
Reply to: Mac virus



Previously on "Mac virus"


  • Sysman
    replied
    Originally posted by NickFitz:
    Some; it's a technique known as SEO poisoning, whereby you cause a domain to rank highly for some popular search terms and, once the Googlejuice is flowing your way, set it to redirect to the server with the evil crap. (You don't redirect when the Googlebot comes calling, obviously...)

    EDIT: and, as explained in that Microsoft post I linked to up there, it's the server you're redirected to that detects whether you're on Windows or Mac and serves up the appropriate crap accordingly.
    I just got hit by another via Google Images, so it's time to block them.

    This time it was a product called MacKeeper, which looks extremely dodgy. Dodgy-looking Russian(ish) names too. There are reports on their forum (url scrubbed)* that it's hard to uninstall as well.

    Most disturbingly it greyed out nearly all Safari's menu options, but Quit was still there, and that's what I used.

    *url scrubbed because clicking on links to reviews on that site initiates a download.

    P.S. There's a glowing write-up of it at applenerd.net, but I have to assume that's fake as well. Ooh yes it is - the Facebook bit on the RHS is just an image that does nowt.

    P.P.S. It's time Google got their act together on this one.
    Last edited by Sysman; 22 May 2011, 13:08.



  • MarillionFan
    replied
    Originally posted by NickFitz:
    Some; it's a technique known as SEO poisoning, whereby you cause a domain to rank highly for some popular search terms and, once the Googlejuice is flowing your way, set it to redirect to the server with the evil crap. (You don't redirect when the Googlebot comes calling, obviously...)

    EDIT: and, as explained in that Microsoft post I linked to up there, it's the server you're redirected to that detects whether you're on Windows or Mac and serves up the appropriate crap accordingly.
    It's my fault really. ATW said a bearded man was at the door. I then googled 'Jeremy Beadle' to find a suitable image to post. There he was dressed as a police officer, so I clicked it and lo and behold Mac Virus attack. Even in death the bearded twat is playing tricks!



  • Incognito
    replied
    Anyone who enters their Admin credentials on an unsolicited Mac download deserves to be infected.

    This isn't exploiting a Mac vulnerability, it's exploiting user stupidity.



  • stek
    replied
    Why is there no AIX virus?



  • NickFitz
    replied
    Originally posted by MarillionFan:
    I'll rep you up. Just looked up an image on the Mac on google and got hit by this. As I don't normally use a Mac I was like WTF is this! And then remembered I saw this thread this morning. So good call Ruprect.

    Is it just some google images or all?
    Some; it's a technique known as SEO poisoning, whereby you cause a domain to rank highly for some popular search terms and, once the Googlejuice is flowing your way, set it to redirect to the server with the evil crap. (You don't redirect when the Googlebot comes calling, obviously...)

    EDIT: and, as explained in that Microsoft post I linked to up there, it's the server you're redirected to that detects whether you're on Windows or Mac and serves up the appropriate crap accordingly.
    Last edited by NickFitz; 21 May 2011, 16:46.

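    The cloaking NickFitz describes (crawler sees the seeded page, a browser gets redirected, and the redirect target picks content by OS) can be checked for from the defender's side by fetching the same search-result URL with a handful of User-Agents and comparing where each one lands. The script below is an added example, not code from the thread or from anyone in it; the observation records and hostnames are constructed placeholders, not real indicators, and the fetching itself is left out so the analysis runs offline.

    ```python
    """Defender-side check for SEO-poisoning cloaking and OS-targeted redirects.

    Added example: the records below are constructed (final_url values are
    placeholders), standing in for what a fetcher would record per User-Agent.
    """
    from urllib.parse import urlsplit

    CRAWLER_MARKERS = ("googlebot", "bingbot", "slurp", "duckduckbot")

    # Constructed: one poisoned search-result URL fetched with three User-Agents.
    CONSTRUCTED_POISONED = [
        {"user_agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
         "status": 200, "final_url": "http://seeded-blog.example/photos/police-costume.html"},
        {"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/533.21.1 Safari/533.21.1",
         "status": 302, "final_url": "http://scan-page.example/mac/index.php"},
        {"user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 Chrome/11.0.696.68",
         "status": 302, "final_url": "http://scan-page.example/win/index.php"},
    ]

    # Constructed control: an honest page that serves everyone the same thing.
    CONSTRUCTED_BENIGN = [
        {"user_agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
         "status": 200, "final_url": "http://honest-blog.example/photos/police-costume.html"},
        {"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/533.21.1 Safari/533.21.1",
         "status": 200, "final_url": "http://honest-blog.example/photos/police-costume.html"},
        {"user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 Chrome/11.0.696.68",
         "status": 200, "final_url": "http://honest-blog.example/photos/police-costume.html"},
    ]


    def classify_ua(user_agent):
        """Bucket a User-Agent into crawler / mac / windows / other."""
        ua = user_agent.lower()
        if any(marker in ua for marker in CRAWLER_MARKERS):
            return "crawler"
        if "macintosh" in ua:
            return "mac"
        if "windows" in ua:
            return "windows"
        return "other"


    def host_of(url):
        return urlsplit(url).hostname or ""


    def analyze(observations):
        """Compare where each visitor class ended up after all redirects."""
        landed = {}
        for obs in observations:
            landed.setdefault(classify_ua(obs["user_agent"]), set()).add(obs["final_url"])

        crawler_hosts = {host_of(u) for u in landed.get("crawler", set())}
        browser_hosts = {host_of(u)
                         for cls in ("mac", "windows", "other")
                         for u in landed.get(cls, set())}

        # Cloaking: browsers are sent to a host the crawler never sees.
        cloaked = bool(crawler_hosts) and bool(browser_hosts - crawler_hosts)
        # OS targeting: Mac and Windows browsers land on different URLs.
        mac, win = landed.get("mac", set()), landed.get("windows", set())
        os_targeted = bool(mac) and bool(win) and mac.isdisjoint(win)

        return {
            "cloaked": cloaked,
            "os_targeted": os_targeted,
            "redirect_hosts": sorted(browser_hosts - crawler_hosts),
        }


    if __name__ == "__main__":
        for label, data in (("poisoned", CONSTRUCTED_POISONED), ("benign", CONSTRUCTED_BENIGN)):
            print(label, analyze(data))
    ```

    The crawler bucket is matched first on purpose: a cloaking server does the same, and a check that classified the Googlebot string by its "Mozilla/5.0 (compatible; ...)" prefix would put it in the wrong group.
    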


  • MarillionFan
    replied
    Originally posted by Ruprect:
    to the bell end that neg repped me for this thread and didn't sign it

    I'll rep you up. Just looked up an image on the Mac on google and got hit by this. As I don't normally use a Mac I was like WTF is this! And then remembered I saw this thread this morning. So good call Ruprect.

    Is it just some google images or all?



  • Ruprect
    replied
    to the bell end that neg repped me for this thread and didn't sign it



  • NickFitz
    replied
    Originally posted by Sysman:
    Aha, I knew I'd read about this recently, but now I've found the reference:

    DIY crimekit brings advanced malware to Mac OSX

    Note that last bit. It looks like it might be on the way to Linux platforms as well.
    I don't think this is related to that, as it doesn't have the capabilities specified, and is more of a scam that tries to get users to enter credit card numbers in a web site rather than a virus, trojan, keylogger, or anything else. Microsoft Malware Protection Center reckon it's a derivative of WinWebSec.



  • Sysman
    replied
    Aha, I knew I'd read about this recently, but now I've found the reference:

    DIY crimekit brings advanced malware to Mac OSX

    A crimeware kit discovered over the weekend promises to bring a flood of advanced malware that steals passwords and other sensitive data from computers running Mac OS X.

    The kit is being advertised as the Weyland-Yutani Bot in underground crime websites, where it's being sold for $1,000. The first ever crimeware kit for the Mac comes with the ability to grab data entered into Firefox, with the Chrome and Safari browsers soon to follow, according to Danish IT firm CSIS Security Group. The makers of the new DIY malware kit claim they are close to releasing versions that will work on iPads and Linux machines as well.
    Oh, in case Linux users are feeling smug at the moment:
    Note that last bit. It looks like it might be on the way to Linux platforms as well.



  • Sysman
    replied
    Originally posted by d000hg:
    A choice quote from the comments to that article:

    Security by obscurity worked for Sony!
    <big snigger>



  • Sysman
    replied
    Originally posted by NickFitz:
    EDIT: here's an alternative take on manual removal, including updates for new variants that have come along since the instructions below first circulated. Also, the free ClamXAV app has been updated to deal with these bits of scumware.

    For anybody who ends up installing one of these thingies on their Mac, it turns out getting rid of them is pretty simple. The main problem is that the Finder won't let you trash the application because it's in use by the running process(es), so:
    1. Locate the application (e.g. Mac Defender) in the Applications folder;
    2. Right-click (or Ctrl-click, or whatever you usually do to pop up a context menu) and select "Show Package Contents";
    3. In the new Finder window that opens, select everything (Cmd-A is the quickest way) and send it to the Trash;
    4. Empty the Trash. If Finder complains that something is in use, select "Secure Empty Trash" from Finder's application menu;
    5. Restart (or, if you know what to look for, use Activity Monitor to terminate all relevant processes - generally, it's easier to restart);
    6. Find the application as in step 1; as it's now just an empty folder with a fancy icon, you should be able to send it to the Trash without any problem.


    Sorted
    You missed removing the Mac Protector entry from the startup items in your account:



    (I note that image shows the account as having Admin privilege. When will folks learn to set up and use a non-Admin account for general surfing????)

    Once you've removed it from startup items, a simple logout and login should get rid of the process, and you will be able to delete it and empty Trash straight away.



  • Sysman
    replied
    Originally posted by NickFitz:
    W00t! Struck gold this time: real proper Mac malware, complete with scammy pseudo-system components in a web site

    This first screen (click these images for full-size screenshots) animated for about fifteen seconds, pretending to do a scan of my system, but it's just HTML, CSS and a bit of JS and does nothing special:

    I got this last weekend after being tipped off about a certain image on Google Images.

    The image I snapped is slightly different - 10 viruses in Computer, and different file names.

    Since I was prepared for it I watched what happened carefully.
    • I clicked on the infected image and it loaded.
    • I then noticed jiggery-pokery going on in Safari's URL bar. It clearly showed another URL and I opened my download window to see what it was.
    • Like you, I have automatic execution of downloaded stuff disabled.
    • I went in with command line unzip to see the contents, and saw a .mpkg file (which is in reality a directory structure), and a list of its contents. Languages supported: English and Russian.


    One dead giveaway was the fact that it was displaying a simulation of Finder inside a Safari window. Another dead giveaway of course was that the Finder display was nothing like my own (wrong name for system disk, not enough folders in the side bar etc).

    At that point I chickened out.

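    Sysman's approach of looking inside the downloaded ZIP with a command-line unzip, rather than letting Safari open it, can be made a bit more systematic: list the entries without extracting, see whether the top level is an installer bundle (.mpkg/.pkg), which .lproj languages it ships, whether it carries installer scripts, and whether any entry path tries to escape the extraction directory. The script below is an added example, not code from the thread; the ZIP it inspects is constructed in memory to resemble the described layout (an .mpkg with English and Russian resources), and the file names inside it are made up.

    ```python
    """Triage a downloaded ZIP without extracting anything.

    Added example. build_constructed_sample() fabricates an archive shaped like
    the described download; nothing here comes from a real sample.
    """
    import io
    import zipfile

    INSTALLER_SUFFIXES = (".mpkg", ".pkg")
    # Script names the macOS installer runs from a package's Resources folder.
    INSTALLER_SCRIPTS = {"preflight", "postflight", "preinstall", "postinstall",
                         "preupgrade", "postupgrade"}


    def build_constructed_sample():
        """Constructed stand-in for anti-malware.zip: an .mpkg with two languages."""
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("anti-malware.mpkg/Contents/Info.plist", '<plist version="1.0"/>')
            zf.writestr("anti-malware.mpkg/Contents/Resources/English.lproj/Description.plist", "<plist/>")
            zf.writestr("anti-malware.mpkg/Contents/Resources/Russian.lproj/Description.plist", "<plist/>")
            zf.writestr("anti-malware.mpkg/Contents/Packages/protector.pkg/Contents/Archive.pax.gz",
                        b"\x1f\x8b\x08")  # gzip magic only; placeholder payload
            zf.writestr("anti-malware.mpkg/Contents/Packages/protector.pkg/Contents/Resources/postflight",
                        "#!/bin/sh\necho constructed placeholder\n")
        return buf.getvalue()


    def build_constructed_traversal():
        """Constructed archive whose entry path climbs out of the extraction dir."""
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("../Library/LaunchAgents/com.example.plist", "<plist/>")
        return buf.getvalue()


    def triage_zip(data):
        """Summarise an archive from its central directory alone."""
        bundles, languages, scripts, unsafe = set(), set(), [], []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
        for info in infos:
            name = info.filename
            parts = name.split("/")
            # Absolute paths, '..' components or backslashes are extraction hazards.
            if name.startswith("/") or ".." in parts or "\\" in name:
                unsafe.append(name)
            for part in parts:
                if part.endswith(INSTALLER_SUFFIXES):
                    bundles.add(part)
                elif part.endswith(".lproj"):
                    languages.add(part[: -len(".lproj")])
            if parts[-1] in INSTALLER_SCRIPTS:
                scripts.append(name)
        top_level = sorted({i.filename.split("/")[0] for i in infos})
        return {
            "entries": len(infos),
            "top_level": top_level,
            "is_installer": any(t.endswith(INSTALLER_SUFFIXES) for t in top_level),
            "installer_bundles": sorted(bundles),
            "languages": sorted(languages),
            "scripts": scripts,
            "unsafe_paths": unsafe,
        }


    if __name__ == "__main__":
        for key, value in triage_zip(build_constructed_sample()).items():
            print(f"{key}: {value}")
        print("traversal:", triage_zip(build_constructed_traversal())["unsafe_paths"])
    ```

    Everything comes from the central directory, so no entry is decompressed or written to disk. A result with is_installer set and a script list that is not empty is the point at which to stop and treat the file as hostile, which is what Sysman did by hand.
    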


  • d000hg
    replied
    Ssh Nick, you're not supposed to talk about it.



  • NickFitz
    replied
    W00t! Struck gold this time: real proper Mac malware, complete with scammy pseudo-system components in a web site

    This first screen (click these images for full-size screenshots) animated for about fifteen seconds, pretending to do a scan of my system, but it's just HTML, CSS and a bit of JS and does nothing special:


    Looks moderately similar to the OS X Finder as seen in Leopard and Snow Leopard... but they've got the fonts all wrong, using (horror of horrors) Arial instead of Lucida Grande. That alone makes it look completely wrong; they might as well have used fuchsia Comic Sans and given up entirely on the idea of being convincing. What's next...

    Ah, once it'd done its animation thing it downloaded a ZIP file called anti-malware.zip - and, even better, it sent it from the future!


    As I've long since disabled auto-opening of downloaded files this didn't do anything automatically - otherwise it would, I believe, have been unzipped and its contents run automatically when downloaded. Let's unzip it...

    Well, silly me - I thought it was going to be Mac Defender, but it's Mac Protector:


    Let's run this one then:


    A bit drab - they haven't even replaced the default background image on the installer. Also, it says "installer" twice. Let's hit "Continue"...


    No license screen, and no installation location selection. I'm still not going to bother with that "Install" button though, just in case

    Oh alright then:


    This would have to be an administrative password to proceed with the installation.

    So there you are: one piece of Mac malware not installed



  • NickFitz
    replied
    EDIT: here's an alternative take on manual removal, including updates for new variants that have come along since the instructions below first circulated. Also, the free ClamXAV app has been updated to deal with these bits of scumware.

    For anybody who ends up installing one of these thingies on their Mac, it turns out getting rid of them is pretty simple. The main problem is that the Finder won't let you trash the application because it's in use by the running process(es), so:
    1. Locate the application (e.g. Mac Defender) in the Applications folder;
    2. Right-click (or Ctrl-click, or whatever you usually do to pop up a context menu) and select "Show Package Contents";
    3. In the new Finder window that opens, select everything (Cmd-A is the quickest way) and send it to the Trash;
    4. Empty the Trash. If Finder complains that something is in use, select "Secure Empty Trash" from Finder's application menu;
    5. Restart (or, if you know what to look for, use Activity Monitor to terminate all relevant processes - generally, it's easier to restart);
    6. Find the application as in step 1; as it's now just an empty folder with a fancy icon, you should be able to send it to the Trash without any problem.


    Sorted
    Last edited by NickFitz; 19 May 2011, 22:23.

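    NickFitz's six steps above clear the application bundle, and Sysman's reply further up points out the bit they miss: the entry in the account's startup items that relaunches the process at the next login. Before emptying anything it is worth enumerating what in the home folder would start the application again. The script below is an added example, not code from either poster; it builds a constructed home folder with one LaunchAgent plist pointing at a MacProtector path, one unrelated agent, and a login-items plist, then scans both. The path Library/Preferences/com.apple.loginitems.plist and its SessionItems/CustomListItems/Name layout are assumptions about the 2011-era format, and the application path is made up.

    ```python
    """Enumerate per-user persistence that would relaunch an application at login.

    Added example. build_constructed_home() fabricates a home folder; the
    MacProtector paths in it are invented, and the loginitems.plist layout is
    an assumption about the legacy format.
    """
    import plistlib
    import tempfile
    from pathlib import Path

    LAUNCH_DIRS = ("Library/LaunchAgents",)
    LOGIN_ITEMS_PLIST = "Library/Preferences/com.apple.loginitems.plist"  # assumed location


    def build_constructed_home():
        """Create a throwaway home folder with one hostile agent, one benign agent and a login item."""
        home = Path(tempfile.mkdtemp(prefix="constructed-home-"))
        agents = home / "Library" / "LaunchAgents"
        agents.mkdir(parents=True)
        with open(agents / "com.example.macprotector.plist", "wb") as f:
            plistlib.dump({"Label": "com.example.macprotector",
                           "ProgramArguments": ["/Applications/MacProtector.app/Contents/MacOS/MacProtector",
                                                "-autorun"],
                           "RunAtLoad": True}, f)
        with open(agents / "com.example.benign.plist", "wb") as f:
            plistlib.dump({"Label": "com.example.benign", "Program": "/usr/bin/true",
                           "StartInterval": 3600}, f)
        prefs = home / "Library" / "Preferences"
        prefs.mkdir()
        with open(prefs / "com.apple.loginitems.plist", "wb") as f:
            plistlib.dump({"SessionItems": {"CustomListItems": [
                {"Name": "iTunesHelper"},
                {"Name": "MacProtector"},
            ]}}, f)
        return home


    def scan_persistence(home, app_name):
        """Return launchd agents and login items whose program or name mentions app_name."""
        needle = app_name.lower()
        hits = []
        for rel in LAUNCH_DIRS:
            for plist_path in sorted((home / rel).glob("*.plist")):
                with open(plist_path, "rb") as f:
                    try:
                        data = plistlib.load(f)
                    except plistlib.InvalidFileException:
                        continue  # unreadable plist: skip rather than crash mid-scan
                program = data.get("Program") or (data.get("ProgramArguments") or [""])[0]
                if needle in str(program).lower():
                    hits.append({"kind": "launch_agent", "source": str(plist_path), "program": program})
        login = home / LOGIN_ITEMS_PLIST
        if login.exists():
            with open(login, "rb") as f:
                data = plistlib.load(f)
            for item in data.get("SessionItems", {}).get("CustomListItems", []):
                name = str(item.get("Name", ""))
                if needle in name.lower():
                    hits.append({"kind": "login_item", "source": str(login), "program": name})
        return hits


    def demo():
        """Build the constructed home and scan it for the made-up MacProtector."""
        return scan_persistence(build_constructed_home(), "MacProtector")


    if __name__ == "__main__":
        for hit in demo():
            print(f"{hit['kind']}: {hit['program']}  ({hit['source']})")
    ```

    Run against a real home folder the scan is read-only; it reports, and removal stays a deliberate step. Once the login item is gone, Sysman's logout-and-login is what stops the process, and the Trash can then be emptied without the "in use" complaint.
    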
