Yes I know all of that... but are Apple going to fix the flaw in Safari which allows the page redirection to happen or not?
It's not something that needs to be fixed in Safari. Redirections are a normal function of many legitimate websites. The issue lies with Google's image search and with the specific sites that have been hacked to redirect. It could also be accomplished with your DNS servers being changed. None of these are Safari or Apple issues.
 
Yes I know all of that... but are Apple going to fix the flaw in Safari which allows the page redirection to happen or not?

That's all I want to know, thanks. I ask because we don't want it to be like XP with this crap that has happened for years and more to occur in the near future (now the crooks know it can be done).

Once you provide your password, the malware can modify any part of the system.

It is not a flaw, this effect would occur with any browser the malware is designed to modify. Of course, system owned apps can only be modified after the user authenticated to provide the process with higher privileges.

That type of redirection is actually more likely in user installed browsers, such as Firefox, given that system privileges are required to modify the Safari.app bundle and the owner (user that installed the app) is able to modify the app bundle of third party browsers, such as Firefox.

Edit: System level access is not required to produce the browser redirection.

It's not something that needs to be fixed in Safari. Redirections are a normal function of many legitimate websites. The issue lies with Google's image search and with the specific sites that have been hacked to redirect. It could also be accomplished with your DNS servers being changed. None of these are Safari or Apple issues.

I believe he is referring to the porn redirection after installation.

Edit: app bundles are not modified by this malware given removal stops the redirection. It must use some type of hook into the browser to cause the redirection.
 
I did begin to think it wasn't an Apple related issue shortly after I posted my post but yes I was also referring in part to the porn redirection.

As I noted previously, I use Opendns which might be protecting me without me knowing (from the images in question) who knows...

I hope Google fix this problem with the way image links are handled so that no user of any platform can be bothered by this as easily as it's happening.

Cheers you two. :)
 
Just yesterday my niece came upon this while looking for information for a school paper. Is this a flavor / variant of the MacDefender? This looks VERY similar, but hers had a bit better grammar, and more warning icons. Honestly, it threw me for a spin until I noticed it said "Macintosh HD" - which was not the name of hers. Luckily my previous warnings were heeded, and she force-quit Safari rather than chance pressing any of the buttons.

First time I've spotted this type of attack, was this the same as MacDefender?
 

Attachment: Picture 17.png
Just yesterday my niece came upon this while looking for information for a school paper. Is this a flavor / variant of the MacDefender? This looks VERY similar, but hers had a bit better grammar, and more warning icons. Honestly, it threw me for a spin until I noticed it said "Macintosh HD" - which was not the name of hers. Luckily my previous warnings were heeded, and she force-quit Safari rather than chance pressing any of the buttons.

First time I've spotted this type of attack, was this the same as MacDefender?

RougeAntiSpyware, sounds legit. :D

I swear that list is longer than the actual known malware for Mac OS X.
 
Just yesterday my niece came upon this while looking for information for a school paper. Is this a flavor / variant of the MacDefender? This looks VERY similar, but hers had a bit better grammar, and more warning icons. Honestly, it threw me for a spin until I noticed it said "Macintosh HD" - which was not the name of hers. Luckily my previous warnings were heeded, and she force-quit Safari rather than chance pressing any of the buttons.

First time I've spotted this type of attack, was this the same as MacDefender?

I bet her user shortname isn't "computer" either.
 
This is more than the average threat we get on Mac OS X. I use Google about 10 or so times a day on my Mac and I am constantly getting requests from MACDefender asking if I give it permission to be installed. I will post up some screenshots later of some of the messages I am getting. I know for a fact the application is not installed, but about 1 in 3 Google searches I make are infected with the virus. BTW I don't Google search anything inappropriate; the average Google search for me is something like "Plate Tectonics" or "Hardstyle top 10".

I am looking at purchasing some anti-virus for my mac just to have an extra level of protection. And yes firewall is turned on, on my router and mac.
 
I am looking at purchasing some anti-virus for my mac just to have an extra level of protection. And yes firewall is turned on, on my router and mac.

Antivirus will only cause you to get a prompt from the AV software every time you navigate to a webpage hosting MACDefender. AV software will only make the situation worse.

AFAIK, it is only hosted via results in google image search. Are you only searching for images?
 
Just yesterday my niece came up upon this while looking for information writing a school paper. Is this a flavor / variant of the MacDefender?
Yep, that's it.
I am looking at purchasing some anti-virus for my mac just to have an extra level of protection.
It's really not necessary. I know this "threat" is a nuisance, but there's no way it can harm or affect your Mac unless you install it. Just uncheck "Open "safe" files after downloading" in your Safari Preferences and you won't have annoying popups.
 
Check out this quote about the latest variant of that Windows malware called Antivirus 2011.



From here, http://detnews.com/article/20110502/BIZ04/105020317/1013/rss12

BTW, it renders Windows useless by corrupting the registry. No registry in OS X.

Luckily, this type of malware on a Mac is not nearly as bad if you're clumsy enough to get infected. You can even remove it from the account that is infected without having to boot into a safe mode.

This post made me have to edit a previous post. Thought I should quote it,

Antivirus 2011 (and all the variants) is a piece of piss to remove as it only affects the user account it was installed on, not the whole PC

1. Download Malwarebytes (free version) from http://www.malwarebytes.org/products/malwarebytes_free
2. Install on a different user account on the PC, or in safe mode if there is no other account
3. Run quick scan
4. Detect and remove

I would also recommend doing it in safe mode as well as an unaffected user account to ensure the minimal amount of processes are running.

Any decent AV software should prevent it from running, unless people are using some of those stupid free AV applications that do not protect a PC properly.
 
so much for the no malware on Macs myth :D
funny how the Apple fanboys are getting all defensive :rolleyes:

No Viruses. Big difference between a Virus and Malware. This requires user intervention.

Still no viruses on the Mac.

Just yesterday my niece came upon this while looking for information for a school paper. Is this a flavor / variant of the MacDefender? This looks VERY similar, but hers had a bit better grammar, and more warning icons. Honestly, it threw me for a spin until I noticed it said "Macintosh HD" - which was not the name of hers. Luckily my previous warnings were heeded, and she force-quit Safari rather than chance pressing any of the buttons.

First time I've spotted this type of attack, was this the same as MacDefender?

I think your biggest red flag here is the horrid grammar in the request. "To help protect your computer Apple Web Security have detected trojans and ready to remove them".

I'd assume an Apple product would, you know, actually use appropriate grammar.
 
1. Download Malwarebytes (free version) from http://www.malwarebytes.org/products/malwarebytes_free
2. Install on a different user account on the PC, or in safe mode if there is no other account
3. Run quick scan
4. Detect and remove

I would also recommend doing it in safe mode as well as an unaffected user account to ensure the minimal amount of processes are running.

Installing an app and running it in safe mode or from another account is still more work than removing this type of malware from a Mac, given that other apps are not corrupted on a Mac.

In my experience some software will still be non functional after repair.

If it is the default software that is toast, such as IE, I usually have to rescue the data out of the infected account to make the user a new account. These issues can be fixed by manually finding and repairing registry entries if you want to spend the time.

If the software that is still toast is third party, then you can delete it, run CCleaner to delete its registry entries, and reinstall it.

But, I get what you are saying. This type of malware is really a non-issue for most users.
 
No Viruses. Big difference between a Virus and Malware. This requires user intervention.

Still no viruses on the Mac.

Viruses aren't big on Windows either these days compared to years past. It's about $$$ now, not just destroying things for the sake of destroying them. The fastest and easiest way to get personal information is a straightforward app that you trick people into opening. It doesn't require any cunning or serious programming knowledge, just easy prey.
 
Viruses aren't big on Windows either these days compared to years past. It's about $$$ now, not just destroying things for the sake of destroying them. The fastest and easiest way to get personal information is a straightforward app that you trick people into opening. It doesn't require any cunning or serious programming knowledge, just easy prey.

Viruses, meaning exploits that include privilege escalation, could be useful for online financial fraud as they allow the install of rootkits without user intervention. But, easier methods yield more profit than client side app exploitation.

Most online financial fraud is due to SQL injection attacks against e-commerce websites. The attack gets access to the data storage for credit card information. This is easier to do than exploiting a web browser, which most likely only results in the compromise of a much lower volume of valuable information.

Credit card dumps are sold in bulk for around 50 cents per set of track2 info (CC# and verification info). So, each person's credit card info and verification data is only worth on average 50 cents to a black hat hacker. That info is not worth enough unless going after it in bulk via e-commerce web app exploitation (SQL injection or XSS), botnets, or phishing scams.

Web app exploitation (PSN breach) is out of the control of consumers as it is not related to their personal system.

Phishing scams (MACDefender is essentially this type - asks for your credit card info) can only be reliably prevented by users and are most likely not very successful on any platform. At least, in terms of cost/benefit analysis. Writing MACDefender was probably more work than the PSN breach. Which do you think will provide better profit returns?

Botnets, which rely on rootkit install to gather sensitive data, typically can be avoided using discretionary access controls to protect modification of the system level without authentication and user knowledge to protect against social engineering. This method has been successful because Windows XP does not use DAC in the default account created. As XP market share goes down, botnets will become less successful.

Easily avoidable phishing scams and web app exploitation will increase as botnets become less successful. This type of phishing scam targeting Mac may be an indicator that this transition is occurring as social engineering is becoming the more viable methodology. There is nothing the average user can do about web app exploitation other than use as few e-commerce sites as possible to limit their exposure.

Also, as much if not more credit card info is collected for sale on "dump" websites from skimming, which requires physical access to the card, as opposed to hacking. The online element of the crime only manifests as part of the sale of the credit card information.
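The post above argues that SQL injection against an e-commerce site yields card data in bulk, whereas a MACDefender-style scam collects one card at a time. The following is an added example (not from the thread, and not any real shop's code) showing why: a product-search endpoint that never displays card data still leaks the whole card table once a UNION is injected through it, while the parameterized version treats the same payload as a harmless literal. The tables, rows and card numbers are constructed for the demo (the numbers are standard test PANs).

```python
"""Added example: SQL injection on a product-search endpoint that reaches
into an unrelated card table, beside the parameterized fix.

Everything here is constructed for illustration: an in-memory SQLite
database with a public "products" table and a "cards" table the search
endpoint is never supposed to expose."""
import sqlite3

# Constructed sample data (the PANs are well-known test numbers, not real cards).
PRODUCTS = [("Plate tectonics textbook",), ("Hardstyle top 10 CD",)]
CARDS = [("alice", "4111111111111111"), ("bob", "5555555555554444")]

# The attacker's search string. The quote closes the LIKE literal, the UNION
# pulls every PAN into the result set, and "--" comments out the rest.
UNION_PAYLOAD = "' UNION SELECT pan FROM cards --"


def make_db():
    """Build the constructed shop database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.execute("CREATE TABLE cards (customer TEXT, pan TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)", PRODUCTS)
    conn.executemany("INSERT INTO cards VALUES (?, ?)", CARDS)
    return conn


def search_vulnerable(conn, query):
    """Vulnerable: the user's text is spliced into the SQL statement, so
    quotes and keywords in it change the query's structure."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + query + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, query):
    """Fixed: the value is bound as a parameter. The driver never parses it
    as SQL, so the payload can only match (or fail to match) product names."""
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + query + "%",))]


def leaked_pans(conn, query):
    """Which PANs from the card table show up in the vulnerable search output."""
    known = {pan for _, pan in CARDS}
    return sorted(known.intersection(search_vulnerable(conn, query)))


if __name__ == "__main__":
    db = make_db()
    print("normal search      :", search_safe(db, "tectonics"))
    print("vulnerable + payload:", search_vulnerable(db, UNION_PAYLOAD))
    print("leaked PANs         :", leaked_pans(db, UNION_PAYLOAD))
    print("safe + payload      :", search_safe(db, UNION_PAYLOAD))
```

The vulnerable query executed with the payload is `SELECT name FROM products WHERE name LIKE '%' UNION SELECT pan FROM cards --%'`: every product plus every card number, from an endpoint whose own query never touched `cards`. That is the "access to the data storage for credit card information" the post describes, and it is why one injectable parameter on a shop is worth more to an attacker than many individually phished users.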
 
Just yesterday my niece came upon this while looking for information for a school paper. Is this a flavor / variant of the MacDefender? This looks VERY similar, but hers had a bit better grammar, and more warning icons. Honestly, it threw me for a spin until I noticed it said "Macintosh HD" - which was not the name of hers. Luckily my previous warnings were heeded, and she force-quit Safari rather than chance pressing any of the buttons.

First time I've spotted this type of attack, was this the same as MacDefender?

I had this exact same message pop up when I was doing a Google image search today. I clicked 'cancel,' closed Firefox, and restarted my computer. I'd like to note that this popped up on FIREFOX so everyone saying that this is a Safari-specific issue is not correct.

This may be a stupid question, but am I in any danger here? I didn't download anything, but I went back to that site a second time so I could get a screenshot of it. Once again restarting Firefox and my computer. I admit that I am not very tech-savvy, and things like this (virus, malware, trojan, etc.) scare me.

While Googling about this, I found a blog that suggested to download ClamXav (http://download.cnet.com/ClamXav/3000-2239_4-10668194.html). Is this really necessary?

I have read many websites regarding this issue, but they all seem ambiguous to me and I am not familiar with the terms used. I would appreciate some reassurance here, and any other help or advice.

Thanks in advance! :)
 
I had this exact same message pop up when I was doing a Google image search today. I clicked 'cancel,' closed Firefox, and restarted my computer. I'd like to note that this popped up on FIREFOX so everyone saying that this is a Safari-specific issue is not correct.

Actually, it is a Safari-specific issue because only Safari will open the file after it downloads. That is the issue, not the download itself.

This may be a stupid question, but am I in any danger here?

No, just don't open anything you download from that site, or anything you don't remember specifically downloading, and you will be fine.

Also, restarting your Mac was unnecessary.
 
Actually, it is a Safari-specific issue because only Safari will open the file after it downloads. That is the issue, not the download itself.
Ah, I understand. Thank you for clarifying.

No, just don't open anything you download from that site, or anything you don't remember specifically downloading, and you will be fine.

Glad to hear it! Thanks! :)
 
I had this exact same message pop up when I was doing a Google image search today. I clicked 'cancel,' closed Firefox, and restarted my computer.
This is actually a bad idea. If you suspect that malware has been downloaded to your Mac, DO NOT RESTART until you've removed all traces of it. The reason is that restarting could complete an installation (ever have to restart after installing some apps or Software Updates?). It's better to remove the item and not restart.
I had this exact same message pop up when I was doing a Google image search today. I clicked 'cancel,' closed Firefox, and restarted my computer. I'd like to note that this popped up on FIREFOX so everyone saying that this is a Safari-specific issue is not correct.
Yes, the simulated scan will show up on any browser, but are you saying the install package downloaded and launched when using FF? There's a difference between what appears on the browser and the actual install package launching.
I admit that I am not very tech-savvy, and things like this (virus, malware, trojan, etc.) scare me.
While you should always be wary, there's no reason to be scared. Read this, to better understand malware as it relates to your Mac: Mac Virus/Malware Info
While Googling about this, I found a blog that suggested to download ClamXav (http://download.cnet.com/ClamXav/3000-2239_4-10668194.html). Is this really necessary?
No. Simply deleting the install package without running it is all that's required to rid your system of this nuisance.
 
This is actually a bad idea. If you suspect that malware has been downloaded to your Mac, DO NOT RESTART until you've removed all traces of it. The reason is that restarting could complete an installation (ever have to restart after installing some apps or Software Updates?). It's better to remove the item and not restart.
To my knowledge, nothing actually downloaded, and I didn't give it permission to.

are you saying the install package downloaded and launched when using FF?
It didn't install or download at all.

While you should always be wary, there's no reason to be scared. Read this, to better understand malware as it relates to your Mac: Mac Virus/Malware Info
Thanks for this link, I'll definitely check it out.
 
I think your biggest red flag here is the horrid grammar in the request. "To help protect your computer Apple Web Security have detected trojans and ready to remove them".

I'd assume an Apple product would, you know, actually use appropriate grammar.

You don't say?

Just yesterday my niece came upon this while looking for information for a school paper. Is this a flavor / variant of the MacDefender? This looks VERY similar, but hers had a bit better grammar, and more warning icons.
 
Is this a flavor / variant of the MacDefender? This looks VERY similar, but hers had a bit better grammar, and more warning icons.
There are several variants of the name and the website presentation. They all are the same thing. Read the first section of the Mac Virus/Malware Info that I posted.
 
Annoyingly this type of thing will become all too common. Damn Apple and their great products, making themselves popular and that.
I liked the security through obscurity world we've come from...

It's not because of obscurity. It is because it is much harder to write viruses or malware for OS X or most Unix-based OSes than it is for Windows. Any idiot can write something for Windows simply by slightly modifying an existing exploit. Hence the term "script kiddies". There were plenty of viruses and malware for pre-OS X Macs. Any security expert will tell you security through obscurity is nonsense.

Also in Safari do this;
Preferences>General>Uncheck Open "safe" files after downloading
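Two posts in this thread give the practical advice: turn off Safari's "Open 'safe' files after downloading" so a downloaded installer does not launch itself, and, if you think something was downloaded, clean up before rebooting because a restart can finish an install. The script below is an added example (not from the thread or from Apple) that turns both into a check. It reads the Safari preference key `AutoOpenSafeDownloads` from Safari's preferences plist (the key behind that checkbox; treating a missing key as "enabled" is an assumption based on Safari's default) and lists launchd agents and daemons whose program lives in a user-writable location, which is one generic place for malware to persist across a reboot. The thread does not say where MACDefender itself persists, so the directory list and the "user-writable path" heuristic are the author's assumptions, and the sample plists are constructed for the demo.

```python
"""Added example: post-MACDefender checks on a Mac.

1. auto_open_enabled(): does Safari still auto-open "safe" downloads?
2. suspicious_launch_items(): launchd plists whose program runs from a
   user-writable path (a generic persistence heuristic, an assumption here).

Only the standard library is used. Paths and the heuristic are assumptions;
the sample plists written by build_sample_dir() are constructed test data."""
import os
import plistlib
import tempfile

# Assumed locations (standard on macOS, but not stated by the thread).
SAFARI_PREFS = os.path.expanduser("~/Library/Preferences/com.apple.Safari.plist")
LAUNCH_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
]
# Prefixes a non-root user can write to; a launch item whose binary sits here
# was not installed by Apple or by a vendor installer (heuristic, assumption).
USER_WRITABLE = (os.path.expanduser("~") + "/", "/tmp/", "/private/tmp/", "/Users/Shared/")


def auto_open_enabled(plist_bytes):
    """True if Safari would auto-open "safe" files after download.
    Assumption: a missing AutoOpenSafeDownloads key means the default (on)."""
    prefs = plistlib.loads(plist_bytes)
    return bool(prefs.get("AutoOpenSafeDownloads", True))


def read_safari_setting(path=SAFARI_PREFS):
    """Read the real preference file; None if Safari has never written one."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return auto_open_enabled(fh.read())


def launch_item_program(item):
    """Program path a launchd plist would execute ("Program" wins over argv[0])."""
    args = item.get("ProgramArguments") or []
    return item.get("Program") or (args[0] if args else "")


def suspicious_launch_items(directory):
    """[(plist name, program)] for launch items that run from user-writable
    paths, plus any plist that cannot be parsed (worth a manual look)."""
    findings = []
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        try:
            with open(os.path.join(directory, name), "rb") as fh:
                item = plistlib.load(fh)
        except Exception:
            findings.append((name, "<unparseable plist>"))
            continue
        program = launch_item_program(item)
        if program.startswith(USER_WRITABLE):
            findings.append((name, program))
    return findings


def build_sample_dir():
    """Constructed LaunchAgents directory: one benign vendor-style agent and
    one agent pointing into /Users/Shared (hypothetical names, not real malware)."""
    directory = tempfile.mkdtemp(prefix="launchagents-demo-")
    samples = {
        "com.example.vendorhelper.plist": {
            "Label": "com.example.vendorhelper",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper"],
        },
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "ProgramArguments": ["/Users/Shared/.updater/run", "--quiet"],
            "RunAtLoad": True,
        },
    }
    for name, contents in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            plistlib.dump(contents, fh)
    return directory


# Constructed Safari preference files for the demo.
SAMPLE_SAFARI_DEFAULT = plistlib.dumps({})
SAMPLE_SAFARI_FIXED = plistlib.dumps({"AutoOpenSafeDownloads": False})

if __name__ == "__main__":
    print("Safari auto-open (this machine):", read_safari_setting())
    for d in LAUNCH_DIRS:
        print(d, suspicious_launch_items(d))
    print("demo dir findings:", suspicious_launch_items(build_sample_dir()))
```

Run it before rebooting: the launch-item findings tell you what would come back after a restart, and the Safari value tells you whether the next "Macintosh HD is infected" page can get an installer as far as the first password prompt.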
 
Many take security through obscurity to relate to OSs with low market share. But, security through obscurity applies more to knowledge about an OS's design and implementation. The parts of OS X that make up its kernel-space elements that relate to virus install are open source. Anyone can download the source code to see how it is designed and implemented. By definition, open source is the exact opposite of security through obscurity. Proprietary code relies on security through obscurity by not making the source code available. The kernel-space parts of Windows are mostly if not all proprietary code.
 
Anyone have a working link or copy of this? Need it for testing & demonstration purposes. PM me if you have it saved!
 