeeded. The payout is far lower, but so is the bar.

The fact of the matter is that we don't see user-level malware under Windows, and that's because the inability to hide it and the ease of removal is too great. Any anti-malware suite that knows what to look for is going to find it since it runs as a privileged user. It's an amusingly rude gesture to Apple, but it's all bark and no bite. The worst thing you can do is delete everything in a user's home folder; beyond that it's almost impossible to do any of the normal things done for economic gain.
 

Emulex

Diamond Member
Jan 28, 2001
9,759
1
71
Very, very easy to trick an iOS/OS X user into putting in their root password. Do the ol' double password trick: you assume you are typing it in wrong. I found a bot the other night, haven't dissected it. Seems like with known vulnerabilities you can escalate to root. Not everyone patches up. I've seen so many Macs running .3-.5 behind, it's scary.
 

TheStu

Moderator, Mobile Devices & Gadgets
Moderator
Sep 15, 2004
12,089
45
91
Very, very easy to trick an iOS/OS X user into putting in their root password. Do the ol' double password trick: you assume you are typing it in wrong. I found a bot the other night, haven't dissected it. Seems like with known vulnerabilities you can escalate to root. Not everyone patches up. I've seen so many Macs running .3-.5 behind, it's scary.

Yes, because every Windows user is a paragon of up-to-date-ness.
 

Cogman

Lifer
Sep 19, 2000
10,280
131
106
User-level malware is a mixed bag. Without the ability to run at ring 0, it can't hide. At best it can hide from the user account that was infected, but it can't hide from any other account. Nor for that matter can it activate itself on any other accounts. This means it's easy to find and easy to eliminate.
There is still TONS of user-level malware available for Windows. While rootkits and such are nasty, I would say the bulk of infections are user-level.

On the flip side of course it doesn't require admin privs to install, meaning if you can trick the user into executing it (or automatically execute it in the user context) you've succeeded. The payout is far lower, but so is the bar.
I don't see how the payout could be lower. What do they lose? The ability to hide easily. What do they gain? All the abilities to change the machine into a dedicated spam/porn server they could want. There isn't a whole lot they lose by not being able to operate at the admin level.

The fact of the matter is that we don't see user-level malware under Windows, and that's because the inability to hide it and the ease of removal is too great. Any anti-malware suite that knows what to look for is going to find it since it runs as a privileged user. It's an amusingly rude gesture to Apple, but it's all bark and no bite. The worst thing you can do is delete everything in a user's home folder; beyond that it's almost impossible to do any of the normal things done for economic gain.
Wrong, we see TONS of user-level malware in Windows. What is more rare is kernel-level malware.

I agree that the worst viruses are kernel level, but I don't agree that most viruses are kernel level in the Windows world.
 

Cogman

Lifer
Sep 19, 2000
10,280
131
106
Yes, because every Windows user is a paragon of up-to-date-ness.

That wasn't his argument. His argument is "users are stupid". An operating system could be the definition of secure, but as long as the user is allowed to execute something with root privileges there is a possibility that they can be manipulated to run some malware at escalated privileges.
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
There is still TONS of user-level malware available for Windows. While rootkits and such are nasty, I would say the bulk of infections are user-level.


I don't see how the payout could be lower. What do they lose? The ability to hide easily. What do they gain? All the abilities to change the machine into a dedicated spam/porn server they could want. There isn't a whole lot they lose by not being able to operate at the admin level.


Wrong, we see TONS of user-level malware in Windows. What is more rare is kernel-level malware.

I agree that the worst viruses are kernel level, but I don't agree that most viruses are kernel level in the Windows world.
While I don't necessarily disagree with you, do you have any examples of any modern malware that doesn't do something in ring 0? Every major piece of malware I can think of has some kind of ring 0 component; I can't think of any malware that exclusively operates in userland. It's damn near necessary, not only for hiding but for being able to open up low-numbered ports, the half-open port limitation, keylogging, and getting around the Windows firewall.
 

Cogman

Lifer
Sep 19, 2000
10,280
131
106
While I don't necessarily disagree with you, do you have any examples of any modern malware that doesn't do something in ring 0? Every major piece of malware I can think of has some kind of ring 0 component; I can't think of any malware that exclusively operates in userland. It's damn near necessary, not only for hiding but for being able to open up low-numbered ports, the half-open port limitation, keylogging, and getting around the Windows firewall.

Opening a low level port number is not a ring 0 operation (at least not in Windows). Key logging is also not a ring 0 operation (the Windows API makes it pretty easy to do). The half-open port limitation isn't that big of a deal, as most viruses only use 1 outbound connection. Probably the biggest problem they will have is getting around the Windows firewall; that is really the only true ring 0 operation you've listed.
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
Opening a low level port number is not a ring 0 operation (at least not in Windows). Key logging is also not a ring 0 operation (the Windows API makes it pretty easy to do). The half-open port limitation isn't that big of a deal, as most viruses only use 1 outbound connection. Probably the biggest problem they will have is getting around the Windows firewall; that is really the only true ring 0 operation you've listed.
Keylogging is very much a ring 0 operation as of Vista and later. One of the big changes MS made was that non-admin processes cannot interface with the input system under most circumstances, both to prevent keylogging and to prevent malware from self-approving privilege escalation dialog boxes. There are newer userland APIs for monitoring keys, but AFAIK they can't be used for outright keylogging.

As for low numbered ports, I'll have to get back to you. I'm 99% sure non-admins can't open ports <1024, but I need to find it in writing (and besides, on Mac OS X this is definitely the case).
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Keylogging is very much a ring 0 operation as of Vista and later. One of the big changes MS made was that non-admin processes cannot interface with the input system under most circumstances, both to prevent keylogging and to prevent malware from self-approving privilege escalation dialog boxes. There are newer userland APIs for monitoring keys, but AFAIK they can't be used for outright keylogging.

As for low numbered ports, I'll have to get back to you. I'm 99% sure non-admins can't open ports <1024, but I need to find it in writing (and besides, on Mac OS X this is definitely the case).

There's a big difference between ring 0 and admin, you probably do need admin to open low order ports but you definitely don't need to be in ring 0 to do so.
 

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
48,656
5,420
136
It looks like the latest version does not require the administrator password:

http://www.computerworld.com/s/arti...are_installs_without_a_password?taxonomyId=89

However, it looks like you still have to manually run through the installer:

http://www.computerworld.com/common/images/site/features/2011/05/macguard.jpg

So avGuard.pkg auto-downloads & auto-launches, then you walk through the installation to install the second program. The workaround that they used is:

"avRunner sidesteps the need for an administrator password by putting itself directly in the Applications folder of a victimized Mac. Unlike a legitimate installer package -- or an illegitimate one for that matter -- putting an executable in the Applications folder doesn't require a password when the user is the administrator."

The bottom line is that the user still has to walk through the installation of the program to install the second piece that digs itself into the system. The hack is more of a social engineering one:

1. The user visits a site, which downloads the avRunner.pkg app

2. Safari auto-unzips files and launches them, thus auto-opening avRunner

3. The user installs avRunner, which installs the second piece of software ("Mac Guard") onto the computer, and then deletes itself (the avRunner.pkg)

4. Since most Macs are single-user accounts and are administrators of their machines, they do not require a password to be entered when installing an application to the Applications folder - but, the user still must run through the installation program manually to install the second program

5. Now the user is infected

While tricky, ultimately the user must still choose to install the Mac Guard program by hand, manually. The delivery method is sneaky because it's no different than downloading a zip file of any other program - Safari auto-downloads it, unzips it, and launches it for you to install. So a lot of people who aren't careful will unknowingly walk through the install process and get themselves infected.

Sneaky, but still not what I'd consider a huge threat - the software does not auto-install itself into your system; it prompts the user to install it. Just a localized social engineering hack, of sorts.
 

ChAoTiCpInOy

Diamond Member
Jun 24, 2006
6,442
1
81
Most of these issues seem to happen through Safari because Safari automatically opens "safe" files, is that true?
 

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
48,656
5,420
136
I should also point out a comparison to a virus I got on my Windows laptop a few months ago - the one that poses as a Windows antivirus program and kills any processes you open. I was downloading drivers for a machine on my bench and got it that way - I visited a third-party driver vendor website, which was fake, and it auto-downloaded and auto-installed the virus. It went through Firefox (latest update at the time, with the Adblock plugin), through Microsoft Security Essentials, through whatever else was on XP SP3 w/ latest updates, and within seconds had locked up the computer - no asking to download, no asking to install, just nailed within seconds of clicking on a google link.

Versus manually installing a Mac malware application :awe:
 

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
48,656
5,420
136
Most of these issues seem to happen through Safari because Safari automatically opens "safe" files, is that true?

Sort of, because that's how it's designed. It's a convenience thing. For example, open up Safari and click on the download button on The Unarchiver app page (zip app):

http://wakaba.c3.cx/s/apps/unarchiver.html

It should auto-download, unzip, and have the application ready for you to drag over to the Applications folder. There are 2 ways to install an application on a Mac - either by drag & drop (which then requires the user to click "OK" for first run), or by an installer, which may or may not require an administrator password depending on what it needs to do within the system.

So the way that the new Mac Guard malware application works is like this:

1. Visit the infected site
2. Auto-downloads the zip
3. Zip auto unzips
4. Unzipped application is a non-password installer, which auto-launches for you to walk through the installation
5. User installs program
6. Machine is now infected

Technically, the user is still at fault - the user has to manually install the application. All that's happening is a little social engineering - the app presents itself for installation, which the user then typically mindlessly walks through (doesn't pay attention to the application name).

The question then becomes, should Apple be scanning all of the websites you visit, to prevent you from all possible phishing scams? Eh, I'd say not. The solution for now, imo, is for Apple to push out an update that changes the default behavior of Internet downloads from "auto open Safe files" to "do not auto open Safe files" so that users won't fall into the trap. Apps can still auto-download, but it won't present itself, and unless the user goes looking for "avRunner" and then manually unzips it and manually installs it, well, it presents a better end-user solution.

Sneaky, eh?
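An added example, not code from the thread or from Apple's support note: a dry-run shell script that follows the removal steps pasted at the top of this page (quit the process, find the .app in Applications, check Login Items) and applies the Safari change suggested in the post above. The matched names are the ones the thread mentions (MacDefender, MacSecurity, MacProtector, Mac Guard, avRunner, avGuard); the AutoOpenSafeDownloads key is Safari's own preference for "Open safe files after downloading". Nothing is killed, deleted or changed unless DRY_RUN=0.

```shell
#!/bin/sh
# Dry-run triage for the Mac Defender family as described in this thread.
# Assumed names come from the thread; set DRY_RUN=0 to act instead of report.

DRY_RUN="${DRY_RUN:-1}"
SUSPECT_NAMES="MacDefender MacSecurity MacProtector MacGuard avRunner avGuard"

# Turn SUSPECT_NAMES into one lower-case ERE alternation: macdefender|...
suspect_regex() {
  printf '%s' "$SUSPECT_NAMES" | tr 'A-Z' 'a-z' | tr ' ' '|'
}

# Read one name per line on stdin; print those that start with a suspect
# name (case-insensitive). Shared by the process, app and login-item checks.
filter_suspect_names() {
  grep -Ei "^($(suspect_regex))"
}

# Read "PID COMMAND" lines (the shape of `ps -axo pid,comm`) on stdin and
# print the lines whose command basename is a suspect name.
find_suspect_processes() {
  while read -r pid comm; do
    if printf '%s\n' "$(basename "$comm")" | filter_suspect_names >/dev/null; then
      printf '%s %s\n' "$pid" "$comm"
    fi
  done
}

# "Open the Applications folder, locate the app": list suspect .app bundles
# in the given folder (default /Applications) so they can go to the Trash.
find_suspect_apps() {
  dir="${1:-/Applications}"
  for app in "$dir"/*.app; do
    [ -e "$app" ] || continue
    if printf '%s\n' "$(basename "$app" .app)" | filter_suspect_names >/dev/null; then
      printf '%s\n' "$app"
    fi
  done
}

# "Login Items": ask System Events for the list and keep only suspect names.
# Skipped where osascript is unavailable (i.e. not on macOS).
find_suspect_login_items() {
  command -v osascript >/dev/null || return 0
  osascript -e 'tell application "System Events" to get the name of every login item' \
    | tr ',' '\n' | sed 's/^ *//' | filter_suspect_names || true
}

# Activity Monitor's "Quit Process" step, done with kill when DRY_RUN=0.
quit_suspects() {
  ps -axo pid,comm | find_suspect_processes | while read -r pid comm; do
    echo "quit: pid $pid ($comm)"
    if [ "$DRY_RUN" = "0" ]; then kill "$pid"; fi
  done
}

# The Safari change discussed in the thread: stop auto-opening "safe" files.
harden_safari() {
  echo "defaults write com.apple.Safari AutoOpenSafeDownloads -bool false"
  if [ "$DRY_RUN" = "0" ] && command -v defaults >/dev/null; then
    defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
  fi
}

# Entry point for a real run; each function above is also usable alone.
triage() {
  quit_suspects
  find_suspect_apps | sed 's/^/trash: /'
  find_suspect_login_items | sed 's/^/login item: /'
  harden_safari
}
```

Run `triage` on the affected account; in the default dry-run mode it only reports what it would quit, trash and change.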
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
I should also point out a comparison to a virus I got on my Windows laptop a few months ago - the one that poses as a Windows antivirus program and kills any processes you open. I was downloading drivers for a machine on my bench and got it that way - I visited a third-party driver vendor website, which was fake, and it auto-downloaded and auto-installed the virus. It went through Firefox (latest update at the time, with the Adblock plugin), through Microsoft Security Essentials, through whatever else was on XP SP3 w/ latest updates, and within seconds had locked up the computer - no asking to download, no asking to install, just nailed within seconds of clicking on a google link.

Versus manually installing a Mac malware application :awe:

This is the first one to get any real press coverage, do you really think it's the last and most sophisticated one that will ever appear? I wouldn't be surprised to see ones popping up that require little to no interaction to get onto the user's desktop and are a lot harder to remove fairly soon.
 

ChAoTiCpInOy

Diamond Member
Jun 24, 2006
6,442
1
81
The question then becomes, should Apple be scanning all of the websites you visit, to prevent you from all possible phishing scams? Eh, I'd say not. The solution for now, imo, is for Apple to push out an update that changes the default behavior of Internet downloads from "auto open Safe files" to "do not auto open Safe files" so that users won't fall into the trap. Apps can still auto-download, but it won't present itself, and unless the user goes looking for "avRunner" and then manually unzips it and manually installs it, well, it presents a better end-user solution.

I agree. If they stop that behavior, they can stop most social engineering attacks. The other thing is people shouldn't just be putting their password in with no question, but that's part of educating a user.
 

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
48,656
5,420
136
This is the first one to get any real press coverage, do you really think it's the last and most sophisticated one that will ever appear? I wouldn't be surprised to see ones popping up that require little to no interaction to get onto the user's desktop and are a lot harder to remove fairly soon.

I'm just surprised it hasn't happened sooner!

This isn't even a real exploit though, imo. You can write something like this in Real Basic or Platypus in about 2 minutes. Ultimately it's just a dumb program that puts some hooks in your system and phones home, and relies on users not paying attention to get installed. It's still as much of a manually-installed program as any other app you'd get online. So, no apocalypse yet! :) (but I wouldn't doubt it's just a matter of time, haha)
 

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
48,656
5,420
136
I agree. If they stop that behavior, they can stop most social engineering attacks. The other thing is people shouldn't just be putting their password in with no question, but that's part of educating a user.

Yeah, but most people use their Macs as appliances and figure if it pops up, it's OK to go with. One article said a lady's computer got infected when her kid was downloading games online and she hurried and typed in the password without paying attention to the specific app in question. Technically her fault, but based on the track record (of Macs in general), should not have been an issue. For now, disabling the auto-open feature in Safari should pretty much negate this whole issue from even presenting itself.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
I'm just surprised it hasn't happened sooner!

This isn't even a real exploit though, imo. You can write something like this in Real Basic or Platypus in about 2 minutes. Ultimately it's just a dumb program that puts some hooks in your system and phones home, and relies on users not paying attention to get installed. It's still as much of a manually-installed program as any other app you'd get online. So, no apocalypse yet! :) (but I wouldn't doubt it's just a matter of time, haha)

I'm surprised too, especially considering how easy it seems to be to find exploits for OS X and iOS. But it doesn't matter how "dumb" the program is if it works in getting a handful of people to enter their CC#.
 

TheStu

Moderator, Mobile Devices & Gadgets
Moderator
Sep 15, 2004
12,089
45
91
That wasn't his argument. His argument is "users are stupid". An operating system could be the definition of secure, but as long as the user is allowed to execute something with root privileges there is a possibility that they can be manipulated to run some malware at escalated privileges.

I've seen so many Macs running .3-.5 behind, it's scary.

And my counter argument to both that, and the specific statement about Mac users not running Software Update, is that it is no better on the other side of the fence.

Not to mention the fact that the UAC is no better than asking for an admin password (if you are running as an admin) since it just pops up a window saying (and I am paraphrasing) 'confirm or deny'. And with all the various popup windows we get throughout the day, at work and at home, things in our way to getting to facebook, or our excel spreadsheets, or reloading our bank's website, whatever, we have been trained to just click whatever we need to click to get it the hell out of our way.