Reply to: Mac virus

I just got hit by another via Google Images, so it's time to block them.

This time it was a product called MacKeeper, which looks extremely dodgy. Dodgy looking Russian(ish) names too. There are reports on their forum (url scrubbed)* that's it's hard to uninstall as well.

Most disturbingly it greyed out nearly all Safari's menu options, but Quit was still there, and that's what I used.

*url scrubbed because clicking on links to reviews on that site initiate a download.

P.S. There's a glowing write up of it at applenerd.net, but I have to assume that's fake as well. Ooh yes it is - the Facebook bit on the RHS is just an image that does nowt.

P.P.S. It's time Google got their act together on this one.

It's my fault really. ATW said a bearded man was at the door. I then googled 'Jeremy Beadle' to find a suitable image to post. There he was dressed as a police officer, so I clicked it and lo and behold Mac Virus attack. Even in death the bearded twat is playing tricks!

Anyone who enters their Admin credentials on an unsolicited Mac download deserves to be infected.

This isn't exploiting a Mac vulnerability, it's exploiting user stupidity.

Why is there no AIX virus?

Some; it's a technique known as SEO poisoning, whereby you cause a domain to rank highly for some popular search terms and, once the Googlejuice is flowing your way, set it to redirect to the server with the evil crap. (You don't redirect when the Googlebot comes calling, obviously...)

EDIT: and, as explained in that Microsoft post I linked to up there, it's the server you're redirected to that detects whether you're on Windows or Mac and serves up the appropriate crap accordingly.

I'll rep you up. Just looked up an image on the Mac on google and got hit by this. As I don't normally use a Mac I was like WTF is this! And then remembered I saw this thread this morning. So good call Ruprect.

Is it just some google images or all?

to the bell end that neg repped me for this thread and didn't sign it

I don't think this is related to that, as it doesn't have the capabilities specified, and is more of a scam that tries to get users to enter credit card numbers in a web site rather than a virus, trojan, keylogger, or anything else. Microsoft Malware Protection Center reckon it's a derivative of WinWebSec.

Aha, I knew I'd read about this recently, but now I've found the reference:

DIY crimekit brings advanced malware to Mac OSX

Note that last bit. It looks like it might be on the way to Linux platforms as well.

A choice quote from the comments to that article:

<big snigger>

You missed removing the Mac Protector entry from the startup items in your account:



(I note that image shows the account as having Admin privilege. When will folks learn to set up and use a non-Admin account for general surfing????)

Once you've removed it from startup items, a simple logout and login should get rid of the process, and you will be able to delete it and empty Trash straight away.

I got this last weekend after being tipped off about a certain image on Google Images.

The image I snapped is slightly different - 10 viruses in Computer, and different file names.

Since I was prepared for it I watched what happened carefully.

• I clicked on the infected image and it loaded.
• I then noticed jiggery-pokery going on in Safari's URL bar. It clearly showed another URL and I opened my download window to see what it was.
• Like you, I have automatic execution of downloaded stuff disabled.
• I went in with command line unzip to see the contents, and saw a .mpkg file (which is in reality a directory structure), and a list of its contents. Languages supported: English and Russian.

One dead giveaway was the fact that it was displaying a simulation of Finder inside a Safari window. Another dead giveaway of course was that the Finder display was nothing like my own (wrong name for system disk, not enough folders in the side bar etc).

At that point I chickened out.

Ssh Nick, you're not supposed to talk about it.

W00t! Struck gold this time: real proper Mac malware, complete with scammy pseudo-system components in a web site

This first screen (click these images for full-size screenshots) animated for about fifteen seconds, pretending to do a scan of my system, but it's just HTML, CSS and a bit of JS and does nothing special:


Looks moderately similar to the OS X Finder as seen in Leopard and Snow Leopard... but they've got the fonts all wrong, using (horror of horrors) Arial instead of Lucida Grande. That alone makes it look completely wrong; they might as well have used fuchsia Comic Sans and given up entirely on the idea of being convincing. What's next...

Ah, once it'd done its animation thing it downloaded a ZIP file called anti-malware.zip - and, even better, it sent it from the future!


As I've long since disabled auto-opening of downloaded files this didn't do anything automatically - otherwise it would, I believe, have been unzipped and its contents run automatically when downloaded. Let's unzip it...

Well, silly me - I thought it was going to be Mac Defender, but it's Mac Protector:


Let's run this one then:


A bit drab - they haven't even replaced the default background image on the installer. Also, it says "installer" twice. Let's hit "Continue"...


No license screen, and no installation location selection. I'm still not going to bother with that "Install" button though, just in case

Oh alright then:


This would have to be an administrative password to proceed with the installation.

So there you are: one piece of Mac malware not installed

EDIT: here's an alternative take on manual removal, including updates for new variants that have come along since the instructions below first circulated. Also, the free ClamXAV app has been updated to deal with these bits of scumware.

For anybody who ends up installing one of these thingies on their Mac, it turns out getting rid of them is pretty simple. The main problem is that the Finder won't let you trash the application because it's in use by the running process(es), so:

1. Locate the application (e.g. Mac Defender) in the Applications folder;
2. Right-click (or Ctrl-click, or whatever you usually do to popup a context menu) and select "Show Package Contents";
3. In the new Finder window that opens, select everything (Cmd-A is the quickest way) and send it to the Trash;
4. Empty the Trash. If Finder complains that something is in use, select "Secure Empty Trash" from Finder's application menu;
5. Restart (or, if you know what to look for, use Activity Monitor to terminate all relevant processes - generally, it's easier to restart);
6. Find the application as in step 1; as it's now just an empty folder with a fancy icon, you should be able to send it to the Trash without any problem.

Sorted