This is partially because due to a design flaw in Windows, many third-party applications won't even run unless they have administrator access (silly, no?).

So outdated software or poor programming = Design flaw in Windows?

Don't get me wrong, I have some legacy applications that won't run without elevated permissions, but they're just that, legacy applications. I suppose Microsoft could just take Apple's approach and forcibly antiquate software.
 
Huge difference in my experience. The Windows UAC will pop up for seemingly mundane things like opening some files or opening applications for the first time, whereas the OS X popup only happens during install of an app - in OS X, there is an actual logical reason apparent to the user. It is still up to the user to ensure the software they are installing is from a trusted source, but the reason for the password is readily apparent.

Right. Not.

In OS X it also pops up when doing things like opening files (HTML documents), DMG images etc. Of course this is correct behaviour, but OS X and Win7 are *fairly* similar in terms of user prompts.
 
The article -> http://blog.intego.com/2011/05/02/m...lware-program-attacks-macs-via-seo-poisoning/

Here is how it works:

In this case, the file downloaded is a compressed ZIP archive, which, if a specific option in a web browser is checked (Open “safe” files after downloading in Safari, for example), will open. The file is decompressed, and the installer it contains launches ...

If the user continues through the installation process, and enters an administrator’s password, the software will be installed.
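
As an added illustration, not part of the original post or the quoted Intego article: a defender's pre-open check that lists what a downloaded ZIP would unpack and flags installer packages, app bundles and executable files. The suffix list and the sample archive are assumptions constructed for this example.

```python
import io
import zipfile

# Assumption: suffixes treated as "launchable" on OS X; this list is not from the thread.
LAUNCHABLE_SUFFIXES = (".pkg", ".mpkg", ".app", ".command")


def triage_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for entries worth a look before opening."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Bundles (.app, .mpkg) are directories, so check every path component.
            for part in info.filename.rstrip("/").split("/"):
                if part.lower().endswith(LAUNCHABLE_SUFFIXES):
                    findings.append((info.filename, f"inside launchable item {part}"))
                    break
            else:
                # Unix permission bits are stored in the high 16 bits of external_attr.
                mode = info.external_attr >> 16
                if not info.is_dir() and mode & 0o111:
                    findings.append((info.filename, "executable bit set"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a harmless archive shaped like the download described."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample")
        zf.writestr("ExampleInstaller.mpkg/Contents/Info.plist", "<plist/>")
        tool = zipfile.ZipInfo("helper")
        tool.external_attr = 0o100755 << 16  # regular file, rwxr-xr-x
        zf.writestr(tool, "#!/bin/sh\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in triage_zip(build_sample_zip()):
        print(f"{name}: {reason}")
```

Listing the archive this way reads only the ZIP directory; nothing is extracted or run.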
 
As I understand it, Safari will open the zip file since it's a "safe" download. But that doesn't mean it'll execute the code within that zip file, so how is this malware executing without user permission?

That's what I'd like to know. I can't even open HTML pages downloaded from my own website without OS X warning me before opening it, and yet this story makes it sound as if the file contained in the zip is somehow launching on its own without any user notification. Sounds like BS to me. What is the source for this?

Edit: I see. It starts an installer that the user has to go along with willingly, and therefore it's nothing even remotely similar to the stealth install crapware on Windows. Next.
 
That's what I'd like to know. I can't even open HTML pages downloaded from my own website without OS X warning me before opening it, and yet this story makes it sound as if the file contained in the zip is somehow launching on its own without any user notification. Sounds like BS to me. What is the source for this?

It decompresses the zip file and executes code to launch an installer. This is considered a safe action because the user still has to continue to run the installer.

Installation of MacDefender via the installer requires password authentication by the user.
 
So outdated software or poor programming = Design flaw in Windows?

Don't get me wrong, I have some legacy applications that won't run without elevated permissions, but they're just that, legacy applications. I suppose Microsoft could just take Apple's approach and forcibly antiquate software.

That's the thing, though. It's not only old software that behaves this way. There are all kinds of modern software that require administrator access to run. One of the biggest ones I can think of are games... typically those with some sort of anti-hack system.

MS has done nothing to discourage developers from writing their software to work this way and it's unfortunate.
 
So let me get this straight:

1 - I must search for something on the Internet that leads me to that link (probably suspicious already);
2 - Javascript, IF activated, will start downloading a file, even though such a process can be stopped in the Safari downloads window;
3 - The suspicious ZIP file MUST be opened, this happening automatically ONLY if the "safe files" option is activated;
4 - I must OPEN the unzipped suspicious file, which will then lead me to a suspicious installer;
5 - I must AUTHORIZE the computer to install the suspicious file by providing my password;
6 - EVEN after doing all that, I can just kill processes and delete the file so that all is fine again.

And people still wanna call that "virus" or "malware"? Gimme an effing break! I've got a lot more damage from script kiddies who once sent me a disguised terminal command as a PDF file.

This is a non-issue...Winblows fanboys, can't you come up with something better than this? :cool:
 
I just cleaned out one of the computers at work, and the person had the installer window still open. They pressed OK, but because they had 10 other windows open they really did not realize they authorized it to install.

It is not that they did not authorize it; it's that their computer had so much stuff on it that they did not realize they authorized it.
 
That's the thing, though. It's not only old software that behaves this way. There are all kinds of modern software that require administrator access to run. One of the biggest ones I can think of are games... typically those with some sort of anti-hack system.

MS has done nothing to discourage developers from writing their software to work this way and it's unfortunate.

They have done nothing to discourage it? Well, they introduced an annoying pop-up asking for confirmation that makes the developers' customers frustrated. Any suggestion what other meaningful action they can take?
Also, I can't think of any application I have installed on my Windows PC that behaves like this.

When I first started using a Mac seriously, which was when Vista was out and got criticized for UAC, I was really surprised to discover that OS X has the exact same thing. In Windows 7 you not only have the option to switch it on and off, you can also customize the intrusiveness of it, I find it much more user friendly than in OS X.
I think a lot of people here need to actually try Windows 7 out instead of categorically dismiss it.
 
They have done nothing to discourage it? Well, they introduced an annoying pop-up asking for confirmation that makes the developers' customers frustrated. Any suggestion what other meaningful action they can take?
Also, I can't think of any application I have installed on my Windows PC that behaves like this.

When I first started using a Mac seriously, which was when Vista was out and got criticized for UAC, I was really surprised to discover that OS X has the exact same thing. In Windows 7 you not only have the option to switch it on and off, you can also customize the intrusiveness of it, I find it much more user friendly than in OS X.
I think a lot of people here need to actually try Windows 7 out instead of categorically dismiss it.

To compare Windows' extremely annoying UAC crap with the non-intrusive one-time authorization requests for newly-downloaded files on Mac OS X is ludicrous...not to mention the fact that OS X's user password validity lasts for a while after it is typed.

Conclusion: You've probably never really used OS X.
 
so much for the no malware on macs myth :D
funny how the apple fanboys are getting all defensive :rolleyes:

Bravo, this is the funniest post ever.

I bet there's a lot of fan bois with soiled underwear.

Could it be true? Their perfect computers now quite vulnerable.

Ya gotta love it...the slap of reality :) :) :)
 
Bravo, this is the funniest post ever.

I bet there's a lot of fan bois with soiled underwear.

Could it be true? Their perfect computers now quite vulnerable.

Ya gotta love it...the slap of reality :) :) :)

We were just waiting for you? Where have you been?

On another note, mods, it's getting hideous to see such comments being allowed on this website.
 
They have done nothing to discourage it? Well, they introduced an annoying pop-up asking for confirmation that makes the developers' customers frustrated. Any suggestion what other meaningful action they can take?
Also, I can't think of any application I have installed on my Windows PC that behaves like this.

When I first started using a Mac seriously, which was when Vista was out and got criticized for UAC, I was really surprised to discover that OS X has the exact same thing. In Windows 7 you not only have the option to switch it on and off, you can also customize the intrusiveness of it, I find it much more user friendly than in OS X.
I think a lot of people here need to actually try Windows 7 out instead of categorically dismiss it.

What do you mean, "Try Windows 7"? I've used and maintained every version of Windows from 98SE all the way up to 7. I even toyed around with 95 in a virtual machine from pure curiosity. Hell, I even have a Windows 7 boot camp partition.

I know exactly what Windows 7 is like. It comes with maintaining every computer at the house, several of the computers at the high school, fixing collegemates' computers, and being known as the neighborhood tech kid since age 14 (now 22, for reference).
 
About as huge as most windows ones!

Difference being Windows users don't have to accept an invitation then enter an admin user name and password for most stuff they get zonked with.

BTW, Just curious, did the Scottish folks that founded your town not know how to spell or is it a typo in your town name?
 
I love how you all pretend like this is the first piece of intrusive software (Malware) for Macs or like there's no such thing as a virus for Mac...

I'll just leave this right here...http://www.clamxav.com/

if anyone knows a better one let me know, thnx.
 
LOL. I got scared for a second since Pro Tools is dumb and doesn't like non-privileged accounts so I run as admin. But this "threat" requires so many clicks that it is ridiculous.
 
It decompresses the zip file and executes code to launch an installer. This is considered a safe action because the user still has to continue to run the installer.

Installation of MacDefender via the installer requires password authentication by the user.

So Safari auto-downloads, unarchives and auto-executes something, but you think it is safe because it's an installer ? :confused:

I'm sorry, but I'm still curious about the "auto-execute" part. Why would it run the installer automatically after decompressing it? That sounds quite "unsafe" to me. Even without administrator privilege, that means code can still run that can affect the current user's account.

like there's no such thing as a virus for Mac...

Link to Mac OS X virus please. Anything, a name, a description of what it does, something.

Viruses and malware are not the same thing.

I'll just leave this right here...http://www.clamxav.com/

What's your point with ClamAV ? It's the de facto Unix anti-virus scanner that's used to scan for Windows viruses in e-mail servers usually.
 
I love how you all pretend like this is the first piece of intrusive software (Malware) for Macs or like there's no such thing as a virus for Mac...

I'll just leave this right here...http://www.clamxav.com/

if anyone knows a better one let me know, thnx.

Dude, the only viruses antivirus software ever picks up are Windows viruses, to prevent them from being passed along unintentionally to Windows users. Most of what "antivirus" software does for Macs is catch other forms of malware which are not viruses. This is part of the confusion about what the word "virus" means. The correct term for this software should be "antimalware", but the average consumer wouldn't know what that is if they saw it, so the misinformation continues.
 
I'm sorry, but I'm still curious about the "auto-execute" part. Why would it run the installer automatically after decompressing it? That sounds quite "unsafe" to me. Even without administrator privilege, that means code can still run that can affect the current user's account.

It can't affect the user's account if the user doesn't proceed with the installation. If the installer is closed without proceeding, nothing is affected.

What's your point with ClamAV ? It's the de facto Unix anti-virus scanner that's used to scan for Windows viruses in e-mail servers usually.

It also scans for Mac malware.
 
It can't affect the user's account if the user doesn't proceed with the installation. If the installer is closed without proceeding, nothing is affected.

You're not quite understanding what I'm saying or the situation here. Safari auto-downloads a zip file, runs it through Archive Utility which extracts something and then runs it.

It happens to be an installer this time. What if next time it's a malicious piece of code ? Why did it auto-execute, under what conditions and could these conditions be used to execute something other than an installer ?

Think a bit beyond the current situation. The malware authors do.

It also scans for Mac malware.

i.e., not viruses. ClamAV's original intent was Linux e-mail servers and while it may have morphed into more, its existence is not the proof of Mac viruses.
 
What if next time it's a malicious piece of code ? Why did it auto-execute, under what conditions and could these conditions be used to execute something other than an installer ?

It can't achieve privilege escalation without the user entering their admin password. That means it can't damage your Mac OS X installation.

i.e., not viruses. ClamAV's original intent was Linux e-mail servers and while it may have morphed into more, its existence is not the proof of Mac viruses.

I only mentioned that because some are under the mistaken impression that ClamXav only detects Windows malware.
 
All macs do have built-in anti-malware:
http://www.macworld.com/article/142457/2009/08/snowleopard_malware.html
Don't know how good it is, though.

NOTHING built-in or installed later will protect a computer if the user is stupid.

You, as a user, have to be wary of allowing yourself to do what the malware creator needs you to do to circumvent whatever protection your computer has. Oddly enough, there's a large enough number of village idiots with computers of any OS to make it worth writing malware.
 
It can't achieve privilege escalation without the user entering their admin password. That means it can't damage your Mac OS X installation.

Are you purposefully ignoring my point ? Look, if you don't know and don't care about the finer points, don't reply or try to participate.

I'm curious how it auto-executes the installer because that can have potential damaging results for a user account, without privilege escalation. My data is all in my user account, I don't care about a few system files so much as I care about my data.

Can we please leave the bickering and "it's just an installer" out of it and discuss the technical requirements behind this malware so we can better understand it ?
 