
Mal

Original poster
Just got the same pop-up and auto-download that has been reported as MacDefender, plus it actually downloaded two extra copies when I clicked the buttons (I was fully aware of what it was, and having not seen it previously, I wanted to explore its functionality). It downloaded a file called anti-malware.zip, which extracted to another file called diShield.pkg. Since I was using Chrome, it didn't auto-launch the installer, so I launched it expecting to get the warning that it was going to be harmful, but it didn't. Is this one others have been seeing?

jW
 
It's actually been around for several days. Check your System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist to see if it includes the following:
OSX.MacDefender.A
OSX.MacDefender.B
OSX.MacDefender.CDE
OSX.MacDefender.F
 
It does indeed include all of those. It still doesn't recognize the downloaded installer as malicious.

jW
 
If memory serves (I haven't searched yet), I thought the name was dShield, not diShield. If that's true, that might account for it, but I can't see how a file name should matter, since they could randomize the file name.
 
The filename may simply indicate a new variant too, where the filename itself doesn't prevent it from being caught, but something else inside. I copied and pasted that filename, though, so I do know it's correct. I had been thinking it was dShield before as well, hence my wonder if this was a new one.

jW
 
Well, apparently it was just a glitch. I dragged the file out of the trash and tried again, and this time I did get the warning message, identifying it as OSX.MacDefender.CDE.

jW
 
I just had diShield.pkg downloaded to my Mac as well. No alert from Mac OS X, so I did a Google search and ended up here on MR. Strange. Interestingly, this diShield.pkg says that it was created on 6/12/11 at 7:50PM.
 
Yes, dishield

The version I picked up today (from a sketchy Indian website) was indeed called dishield.pkg. Going to that site opens a page that looks like a Finder window and purports to be scanning your system.
dishield.pkg has a CFBundleIdentifier of org.moby.am and an IFPkgCreator code in Cyrillic: Ыуегз игшдвук 2.1. It was properly flagged as malware on my 10.6.7 system during the install - early enough to abort but not too early to have freaked out my girlfriend.
 
The site hosting the page was from the domain 212 dot 95 dot 55 dot 96. Whois reveals some questionable connections:
 
Does Chrome use the file quarantine feature of OS X?

Not all third party software works with file quarantine.
 
Quarantine is not necessary. Just Trash anything that you didn't intend to download and you are set.

The OP mentioned OS X was inconsistent in displaying the file quarantine prompt related to XProtect that warns users the software is malware.

No prompt was shown after the file was downloaded with Chrome.

A prompt was shown after it was recovered from the trash.

This file quarantine feature is known for functioning with default software and a few third party apps.

I am just wondering if Chrome is not one of the apps that function with this feature.
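The two checks discussed in this thread (whether the XProtect signature list carries the MacDefender entries, and whether a download carries the quarantine attribute that triggers the warning) can be made repeatable. The following Python is an added example, not code from the thread or from Apple: it parses an XProtect.plist in the 2011 array-of-dicts layout and reports which of the four MacDefender names are missing, and decodes a com.apple.quarantine attribute value. The plist fragment and the attribute value are constructed samples, and the pattern field is a placeholder rather than real signature data.

```python
import plistlib

# Constructed XProtect.plist fragment (2011 format: an array of signature
# dicts, each with a "Description" naming the threat). Pattern is a placeholder.
SAMPLE_XPROTECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>OSX.MacDefender.A</string>
    <key>Matches</key>
    <array><dict>
      <key>MatchType</key><string>Match</string>
      <key>Pattern</key><string>PLACEHOLDER</string>
    </dict></array>
  </dict>
  <dict><key>Description</key><string>OSX.MacDefender.B</string></dict>
  <dict><key>Description</key><string>OSX.MacDefender.CDE</string></dict>
</array>
</plist>
"""

# The four names the thread says an up-to-date XProtect.plist should contain.
EXPECTED = ["OSX.MacDefender.A", "OSX.MacDefender.B",
            "OSX.MacDefender.CDE", "OSX.MacDefender.F"]


def xprotect_signatures(plist_bytes):
    """Return the Description of every signature entry in an XProtect.plist."""
    entries = plistlib.loads(plist_bytes)
    return [e["Description"] for e in entries
            if isinstance(e, dict) and "Description" in e]


def missing_signatures(plist_bytes, expected=EXPECTED):
    """Names from `expected` that the plist does not define (empty = all present)."""
    present = set(xprotect_signatures(plist_bytes))
    return [name for name in expected if name not in present]


def parse_quarantine(value):
    """Decode a com.apple.quarantine value: 'flags;hex-epoch-time;agent[;uuid]'.

    If a download lacks this attribute (some third-party apps never set it),
    Launch Services skips the XProtect check, which is the symptom the thread
    describes for Chrome. A file pulled back out of the Trash keeps the attribute.
    """
    fields = value.split(";")
    if len(fields) < 3:
        raise ValueError("not a quarantine attribute value: %r" % value)
    return {"flags": int(fields[0], 16),
            "downloaded_at": int(fields[1], 16),   # seconds since the Unix epoch
            "agent": fields[2]}                   # application that downloaded it
```

On a real Mac, feed `xprotect_signatures` the bytes of the XProtect.plist path quoted above, and read a download's attribute with `xattr -p com.apple.quarantine <file>` before passing the value to `parse_quarantine`.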
 
Looks like it from what I can read in this thread. I still believe you have to be very dull to get such malware actually installed and working on your Mac. The day viruses get to my Mac without me knowing they actually got there, in a hidden way... that will be the day I'll start to worry.
 
Obviously, no one should rely on a piece of software for complete protection from malware.

But, it is also good to know which apps use the security features of the OS in case you have to make a software recommendation to someone that you know only relies on software for protection.
 
Oh man, that was close... I just got that diShield crap on my Mac. (Googled some Monica Bellucci pics :D n BAM!!!) This is the first time I've encountered it... Glad to say I knew something wasn't right because it downloaded itself n it made me think of the days when I used to use Windows LOL
 