Old Aug 20, 2009, 06:05 AM   #1
Asgerhj
macrumors newbie
 
Join Date: Aug 2009
Antivirus/malware in Snow Leopard?

Hi

Yesterday I googled for reviews of the new Playstation 3 Slim and came across a site which looked like it had a video review.
But on clicking the player, a “QuickTimeUpdate.dmg” started downloading and mounted automatically.
Suddenly the following warning appeared:

“install.pkg” will damage your computer. You should move it to the Trash.

“install.pkg” is on the disk image “QuickTimeUpdate.dmg”. Safari downloaded this disk image today at 23.25 from redrocktube.com. It contains the “OSX.RSPlug.A” malware.

I booted into Leo and tried the same procedure and got NO warning.
Scanning the .dmg with ClamXav I got a warning.


So what I am basically trying to say is:

1: I wasn't aware that SL has built in some kind of Antivirus/malware. Were you?

2: Take care - don't feel too secure running a Mac (I still hear lots of people telling lots of other people that there is no reason to fear malware on the Mac platform......)
Others say that the only way to get infected on a Mac is if you install the malware yourself (hence you are stupid) - but that is the whole point in trojans: You think that you are installing something useful, but...

For my part, I was sceptical about the download, because QT updates don't work that way, but had it been named e.g. "videocodec.dmg" I am not sure that I wouldn't have installed it....
Hopefully ClamXav would have caught it!
Old Aug 20, 2009, 06:07 AM   #2
r.j.s
macrumors Demi-God
 
Join Date: Mar 2007
Location: Forum Spy
Quote:
Originally Posted by Asgerhj View Post
“QuickTimeUpdate.dmg” started downloading and mounted automatically.
Turn off "Open Safe files after downloading ..." in Safari, and it won't be a problem.
__________________
2009 15" MBP 2.8GHz 4GB 500GB // Late 2006 MB 2GHz 3GB 500GB // 2nd Gen 16GB iPod Touch
Old Aug 20, 2009, 06:10 AM   #3
RemarkabLee
macrumors 6502
 
Join Date: Nov 2007
Location: UK
Interesting.

Would be nice if SL had this added protection. Was it a system warning or Safari? Are you running the same version on Leopard (4.0.3?)
__________________
Nehalem Mac Pro Quad 2.93 w/ATi 4870, LED Cinema Display & Mac mini C2D 1.83
Old Aug 20, 2009, 06:11 AM   #4
Asgerhj
Thread Starter
macrumors newbie
 
Join Date: Aug 2009
Quote:
Originally Posted by r.j.s View Post
Turn off "Open Safe files after downloading ..." in Safari, and it won't be a problem.
Yeah, it would be a problem if I didn't suspect that the .pkg could harm me!
Old Aug 20, 2009, 06:12 AM   #5
r.j.s
macrumors Demi-God
 
Join Date: Mar 2007
Location: Forum Spy
Quote:
Originally Posted by Asgerhj View Post
Yeah, it would be a problem if I didn't suspect that the .pkg could harm me!
Actually, thinking about it ... I think Leopard does the same thing. Whenever you download an app, it will ask you if you are sure you want to run it, because it was downloaded from the internet and may harm your computer.

In Leopard:
[Attached image: Picture 1.png]
Old Aug 20, 2009, 06:14 AM   #6
Asgerhj
Thread Starter
macrumors newbie
 
Join Date: Aug 2009
Quote:
Originally Posted by RemarkabLee View Post
Would be nice if SL had this added protection. Was it a system warning or Safari? Are you running the same version on Leopard (4.0.3?)

Same version, 4.0.3

I think it was a system warning, because it appeared after mounting the .dmg.
I didn't launch the .pkg so it seems that SL scans .dmgs on mount.
Old Aug 20, 2009, 06:17 AM   #7
r.j.s
macrumors Demi-God
 
Join Date: Mar 2007
Location: Forum Spy
Can anyone else running SL confirm this?
Old Aug 20, 2009, 06:19 AM   #8
RemarkabLee
macrumors 6502
 
Join Date: Nov 2007
Location: UK
Quote:
Originally Posted by Asgerhj View Post
Same version, 4.0.3

I think it was a system warning, because it appeared after mounting the .dmg.
I didn't launch the .pkg so it seems that SL scans .dmgs on mount.
Perhaps it scans the 'downloaded from' location and compares it to a blacklist, either as part of the system or an online database. Would be a nicer alternative to a traditional daemon that scans all file activity - yeuch!
Old Aug 20, 2009, 06:24 AM   #9
Asgerhj
Thread Starter
macrumors newbie
 
Join Date: Aug 2009
Quote:
Originally Posted by r.j.s View Post
Actually, thinking about it ... I think Leopard does the same thing. Whenever you download an app, it will ask you if you are sure you want to run it, because it was downloaded from the internet and may harm your computer.
Well, the warning I got is different from the Leo-warning you mention:
1. You were launching an app - I wasn't
2. "My" warning also points out the exact malware (later confirmed by ClamXav)


I could post the link so you could try for yourself, but I don't want to because of the risk...
But read my 1st post and do a bit of googling, then you can find it.
BUT BEWARE!!!! This is a LIVE TROJAN
Old Aug 20, 2009, 06:27 AM   #10
r.j.s
macrumors Demi-God
 
Join Date: Mar 2007
Location: Forum Spy
Quote:
Originally Posted by Asgerhj View Post
Well, the warning I got is different from the Leo-warning you mention:
1. You were launching an app - I wasn't
2. "My" warning also points out the exact malware (later confirmed by ClamXav)


I could post the link so you could try for yourself, but I don't want to because of the risk...
But read my 1st post and do a bit of googling, then you can find it.
BUT BEWARE!!!! This is a LIVE TROJAN
At first you didn't say you didn't run the package ... once you did add that part, I saw the difference.
Old Aug 20, 2009, 06:31 AM   #11
uaecasher
Contributor
 
Join Date: Jan 2009
Quote:
Originally Posted by r.j.s View Post
Can anyone else running SL confirm this?
Yes, it has the same thing; will post a screenshot soon.
Old Aug 20, 2009, 11:54 AM   #12
stainlessliquid
macrumors 65816
 
Join Date: Sep 2006
You have to wonder what possesses Apple to think forcefully downloading files whether you want them or not is a good feature for Safari, and then opening them by default... (PDFs and certain image formats are NOT "safe" files, same with QuickTime). It's like they're stuck in 1995 where people think the internet is safe and all downloads are useful. Not only is it extremely annoying, it's just outright stupid.
Old Aug 20, 2009, 01:49 PM   #13
MisterMe
macrumors 601
 
Join Date: Jul 2002
Location: USA
Quote:
Originally Posted by Asgerhj View Post
Hi

Yesterday I googled for reviews of the new Playstation 3 Slim and came across a site which looked like it had a video review.
But on clicking the player, a “QuickTimeUpdate.dmg” started downloading and mounted automatically.
...
I'm having a really difficult time trying to figure out what you are getting at. Everyone with the sense God gave red brick knows that MacOS X system software comes exclusively from Apple and no one else. QuickTime is MacOS X system software. It is available nowhere except Apple. New releases are available exclusively through Apple's website. Updates are available via Software Update or via download from Apple's website. Unless you are dumber than a bag of hammers, there is no way to fool anyone into downloading malware that pretends to be QuickTime.
__________________
Neither a borrower nor a lender be
For loan oft loses both itself and friend
William Shakespeare from Hamlet
Old Aug 25, 2009, 04:34 PM   #14
jav6454
macrumors 601
 
Join Date: Nov 2007
Location: Ontario, CA | Metairie, LA | San Pedro Sula, Honduras
This is really In-te-resting..... to say the least. Snow Leopard is actually scanning your files before mounting, just in case.
__________________
Collector's Edition Al MacBook 2.4GHz | 1st Gen iPhone 8GB | iPhone 3G S⃣ 32GB
Old Aug 25, 2009, 05:22 PM   #15
tvon
macrumors newbie
 
Join Date: Aug 2006
Quote:
Originally Posted by MisterMe View Post
I'm having a really difficult time trying to figure out what you are getting at. Everyone with the sense God gave red brick knows that MacOS X system software comes exclusively from Apple and no one else. QuickTime is MacOS X system software. It is available nowhere except Apple. New releases are available exclusively through Apple's website. Updates are available via Software Update or via download from Apple's website. Unless you are dumber than a bag of hammers, there is no way to fool anyone into downloading malware that pretends to be QuickTime.
I think maybe you should re-read the original post, you seem to have misunderstood and entirely missed the point.
Old Aug 25, 2009, 05:33 PM   #16
haineuxApple
macrumors newbie
 
Join Date: Aug 2009
Please provide the link to the page where the virus-ridden package is.

I promise to use these powers only for good -- or for awesome.
Old Aug 26, 2009, 02:56 AM   #17
richthomas
macrumors 601
 
Join Date: Feb 2007
Location: /Aussieland/home
Here is a link I found to test the anti-malware protection in Snow Leopard (I've left it unlinkable on purpose to protect unsuspecting downloads)

fishwildlife.org/lurd.php?sodini+blog WARNING: This URL contains malware and if installed will infect your Mac.

When the disk image is mounted (may mount automatically when downloaded if you have this set in Safari) and the installer package is opened, this message appears

Here is the help document that opens once you click the purple help button:

Quote:
What is malware?

If a warning message tells you that something you have downloaded from the Internet is “malware,” you should exercise caution. The safest action is to put the item in the Trash, and then empty the Trash.

Malware is an abbreviated term for malicious software. Malware includes viruses, worms, trojan horses, and other types of software that can damage your system or violate your privacy. Malware can be installed on your computer when you download content or applications from the Internet, either from email or websites.

Certain instances of malware are merely harmless or annoying. More often, its intent is to take control of your computer to collect personal information, host illegal content, send spam email, or cause harm to other systems on the network. Personal information that’s collected often includes credit card, banking accounts, social security numbers, or other identifying information leading to identity theft and financial loss.

Avoid opening items downloaded from websites and email messages unless you are certain that they come from a legitimate, trusted source. If you are uncertain about the source of a downloaded item, it is best to delete the item. You can always download it again later, after you have made certain that the item is not malware.

This article provides safety tips for handling email attachments and content downloaded from the Internet:

Apple Support article: Safety tips for handling email attachments and content downloaded from the Internet
__________________
Core i5 3.0GHz, 4GB, 1.5TB, 4870 1GB; 23" ACD; Snow Leopard
15" MacBook Pro Core Duo 2GHz, 2GB, 250GB; Snow Leopard
Old Aug 26, 2009, 06:26 AM   #18
ceezy3000
macrumors 6502
 
Join Date: Jan 2009
Location: The Valley!!
Damn, that's a nifty feature
__________________
Collector's Edition Aluminum Macbook 2.4Ghz 2gb Ram 250GB HDD