Windows malware in Macs

Discussion in 'MacBook Pro' started by MacFranco, Dec 30, 2007.

  1. MacFranco macrumors newbie

    Dec 30, 2007
    What the hell is this?

    hello guys (girls),

    Opening an e-card (from 123 greetings) on my gmail account on a Macbook running OSX 10.4.11, a Windows-looking app. launched and found my system full of errors to fix etc., the usual hassle-and-malware.
    here it is the link:

    After a few clicks, it stopped and I could look at my card.

    I for one never liked the switch to Intel processors... now this?
    By going this way of commodity processors in a nice package, Apple will get a few more switchers. Switchers to Windows! Same junk, but at one third the price!!!

    Happy new year to everybody, anyway.

  2. heatmiser macrumors 68020

    Dec 6, 2007
    There's your problem. This kind of behavior would have given you a virus on Windows. Be thankful OS X was there to protect you from yourself.
  3. sushi Moderator emeritus


    Jul 19, 2002
    If you look closely, it is a scam web page.

    It is reporting bogus information.

    Be glad that you have a Mac and don't have a PC as this could have done something to your system.
  4. TheStu macrumors 65816

    Aug 20, 2006
    Carlisle, PA
    I am trying to figure out what you are in a rile over. You really think that you getting a pop-up that you then took to be a real thing as Apple's fault, directly correlated to their switch to intel? Really? REALLY?!

    It was a pop-up/spyware ad... nothing more. Nothing happened to your computer, all that nonsense they just spewed at you (except what your OS is, and your IP probably) is BS, and is in fact, fake.
  5. tersono macrumors 68000


    Jan 18, 2005
    It might have looked like a Windows app, but it wasn't - it was a heavily disguised web page. They're all over the place and will appear even if you're running a PPC Mac.....

    Basically it's got nothing to do with the intel switch or the computer you're using, and a lot to do with the crappy greeting card site....:rolleyes:
  6. jnc macrumors 68020


    Jan 7, 2007
    Nunya, Business TX
    ... And here I was wondering what sort of person might think of buying something like Norton Antivirus for OSX. Now I know!
  7. Osarkon macrumors 68020


    Aug 30, 2006
    Er....I'm hoping the OP meant this as a joke..

    The site shows a Windows Explorer window for goodness sake. It would have nothing to do with OS X.
  8. heatmiser macrumors 68020

    Dec 6, 2007
    Reminds me of this thread. The same righteous indignation, the same user error.
  9. Osarkon macrumors 68020


    Aug 30, 2006
    Haha yeah kind of. No wonder trojans work so well.
  10. sushi Moderator emeritus


    Jul 19, 2002
    Yep, it ran on my PB15 just fine! :)
  11. Gaberdine macrumors newbie

    Jan 7, 2008
    Not so dumb!

    Hi MacFranco,

    Don't worry, it was just a clever animation, not a real scan!

    However, you are not naive or stupid and you didn't do anything wrong. Ignore those dunderheads. ;) Just thank the gods you run Mac OSX, not Windows Vista. This is not a case of spoof links, bad pop-up adverts or fake greetings cards suckering the careless but a hack on a genuine website that redirects you to a malicious page.

    MalwareAlert, the "anti-virus" programme at the heart of this scam is a notorious piece of Rogue Software for the Windows OS that masquerades as anti malware but is in fact very malicious. Once installed it makes life hell and effectively blackmails you to pay for its removal.

    Though the "scan" was nothing more than an animated webpage, you are lucky to be using a Mac. Even without user intervention, Malware Alert and its associated pages are reportedly able to install spyware on vulnerable PCs.

    OK, you are a bit premature blaming Intel processors but, really, I don't get what all this sniping and criticism is about. You just visited a legitimate site and landed on a scam site - and you panicked. It's a pretty convincing page and looks quite heartstopping for a second or two if you aren't expecting it. It could have been any legit site.

    FYI, Mac Franco, malware generally attacks the OS not the processor so Mac OS is still immune to 99.99% of all viruses, trojans and spyware. Nonetheless this is no reason for us to become lazy. In a year or two all that will change. Mac OS is more secure but not immune and with increasing switchers since the introduction of Intel chips, we are attracting more attention from hackers and virus writers.

    I recently experienced exactly the same thing as you did when I collected an eCard from though they are not a dodgy site as such. Basically they have been hacked some time over Christmas. Probably the .htaccess files were changed to redirect you to malicious sites. are supposed to be a decent and well established company. However when I contacted them about this they ignored all evidence that they had been hacked and insisted they do not install malware on users' computers. They just suggested I use Spybot Search and Destroy if I was worried about my computer - ignoring the fact that I use a Mac. It was a standard reply (crafted to sound friendly and personal) that I have seen reproduced elsewhere on the web when researching this hack.

    So what happens is this:

    1. A friend sends you a genuine card from and you receive a notification email
    2. You click the link and Safari starts to open the card
    3. Before the card loads you are forwarded to or similar
    4. A Safari Alert message appears (see photo) and Safari becomes unresponsive until you click OK or CANCEL - where OK is the default.
    5. Naturally you click CANCEL and the alert goes away but the page immediately forwards to the second malicious site which appears to be scanning your computer for viruses and you momentarily take fright until you realise it is finding Windows viruses, so obviously fake.
    6. You check the page elements and realise it is just an animation
    7. You click the back button until you reach your greeting card which now displays as normal
    8. You remind yourself what a clever chap you are to be using Mac OS

    Of course, if you clicked OK you would be downloading Malware Alert and other malicious software and if you were running Windows, you could be f**ked.

    Mac Franco, check your cookies and you will probably find some from (name: Performance-Optmizer)
    Malware [something]
    and - an address linked with many spamming and forged .htaccess code scams.

    These cookies seem to ensure you only experience the problem once, which is a clever bit of social engineering as most people won't bother to complain and it is harder to replicate if you are trying to pin it down.

    The problem seems to have been resolved now but 123Greetings still refuse to acknowledge that anything was wrong. I find this irresponsible as their lax site security has exposed thousands of PC users to malware.

    SO my position is, I refuse to send or receive cards from - and shall warn all my PC using friends about them - until they come clean about the fact that they were hacked and email me an apology (or thanks for pointing it out or whatever - some hope!) and warn all their recent users that they may have inadvertently allowed them to become infected. So that will be never then...

    Happy New Year
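
A defender-side check for the scenario described in the post above, assuming (as the poster guesses) that the redirect was done with mod_rewrite rules in a tampered .htaccess and gated by a cookie so each visitor sees it once. This is an added example, not part of the original post; the sample rules, the host names and the function name `audit_htaccess` are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a tampered .htaccess (not taken from the site in the thread).
SAMPLE_HTACCESS = """\
RewriteEngine On
# the site's own rule: an internal rewrite, no host in the target
RewriteRule ^card/([0-9]+)$ /view.php?id=$1 [L]
RewriteCond %{HTTP_REFERER} mail\\. [NC]
RewriteCond %{HTTP_COOKIE} !seen=1
RewriteRule .* http://scanner.example.invalid/scan [R=302,L]
"""

COND = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)
# Request properties that let a redirect fire only for some visitors.
SUSPECT_VARS = ("HTTP_REFERER", "HTTP_COOKIE", "HTTP_USER_AGENT")


def audit_htaccess(text, own_hosts):
    """Flag RewriteRules whose target is an absolute URL on a host we do not own.

    Only mod_rewrite is covered; Redirect/RedirectMatch lines are not inspected.
    """
    findings, pending = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        cond = COND.match(line)
        if cond:
            pending.append(cond.group(1).upper())  # conditions bind to the next rule
            continue
        rule = RULE.match(line)
        if not rule:
            continue
        conds, pending = pending, []
        target = rule.group(2)
        host = urlparse(target).hostname if "://" in target else None
        # Skip relative targets, our own hosts, and variable hosts like %{HTTP_HOST}.
        if not host or "%{" in host or host in own_hosts:
            continue
        keyed = sorted({v for v in SUSPECT_VARS for c in conds if v in c})
        findings.append({"line": lineno, "host": host, "keyed_on": keyed,
                         "cookie_gated": "HTTP_COOKIE" in keyed})
    return findings


if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE_HTACCESS, {"www.example.com"}):
        print(finding)
```

A finding with `cookie_gated` set matches the once-per-visitor behaviour the post describes, which is why such a redirect is hard to reproduce without first clearing cookies.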



  12. Gaberdine macrumors newbie

    Jan 7, 2008
    Correction: as of 9th Jan 08 the problem still exists - I can replicate it by removing the offending cookies and restarting Safari - 5 days since 123greetings emailed me back to say there is no problem...

    caveat emptor - or something like that.
  13. Kelly™ macrumors regular

    Jan 4, 2008
    That is a nicely disguised page.

    I like XD

    I however wouldn't have fallen for it lol. Although parts of me want to run that .exe in a virtual Windows machine post snapshot lol, just to see what it does XD
  14. noodle654 macrumors 68020


    Jun 2, 2005
    Never Ender
  15. Hexernex macrumors newbie

    Jan 7, 2008
    OMG!!! MY MAC HAS BEEN INFECTED WITH MAL-WARE! AND IT'S ALL BECAUSE OF MY INTEL PROCESSOR! jk, sorry I just had to write something funny about this!;) All in good fun, no harm intended!

    But do not worry about your mac, just thank the heavens you were not running a PC like my Windows Vista I just sold! (Worthless piece of Garbage! $4000 does not go far with Microsoft!:mad::p)
  16. Mernak macrumors 6502

    Apr 9, 2006
    Kirkland, WA
    I will agree on both counts. The page is one of the best disguised pages that I have seen. And now that you mention it I would love to use a free trial of VMWare to install windows and try it, but I know I would get frustrated by the slowness.
  17. jrg24 macrumors newbie

    Oct 3, 2007
    i got this malware alert crap also. it pretty much took over firefox but does not seem to be affecting safari. i uninstalled firefox and reinstalled it later to no avail. i tried clearing the cache and cookies in firefox but it still has control over it. every time i start firefox it goes to the scanner2.malware site and will not let me navigate away from it. anybody know a way to get rid of it? btw, i am using an intel macbook running the latest version of tiger, if that helps.
  18. Gaberdine macrumors newbie

    Jan 7, 2008

    Hello everyone, I am new on these boards. I don't normally jump feet first into a forum without saying "Hi" first but I came straight to this thread from Googling 123greetings and scanner2malware with a full head of steam after my own recent experience... So hello. I'm Gaberdine. I'm new here. :)


    That seems to take this to another level, jrg24.

    So far we've been assuming Macs are still immune from this, if only because the Trojan is not written for Mac OS but your experience suggests otherwise!

    At the very least a security flaw in Firefox has been exploited by this and you should contact them.

    Your best bet right now would be to reinstall Firefox from scratch - but make sure you clear the cache, cookies and prefs file before you quit the old installation. You might want to export your bookmarks as an html file and erase them from Firefox too before re-installing and re-importing the bookmarks.

    It would be really helpful if you can answer the following:

    When did this begin?
    How did you first arrive at the malware page?
    What other symptoms is your Mac and / or Firefox displaying?
    Were you redirected from (e.g.) or another hacked website or did you arrive from a spoofed link (i.e. a link that says it is going to one URL but actually goes to another)?
    Did you get an alert window in Firefox and, if so, did you click OK?
    Did you do anything else that might have permitted the download or do you think this was a "drive-by"?
    What happened next?
    Have you installed any Firefox Add-ons recently?
    Do you get any clues by examining Activity Monitor and your logs?
  19. onicon macrumors regular


    Jan 8, 2008
    i tested it on a windows system :eek: wants to download some trojans (anti virus software prevented it, thank god :cool:).
  20. kkat69 macrumors 68020


    Aug 30, 2007
    Atlanta, Ga
    I for one never liked telling the difference between a program and a webpage in OSX now this?

    1 post user.... troll.... Someone tell Apple that PC is posting silly posts again trying to discourage Mac users.
  21. meagain macrumors 68030

    Nov 18, 2006
    I'm having a problem with "Scanner2 Malware" popping up constantly. I've yet to figure out which websites I'm visiting are causing it as I've yet to see any rhyme/reason to it.

    IDK what cookies, etc. to look for in Leopard. Or, perhaps there's some way to block it from popping up? I'm not clicking on any banners, emails, etc. to get it. It's really annoying and worrisome. Any ideas?
  22. Arkbargle macrumors member

    Jan 14, 2008
    You could just, you know, not download them. AV is just a resource-waste.
  23. heatmiser macrumors 68020

    Dec 6, 2007
    Take a screenshot so we can see what you're seeing.
  24. meagain macrumors 68030

    Nov 18, 2006
    I "think" it's happening when I open Userplane to chat. Not sure. The only way I can remove this is to hit "cancel" which quickly opens full screen to something saying it's downloading some stuff - then I close that window.


  25. Bobbi Flekman macrumors regular

    Jan 14, 2008
    MalwareAlarm is one of the many rogue anti-malware programs. It does not work on OS X, so the only thing that can happen is the download, nothing more.

    All it does is populate "the infected list" with a bunch of filenames that is supplied by the program itself. It doesn't even scan!

    How is your popup blocker? Does it block? Or do you let every popup pop up?
