Mac OSX Fake Installer / Malware Spotted in the Wild
Whilst traversing The Tubes yesterday doing some research on credit card processing across a host of different sites, I was hit with an old school malware installer technique with a couple of new twists at one of them. (That's what it looks like above.)
What's old school about it, is it's using an old social engineering ruse to trick people into installing it. Make no mistake: it's fake software. Well, it might play media files, but I guarantee there's some sort of unwanted malware / adware payload along with it.
As you can tell from the Finder icon in the top left, and the "Accept and Install" button in the lower right, it's obviously geared for people on a Mac, and here are some telltale signs it's fake.
- Every media type that matters is playable out of the box on a Mac.
- "Media Player" is Windows-only software, and it's built into Windows, i.e. no need to install it like this.
- The Accept and Install button and the Finder icon are the (now very) old Mac interface style.
- Powered by "MediaDownloader," yet the software is called, "Media Player"?
- What the heck is the Finder icon even doing on an installer for a third-party product?
Curiously, both Bitdefender and Webroot for Mac missed identifying the serving URL as malicious.
(Whether it has a trojan or some other malicious payload or if it's "just" adware, I don't know, and honestly, does it really matter? Its goal is to trick people into installing it.)
So, if you come across this bugger (or something similar in the wild), get the heck out of Dodge and for cryin' out loud, keep your mouse away from the "Accept and Install" button, will ya?
Flashback Checker & Removal Tools (or Why Antivirus Software is a Good Thing)
People sometimes question why antivirus software that's not a part of the operating system is a must.
With Windows 8 for instance, Microsoft has announced they're including their own antivirus software right in the operating system itself.
To be blunt: this is meaningless, particularly in the way of making a PC safer. The first antivirus software the virus writers will make sure their software evades will be that which is built into Windows! And so, this A/V software means nothing more than a false sense of security for most people and some delays for the bad guys.
Having good third-party antivirus software means you have another layer of protection the bad guys don't necessarily know about. Sure, they may try to avoid detection by independent antivirus programs, especially the most common ones, but if they're at least beating the baked-in antivirus software, their battle is largely done.
Yes, it might make it harder to find ways to infect PCs to begin with, but all that does is slow them down a bit.
Now, let's bring Apple into the picture.
Apple was criticized first for its slowness in applying the patches to Java that Oracle had released months earlier (the delay that allowed the Flashback Trojan to hit Macs as virulently as it did to begin with), then a second time for not working with the antivirus community that was eager to help, and then a third time for not releasing detection and removal tools.
Luckily, the antivirus companies entered the picture. First was Dr. Web with its disclosure of the trojan (and "sinkholing" of the botnet's command-and-control domain names).
Then F-Secure came into the picture with manual instructions for determining if your Mac had been compromised. On the heels of that was Kaspersky with free, automated Flashback detection and removal tools.
All of these companies beat Apple--by a LONG shot--at protecting their customers (and non-customers alike) with the steps and tools each of them made.
Oh, and lest it go unsaid, Apple did release an update to Java that patches the hole and removes the most common variants of the Flashback malware.
Here's what the update looks like in Software Update:
Mac OS X Flashback Trojan Fix in the Works by Apple
First a little clarification about the trojan: this infection is caused by a security flaw in Oracle's Java and isn't a hole per se in OS X. That said, the biggest surprise about the trojan for most people is that Flashback has been around in one form or another for more than six months now.
As most of us know by now more than 600,000 Macs running OSX have been infected, so this isn't a tiny one-off threat. It's a bona fide Mac botnet.
This is really the first time Apple finds itself in a position Microsoft mastered long ago: how to handle the three prongs of dealing with a virus outbreak,
- security researchers
- virus writers
Unfortunately, it's really nothing more than,
Apple is developing software that will detect and remove the Flashback malware.
They do, however, give a good link on how to disable Java in your Mac's browser preferences.
Personally, I don't have Java enabled--never have--and if I find there's some content that requires Java, I turn it on manually for that one site then disable it again.
Nearly 600,000 Macs Hit with Flashback Trojan Malware
Many a blog have I written about the necessity of Mac antivirus software, hoping to get at least a few people to drop their delusions about how the Mac and Apple's OS X are impervious to viruses.
Now, don't get me wrong, I'm not trying to start a PC vs Mac flame war/battle. Really. (They're useless.) Nor do I want this to be an, "I told you so."
What I am saying is this: If it has a CPU, chances are at or near 100% that a virus can be written to attack that computer. It's only a matter of time 'til it happens. And, yes, some computers, operating systems, and software are inherently more secure.
Even still, it's important to realize "more secure" doesn't mean "secure."
In a way, we should consider ourselves lucky: like the MacDefender fake antivirus malware, this one is also getting a lot of coverage in the press and elsewhere, so it's raising the specter of viruses being mainstream for the Mac like they are for the PC.
And with that knowledge comes greater understanding of what can be done to protect ourselves. In this case the understanding came because Russian antivirus firm Dr Web uncovered the 550,000-strong botnet that spread via Trojan Backdoor.Flashback.39.
F-Secure also has a good write-up / manual removal instructions on how to remove the Trojan-Downloader:OSX/Flashback.I.
And, if you're a Mac user and you haven't yet gotten it, Apple has an important Java security update. (A Java exploit being the channel through which the trojan is infecting the Mac to begin with.)
My $.02, if you're looking for antivirus software for your Mac, our testing is incomplete, but so far we like BitDefender Antivirus for Mac, so if you're in the market, take a look.
UPDATE: Turns out this Mac Trojan isn't some little deal. The folks at F-Secure have found out that Mac Trojan Flashback.B checks for virtual machines!
What's so significant about that?
Nearly all antivirus researchers rely heavily on virtualization software like Virtual PC, VMWare, Parallels, VirtualBox and others to help their research.
Using virtualization software allows the researchers to investigate viruses with the added safety net of doing so in a contained environment. And, in doing so they're able to more easily explore the innards of many viruses.
The malware writers for Windows have figured this out, and many of the most advanced viruses check whether they are running inside a virtual environment and, if so, shut down, thus making research slower, more tedious, and a lot more difficult.
This is one of those things that's been going on in the Windows virus arena for a long, long time. What's really unexpected though is that it's already showing up in a Mac virus, which on a couple of levels means virus writing is a lot more advanced for the Mac than many virus researchers--and certainly the general public--ever imagined.
The bottom line: if you're running a Mac and you don't have Mac antivirus software, it's time to consider it.
Do Macs Need Antivirus Software? More Answers to this Persistent Question
Since the Wired article, there has been a ton of coverage about how the worm came to be, about the threats to equipment like the Siemens controllers in the article, and about what the real threats are from these types of attacks.
One of the best ones was in an ITWorld piece this week, "Does the Mac have an edge against state-sponsored hacking?"
This isn't just about state-sponsored hacking but about the question generally of: Does a Mac Need Antivirus Software?
This question is posed indirectly in the outstanding research document Macs in the Age of the APT [Advanced Persistent Threat] done by iSEC Partners.
There's a second question-within-the-question though: Does the Apple computer need antivirus software?
Let's start with a quote from the ITWorld article,
...and as you might expect this is where things get interesting.
When hackers broke into Google's computer network nearly two years ago, their first step was to take over Microsoft Windows machines running in the company's China offices. Would Google have been better off had those workers been running the Mac?
"Not necessarily, according to researchers at iSec Partners, a security consultancy that is part of NCC Group.
"Speaking at the Black Hat conference in Las Vegas Wednesday, iSec founder Alex Stamos and his team of researchers took a look at the typical stages of the type of intrusion that hit Google -- called an advanced persistent threat (APT) attack -- and compared how the Mac would do versus Windows 7.
It's commonplace in the Mac community to believe--even recklessly--that Apple OSX is immune to viruses and other malware.
Malarkey. If it has a CPU, it can get a virus. Full stop.
Right now there are still fewer--far fewer--threats for the Mac. No question.
Some pundits claim this is because there are fewer Macs than PCs; others will claim this is because the Mac is so much more secure, it's all but impervious to attacks technologically.
While that may--and I want to emphasize may--be true, that doesn't mean the Mac really is impervious technologically. It's not. It's just that the bad guys haven't publicly put the attention onto the Mac that they have onto Windows.
Further, the Mac is no more immune than a Windows 7 PC to a social engineering attack where the user is tricked into installing malicious software.
Again quoting the ITWorld piece on the iSEC research,
Interestingly, Stamos echoes the same key point we like to make about security: Security isn't just about protecting against technological attacks. It's also about protecting against social engineering attacks.
Their conclusion: Macs provide good protection against the initial phases of the attack, but once the bad guys are on the network, it's a whole different story.
"'They're pretty good for [protecting from] remote exploitation,' Stamos said. '[But] once you install OS X server you're toast.'
"The problem is that many of Apple's server protocols -- mDNS, Apple Remote Desktop, the Mac Kerberos authentication, for example -- use weak authentication models that give the attackers ways of getting access to parts of the network that should be blocked.
"'Every password-based authentication mechanism in OS X has problems,' [Editor's Note: emphasis mine.] Stamos said.
And, it isn't even so much a question of getting tricked. It's also a question of accidental installations, too.
'Most people get malware because they intentionally install it,' he said. 'At an institution of thousands of employees, you have to assume that one of them is going to get tricked.'
Who hasn't been typing away when suddenly you get some popup message from your OS or your web browser as you're typing in something else and you accidentally hit [space] or [enter] to the popup message as you're going?
"Oh crap. Did I just hit [OK] to something? What was that message?"
And this, regardless of threats from government- or crime syndicate-funded viruses and crackers, is why the Mac--just like its PC brethren--does need antivirus software.
The ITWorld piece goes on to say how the attacks are much more commonplace than you might think. And there's research to back this up.
Here's the thing, too. A lot of these companies are very sophisticated companies. Just take Google for example.
McAfee released a report saying that it had uncovered evidence of a sophisticated hacking operation that had broken into systems at more than 70 companies over the past five years.
"I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion," wrote Dmitri Alperovitch, McAfee's vice president of threat research in a blog post.
Most anyone would be hard pressed to come up with a more technologically adept company. Yet, they got hit with an APT attack.
The point being, if a highly sophisticated company can get hit, doesn't it stand to reason that you can, too? Even if you do run OS X?
As the iSEC researchers said so well in their PDF,
Huh. I think that's great advice for PC users, too.
Bottom Line: Run your Macs as little islands on a hostile network.
MacShield the Same (Trojan) Horse by a Different Name
MacDefender now showing up with yet another name, "MacShield."
Not much else to say. It's as bogus as ever and brings the total number of aliases it shows up as to five, including:
Just more crapware to keep an eye out for. We'd love to hear from anyone who has spotted these things in the wild so we can do a proper investigation on them.
We're specifically looking for more screenshots of the ads of these things and also of what websites we can download them from.
So far it looks like the same-old-same-old:
MacDefender Screenshots... So Here's What it Looks Like
There have been a couple of different variations on the infection method that MacDefender uses, which I've shown in previous blogs on MacDefender removal and on MacDefender spreading on Facebook.
Joel's wrap-up to the piece is great and worth reading. To paraphrase:
- Buy software from reputable places you go to
- Buying software from a popup window just isn't smart
- Educate yourself on what's out there and how to tell
If you were walking down the Las Vegas strip, you'd know a conman from a mile away! When some huckster approaches you with his wares, you get leery--you know better than to deal with them.
You've educated yourself.
[Alert] Apple Mac / OSX Security Preferences Bug May Leave System Exposed
One of the steps Apple is taking to thwart MacDefender and other viruses and malware on their systems is a new item in the 'System Preferences / Security' Preferences pane.
This option, "Automatically update safe downloads list" was one of the key components of the last Apple security update, which was covered in a prior blog on MacDefender Removal.
What does it do?
This checkbox tells your Mac to check in with Apple's servers daily (and when you reboot) and look for new malware definitions. (Sounds a bit like Apple is building its own antivirus software into OSX, doesn't it?)
(Un)fortunately, the folks at Mac Antivirus maker Intego have discovered a bug in this setting, and although it sounds minor, it could leave your system exposed. Here's the scoop according to Intego and their discussion of the Security Preferences Pane Bug:
...if you open the Security preference pane, unlock it, and wait for more than 30 seconds, any changes you make to this setting will not stick.
"Do the above, quit System Preferences, then open the Security preference pane and you will see that the setting will be as it was before your last change.
I did exactly as described on one of our test PCs and personally confirmed this bug exists.
This isn't great, especially given the recent battle Apple and the MacDefender creators have been having, but at least it's easy to check on and easy to fix.
Now, given that we're all solutions-oriented geeks here, the first two questions I had, as with any antivirus software / definitions update mechanism, were:
- How can I tell when the last time was that OSX updated its malware detection signatures?
- How can I force it to manually update if the signatures are old and out-of-date?
Turns out, it's a piece of cake...
Here's how to tell when your OSX malware definitions were updated:
- Open Terminal (Finder > Applications > Utilities > Terminal)
- type this:
Here's what I saw when I ran it:
Looking closely at the text above, you can see:
<key>LastModification</key><string>Thu, 26 May 2011 02:24:41 GMT</string>
This is the key to everything here, as it shows how current your definitions are.
As of the writing of this piece, this is the most current update available. (Hat tip to Lex Friedman and Macworld for being one of the first of many places to cover checking and forcing OSX to update its malware definitions.)
So now, how do you force it to run if the definitions aren't current?
- Click: Apple > System Preferences > Security
- Uncheck then re-check "Automatically update safe downloads list"
Just be sure you close the Preferences Pane in under 30 seconds, or as Intego discovered, the settings aren't saved.
What controls the OSX anti-malware updates?
In case you're curious, the new Mac anti-malware updater is, as I just learned from a blog on XProtectUpdater, an executable by the name of XProtectUpdater. It's located in /usr/libexec/XProtectUpdater.
So, the bottom line is, there's a bug in the Security Preferences. If you follow the steps above, it's easy to check if you're current or not, and if you're not, it's easy to fix.
Just make sure your settings are correct and that your Mac antimalware definitions are current.
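The check described above, as an added example that is not the blog's own code: it reads the LastModification value from XProtect.meta.plist and reports how old the definitions are. The plist path is an assumption (the Snow Leopard layout), as is the seven-day staleness limit; a constructed sample plist carrying the same date the post quotes is used when the real file is absent.

```python
"""Check how current the XProtect malware definitions are.

Added example, not the blog's own code. Assumes the date lives under the
LastModification key of XProtect.meta.plist (path below is an assumption),
formatted as an RFC 1123 string like the line quoted in the post.
"""
import plistlib
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from pathlib import Path

XPROTECT_META = Path(
    "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist"
)

# Constructed sample carrying the same LastModification value the post quotes;
# used whenever the real file is not present (e.g. when run on a non-Mac).
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>LastModification</key>
    <string>Thu, 26 May 2011 02:24:41 GMT</string>
</dict>
</plist>
"""


def load_meta(path=XPROTECT_META) -> bytes:
    """Return the raw plist bytes, falling back to the constructed sample."""
    return path.read_bytes() if path.exists() else SAMPLE_META


def definitions_timestamp(meta: bytes) -> datetime:
    """Parse LastModification into a timezone-aware datetime (GMT -> UTC)."""
    data = plistlib.loads(meta)
    stamp = data.get("LastModification")
    if not isinstance(stamp, str):
        raise ValueError("no LastModification string; is this XProtect.meta.plist?")
    return parsedate_to_datetime(stamp)


def definitions_age_days(meta: bytes, now=None) -> int:
    """Whole days between LastModification and `now` (default: current UTC time)."""
    now = now or datetime.now(timezone.utc)
    return (now - definitions_timestamp(meta)).days


def check_definitions(meta: bytes, max_age_days: int = 7, now=None) -> str:
    """Verdict: the updater runs daily, so a week without any change is suspect."""
    age = definitions_age_days(meta, now)
    if age > max_age_days:
        return f"STALE: definitions last changed {age} days ago (limit {max_age_days})"
    return f"OK: definitions last changed {age} days ago"


if __name__ == "__main__":
    meta = load_meta()
    print("LastModification:", definitions_timestamp(meta).isoformat())
    print(check_definitions(meta))
```

If the verdict is STALE, that is the cue to toggle the "Automatically update safe downloads list" checkbox as described in the steps above.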
Apple's MacDefender Tool: Quickly Circumvented, Now Regains Upper Hand
The ongoing battle between the OSX anti-malware team and the MacDefender malware creators has taken some interesting turns this week.
Apparently about eight hours after the anti-MacDefender update (which I talked about in yesterday's blog on MacDefender removal) was released, the bad guys regained the upper hand.
CNet has some great coverage by Topher Kessler who says,
Let the cat and mouse games commence.
"Less than a day after Apple tackled the malware threats in OS X with an updated implementation of its malware detection technologies, the MacDefender malware developers have issued another variant that bypasses Apple's definitions to root out and remove the malware.
Then, earlier today (June 6, 2010), there was this update from CNet:
The cat is back in the lead.
"Apple has updated Snow Leopard's XProtect yet again to tackle the new variant, and did so in less than a day after the original update was circumvented.
"Apple is taking a very active approach to prevent this malware from being a problem for people.
Apple definitely took a bit of a pounding publicly after having taken so long to respond to the MacDefender threat initially. Now though, it looks like they're showing their willingness to take on the Mac malware creators head-on.
Regardless of how effective this strategy is long term, every step they take now will make things more secure and close more and more holes in their operating system.
And, for that Mac owners should be grateful.
Does it eliminate the need for Mac antivirus software?
I don't believe so.
It's clear Windows malware is lucrative--very lucrative--or else the Windows malware writers would've given up long ago.
And, what the MacDefender creators appear to've shown is that the Apple OS X system, while good, does have holes. How hard they are to find, how far the bad guys will go to find them, and how lucrative it is for them to do so all remain to be seen.
The question is: Will Apple's virus situation become as bad as Windows?
Mac Defender 2.0... Malware Creator Responds to Apple Update
Apple may've taken a lot longer than anyone would have liked to respond to the Mac Defender fake antivirus malware, but its creator (he, she or they) hasn't.
In fact, on the heels of Apple's announcement, the Mac Defender creator has already fired another salvo back across Apple's bow.
According to Intego, a Mac-centric antivirus firm, the latest version, dubbed "Mac Guard," has upped the ante and made stopping it all the harder.
For starters Intego says in their blog post on Mac Defender,
Intego today discovered a new variant of this malware that functions slightly differently. It comes in two parts.
"The first part is a downloader, a tool that, after installation, downloads a payload from a web server.
"As with the Mac Defender malware variants, this installation package, called avSetup.pkg, is downloaded automatically when a user visits a specially crafted web site.
Yikes. Auto-download? That sounds a lot like Windows malware to me.
And, here's where it gets really ugly.
Apple, in their infinite wisdom, has Safari, the default browser on the Mac, in its default configuration, automatically open so-called "safe" files after downloading.
Translation: it downloads on its own and even opens itself for you... all on its own! Yay! Before you know it, and without your asking for it, the standard, friendly-looking Mac installer is in front of you. All on its own.
What next? All you have to do is click 'Continue' and so on as you normally would, and poof! your machine is infected.
The thing is, a lot of people won't know any different. All they see is the friendly-looking installer (that can't be harmful, right??), and a 'Continue' button.
What do they do? Click 'Continue,' of course!
What's more, according to Intego, is
Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. [Editor's note: emphasis theirs.]
This whole Mac Defender/Protector/Security/Guard trojan malware is causing more than a little buzz, including a piece on Mac Guard on ZDNet.
In the article, author Ed Bott [Editor's Note: Botts... an apropos name for someone in Internet security] says,
Apple appears to be treating this outbreak as if it were a single incident that won’t be repeated. They seriously underestimate the bad guys, who are not idiots.
"Peter James, an Intego spokesperson, told me his company’s analysts were 'impressed by the quality of the original version.'
"The quick response to Apple’s move suggests they are capable of churning out new releases at Internet speeds, adapting their software and their tactics as their target—Apple—tries to put up new roadblocks.
That about sums up our take on things here, too. Seriously, Apple, these were a couple of real missteps on your part. First the long delay.
Then the craptastic response. C'mon. How 'bout disabling the inane "Automatically open 'safe' files" setting? That's not really a default, is it?
That's the best the company that makes innovative products like the iMacs, iPhones, iTunes, iPods, and iPads can do?
Maybe this is going to be a long road after all.
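An added example, not code from the post, from Intego or from Apple, for auditing the Safari setting the piece complains about. It assumes the checkbox is stored as the AutoOpenSafeDownloads boolean in com.apple.Safari (the preferences path is an assumption) and that, as the post says, Apple ships it switched on, so a prefs file with no such key means the weak default is still in force.

```python
"""Audit Safari's "Open 'safe' files after downloading" setting.

Added example, not code from the post, Intego or Apple. Assumes the setting is
the AutoOpenSafeDownloads boolean in com.apple.Safari (file path below is an
assumption) and that Apple's shipped default is on, so an absent key == weak.
"""
import plistlib
from pathlib import Path

SAFARI_PREFS = Path.home() / "Library" / "Preferences" / "com.apple.Safari.plist"
REMEDIATION = "defaults write com.apple.Safari AutoOpenSafeDownloads -bool false"

# Constructed samples: a hardened prefs file, and one the user never touched
# (the key only appears once someone has toggled the checkbox).
HARDENED_PREFS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>AutoOpenSafeDownloads</key>
    <false/>
</dict>
</plist>
"""
UNTOUCHED_PREFS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict/>
</plist>
"""


def auto_open_enabled(prefs: bytes) -> bool:
    """True when Safari will open 'safe' downloads (disk images, packages) by itself.

    plistlib reads both the XML and the binary plist formats, so the live file
    works as well as the samples. A missing key is Apple's default, which is on.
    """
    return bool(plistlib.loads(prefs).get("AutoOpenSafeDownloads", True))


def audit(prefs: bytes) -> str:
    """Verdict plus the one-line fix when the weak default is in force."""
    if auto_open_enabled(prefs):
        return "WEAK: downloaded installers open on their own; fix with: " + REMEDIATION
    return "OK: downloaded installers stay closed until you open them"


def audit_file(path=SAFARI_PREFS) -> str:
    """Audit the live preferences file; no file at all means the untouched default."""
    return audit(path.read_bytes() if path.exists() else UNTOUCHED_PREFS)


if __name__ == "__main__":
    print(audit_file())
```

On a live Mac, `defaults read com.apple.Safari AutoOpenSafeDownloads` is the authoritative check, since the system may hold a preference change in memory before it reaches the file.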
[N.B. The original Apple announcement on Removing Mac Defender, which we discussed in an earlier blog about Mac Defender, mentioned two steps Apple was taking to combat Mac Defender. They were going to be:
- releasing a Mac Defender remover as part of their next update and
- having OSX do some sort of real-time intervention if you tried to install the malware.]