Old Dec 30, 2007, 09:51 AM   #1
MacFranco
macrumors newbie
 
Join Date: Dec 2007
Windows malware in Macs

What the hell is this?

hello guys (girls),

Opening an e-card (from 123 greetings) on my gmail account on a Macbook running OSX 10.4.11, a Windows-looking app. launched and found my system full of errors to fix etc., the usual hassle-and-malware.
here is the link:

http://scanner2.malware-scan.com/9_s...o=3958_0_11470

After a few clicks, it stopped and I could look at my card.

I for one never liked the switch to Intel processors... now this?
By going this way of commodity processors in a nice package, Apple will get a few more switchers. Switchers to Windows! Same junk, but at one third the price!!!

Happy new year to everybody, anyway.

MacFranco::
Old Dec 30, 2007, 09:53 AM   #2
heatmiser
macrumors 68020
 
Join Date: Dec 2007
Quote:
Originally Posted by MacFranco View Post
Opening an e-card
There's your problem. This kind of behavior would have given you a virus on Windows. Be thankful OS X was there to protect you from yourself.
__________________
Always on the lookout for longer battery life...
Old Dec 30, 2007, 09:56 AM   #3
sushi
Moderator emeritus
 
 
Join Date: Jul 2002
Location: キャンプスワンピー [Japan]
Quote:
Originally Posted by MacFranco View Post
What the hell is this?
If you look closely, it is a scam web page.

It is reporting bogus information.

Be glad that you have a Mac and don't have a PC as this could have done something to your system.
Old Dec 30, 2007, 10:23 AM   #4
TheStu
macrumors 65816
 
Join Date: Aug 2006
Location: Carlisle, PA
Quote:
Originally Posted by MacFranco View Post
What the hell is this?

hello guys (girls),

Opening an e-card (from 123 greetings) on my gmail account on a Macbook running OSX 10.4.11, a Windows-looking app. launched and found my system full of errors to fix etc., the usual hassle-and-malware.
here is the link:

http://scanner2.malware-scan.com/9_s...o=3958_0_11470

After a few clicks, it stopped and I could look at my card.

I for one never liked the switch to Intel processors... now this?
By going this way of commodity processors in a nice package, Apple will get a few more switchers. Switchers to Windows! Same junk, but at one third the price!!!

Happy new year to everybody, anyway.

MacFranco::
I am trying to figure out what you are in a rile over. You really think that you getting a pop-up that you then took to be a real thing as Apple's fault, directly correlated to their switch to intel? Really? REALLY?!

It was a pop-up/spyware ad... nothing more. Nothing happened to your computer, all that nonsense they just spewed at you (except what your OS is, and your IP probably) is BS, and is in fact, fake.
__________________
MacBook 1.83GHz Core Duo; 1024MB RAM (2*512MB); 100GB 5400RPM 16MB SATA150; ComboDrive; Intel GMA950; Black Keys, White Shell
Old Dec 30, 2007, 10:32 AM   #5
tersono
macrumors 68000
 
 
Join Date: Jan 2005
Location: UK
It might have looked like a Windows app, but it wasn't - it was a heavily disguised web page. They're all over the place and will appear even if you're running a PPC Mac.....

Basically it's got nothing to do with the intel switch or the computer you're using, and a lot to do with the crappy greeting card site....
__________________
11" MacBook air 2012 i5 4gb/ 128gb - 17" unibody MBP C2D 2.8Gz / 4gb / 500gb - 20" iMac 2ghz C2D / 4gb/ 2tb - iPad 3 32gb wifi/3G - iPhone 5 16gb
I also like it HERE
Old Dec 30, 2007, 10:54 AM   #6
jnc
macrumors 68020
 
 
Join Date: Jan 2007
Location: Nunya, Business TX
... And here I was wondering what sort of person might think of buying something like Norton Antivirus for OSX. Now I know!
__________________
The views expressed above do not, and are not intended to represent or reflect the opinions, policies and/or statements of my employer(s).
Old Dec 30, 2007, 11:07 AM   #7
Osarkon
macrumors 68020
 
 
Join Date: Aug 2006
Location: Wales
Er....I'm hoping the OP meant this as a joke..

The site shows a Windows Explorer window for goodness sake. It would have nothing to do with OS X.
Old Dec 30, 2007, 11:17 AM   #8
heatmiser
macrumors 68020
 
Join Date: Dec 2007
Reminds me of this thread. The same righteous indignation, the same user error.
__________________
Always on the lookout for longer battery life...
Old Dec 30, 2007, 11:23 AM   #9
Osarkon
macrumors 68020
 
 
Join Date: Aug 2006
Location: Wales
Quote:
Originally Posted by heatmiser View Post
Reminds me of this thread. The same righteous indignation, the same user error.
Haha yeah kind of. No wonder trojans work so well.
Old Dec 30, 2007, 06:34 PM   #10
sushi
Moderator emeritus
 
 
Join Date: Jul 2002
Location: キャンプスワンピー [Japan]
Quote:
Originally Posted by tersono View Post
It might have looked like a Windows app, but it wasn't - it was a heavily disguised web page. They're all over the place and will appear even if you're running a PPC Mac.....
Yep, it ran on my PB15 just fine!
Old Jan 8, 2008, 06:43 AM   #11
Gaberdine
macrumors newbie
 
Join Date: Jan 2008
Not so dumb!

Hi MacFranco,

Don't worry, it was just a clever animation, not a real scan!

However, you are not naive or stupid and you didn't do anything wrong. Ignore those dunderheads. ;) Just thank the gods you run Mac OSX, not Windows Vista. This is not a case of spoof links, bad pop-up adverts or fake greetings cards suckering the careless but a hack on a genuine website that redirects you to a malicious page.

MalwareAlert, the "anti-virus" programme at the heart of this scam is a notorious piece of Rogue Software for the Windows OS that masquerades as anti malware but is in fact very malicious. Once installed it makes life hell and effectively blackmails you to pay for its removal.

Though the "scan" was nothing more than an animated webpage, you are lucky to be using a Mac. Even without user intervention, Malware Alert and its associated pages are reportedly able to install spyware on vulnerable PCs.

OK, you are a bit premature blaming Intel processors but, really, I don't get what all this sniping and criticism is about. You just visited a legitimate site and landed on a scam site - and you panicked. It's a pretty convincing page and looks quite heartstopping for a second or two if you aren't expecting it. It could have been any legit site.

FYI, Mac Franco, malware generally attacks the OS not the processor so Mac OS is still immune to 99.99% of all viruses, trojans and spyware. Nonetheless this is no reason for us to become lazy. In a year or two all that will change. Mac OS is more secure but not immune and with increasing switchers since the introduction of Intel chips, we are attracting more attention from hackers and virus writers.


I recently experienced exactly the same thing as you did when I collected an eCard from 123Greetings.com though they are not a dodgy site as such. Basically they have been hacked some time over Christmas. Probably the .htaccess files were changed to redirect you to malicious sites.

123Greetings.com are supposed to be a decent and well established company. However when I contacted them about this they ignored all evidence that they had been hacked and insisted they do not install malware on users' computers. They just suggested I use Spybot Search and Destroy if I was worried about my computer - ignoring the fact that I use a Mac. It was a standard reply (crafted to sound friendly and personal) that I have seen reproduced elsewhere on the web when researching this hack.

So what happens is this:

1. A friend sends you a genuine card from 123greetings.com and you receive a notification email
2. You click the link and Safari starts to open the card
3. Before the card loads you are forwarded to performance-optimizer.com/landing...etc or similar
4. A Safari Alert message appears (see photo) and Safari becomes unresponsive until you click OK or CANCEL - where OK is the default.
5. Naturally you click CANCEL and the alert goes away but the page immediately forwards to the second malicious site which appears to be scanning your computer for viruses and you momentarily take fright until you realise it is finding Windows viruses, so obviously fake.
6. You check the page elements and realise it is just an animation
7. You click the back button until you reach your greeting card which now displays as normal
8. You remind yourself what a clever chap you are to be using Mac OS

Of course, if you clicked OK you would be downloading Malware Alert and other malicious software and if you were running Windows, you could be ********.

Mac Franco, check your cookies and you will probably find some from
stats.sellmosoft.net (name: Performance-Optmizer)
Malware [something]
and 67.18.150.90 - an address linked with many spamming and forged .htaccess code scams.

These cookies seem to ensure you only experience the problem once, which is a clever bit of social engineering as most people won't bother to complain and it is harder to replicate if you are trying to pin it down.

The problem seems to have been resolved now but 123Greetings still refuse to acknowledge that anything was wrong. I find this irresponsible as their lax site security has exposed thousands of PC users to malware.

SO my position is, I refuse to send or receive cards from 123greetings.com - and shall warn all my PC using friends about them - until they come clean about the fact that they were hacked and email me an apology (or thanks for pointing it out or whatever - some hope!) and warn all their recent users that they may have inadvertently allowed them to become infected. So that will be never then...

Happy New Year

RM
Attachment: Malware Alert.jpg

Last edited by Gaberdine; Jan 8, 2008 at 08:13 PM. Reason: Hello, I'm nice really.
Gaberdine is offline   0 Reply With Quote
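
Added example, not part of Gaberdine's post or anyone else's in this thread: a site operator's check for the kind of tampering post #11 guesses at, an `.htaccess` redirect to a foreign host that fires only for some visitors. The sample file, the `example.*` host names and the function names are constructed for illustration.

```python
from urllib.parse import urlparse

# Apache directives that can send a visitor to another URL.
REDIRECTING = {"rewriterule", "redirect", "redirectmatch", "errordocument"}
# Assumption: a rule that tests one of these request properties is
# "visitor-gated", i.e. it can fire once per visitor or only for some visitors.
GATE_VARS = ("HTTP_COOKIE", "HTTP_REFERER", "HTTP_USER_AGENT")

# Constructed sample: two legitimate on-site redirects, one cookie-gated
# redirect to a foreign host, and one off-site ErrorDocument.
SAMPLE = "\n".join([
    "# constructed sample .htaccess",
    "RewriteEngine On",
    "RewriteCond %{HTTP_HOST} ^example.com$ [NC]",
    "RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]",
    "RewriteCond %{HTTP_COOKIE} !seen=1",
    "RewriteRule ^cards/ http://landing.example.net/scan [R=302,L]",
    "Redirect /old http://www.example.com/new",
    "ErrorDocument 404 http://errors.example.org/404",
])


def is_own_host(host, own_domains):
    """True if host is one of the site's domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in own_domains)


def audit_htaccess(text, own_domains):
    """Return (line_no, external_host, visitor_gated) per off-site redirect."""
    findings = []
    pending_conds = []  # RewriteCond lines apply only to the next RewriteRule
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive == "rewritecond":
            pending_conds.append(line.upper())
            continue
        if directive not in REDIRECTING:
            continue
        conds = pending_conds if directive == "rewriterule" else []
        for token in tokens[1:]:
            target = token.strip("\"'")
            if target.lower().startswith(("http://", "https://")):
                host = urlparse(target).hostname
                if host and not is_own_host(host, own_domains):
                    gated = any(v in c for c in conds for v in GATE_VARS)
                    findings.append((line_no, host, gated))
                break  # only the first absolute URL is the redirect target
        if directive == "rewriterule":
            pending_conds = []
    return findings


if __name__ == "__main__":
    for line_no, host, gated in audit_htaccess(SAMPLE, ["example.com"]):
        note = "visitor-gated" if gated else "unconditional"
        print(f"line {line_no}: off-site redirect to {host} ({note})")
```

A visitor-gated finding is the one to look at first, since a redirect that skips returning visitors is hard to reproduce when someone reports it.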
Old Jan 8, 2008, 08:13 PM   #12
Gaberdine
macrumors newbie
 
Join Date: Jan 2008
Quote:
Originally Posted by Gaberdine View Post
The problem seems to have been resolved now but 123Greetings still refuse to acknowledge that anything was wrong. I find this irresponsible as their lax site security has exposed thousands of PC users to malware.
Correction: as of 9th Jan 08 the problem still exists - I can replicate it by removing the offending cookies and restarting Safari - 5 days since 123greetings emailed me back to say there is no problem...

caveat emptor - or something like that.
Old Jan 8, 2008, 09:01 PM   #13
Kelly™
Banned
 
Join Date: Jan 2008
That is a nicely disguised page.

I like XD

I however wouldn't have fallen for it lol. Although parts of me want to run that .exe in a virtual Windows machine post snapshot lol, just to see what it does XD
Old Jan 8, 2008, 09:06 PM   #14
noodle654
macrumors 68000
 
 
Join Date: Jun 2005
Location: Never Ender
Good thing I only have 1 hard drive in this
__________________
MacBook Pro 15" i7 2.3GHz (June 2012) HR Antiglare | iPhone 5 64GB | MacBook Air i5 1.3GHz (2013) | Mac Pro 5,1 W3580 |
Old Jan 8, 2008, 09:25 PM   #15
Hexernex
macrumors newbie
 
Join Date: Jan 2008
OMG!!! MY MAC HAS BEEN INFECTED WITH MAL-WARE! AND IT'S ALL BECAUSE OF MY INTEL PROCESSOR! jk, sorry I just had to write something funny about this! All in good fun, no harm intended!

But do not worry about your mac, just thank the heavens you were not running a PC like my Windows Vista I just sold! (Worthless piece of Garbage! $4000 does not go far with Microsoft!)
Old Jan 8, 2008, 10:22 PM   #16
Mernak
macrumors 6502
 
Join Date: Apr 2006
Location: Boston, MA
Quote:
Originally Posted by Kelly™ View Post
That is a nicely disguised page.

I like XD

I however wouldn't have fallen for it lol. Although parts of me want to run that .exe in a virtual Windows machine post snapshot lol, just to see what it does XD
I will agree on both counts. The page is one of the best disguised pages that I have seen. And now that you mention it I would love to use a free trial of VMWare to install windows and try it, but I know I would get frustrated by the slowness.
__________________
MB, 2.0Ghz, 2GB Ram, 80GB
iPhone, 8GB
Old Jan 9, 2008, 02:26 AM   #17
jrg24
macrumors newbie
 
Join Date: Oct 2007
i got this malware alert crap also. it pretty much took over firefox but does not seem to be affecting safari. i uninstalled firefox and reinstalled it later to no avail. i tried clearing the cache and cookies in firefox but it still has control over it. every time i start firefox it goes to the scanner2.malware site and will not let me navigate away from it. anybody know a way to get rid of it? btw, i am using an intel macbook running the latest version of tiger, if that helps.
Old Jan 9, 2008, 07:08 AM   #18
Gaberdine
macrumors newbie
 
Join Date: Jan 2008
</rant>

Hello everyone, I am new on these boards. I don't normally jump feet first into a forum without saying "Hi" first but I came straight to this thread from Googling 123greetings and scanner2malware with a full head of steam after my own recent experience... So hello. I'm Gaberdine. I'm new here. :-)

Anyhoo.

Quote:
Originally Posted by jrg24 View Post
i got this malware alert crap also. it pretty much took over firefox but does not seem to be affecting safari. i uninstalled firefox and reinstalled it later to no avail. i tried clearing the cache and cookies in firefox but it still has control over it. every time i start firefox it goes to the scanner2.malware site and will not let me navigate away from it. anybody know a way to get rid of it? btw, i am using an intel macbook running the latest version of tiger, if that helps.
That seems to take this to another level, jrg24.

So far we've been assuming Macs are still immune from this, if only because the Trojan is not written for Mac OS but your experience suggests otherwise!

At the very least a security flaw in Firefox has been exploited by this and you should contact them.

Your best bet right now would be to reinstall Firefox from scratch - but make sure you clear the cache, cookies and prefs file before you quit the old installation. You might want to export your bookmarks as an html file and erase them from Firefox too before re-installing and re-importing the bookmarks.

It would be really helpful if you can answer the following:

When did this begin?
How did you first arrive at the malware page?
What other symptoms are your Mac and / or Firefox displaying?
Were you redirected from (e.g.) 123greetings.com or another hacked website or did you arrive from a spoofed link (i.e. a link that says it is going to one URL but actually goes to another)?
Did you get an alert window in Firefox and, if so, did you click OK?
Did you do anything else that might have permitted the download or do you think this was a "drive-by"?
What happened next?
Have you installed any Firefox Add-ons recently?
Do you get any clues by examining Activity Monitor and your logs?
Old Jan 9, 2008, 09:38 AM   #19
onicon
macrumors regular
 
Join Date: Jan 2008
i tested it on a windows system; it wants to download some trojans (anti virus software prevented it, thank god).
__________________
Old Jan 9, 2008, 09:47 AM   #20
kkat69
macrumors 68020
 
 
Join Date: Aug 2007
Location: Atlanta, Ga
Quote:
Originally Posted by MacFranco View Post
What the hell is this?

hello guys (girls),

Opening an e-card (from 123 greetings) on my gmail account on a Macbook running OSX 10.4.11, a Windows-looking app. launched and found my system full of errors to fix etc., the usual hassle-and-malware.
here is the link:

http://scanner2.malware-scan.com/9_s...o=3958_0_11470

After a few clicks, it stopped and I could look at my card.

I for one never liked the switch to Intel processors... now this?
By going this way of commodity processors in a nice package, Apple will get a few more switchers. Switchers to Windows! Same junk, but at one third the price!!!

Happy new year to everybody, anyway.

MacFranco::
I for one never liked telling the difference between a program and a webpage in OSX now this?

1 post user.... troll.... Someone tell Apple that PC is posting silly posts again trying to discourage Mac users.
__________________
iMac 27",MB (White),80g iPod Classic,2g iPod Nano,8g iPhone3G,16g iPhone3G,16g iPhone4(x2),1.83ghz Mac Mini(x4),32g iPad White,16g Nexus 7(x2),8g iPod 4th Gen(x2),16g Nexus 4 White (x2)
Old Feb 24, 2008, 10:59 PM   #21
meagain
macrumors 68020
 
Join Date: Nov 2006
I'm having a problem with "Scanner2 Malware" popping up constantly. I've yet to figure out which websites I'm visiting are causing it as I've yet to see any rhyme/reason to it.

IDK what cookies, etc. to look for in Leopard. Or, perhaps there's some way to block it from popping up? I'm not clicking on any banners, emails, etc. to get it. It's really annoying and worrisome. Any ideas?
__________________
27" i7 iMac, AppleTV, 1st gen Air, iPhone 4, iPad 3g
Old Feb 24, 2008, 11:02 PM   #22
Arkbargle
macrumors member
 
Join Date: Jan 2008
Quote:
Originally Posted by onicon View Post
i tested it on a windows system; it wants to download some trojans (anti virus software prevented it, thank god).
You could just, you know, not download them. AV is just a resource-waste.
Old Feb 24, 2008, 11:03 PM   #23
heatmiser
macrumors 68020
 
Join Date: Dec 2007
Quote:
Originally Posted by meagain View Post
I'm having a problem with "Scanner2 Malware" popping up constantly. I've yet to figure out which websites I'm visiting are causing it as I've yet to see any rhyme/reason to it.

IDK what cookies, etc. to look for in Leopard. Or, perhaps there's some way to block it from popping up? I'm not clicking on any banners, emails, etc. to get it. It's really annoying and worrisome. Any ideas?
Take a screenshot so we can see what you're seeing.
__________________
Always on the lookout for longer battery life...
Old Feb 27, 2008, 04:36 PM   #24
meagain
macrumors 68020
 
Join Date: Nov 2006
I "think" it's happening when I open Userplane to chat. Not sure. The only way I can remove this is to hit "cancel" which quickly opens full screen to something saying it's downloading some stuff - then I close that window.
Attachment: Picture 13.png
__________________
27" i7 iMac, AppleTV, 1st gen Air, iPhone 4, iPad 3g
Old Feb 28, 2008, 03:10 AM   #25
Bobbi Flekman
macrumors regular
 
Join Date: Jan 2008
Quote:
Originally Posted by meagain View Post
I "think" it's happening when I open Userplane to chat. Not sure. The only way I can remove this is to hit "cancel" which quickly opens full screen to something saying it's downloading some stuff - then I close that window.
MalwareAlarm is one of the many rogue anti-malware programs. It does not work on OS X, so the only thing that can happen is the download, nothing more.

All it does is populate "the infected list" with a bunch of filenames that is supplied by the program itself. It doesn't even scan!

How is your popup blocker? Does it block? Or do you let every popup pop up?
