Mac virus

A virus that shows free porn ? Facking genius

To be fair that's not a virus it's malware that relies on the user being dimwitted and installing it.

Edit: I'm not an Apple fan either.

Could be worse

True.






Off to google image search

I just wasted twenty minutes trying to find an attack site via a Google Images search for "Mothers Day", but finally came across something that looks like one via obamawallpapers.blogspot.com (it popped up crappy messages and so on). FFS, it doesn't even download automatically (unlike the windows executable that came from another site) - I've got to actually click on the "Clean your Mac" link

EDIT: Actually, scrub that one - it's not malware, just scuzzware "marketed" using spammy linkjacking techniques, but it seems like it doesn't do anything actively malicious. See post #8 below for my real Mac malware adventure

EDIT: here's an alternative take on manual removal, including updates for new variants that have come along since the instructions below first circulated. Also, the free ClamXAV app has been updated to deal with these bits of scumware.

For anybody who ends up installing one of these thingies on their Mac, it turns out getting rid of them is pretty simple. The main problem is that the Finder won't let you trash the application because it's in use by the running process(es), so:

1. Locate the application (e.g. Mac Defender) in the Applications folder;
2. Right-click (or Ctrl-click, or whatever you usually do to popup a context menu) and select "Show Package Contents";
3. In the new Finder window that opens, select everything (Cmd-A is the quickest way) and send it to the Trash;
4. Empty the Trash. If Finder complains that something is in use, select "Secure Empty Trash" from Finder's application menu;
5. Restart (or, if you know what to look for, use Activity Monitor to terminate all relevant processes - generally, it's easier to restart);
6. Find the application as in step 1; as it's now just an empty folder with a fancy icon, you should be able to send it to the Trash without any problem.

Sorted

W00t! Struck gold this time: real proper Mac malware, complete with scammy pseudo-system components in a web site

This first screen (click these images for full-size screenshots) animated for about fifteen seconds, pretending to do a scan of my system, but it's just HTML, CSS and a bit of JS and does nothing special:


Looks moderately similar to the OS X Finder as seen in Leopard and Snow Leopard... but they've got the fonts all wrong, using (horror of horrors) Arial instead of Lucida Grande. That alone makes it look completely wrong; they might as well have used fuchsia Comic Sans and given up entirely on the idea of being convincing. What's next...

Ah, once it'd done its animation thing it downloaded a ZIP file called anti-malware.zip - and, even better, it sent it from the future!


As I've long since disabled auto-opening of downloaded files this didn't do anything automatically - otherwise it would, I believe, have been unzipped and its contents run automatically when downloaded. Let's unzip it...

Well, silly me - I thought it was going to be Mac Defender, but it's Mac Protector:


Let's run this one then:


A bit drab - they haven't even replaced the default background image on the installer. Also, it says "installer" twice. Let's hit "Continue"...


No license screen, and no installation location selection. I'm still not going to bother with that "Install" button though, just in case

Oh alright then:


This would have to be an administrative password to proceed with the installation.

So there you are: one piece of Mac malware not installed

Ssh Nick, you're not supposed to talk about it.

I got this last weekend after being tipped off about a certain image on Google Images.

The image I snapped is slightly different - 10 viruses in Computer, and different file names.

Since I was prepared for it I watched what happened carefully.

• I clicked on the infected image and it loaded.
• I then noticed jiggery-pokery going on in Safari's URL bar. It clearly showed another URL and I opened my download window to see what it was.
• Like you, I have automatic execution of downloaded stuff disabled.
• I went in with command line unzip to see the contents, and saw a .mpkg file (which is in reality a directory structure), and a list of its contents. Languages supported: English and Russian.

One dead giveaway was the fact that it was displaying a simulation of Finder inside a Safari window. Another dead giveaway of course was that the Finder display was nothing like my own (wrong name for system disk, not enough folders in the side bar etc).

At that point I chickened out.