malware in safari?

Discussion in 'Mac Apps and Mac App Store' started by karsten, Mar 5, 2011.

  1. karsten, Mar 5, 2011
    Last edited: Mar 5, 2011

    karsten macrumors 6502a


    Sep 3, 2010
    EDIT- I figured out where the malware was coming from- its' coming from a Safari extension called "Magic Scroll". it's written by the "Slice Factory," it's supposed to make your scrolling better, which it does, but apparently it written by some malware company that distributes a bunch of stuff. i tracked down their website and sure enough they produce both this scrolling and the price finding add-on. they don't tell you running the mouse add-on will enable the other one however. i got this straight from apple's site i'm going to report it to them hopefully others don't have this same problem. at least you know how to get rid of it now.

    ok i feel dumb, on amazon i'm getting this popup in the bottom right of the screen about finding the best deal, the popup says it's the "Best price add-on" but i never installed that. i don't see it in safari's extensions, i assume some program installed it so how do i get rid of it? thanks
  2. Gorilla'sMom macrumors newbie

    Mar 7, 2011
    Where does "Magic Scroll" hide it's malware?

    I had the same problem with this "BestPrice" add-on - but I can't find any extension installed called "Magic Scroll" or anything by Slice Factory. I would like to get rid of this, but I'd also like to know where it came from in the first place!

  3. karsten thread starter macrumors 6502a


    Sep 3, 2010
    About the only thing you can do is disable the extensions one by one til you figure out which one it is. You have to restart safari each time too.
  4. Gorilla'sMom macrumors newbie

    Mar 7, 2011
    Thanks, I'll try that - weird thing is I haven't added any new extensions for ages and this thing just popped up today.

  5. Gorilla'sMom macrumors newbie

    Mar 7, 2011
    Found the "BestPrice" addon

    I found which extension was causing the problem - PrintPlus 1.0 - and guess what? It's also by Slice Factory. I'm also going to lodge a complaint with Apple. Looks like they're adding malware to a lot of their programs....

  6. Big-TDI-Guy macrumors 68030


    Jan 11, 2007
    Huge concidence here - my Safari today has been acting REALLY weird - so much so I just reset it, and I'm not using it currently.

    Started on MR - I got a finder popup from my firewall saying Application "Safari" is attempting to access the internet - clicking "no" may change it's performance. (or something to that extent)

    I quit Safari and it was still there (hence I don't think it was a random popup window)

    I hit cancel, and went about my business. Relaunched Safari and went to Amazon - after my SSL purchase on Amazon - it stated an invalid certificate (from Amazon, WTF?) and it had some jazz about as the site not having proper credentials. (should have captured a screenshot of this) Given that I had not navigated to this sight - nor had this happen with in years - I quit.

    Reset Safari entirely - have not touched it since. Went to another device, using another browser, and changed my password.

    Likelihood of this being related? Not big - but figured I'd share my odd occurrence...
  7. kgtenacious macrumors regular


    Jun 15, 2010
    I had this same problem with Slice Factory's "Print Plus" - if you look in (in my case) ~/Library/Safari/LocalStorage/safari-extension_com.slicefactory.printplus-wk8yrear33_0.localstorage you can figure out that the code for the malware is in there.
  8. GGJstudios macrumors Westmere


    May 16, 2008
    Just a suggestion: you may want to change the title of this thread to include the name of the offending extension, so if someone is searching for feedback on it, they'll find this thread.
  9. munkery, Mar 21, 2011
    Last edited: Mar 21, 2011

    munkery macrumors 68020


    Dec 18, 2006
    Tested the following slice factory extensions: 1) Print Plus 2) Dictionary 3) Magic Scroll. All were installed from the Safari Extension Gallery.

    I was not able to reproduce the adware behaviour stated by others.

    I had ad blocking and plugin blocking disabled during the test. Accept cookies was set to always, all web content settings were enabled, and pop-up windows were allowed.

    I also navigated to the Slice Factory website with the extensions installed to see if a cookie set by that webpage initiated the behaviour. I did not install the extensions from the Slice Factory website so that may be a factor in not reproducing the pop-up.
  10. nec207 macrumors 6502

    Mar 21, 2011
    That me say this again as more people before get bad at windows 7 and windows vista and move to Mac computers and Linux and run has root the computer will get malware.

    All mac computers OSx and most Linux the root account is locked you are admin user that can run sudo command or SU to actually Switch-User to a root user when you need root privilege.You should not be running has root.

    If you do so and with popularity of Mac computers and Linux than windows more malware will make its way out.

    Look even apple say you need firewall and you should not be running as root user .No need for anti-virus to date only 3 virus out there for Mac in past 5 years and like none for Linux .

    None of my frends that use Linux or Mac computer run as root and never got malware they download lots of free movies and free music where PC will get malware in less than week going to those sites.
  11. old-wiz macrumors G3

    Mar 26, 2008
    West Suburban Boston Ma
    There are zero viruses in the wild for the Mac. ZERO.
  12. GGJstudios macrumors Westmere


    May 16, 2008
    There's the market share myth again! :rolleyes:
    There has never been a virus in the wild that runs on Mac OS X, which was introduced 10 years ago. The handful of trojans that exist can be easily avoided with some education and common sense and care in what software you install:
  13. Consultant macrumors G5


    Jun 27, 2007
    WRONG. Mac OS does NOT run as root by default.
  14. GGJstudios macrumors Westmere


    May 16, 2008
    I think that's what they were saying:
  15. nec207 macrumors 6502

    Mar 21, 2011
    For example, it prevents hackers from harming your programs through a technique called “sandboxing” — restricting what actions programs can perform on your Mac, what files they can access, and what other programs they can launch.

    All successful, and most plausible, malware attacks on Mac OS X have occurred in the last 2 years with the last quarter of 2007 being particularly prolific. Market penetration and overall sales of the Mac OS X system have directly mirrored development of malware, a phenomenon also demonstrated with other operating systems such as Microsoft Windows. Based on this data there is no reason to believe the trend will not continue as Apple continues to increase their market share.

    OS X 10.5 Leopard introduces new sandboxing technology to show a dialog box to the user before running any new program downloaded from the Internet. Software downloaded from the Internet, both from the mail and from browser applications, is marked as suspicious and will not be executed until the user clicks on a confirmation dialog box to explicitly allow it to run.

    When reading comments on articles about Mac security, you find many people who are in denial about malware that targets the Mac. Granted, there are far fewer viruses, worms and Trojan horses affecting Macs than Windows PCs, but the risk is real, and it’s getting worse. In fact, the complacency of Mac users, who have almost been led to believe that their platform is germ-free, may lead to more serious outbreaks should virulent malware target the Mac. Most Mac users don’t know how to react to a malware attack.

    If we look at 2009, we can see that malware writers are increasingly targeting the Mac. In January, shortly after Apple announced a new version of its iWork suite of productivity software, malware writers took advantage of it. Mac users who downloaded the software via BitTorrent were also treated to the iServices Trojan horse, hidden inside the iWork installer. The iServices Trojan opened a back door on infected Macs, and it connected to remote servers to download new code. It was actively used as part of a botnet that was involved in distributed denial of service attacks and more.

    Read more:
    Computing - Insight for IT leaders Claim your free subscription today.
  16. GGJstudios macrumors Westmere


    May 16, 2008
    First, there's no need to bold everything. I've read all that before.
    To be accurate, there are zero viruses and worms and only a handful of trojans. Again, no one is saying Macs are immune to malware threats; only that antivirus software isn't needed to protect against the few trojan threats that do exist. How many times must this be said before people actually read and comprehend it?

    The "market share" theory suggests:
    larger market share = more visibility = more malware​
    This is not proven by actual events. Ten years ago, when Macs represented a much smaller market share and a much smaller installed base, there were a handful of viruses that could affect Mac OS 9 and earlier. Today, Macs have a much larger market share and much larger installed base with Mac OS X (and growing at a rate of over a million Macs per month), but the number of viruses has not increased proportionately.... or at all... in fact, the number has decreased to zero. The market share theory doesn't work. Period.
  17. munkery, Mar 22, 2011
    Last edited: Mar 22, 2011

    munkery macrumors 68020


    Dec 18, 2006
    Much of the information in the PDF associated with this article is incorrect. For example:

    Page 26

    It refers to the bundle architecture as insecure. The argument presented would be true if security sensitive apps were not owned by system. Given that they are owned by system, malware cannot modify the bundle of an app owned by system without authentication when the app is run with user privileges in an admin or standard account.

    For example, show package contents of iTunes, Safari, or Mail and try to create a folder in the bundle. In relation to the example in the article, try renaming iTunes.

    Apps not owned by system are vulnerable but without privilege escalation can not install rootkits or keyloggers. Even apps owned by system run with user privileges and require privilege escalation to install dangerous payloads.

    Mac OS X does not prompt for authentication if you install apps in the proper location for that user account type. When installed in the proper location, apps are sandboxed from the system level of Mac OS X by the Unix DAC model used within Mac OS X.

    Windows is less secure because most apps (Chrome only exception I can recall) install their associated files in levels of the system that require authentication regardless of user account type (unless Admin in Windows XP because running as superuser - no authentication required to install with elevated privileges - very dangerous). It is easier to trick Windows users to install a trojan with elevated privileges given that almost all apps ask for authentication to install and the user can not distinguish the intent of that authentication.

    Page 30

    The claim that the Application folder is unprotected is false. Security sensitive apps within the Application folder are owned by system.

    Also, security sensitive system binaries are still stored in /bin and /sbin in Mac OS X.

    Page 31

    The ability to read the contacts stored in Address Book could be used by a worm to propagate. But, malware that uses this to spread is not likely to appear in the wild if the malware is not profitable. It is unlikely that malware will be profitable without being able to hook (this is a specific function) into apps owned by system.

    Page 33

    Starts off talking about trojans, trojans are easily avoided with user knowledge in Mac OS X because most apps do not require authentication to install if installed in the appropriate location where the Unix DAC model protects the system.

    Viruses using the model shown in the article will not be successful without privilege escalation. This is the reason why Mac OS X malware is not successful in the wild.

    By default, very few server side services are exposed in Mac OS X and those that are exposed are sandboxed. Vectors for worm propagation are limited to client side. Client side worms require authentication to install and spread if do not include privilege escalation via exploitation because of the Unix DAC model used in Mac OS X. Trojans used to trick users to authenticate are less likely to be successful in Mac OS X as stated above.
  18. Cognita macrumors newbie


    Mar 2, 2011
    I also had this malware. I was using 4 extensions at the time: PrintPlus 1.0, CustomSearch, AdBlock, and Plugin Customs (all installed directly from Safari Extensions Gallery). AdBlock and Plugin blocking were fully enabled.

    The Amazon Best Price add-on popped up within the same hour that I actually USED PrintPlus for the first time, which was about 2 weeks after I installed it. It informed me proudly that it was "embedded in my browser." I freaked out. Could the catalyst have been the actual USE of PrintPlus, as compared to just the installation of it?

    I deleted it (and a bunch of other crap that came with it) from ~/Library/Safari/LocalStorage/... It hasn't come back. Ick.
  19. MisterMe macrumors G4


    Jul 17, 2002
    Calling this kind of software "malware" debases the term and confuses others. You installed extensions with hidden adware. Shame on the developers who produce this stuff. "Legitimate" developers should not mimic the tactics of malware developers. Complain to the extension developer. Complain to Apple. Complain to the companies whose products and services are advertised by this crap. Let them know that you will not patronize any company that advertises in this way.
  20. Cognita macrumors newbie


    Mar 2, 2011
    Thanks for the "adware" vs "malware" tip. I'm still a novice and the clarification is appreciated. I wasn't sure of the protocol for something like this, so I sent an immediate bug report to apple with a screen shot and I also reported it via the apple website.

    That's also a good idea to complain to the companies who are advertised by the adware. I guess that would be Amazon directly? It's worth a try.
  21. GGJstudios macrumors Westmere


    May 16, 2008
    Read the Virus/Malware link in post #12 to get more clarification on this topic.
  22. nec207, Apr 15, 2011
    Last edited: Apr 15, 2011

    nec207 macrumors 6502

    Mar 21, 2011
    I think we should say most anti-virus programs also scan for worms,spyware and adware .

    Mostly it is spyware,adware,keyloggers ,trojan that is problem .

    Can you explain this with out be understanding alot how the OS works.

    Read more here.
  23. GGJstudios macrumors Westmere


    May 16, 2008
    Yes, and those can be easily avoided without the need for antivirus software.
  24. munkery macrumors 68020


    Dec 18, 2006
    In Mac OS X Snow Leopard, applications that come with your Mac can not be modified without entering your password.

    Even if these applications are modified, it would not cause the installation of rootkits, such as keyloggers that could log protected passwords entered into security sensitive apps such as Safari.
  25. nec207 macrumors 6502

    Mar 21, 2011
    sorry what do you mean ?

    windows uses DLL files and Exe files and the registry when most Unix,Linux and Mac OS X do not.

    humm the DLL ,exe and registry are good way for malware to mess up your system.

    Not say registry errors over the years of computer use.

Share This Page