New version of MacDefender: diShield?

Discussion in 'Mac Apps and Mac App Store' started by Mal, Jun 8, 2011.

  1. Mal macrumors 603

    Mal

    Joined:
    Jan 6, 2002
    Location:
    Orlando
    #1
    Just got the same pop-up and auto-download that has been reported as MacDefender, plus it actually downloaded two extra copies when I clicked the buttons (I was fully aware of what it was, and having not seen it previously, I wanted to explore its functionality). It downloaded a file called anti-malware.zip, which extracted to another file called diShield.pkg. Since I was using Chrome, it didn't auto-launch the installer, so I launched it expecting to get the warning that it was going to be harmful, but it didn't. Is this one others have been seeing?

    jW
     
  2. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #2
    It's actually been around for several days. Check your /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist to see if it includes the following:
    OSX.MacDefender.A
    OSX.MacDefender.B
    OSX.MacDefender.CDE
    OSX.MacDefender.F
     
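    As an added example (not code from the thread), here is a small Python script that does the check above programmatically: it lists the signature names in an XProtect.plist and reports which of the four MacDefender definitions are missing. It assumes the file is an XML plist whose top level is an array of signature dicts, each with a "Description" string; the embedded sample plist is constructed for the example (with placeholder Pattern values) and is not Apple's file.

```python
"""List the signatures in an XProtect.plist and flag missing MacDefender ones."""
import plistlib
from typing import Iterable, List

# Live path on a 2011-era Mac (from the post above).
XPROTECT_PATH = "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist"

EXPECTED_MACDEFENDER = [
    "OSX.MacDefender.A",
    "OSX.MacDefender.B",
    "OSX.MacDefender.CDE",
    "OSX.MacDefender.F",
]

# Constructed sample (assumed layout: array of signature dicts keyed by
# "Description"). Only three of the four definitions are present so the check
# has something to flag; the Pattern hex is a placeholder, not a real signature.
SAMPLE_XPROTECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>OSX.MacDefender.A</string>
    <key>LaunchServices</key>
    <dict><key>LSItemContentType</key><string>com.apple.application-bundle</string></dict>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchFile</key>
        <dict><key>NSURLTypeIdentifierKey</key><string>public.unix-executable</string></dict>
        <key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>00000000</string>
      </dict>
    </array>
  </dict>
  <dict>
    <key>Description</key><string>OSX.MacDefender.B</string>
    <key>Matches</key><array/>
  </dict>
  <dict>
    <key>Description</key><string>OSX.MacDefender.CDE</string>
    <key>Matches</key><array/>
  </dict>
</array>
</plist>
"""


def load_definitions(plist_bytes: bytes) -> List[str]:
    """Return the Description of every signature entry, in file order."""
    entries = plistlib.loads(plist_bytes)
    if not isinstance(entries, list):
        raise ValueError("XProtect.plist top level should be an array of signatures")
    return [str(e.get("Description", "")) for e in entries if isinstance(e, dict)]


def missing_definitions(plist_bytes: bytes, expected: Iterable[str]) -> List[str]:
    """Names from `expected` that the plist does not carry (i.e. stale definitions)."""
    present = set(load_definitions(plist_bytes))
    return [name for name in expected if name not in present]


def check_installed(path: str = XPROTECT_PATH) -> List[str]:
    """Run the same check against the live file on a Mac."""
    with open(path, "rb") as fh:
        return missing_definitions(fh.read(), EXPECTED_MACDEFENDER)


if __name__ == "__main__":
    missing = missing_definitions(SAMPLE_XPROTECT_PLIST, EXPECTED_MACDEFENDER)
    print("sample file is missing:", missing or "nothing")
```

    Run it with no arguments to see the sample flagged as missing OSX.MacDefender.F; on a Mac, call check_installed() to test the real file. An empty list means all four definitions are present, which is the state the thread expects after the safe-downloads list has updated.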
  3. Mal thread starter macrumors 603

    Mal

    Joined:
    Jan 6, 2002
    Location:
    Orlando
    #3
    It does indeed include all of those. It still doesn't recognize the downloaded installer as malicious.

    jW
     
  4. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #4
    If memory serves (I haven't searched yet), I thought the name was dShield, not diShield. If that's true, that might account for it, but I can't see how a file name should matter, since they could randomize the file name.
     
  5. Mal thread starter macrumors 603

    Mal

    Joined:
    Jan 6, 2002
    Location:
    Orlando
    #5
    The filename may simply indicate a new variant too, where the filename itself doesn't prevent it from being caught, but something else inside. I copied and pasted that filename, though, so I do know it's correct. I had been thinking it was dShield before as well, hence my wondering if this was a new one.

    jW
     
  6. karl878 macrumors member

    Joined:
    Dec 8, 2005
    Location:
    CA
    #6
  7. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #7
    You can also do that without using Terminal. Just go to System Preferences > Security and uncheck/recheck "Automatically update safe downloads list"
     
  8. Mal thread starter macrumors 603

    Mal

    Joined:
    Jan 6, 2002
    Location:
    Orlando
    #8
    Well, apparently it was just a glitch. I dragged the file out of the trash and tried again, and this time I did get the warning message, identifying it as OSX.MacDefender.CDE.

    jW
     
  9. deannnnn macrumors 68000

    deannnnn

    Joined:
    Jun 4, 2007
    Location:
    New York City & South Florida
    #9
    I just had diShield.pkg downloaded to my Mac as well. No alert from Mac OSX, so I did a Google search and ended up here on MR. Strange. Interestingly, this diShield.pkg says that it was created on 6/12/11 at 7:50PM.
     
  10. audio_inside macrumors regular

    Joined:
    Oct 7, 2003
    Location:
    Boulder CO
    #10
    Yes, dishield

    The version I picked up today (from a sketchy Indian website) was indeed called dishield.pkg. Going to that site opens a page that looks like a Finder window and purports to be scanning your system:

    dishield.pkg has a CFBundleIdentifier of org.moby.am and an IFPkgCreator code in Cyrillic: Ыуегз игшдвук 2.1. It was properly flagged as malware on my 10.6.7 system during the install - early enough to abort but not too early to have freaked out my girlfriend.
     
  11. audio_inside macrumors regular

    Joined:
    Oct 7, 2003
    Location:
    Boulder CO
    #11
    The site hosting the page was from the domain 212 dot 95 dot 55 dot 96. Whois reveals some questionable connections:

    inetnum: 212.95.55.0 - 212.95.55.255
    netname: GIBIBITS-LTD-966647
    descr: Gibibits-Limited
    country: HK
    admin-c: KB1643-RIPE
    tech-c: SR614-RIPE
    status: ASSIGNED PA
    mnt-by: NETDIRECT-MNT
    mnt-lower: NETDIRECT-MNT
    mnt-routes: NETDIRECT-MNT
    source: RIPE # Filtered

    person: Konstantin Begidzhanov
    address: FLAT/RM 813 8/F Hollywood Plaza
    address: 610 NATHAN RD, KL
    address: Hong Kong
    phone: +852 36931522
    fax-no: +852 36931522
    abuse-mailbox: support@gibibits.com
    nic-hdl: KB1643-RIPE
    mnt-by: NETDIRECT-MNT
    source: RIPE # Filtered

    person: Simon Roehl
    address: Leaseweb Germany GmbH (previously netdirekt e. K.)
    address: Kleyer Strasse 79 /Tor 14
    address: 60326 Frankfurt
    address: DE
    phone: +49 69 90556880
     
  12. munkery macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #12
    Does Chrome use the file quarantine feature of OS X?

    Not all third party software works with file quarantine.
     
  13. MisterMe macrumors G4

    MisterMe

    Joined:
    Jul 17, 2002
    Location:
    USA
    #13
    Quarantine is not necessary. Just Trash anything that you didn't intend to download and you are set.
     
  14. munkery macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #14
    The OP mentioned OS X was inconsistent at displaying the file quarantine prompt related to XProtect to warn users that the software was malware.

    No prompt was shown after it was downloaded with Chrome.

    A prompt was shown after it was recovered from the trash.

    This file quarantine feature is known for functioning with default software and a few third party apps.

    I am just wondering if Chrome is not one of the apps that function with this feature.
     
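    An added example (not from the thread) for the question of whether a download carries the quarantine flag at all: Launch Services only runs the XProtect check on files that have the com.apple.quarantine extended attribute, so a browser that does not set it produces no prompt. The script below reads the raw attribute with the macOS xattr tool and decodes it. It assumes the value is "flags;timestamp;agent;event-id" with flags and timestamp in hex (timestamp as seconds since the Unix epoch) and an optional fourth field; the sample values are constructed for this example.

```python
"""Read and decode the com.apple.quarantine attribute on a downloaded file."""
import datetime as dt
import subprocess
from dataclasses import dataclass
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"

# Constructed samples: a Chrome download stamped 2011-06-10 08:00 UTC with an
# empty event id, and a three-field value with no event id at all.
SAMPLE_CHROME = "0081;4df1cf00;Google Chrome;"
SAMPLE_NO_ID = "0000;4df1cf00;Safari"


@dataclass
class QuarantineInfo:
    flags: int
    downloaded_at: dt.datetime
    agent: str
    event_id: str


def parse_quarantine(value: str) -> QuarantineInfo:
    """Split the raw attribute into fields (assumed layout); ValueError on junk."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    when = dt.datetime.fromtimestamp(int(parts[1], 16), tz=dt.timezone.utc)
    event_id = parts[3] if len(parts) > 3 else ""
    return QuarantineInfo(flags=flags, downloaded_at=when, agent=parts[2], event_id=event_id)


def read_quarantine(path: str) -> Optional[str]:
    """Fetch the raw attribute via `xattr -p`; None if absent or not on a Mac."""
    try:
        proc = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:  # no xattr binary: not macOS
        return None
    if proc.returncode != 0:  # attribute not set, or file missing
        return None
    return proc.stdout.strip()


def explain(raw: Optional[str]) -> str:
    """One-line verdict for a download, given its raw attribute (or None)."""
    if raw is None:
        return "NOT quarantined: Launch Services will skip the XProtect check when it is opened"
    info = parse_quarantine(raw)
    return (f"quarantined by {info.agent!r} at {info.downloaded_at.isoformat()} "
            f"(flags 0x{info.flags:04x}); the XProtect check runs on first open")


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, "->", explain(read_quarantine(path)))
    print("sample:", explain(SAMPLE_CHROME))
```

    On a Mac, pass the downloaded .pkg as an argument; a "NOT quarantined" verdict for a file that Chrome fetched would confirm the suspicion in the posts above, while a quarantined file that still opened without a warning points at stale definitions instead.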
  15. ratzzo macrumors 6502a

    ratzzo

    Joined:
    Apr 20, 2011
    Location:
    Madrid
    #15
    Looks like it from what I can read in this thread. I still believe you have to be very dull to get such malware actually installed and working on your Mac. The day viruses get to my Mac without me knowing they actually got there, in a hidden way... that will be the day I'll start to worry.
     
  16. munkery macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #16
    Obviously, no one should rely on a piece of software for complete protection from malware.

    But, it is also good to know which apps use the security features of the OS in case you have to make a software recommendation to someone that you know only relies on software for protection.
     
  17. Sanz315 macrumors member

    Joined:
    Feb 22, 2011
    Location:
    Chicago, Illinois
    #17
    Oh man, that was close... I just got that diShield crap on my Mac. (Googled some Monica Belluci pics :D and BAM!!!) This is the first time I've encountered it... Glad to say I knew something wasn't right because it downloaded itself, and it made me think of the days when I used to use Windows LOL
     