MacDefender Screenshots... So Here's What it Looks Like

Joel Esler, one of the members of the Snort.org project, has excellent coverage of MacDefender and its variants. It's from May, but I just came across it today, and it's so good it's worth sharing.

There have been a couple of different variations on the infection method that MacDefender uses, which I've shown in previous blog posts on MacDefender removal and on MacDefender spreading on Facebook.

Joel's wrap-up to the piece is great and worth reading. To paraphrase:
  1. Buy software from reputable places you go to
  2. Buying software from a popup window just isn't smart
  3. Educate yourself on what's out there and how to tell

Think the last one is hard? Consider this:

If you were walking down the Las Vegas strip, you'd know a conman from a mile away! When some huckster approaches you with his wares, you get leery--you know better than to deal with them.


You've educated yourself.


Mac Defender 2.0... Malware Creator Responds to Apple Update

Apple may've taken a lot longer than anyone would have liked to respond to the Mac Defender fake antivirus malware, but its author (he, she or they) hasn't taken long at all.

In fact, on the heels of Apple's announcement, the Mac Defender creator has already fired another salvo back across Apple's bow.

The latest?

According to Intego, a Mac-centric antivirus firm, the latest version, dubbed "Mac Guard," has upped the ante and made stopping it all the harder.

For starters, Intego says in their blog post on Mac Defender,

"Intego today discovered a new variant of this malware that functions slightly differently. It comes in two parts.

"The first part is a downloader, a tool that, after installation, downloads a payload from a web server.

"As with the Mac Defender malware variants, this installation package, called avSetup.pkg, is downloaded automatically when a user visits a specially crafted web site."


Yikes. Auto-download? That sounds a lot like Windows malware to me.

And, here's where it gets really ugly.

Apple, in their infinite wisdom, has Safari, the default browser on the Mac, in its default configuration, automatically open so-called "safe" files after downloading.

Translation: it downloads on its own and even opens itself for you... all on its own! Yay! Before you know it, and without your asking for it, the standard, friendly-looking Mac installer is in front of you. All on its own.

What next? All you have to do is click 'Continue' and so on as you normally would, and poof! your machine is infected.

The thing is, a lot of people won't know any different. All they see is the friendly-looking installer (that can't be harmful, right??), and a 'Continue' button.

What do they do? Click 'Continue,' of course!

What's more, according to Intego, "Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program." [Editor's note: emphasis theirs.]

This whole Mac Defender/Protector/Security/Guard trojan malware is causing more than a little buzz, including a piece on Mac Guard on ZDNet.

In the article, author Ed Bott [Editor's Note: Botts... an apropos name for someone in Internet security] says,

"Apple appears to be treating this outbreak as if it were a single incident that won’t be repeated. They seriously underestimate the bad guys, who are not idiots.

"Peter James, an Intego spokesperson, told me his company’s analysts were 'impressed by the quality of the original version.'

"The quick response to Apple’s move suggests they are capable of churning out new releases at Internet speeds, adapting their software and their tactics as their target—Apple—tries to put up new roadblocks."


That about sums up our take on things here, too. Seriously, Apple, these were a couple of real missteps on your part. First the long delay.

Then the craptastic response. C'mon. How 'bout disabling the inane "Automatically open 'safe' files" setting? That's not really a default, is it?

That's the best the company that makes innovative products like the iMacs, iPhones, iTunes, iPods, and iPads can do?

Maybe this is going to be a long road after all.

[N.B. The original Apple announcement on Removing Mac Defender, which we discussed in an earlier blog about Mac Defender, mentioned two steps Apple was taking to combat Mac Defender. They were going to be:

  1. releasing a Mac Defender remover as part of their next update and
  2. having OS X do some sort of real-time intervention if you tried to install the malware.]


Mac Malware Removal: No Help from Apple Support

Even though our focus (at least for now) is on Windows antivirus software and malware removal, we've had a few people contact us asking about the malware known as Mac Defender[1] (previously discussed in our blog on Mac antivirus software).

Here's the short version: it does not automatically install itself onto your Mac. It does require you to manually install it to be infected. And, the main way it's getting installed is when people are tricked into installing it.

How do you get rid of it?

Well, apparently, even though it's not that hard, you can't turn to Apple Support for help, as according to ZDNet there's No Help from Apple Support Reps Removing Mac Defender, although there is now an official Apple help article on Removing Mac Defender.

Although we've not tested the removal steps ourselves, given that the removal instructions come from Apple itself, you can be sure they work and are legit.

And, yes, all the top Mac antivirus software is already detecting and removing the malware.

[1] MacDefender is known alternately as MacSecurity or MacProtector.


What about Mac Antivirus Software?

Oooh, is there ever a debate around this topic.

I'm of the opinion that the time has come for those of us who run Macs--or those of us that run both Mac and Windows--to pull our collective head out of the sand and start looking at Mac antivirus software.

In case you've not heard about it, the latest Mac malware (this one is a trojan) is already known by three different names:

  1. Mac Defender
  2. Mac Protector
  3. Mac Security

No matter its moniker, it's 100% bull.

Adrian Kingsley-Hughes, writing for ZDNet, talks about both the Mac Defender trojan and the state of denial that most Mac users are in about Apple antivirus software, viruses and malware in his great piece at ZDNet.

Sure, there's the problem of actual viruses that sneak their way uninvited onto your system. This has long been one of the problems Windows users have suffered from, and one that those in the Mac camp have largely escaped.

He hits it out of the park in describing exactly what the other problem is. (And this is why Mac antivirus software is a good idea.)

"The threats posed by the bad guys are also different. Very different.

"Rather than rely on viruses which spread by using system vulnerabilities, the bad guys have turned to the Trojan.

"This is malware disguised as something desirable - a game, a software utility, a porn video - and it relies on the user choosing to install it onto their system.

"It’s hard to protect against this kind of stuff because the user chooses to override the operating system’s desire to be cautious when it comes to installing stuff.

"Getting people to install their own malware has been a popular trick used against Windows users for some time now, and there’s no reason to think that the same trick wouldn’t work against the modern Mac users, especially given how many of them were Windows users not long ago."

What it boils down to is social engineering more than software engineering. Why bother to try to trick the computer into doing something it shouldn't when it's much easier to trick the person into doing something he or she shouldn't?

Think no one is that naive? How come so many folks fall for the Nigerian 419 scams and wire their hard-earned money off to Nigeria and other lands far and wide?

What are we doing about it? We've begun taking our expertise in testing antivirus software for Windows and putting it to work on the Mac.

So, if you're a Mac owner (or have family members, friends, etc. who are), keep an eye on our blog, follow us on Twitter (@pcantivirus), or Like us on Facebook. We've got a lot in store right around the corner.


DOJ and FBI flex muscles: Takedown of international botnet

Paul Roberts from Threat Post brings news in the battle against botnets: The Coreflood Trojan botnet takedown.

The U.S. Department of Justice stated Wednesday that they'd taken steps to disable an international botnet of over 2 million infected PCs. What's significant about this botnet is that it was stealing corporate data including user names and passwords and other financial data.

According to a statement from the U.S. Attorney's office for the District of Connecticut, thirteen defendants were charged in a civil complaint. A total of 29 domain names were also seized; these were the names that machines infected with the malware--code-named "coreflood"--used when attempting to communicate with its command and control servers.

The "coreflood" malware is believed to have originated in Russia and has been active for ten years, which is staggering and unbelievable in and of itself. The DOJ said it had received a temporary restraining order allowing it to disable the malware.

This crackdown is considered to be one of the largest actions taken by U.S. law enforcement against an international botnet Trojan virus. In the past year, a similar botnet takedown was driven by the private sector (Microsoft and FireEye).

[Editor's Note: See our prior post: Microsoft Working to Take Down Win32/Rustock Botnet. This crackdown against the "coreflood" malware and command and control servers mirrored the efforts by Dutch authorities that disabled Bredolab botnet back in October.]

According to the U.S. Attorney's office, five command and control servers were halted, plus the 29 domain name sites that communicated to these C&C servers.

The government replaced the C&C servers with substitute servers to prevent Coreflood from causing further injury to the owners and users of infected computers and other third parties. While the infected machines were not disinfected of the malware, of course, the hope is that security software providers will develop tools to remove the coreflood malware and that victims will update their antivirus definitions.


Bredolab Trojan Botnet Dismantled

After infecting what's estimated to be 30,000,000 computers, the Bredolab Trojan, one of the worst ones ever to see the light of day, has been dismantled.

According to the official press release about dismantling the Bredolab Trojan Botnet from the Dutch authorities,

"At the request of the Dutch Public Prosecution Service, Armenian police arrested the probable mastermind behind the criminal Bredolab botnet network at the international airport in Yerevan today."

A piece at The Register about the Bredolab dismantling describes the outcome, saying, "Infected machines remain pox-ridden but the command system associated with the cybercrime network has been decapitated, following an operation led by hi-tech police in The Netherlands."

That's good news, and clearly, capturing this individual and dismantling Bredolab is a big deal. Both the size and the horrible effects of this trojan make its destruction an especially big deal.

The Register piece goes on to say, "Bredolab allow[ed] criminals to capture bank login details and other sensitive information from compromised machines, has infected an estimated 30 million computers worldwide since its emergence in July 2009."

This means if your computer has an infection, you'll need to take action immediately, including:

  1. contact your bank(s)
  2. contact your credit card(s)
  3. run a full antivirus scan of your PC

Once Bredolab was taken apart, the authorities used the botnet to send Bredolab infection notifications to the infected PCs.

One last thought: if you find you've gotten a notification like the one above, you might be well served to contact your financial institutions by phone for the time being so you can be sure your personal and financial information is safe 'til you can be certain you've gotten complete virus removal and your computer is clean.


Trojan in So-Called Windows 7 Compatibility Checker

Antivirus firms BitDefender and Sunbelt Software, among others, have identified new malware they're calling "Trojan.Generic.3783603".

According to Sunbelt, "The malware immediately creates a backdoor to the user's system, which then allows remote access for cyber-criminals to obtain confidential information or install more malicious software."

While the delivery vehicle isn't unique (it targets its victims randomly through spam emails), this appears to be the first one disguised as a so-called "Windows 7 Compatibility Checker." Even though Windows 7 has been widely available since October 2009, here we are over six months later with unsuspecting users now being duped into installing this scumware.

BitDefender says in their notice,

"The infection rates reflected by the BitDefender Real-Time Virus Reporting System indicate the beginning of a massive spreading of Trojan.Generic.3783603.

"Although this phenomenon has just started, it seems that it’s just a matter of time before the cybercriminals control a huge number of systems.

"Infection rates are also expected to boom because of the effective social engineering ingredient of this mechanism, namely the reference to the highly popular Microsoft® Windows® OS."

While security professionals shouldn't have to keep saying it, evidently it needs to be said:

  1. Never, ever open an attachment from unknown contacts
  2. Be wary of opening an attachment sent from someone you know when you weren't expecting it. (Many computers have been infected when one person's computer gets infected and the virus then emails itself to everyone in that person's address book.)
  3. Install, run, and keep updated the best antivirus firewall software or Internet security suite you can afford.


Arrests Made for ZBot / Zeus Trojan

Police in Manchester, England, arrested two people in connection with the ZBot Trojan.

If you're unfamiliar with the ZBot Trojan, also called "Zeus," it's a nasty bugger that was responsible for over $415,000 being stolen from a Kentucky county's bank account earlier in 2009.

But that's not all it's known for.

ZBot/Zeus is, according to a Sophos security blog,

"...one of the most notorious pieces of malware of recent times.

"It's a data-stealing Trojan horse, designed to grab information from Internet users which would help hackers break into online bank accounts and social networking sites such as Facebook and MySpace."

That's just the start of it. ZBot also gets (or got) spammed to ordinary Internet users using a variety of social engineering tricks to try to trick the unwary into opening an attachment or clicking on a link to a website hosting malware.

So, assuming the right folks were arrested, this could be rather good news. Let's hope that they did get the right folks, and let's hope also that even though they're out on bail already, they soon face the appropriate amount of justice--especially given how many people, companies, governments, and other organizations were harmed by their Trojan malware.

And, to the cops responsible for the arrest, again assuming they caught the right folks, "Well done."


New Precautions from Banks about Online Banking

It goes without saying that the cybercriminals are getting smarter... a lot smarter, and they're writing more and more sophisticated trojans, viruses, and all forms of other malware to get at your computer and ultimately your data and personal information.

This has led a banking industry group, the Financial Services Information Sharing and Analysis Center (FS-ISAC), to recommend that its member banks notify their customers (i.e. businesses that do online banking) to take much more stringent measures to secure communications between their business and the bank.

According to the Washington Post's Security Fix blog, which has a post, "Tighter Security Urged for Businesses Banking Online," on this very topic,

"The group recommends that commercial banking customers 'carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.'"

What this means is: have one computer that does absolutely nothing but talk to the bank, get Windows updates, and (in our view, of course) antivirus updates.

This raises a couple of questions:

  1. Is this practical?
  2. If it's recommended for businesses, why not for consumers, too?

As to the question of practicality, it may or may not be. For a company where there's more than one person doing the bookkeeping and banking, perhaps a couple of additional computers might be a small cost to absorb.

For a large company, this just isn't practical; however, there may be other alternatives, like a Linux "LiveCD".

As for it being practical for consumers, that isn't likely either.

How many people have the space and money to have a computer just for banking--not to mention the time to set it up and keep it updated? Running a good, modern antivirus product can certainly help reduce the likelihood of an infection in the first place, though.

Lastly, lest it go unsaid, use your head when you're doing online banking! Make sure you're on an https page when you connect, and if you know the website address of your bank, which you should, bookmark the link.

This way you can be much more aware that you're going to the right URL and not accidentally going to a fake (but very real-looking!) version of your bank's website.


Protecting Yourself From Stealth Keyloggers

There's ample understanding and concern about viruses, worms, and even botnets to some degree.

Most everyone who runs a PC understands that viruses, adware, and the like come with the territory and that it's wise to run antivirus software (or, better yet, an Internet security suite).

What's still a bit more murky than viruses and worms are stealth keyloggers--especially ones that report back to a central server in realtime.

What adds to the murkiness is that keyloggers in the eyes of some technologists aren't all necessarily bad.

While some keylogging software definitely is, there's other software out there that is used to help protect kids online and to monitor employees and public workers who are abusing computer and office time.

The line between good keyloggers and bad ones really comes down to one thing: what is the keylogger being used for?

In the case of "good" keyloggers, ultimately they're used to protect. Perhaps it's a child, perhaps it's an employer, perhaps it's a government agency, or perhaps it's someone else.

In the case of "bad" keyloggers, they're used to steal, wreck, and ruin. Perhaps it's to steal passwords, perhaps it's credit card numbers or a bank account, perhaps it's an identity, perhaps it's merchandise.

Whatever the case, how evil real-time stealth keyloggers work is a little less of a mystery thanks in part to a New York Times piece in the "Bits" technology blog on nytimes.com.

Part of the problem is that these real-time keyloggers are now allowing the cyber-criminals to completely circumvent things like RSA's SecurID system and other similar security technology roadblocks.

As Saul Hansell of the Times puts it,

"By going real time, hackers... are now undeterred by systems that create temporary passwords, such as RSA’s SecurID system, which involves a small gadget that displays a six-digit number that changes every minute based on a complex formula.

"If your computer is infected, the Trojan zaps your temporary password back to the waiting hacker who immediately uses it to log onto your account.

"Sometimes, the hacker logs on from his own computer, probably using tricks to hide its location.

"Other times, the Trojan allows the hacker to control your computer, opening a browser session that you can’t see."

"They don’t break the encryption; they just log in at the same time you do."

I'll hand it to them, it's definitely clever, but what's even more amazing and alarming is that,

"When people visit Web sites that have been taken over by the hackers, the software is surreptitiously downloaded onto their machines.

"Clampi [a particularly nasty Trojan that uses real-time components] has an unusual feature that can take advantage of a vulnerability in Windows and spread itself to all of the computers on a corporate network.

"...each of those machines, in turn, was programmed to notice when their users visited any of 4,600 specified Web pages, including banks, brokerages and other sorts of sites."

As the article asks, "Does this mean the high-tech security tokens and such are a waste?"

Not really, as they still help protect against less sophisticated attacks.
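The relay the Times piece describes, and one server-side countermeasure, as an added example that is not from the article or from any bank's real code: a toy TOTP-style bank login (the BankServer class, the demo seed and the timestamps are all constructed assumptions) rejects a logged code replayed an hour later but accepts one relayed within the one-minute window, and a single-use rule then refuses the second login and raises an alert, which is the detection signal a bank can act on.

```python
import hashlib
import hmac
import struct

# Constructed demo seed; a real token's seed is provisioned per device and kept secret.
SECRET = b"demo-seed-not-a-real-token"
STEP_SECONDS = 60  # the article describes a six-digit code that changes every minute


def otp_code(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """Six-digit time-based code: HMAC over the current time step, truncated."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class BankServer:
    """Hypothetical login endpoint that checks a token code; optionally single-use."""

    def __init__(self, secret: bytes, single_use: bool):
        self.secret = secret
        self.single_use = single_use
        self.used_steps = set()   # time steps whose code has already been accepted
        self.alerts = []          # replay events worth sending to the fraud team

    def login(self, code: str, now: int) -> bool:
        step = now // STEP_SECONDS
        # Accept the current step and the previous one to tolerate clock skew.
        for candidate in (step, step - 1):
            if candidate < 0:
                continue
            expected = otp_code(self.secret, candidate * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                if self.single_use and candidate in self.used_steps:
                    self.alerts.append(f"code for step {candidate} reused at t={now}")
                    return False
                self.used_steps.add(candidate)
                return True
        return False


T0 = 1_700_000_000  # constructed timestamp for the scenarios below


def replay_after_window(single_use: bool) -> bool:
    """A keylogger that only stores codes and tries one an hour later: rejected."""
    code = otp_code(SECRET, T0)
    return BankServer(SECRET, single_use).login(code, T0 + 3600)


def realtime_relay(single_use: bool):
    """The article's scenario; returns (victim accepted, attacker accepted, alerts)."""
    server = BankServer(SECRET, single_use)
    code = otp_code(SECRET, T0)
    victim_ok = server.login(code, T0)
    attacker_ok = server.login(code, T0 + 5)  # still inside the one-minute window
    return victim_ok, attacker_ok, server.alerts


if __name__ == "__main__":
    print("stale replay accepted:", replay_after_window(single_use=False))
    print("real-time relay, plain TOTP:", realtime_relay(single_use=False))
    print("real-time relay, single-use:", realtime_relay(single_use=True))
```

Whichever of the customer and the relaying Trojan logs in second is the one refused, so a run of "code reused" alerts on an account is a sign that the first login may not have been the customer's.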

Think of it this way: locking your front door might not deter a criminal willing to smash the window to get in; however, it might deter a good portion who won't smash a window but who would try to turn the doorknob to get in.

Criminals with access to the advanced technologies like real-time keyloggers are still fairly rare; less sophisticated ones aren't.

What's more, many of these types of attacks can still be thwarted, or prevented outright, by good antivirus firewall software.

The bottom line is, some security is better than none and multiple layers of security are better than just one. Ideally, you should look to combine:

  1. a software firewall
  2. antivirus software
  3. antispyware