The reality is that malware is not very successful without system level access. System level access is gained either via social engineering, privilege escalation exploitation, or systems running with elevated privileges by default.

Social engineering used to get system level access can only be completely prevented with user knowledge. Antivirus software does not have 100% detection rates.

Privilege escalation exploitation is rare in the wild in malware for any OS. But, the likelihood of privilege escalation being used in malware in Mac OS X is less than it being used in Windows because Windows has a greater number of privilege escalation exploits. Again, antivirus software is not complete protection so Windows is more vulnerable than Mac OS X.

Also, the default account created in any OS is the typical account used by the average user. The default account created in Mac OS X does not run with elevated privileges. Windows XP is still the OS with the greatest market share and the default account created and typically used in Windows XP is running with elevated privileges by default. Only exploitation to the user level is required for system level access in Windows XP admin accounts given that discretionary access controls are disabled. Windows XP systems make up most of the machines infected with malware belonging to botnets such as Zeus.

I get annoyed when Windows "fanboys" post in malware threads that the sky is going to start falling for Macs when those posters are likely to be using or have used in the past without understanding the consequences a Windows XP admin account given the statistics of OS market shares. Those users start making accusations of fanboyism when other users post objective details about how to avoid the threat, such as "it is only a trojan so just be careful what you authenticate."
 
No, I'm making an assumption that fanboys are voting down all the anti-Apple posts in droves. Whether they have posted in the thread is completely irrelevant. The point is you don't see people voting in droves for logical posts, but you do see negative votes in any post that speaks either for Microsoft or against Apple, regardless of the content of that message. That implies emotional reaction which implies fanaticism. You can argue semantics, but 1+1 still equals 2. Sherlock Holmes didn't have to do a poll to figure things out.



That sounds like a huge number, but it counts repeat viewings of the thread. There are both fewer posters (than 240) and fewer viewers (than 21,900) in totality. There is no way to discern how many stopped reading at the first page either. There is also a tendency for more voting towards the beginning of the thread than the end here, clearly indicating a strong possibility of posters unsubscribing and/or losing interest in the thread as time goes on. Evidence points towards logical trends and tendencies, not exact numbers.



You're right. You could just be stubborn.



I did do a search and hence the 2009 numbers of 25 million going to 75 million by 2009 (so 100 million is a fair estimate for 2011), but the article specifically stated the increase was largely due to the iPhone/iPod Touch. It gave no breakdown of Macs. The last iPhone numbers I saw were around 30 million some time ago and that didn't include iPads, so it may be well over 100 million now including them.



I've seen statistics on percentages of Firefox users relative to PPC and it was like 1 out of 28, if I recall correctly, or about 3.5 per 100 users. If we assume 40 million Intel users for the moment, that would mean there are only a little over 1.4 million active PPC computers (not the same as users since many people own more than one Mac or Mac-capable system; I own 3 for example). So that would mean over 94% of PPC users have upgraded to PPC. I don't think it's quite that high; statistics are measured over time and non-use of a machine you do own (let alone one using multiple operating systems in the case of Intel) can skew the results. But even if I were to assume 25% of the PPC machines from 2007 and earlier are still in use (unlikely given attrition over the years; total sales of PPC isn't the same as active PPC machines; so when one says "installed" that doesn't mean they're still in use) that would still mean over 18 million PPC machines are no longer being actively used out of the 25 million total sold from 2007. Thus, your total Mac user base with 40 million Intels assumed would be 47 million total (add more for more Intels sold; surely that figure is known to at least Apple minus any losses from computers blowing up). But then again, that's not 47 million USERS, necessarily. If the average Mac owner has 2 Macs, for example, that's then only 23.5 million users out there. So the true number of people (that Internet thieves have to potentially plunder) on the Mac is somewhere between 20-35 million at best, IMO, not counting iOS devices.

Now you may think 27 million users to plunder is a big number, but compare that to Windows users (probably around a billion at this point which also includes many of the Macs since they also now can run Windows, creating even less incentive to bother with a Mac), it's a pretty small piece of the pie.

Now I am not saying that those statistics are "the" reason why the Mac has so little Malware and no viruses, but I am saying that you cannot totally dismiss it as a factor for at least a fair part of it. It could be 95% Unix security + foreign OS (as in foreign to the average hacker who runs Windows) and only 5% "why bother", but as the installed base of Mac users increases that "why bother" factor becomes "let's bother" instead. After all, it will only take one bad situation to cause a problem. There's usually a first for everything. Let's see what happens if/when the Mac user base reaches 100 million. iOS is tougher because it's closed, but it's more likely to be targeted in areas like browsing. You also cannot dismiss individual pieces of software with poor security (e.g. Safari regularly gets hacked during contests). Just because those were controlled conditions, it doesn't mean it couldn't be used in a more volatile situation. But is there an incentive? Clearly, there was an incentive to find one when money was offered.




No, I don't think I have. You're operating based on assumptions that because it hasn't happened in a meaningful way that it cannot happen and I think that is a false sense of security paramount to emotional fanaticism. Unlikely? Probably. Never? I wouldn't bet on it.

I would say that length of posts must mean something, so you must be an expert on emotional fanaticism. So, I believe everything you say. 100%.
 
For those interested in security research like myself:

It looks like the Malware authors have noticed all the publicity and changed the "product" name a few times to try and bypass detection.
Samples I have found and their details are listed below.

The original "MACDefender":

Code:
MD5 (BestMacAntivirus2011.mpkg.zip) = 791250a5cc4aa5a4cb98b4c856d67377
Size: 1.9 MB on disk (1,858,384 bytes)

Application:

MacDefender.app (Unable to MD5 - treated as folder)
Size: 2.8 MB on disk (2,492,103 bytes)

Application Binary: 

MD5 (MacDefender.app/Contents/MacOS/MacDefender) = 1938708ace7098803a0ca67b46236deb
Size: 299 KB on disk (297,336 bytes)

"MacSecurity"

Code:
MD5 (BestMacAntivirus2011.mpkg.zip) = 765cc4c43e665f5df75c1b102a390e2c
Size: 2.1 MB on disk (2,139,301 bytes)

Application:

MacSecurity.app (Unable to MD5 - treated as folder)
Size: 3.2 MB on disk (2,902,157 bytes)

Application Binary:

MD5 (MacSecurity.app/Contents/MacOS/MacSecurity) = 99da91a2bac5c21d9ab36c7a6c574ad3
Size: 311 KB on disk (311,124 bytes)

"MacProtector"

Code:
MD5 (anti-malware.zip) = 177e2254273d3413ee937aa0cd34587b
Size: 1.9 MB on disk (1,872,571 bytes)

Application:

MacProtector.app (Unable to MD5 - treated as folder)
Size: 2.8 MB on disk (2,511,661 bytes)

Application Binary:

MD5 (MacProtector.app/Contents/MacOS/MacProtector) = 1f8e9cd3f0717a85b96f350e4f4a539a
Size: 315 KB on disk (311,548 bytes)

These are actually the first Mac Malware samples I have been able to get my hands on; others have disappeared far too quickly.

For those that still need clarification:

Yes, if you have the Open "safe" files after downloading option enabled in Safari, after downloading the zip file it will be automatically unzipped by Archiver and the installer will be started (on Snow Leopard, at least).

Also, in reply to some of KnightWRX's questions/remarks:

- Installers are marked as Safe by Safari and therefore automatically run.
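For anyone triaging a download against the samples listed above, here is an added example (my own Python, not code from the original post or from any project). It hashes a file, or the main executable inside an .app bundle since md5 cannot hash a folder, and compares the digest and size against the MD5s and sizes posted above; the bundle built by `demo()` holds constructed placeholder bytes, not a real sample.

```python
import hashlib
import os
import tempfile

# Transcribed from the sample listing in the post above: MD5 of each bundle's main
# executable (Contents/MacOS/<name>) with its size in bytes, and MD5s of the archives.
KNOWN_BINARIES = {
    "1938708ace7098803a0ca67b46236deb": ("MacDefender", 297336),
    "99da91a2bac5c21d9ab36c7a6c574ad3": ("MacSecurity", 311124),
    "1f8e9cd3f0717a85b96f350e4f4a539a": ("MacProtector", 311548),
}
KNOWN_ARCHIVES = {
    "791250a5cc4aa5a4cb98b4c856d67377": "MacDefender (BestMacAntivirus2011.mpkg.zip)",
    "765cc4c43e665f5df75c1b102a390e2c": "MacSecurity (BestMacAntivirus2011.mpkg.zip)",
    "177e2254273d3413ee937aa0cd34587b": "MacProtector (anti-malware.zip)",
}

def hashable_path(path):
    """An .app bundle is a folder (why md5 failed on it above): hash Contents/MacOS/<name>."""
    path = path.rstrip("/")
    if os.path.isdir(path) and path.endswith(".app"):
        stem = os.path.basename(path)[:-len(".app")]
        return os.path.join(path, "Contents", "MacOS", stem)
    return path

def md5_file(path, chunk=65536):
    """Stream the file through MD5 so a multi-megabyte archive is not read at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def classify(path):
    """Return (verdict, label); a size-only match often means a renamed/rebuilt variant."""
    target = hashable_path(path)
    digest = md5_file(target)
    if digest in KNOWN_ARCHIVES:
        return "known-archive", KNOWN_ARCHIVES[digest]
    if digest in KNOWN_BINARIES:
        return "known-binary", KNOWN_BINARIES[digest][0]
    size = os.path.getsize(target)
    for name, known_size in KNOWN_BINARIES.values():
        if size == known_size:
            return "size-only-match", name
    return "unknown", os.path.basename(target)

def demo():
    """Build a constructed, harmless bundle layout in a temp dir and classify it."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "MacProtector.app")
        os.makedirs(os.path.join(app, "Contents", "MacOS"))
        binary = os.path.join(app, "Contents", "MacOS", "MacProtector")
        with open(binary, "wb") as f:
            f.write(b"constructed placeholder bytes, not the real sample\n")
        return hashable_path(app) == binary, classify(app)
```

Point `classify()` at a downloaded .zip or at the unpacked .app folder; the placeholder bundle in `demo()` is reported as unknown because its bytes match none of the posted hashes or sizes.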
 
I would say that length of posts must mean something, so you must be an expert on emotional fanaticism. So, I believe everything you say. 100%.
So if I make a post long enough, I can convince you to give me all your money? :D
 
I would say that length of posts must mean something, so you must be an expert on emotional fanaticism. So, I believe everything you say. 100%.

Yes, it means that unlike most people, I actually know how to type. :D

It also means I can express myself in more detail than a two sentence reply. How would you like the articles posted on here to be that short? WTF would be the point?

There's a new iMac! It rulez dudes! :cool:

Yes, that's informative. :p
 
Someone link us some malware and viruses for OSX so we can have a looksie.

WARNING: for those interested, the following link will take you to a website that will automatically download a zip file containing this trojan. Only click the link if you are interested in seeing how it works. The webpage has been redesigned to look more like an OS X user interface.

ONLY CLICK THIS LINK TO DOWNLOAD THE TROJAN

It should be noted that ClamXav does not yet detect this trojan.

EDIT: The Google SEO poisoning for this link must be corrected as it no longer redirects to the malware's download page. Also, ClamXav now detects this threat.
 
MACDefender becomes MACProtector?

I just clicked on a Google image and got a very scary looking page from "Apple security center" that pretended to be scanning my Mac and allegedly finding all sorts of Trojans and then immediately downloading a "MACProtector" package. I deleted the package. Beware! This whole thing looked like a souped-up version of the MACDefender trojan I encountered the other week.
 
You guys keep saying "hurr just press no, only an idiot would fall for that"

Why is it when Windows has similar threats you use it against Windows, but on Mac it's as simple as pressing no?

Face it, the sad truth is I guarantee most Mac users will actually press yes and install it
 
I just clicked on a Google image and got a very scary looking page from "Apple security center" that pretended to be scanning my Mac and allegedly finding all sorts of Trojans and then immediately downloading a "MACProtector" package. I deleted the package. Beware! This whole thing looked like a souped-up version of the MACDefender trojan I encountered the other week.
Yes, they have several variations of the name: MacDefender, MacSecurity, MacProtector. I'm sure there will be more, but the behavior is the same. Simply deleting the package as you did is the right thing to do.
Face it, the sad truth is I guarantee most Mac users will actually press yes and install it
You can't guarantee any such thing, because you don't know the 50+ million Mac users out there. The pattern we've seen in this forum is that users don't usually install it, but come here, asking about it. They usually cancel the install and delete the package, as MatthewCobb did, or ask advice about how to handle it.

Social engineering threats have nothing to do with which OS is being used. A foolish or ignorant user will fall prey to such attempts, whether they're on Windows, Mac OS X, Linux, Unix, etc. Your attempt to make this a "fanboy" issue demonstrates that you don't understand social engineering threats.
 
You guys keep saying "hurr just press no, only an idiot would fall for that"

Why is it when Windows has similar threats you use it against Windows, but on Mac it's as simple as pressing no?

Face it, the sad truth is I guarantee most Mac users will actually press yes and install it

:rolleyes:

Yes, because so many people here have said that.

Face it, this is a simple threat that's very easy to prevent (it literally is a matter of not entering your password to install something you didn't download). While it will get some people, I doubt that most Mac users would fall for it.

In addition, Windows threats like that are not what get talked about. Windows threats often don't require any user interaction, and certainly not a password to install. They are much more likely to slip past even a more experienced user.

jW
 
You can't guarantee any such thing, because you don't know the 50+ million Mac users out there. The pattern we've seen in this forum is that users don't usually install it, but come here, asking about it.

I think all he was trying to say is that Windows users don't exactly hold the sole rights to ignorance, fallibility or stupidity. Most Mac users are probably even less technically inclined than average Windows users (comes with the easy GUI and reputation over the years). So, in other words "can't happen because you'd have to be stupid to install that" doesn't really fly as provable reasoning. It can happen. It does happen. And yes people ARE gullible or phishing wouldn't be so rampant.
 
Most Mac users are probably even less technically inclined than average Windows users (comes with the easy GUI and reputation over the years).

Really, you think so? Despite only having 5% of the global market share, Mac users represent around 26% of Ars Technica visitors. It seems that Mac users are among those that are interested in technology and, therefore, also inclined to know how to use it.

http://static.arstechnica.com/ars_OS_share_0710.png
 
Really, you think so? Despite only having 5% of the global market share, Mac users represent around 26% of Ars Technica visitors. It seems that Mac users are among those that are interested in technology and, therefore, also inclined to know how to use it.

http://static.arstechnica.com/ars_OS_share_0710.png

Arstechnica has about 1000 visitors. This stat is meaningless. Besides, PC users have tons of their own web sites. Arstechnica (with their "this week in Apple" columns) is an Apple skewed web site.
 
So when are Apple going to fix this?

That said, I did a 'test search' with Google Images and got nothing... however, would OpenDNS protect me against this or would I have to disable visual image searches until this flaw is fixed?

They say that Mac users are dumb computer users but in fact I'm quite the opposite. I primarily use a Mac but can repair Windows when it's messed up by viruses, reinstall it etc as well as use Linux quite happily, so that claim is not always true.

Vigilance counts for a lot when you're using an internet connected computer. Fact!
 
That said, I did a 'test search' with Google Images and got nothing... however, would OpenDNS protect me against this or would I have to disable visual image searches until this flaw is fixed?
Did you read the posts in this forum, or the original article, or the Mac Virus/Malware Info that has been posted in these threads? They all have the solution: uncheck the "Open "safe" files after downloading" option in Safari Preferences. That's all you need to do.
 
Hey GGJ,

Just some feedback about the malware link.

I would put information about specific threats and how to help prevent them in a separate link. That way you would have both general and specific guides to malware prevention on a Mac.
 
Hey GGJ,

Just some feedback about the malware link.

I would put information about specific threats and how to help prevent them in a separate link. That way you would have both general and specific guides to malware prevention on a Mac.
Thanks for the suggestion! I've been thinking about a complete rewrite/update for that post, to make it more effective and clean up formatting. I just haven't gotten around to devoting the time to it.
 
Did you read the posts in this forum, or the original article, or the Mac Virus/Malware Info that has been posted in these threads? They all have the solution: uncheck the "Open "safe" files after downloading" option in Safari Preferences. That's all you need to do.

Yes I did and I have been running as a limited user for about 2 years now as well :) but still, you'd think it might download even on a standard account, because I clicked on the link someone provided here just to see it for myself (obviously I wasn't stupid to install the trojan though).
 
Yes I did and I have been running as a limited user for about 2 years now as well :) but still, you'd think it might download even on a standard account, because I clicked on the link someone provided here just to see it for myself (obviously I wasn't stupid to install the trojan though).
Whether you're logged in as a standard or admin user makes no difference. It will still download and launch if you have that option selected. Since it's only an installer package and can do nothing without the user proceeding with the installation, it's not considered malware. It's just an annoyance.
 
Yes I did and I have been running as a limited user for about 2 years now as well :) but still, you'd think it might download even on a standard account, because I clicked on the link someone provided here just to see it for myself (obviously I wasn't stupid to install the trojan though).

The process of installing this malware is the same on any account type, whether it be admin or standard.

MACDefender is installed in the system level of the OS which always requires authentication to modify unless using the root user account, which is not enabled by default.

Edit: MACDefender does not install anything at the system level. It requires password authentication in the event that the user is running a standard account. Subsequent variants do not require password authentication to install in admin accounts. But, this is really only a glorified phishing scam so it is no surprise that it doesn't need password authentication.

Odd, the developer should have included a system level keylogger given that it prompts for password authentication.
 
Yes I know all of that... but are Apple going to fix the flaw in Safari which allows the page redirection to happen or not?

That's all I want to know, thanks. I ask because we don't want it to be like XP with this crap that has happened for years and more to occur in the near future (now the crooks know it can be done).
 