MACDefender trojan variant bypasses Mac OS X anti-malware software

“Less than a day after Apple released a new security update nuking Mac Defender from orbit, a new variant has appeared that skirts around the protections of the update,” John Brownlee reports for Cult of Mac. “Called Mdinstall.pkg, this variant hit the scenes especially fast: with a time stamp of 9:24PM Pacific Time, the Mac Defender malware evolved within eight hours’ time.”

“This shouldn’t be a huge deal,” Brownlee reports. “The latest security update also included new functionality that allows OS X’s anti-malware definition file to update itself without manually downloading and applying a security patch, so Mdinstall.pkg will probably only have a shelf life of a day or less before Apple nukes this variant too.”

Read more in the full article here.

MacDailyNews Take: Here’s our usual reminder for Mac users and anyone who’s trying to use any other platform: Do not download and authorize the installation of applications (Trojans) from untrusted sources. No OS can protect users from themselves (or we wouldn’t be able to install any software). Those who grant attackers access to their computers should not be surprised to find their computers are compromised.

Related articles:
Apple releases Security Update 2011-003 (Snow Leopard); blocks and removes MACDefender trojan – May 31, 2011
Apple: How to avoid or remove MACDefender malware (permanent fix coming in Mac OS X update) – May 24, 2011
MACDefender trojan protection and removal guide – May 20, 2011
Apple investigating ‘MACDefender’ trojan – May 19, 2011
Apple malware: 6 years of crying wolf – May 6, 2011
Is Mac under a virus attack? No. – May 4, 2011
Intego: MACDefender rogue anti-malware program attacks Macs via SEO poisoning – May 2, 2011

58 Comments

    1. +1

      Apple should definitely disable the “open safe files” option in Snow Leopard and earlier, and remove it entirely from Lion. That alone would stop a lot of this malware nonsense in its tracks.

      1. …yet it applies to software installer packages, which is enough of a vulnerability to make it a significant concern. If this option didn’t exist, we wouldn’t even be talking about Mac Defender as a problem today.

        Alternatively, I suppose Apple could simply remove software installer packages from the list of files Safari considers “safe”, and that would also resolve this issue.

        And now that I think about it, this is probably an even better course of action – why is a software installer considered “safe” to begin with, anyway?

        1. “Alternatively, I suppose Apple could simply remove software installer packages from the list of files Safari considers “safe”, and that would also resolve this issue.”

          THIS!!

          this would take the least effort, easier than the end user doing it.

          drop my support from unchecking the box by default, add me to this list.

        2. “why is a software installer considered “safe” to begin with, anyway?”

          Because installers require user interaction, i.e. the user must authorize the install (and additionally provide the system password if any system directories are to be touched).
          This is true even if the user is permitted to administer the computer.

          An Administrator user in OS X is NOT the root user and is not the same as the Windows “administrator” (which is essentially equivalent to a Unix root user).

          Apple can not and should not protect users from themselves. Do not install software you are unsure of (particularly if it pops up unexpectedly!) and do not give your system password to anything you are not ~100% sure of.

        3. “Apple can not and should not protect users from themselves”

          Funny, Microsoft did this for two decades and we all blasted them for doing nothing to protect users and as a result waste billions every year on fixing up their mess.

          A downloaded image or movie is “safe” (the rare flaw in the renderer notwithstanding–easy to fix with an update), so okay, auto-open it after downloading. Auto-mounting a disk image, or unzipping a file, okay. But auto-launch an installer? No! Not unless it’s registered with and cryptographically signed by Apple (and maybe not even then).

          Require an additional double-click, or Cmd-O, or whatever, but DO NOT auto-mount a disk image and then auto-launch the enclosed installer!

        4. Not the same
          Apple can not prevent users from installing software, that is a ridiculous construct.

          What people are down on MS about (and rightly so) is their abysmal security and also their suppressing news of viruses they know are in the wild simply because they want 9 months to make the patch (and then announce the virus and then the patch 10 days later and claim a short turnaround).

          MS’s track record on security is horrid; that is what they have been (and are) being held accountable for.

    2. It takes basically the same amount of user interaction to open an installer and click next 4 times as it does to see an installer and click next 4 times.

      I don’t see how stopping the installer from opening automatically fixes anything.

      1. Because when it opens automatically, it can fool people into thinking it comes from Apple – they will then go thru the steps of installing it.

        By preventing it from opening automatically, people probably won’t even realize this thing has been downloaded at them until they check their “Downloads” folder, at which time they would most likely trash the unexpected files they find there.

        So, preventing them from opening automatically would indeed go a long way toward preventing this from having the desired impact.

  1. I always love it when people talk about malware “evolving”, as if it were some completely automated natural-selection kind of thing. Silly pundits, malware takes programming know-how!

    Sounds like Apple was pretty shrewd in implementing daily update functionality for malware detection with this latest update – seems like they had a good sense of what they were going to be up against, or had planned for this eventuality, and responded accordingly. While it remains to be seen how things will progress, so far I’m confident that Apple has things under control.

    1. The same thing applies to biology. Scientists used to say something like “the ants evolved from wasps and lost their wings”. When a non-scientist reads this, he or she understands that there is an inherent intelligence that decides to drop wings or get a smaller body etc. But, when you ask a biologist with this in mind, they claim: “No! It is natural selection. How could I explain?”.

      In biology: natural selection, not evolution…

    1. Me either.
      But I don’t use safari on Mac.
      If safari had NoScript or similar, I might.

      NoScript, ad block plus, clicktoflash/flashblock, littlesnitch, and I have never seen this Trojan.
      Oh yeah, and blocking anything with google in the domain. 😉

    2. Try using Google.

      I’m not kidding. Google the word fish, set the size filter to Large and when you see a nice fish you like, click on it. You’ll be taken to the site that has the original picture of the fish. On the right-hand side of the page, you’ll see some text indicating that the original image is x-times larger than the thumbnail.

      When you click on the link for the x-times version, Safari will be p0wnd.

      You may not get lucky on the first try. These bait links aren’t arbitrary and are usually attached to the larger version of the images in your search.

      I was p0wnd twice within twenty-minutes, while searching for a picture of a nice big fish.

      1. I should mention, the second search involved the word potatoes. The picture I clicked on was a bunch of potatoes gathered in a pile, in a field surrounded by potato plants.

        I wanted the larger version and boom goes the dynamite. I caught my second malware install.

      2. Dualie
        Help me here. I followed what you said. I did exactly the fish and the potato bit. Clicked on the X-times and got a bigger pic plus of course the web site. Did I get p0wnd? I did not see any change and went back to my normal surfing? Have I downloaded something awful or what. What I need to know is what is p0wnd? I googled it but did not understand what it is. Help please?

    3. I have seen the google image which kicks you to a page that does the windows thing of… “download this?” and only yes exists as an option. It downloaded “anti-malware.zip” every time.

  2. OK, what no one addressed is this.

    The original version was a trojan and had to be manually accepted by using admin password…

    The second version (according to articles) could install without a password.

    Can this current new version self install when visiting an infected web site??

    Just curious.
    en

      1. ….so, unless you have a form of Tourette syndrome which involves involuntary mouse-clicking movements when the installer window pops up, then no, it can’t self-install. 😉

        1. it did, but it STILL needs user input.
          just not admin password.

          version 1. Admin password, and user clicks to install password.

          Version 2. User clicks to install it.

          version 3. Bypass Apple’s update, user clicks to install. (may need password)

          At least from what I could understand from the whole mess. I run Firefox and have never seen it.

        2. From what I understand, it doesn’t attempt to install to a location which requires an administrator password – most likely, it just tries to install to a location in the user’s own folder instead.

          Regardless of where it tries to install, it still opens the installer window, and requires the user to go thru the steps of actually installing the thing.

  3. So everyone disable “open safe files after downloading” from their Safari general preferences by unchecking that box.
    You are now done and anything that pops up saying it has found any kind of virus, spyware or malware on your screen when you are browsing the internet, please just close out of the window.

    1. A new-to-Mac friend emailed me a screenshot wondering what she should do when MacDefender popped up. I wondered if she had bought MacDefender sometime in the past without knowing it, and then I saw at the bottom of the picture it said something like “41 viruses detected”. I knew right then it wasn’t legit. Even if you add all the for-demo-purposes-only viruses for all of OS X’s history, they wouldn’t equal 41!

      Now, if they had left off the virus line, but just left “malware/spyware” I would have had to keep digging. Silly hackers.

  4. A recent post on Rixstep lays the blame for all of this squarely on Apple. They contend the problem is not with the UNIX base, but changes Apple has made over the years to add “features”.
    If true, that would mean Apple has been less than vigilant concerning security and auditing. With tens of billions in the hopper this is inexcusable.

      1. What if a “safe” file is not?
        The point is that Apple has modified the UNIX base to enable or ease functions to make OSX “features” work. Otherwise- the hole was introduced by Apple’s mods.

  5. Wow, the amount of people that actually misunderstand what’s actually happening is frightening. Firstly, removing ‘Open safe files after downloading’ completely (from Lion for instance) won’t happen. I personally still have that checkbox checked. Why? When I download PDFs, or iCalendar files or Pages docs, I want them to open in the given application automatically. Turning this off, I’d need to go into the Downloads folder and open the downloaded files manually, every time. Why is everyone so scared? This is by no means a huge problem and I can give one piece of advice to everyone: browse sensibly. And don’t install anything, as MDN says, if you don’t know what it is.

    1. I fail to see how this is a “frightening” misunderstanding of the situation. Mostly, it’s a lot of responsible, concerned Mac users looking for a way to stop this stuff dead in its tracks – particularly for the less computer-savvy users, who are the target audience for this malware.

      The most sensible alternative is to simply remove software installer package files from the list of files Safari considers “safe”. Yes, this would result in a minor inconvenience when downloading installers, but really, how often does the average person do something like that?

      This would then allow you to download your PDFs, iCal (not iCalendar), Pages, etc. documents without having to go through the extremely horrendous task of double-clicking the file’s icon in Safari’s download window. Or – heaven forbid – clicking on the little spyglass button to actually go look at the file in the Downloads folder! The horrors!! 😉

    2. It’s not ME that’s scared.

      It’s people like my Mom that WILL type in the password, and WILL click all the buttons to install it. Even though I tell her NOT to do so… why? ’Cause she is AFRAID that if she doesn’t, she WILL become infected.
      That’s EXACTLY how the malware works…

    1. I basically agree. In the old days, you could be pretty safe opening pictures, PDFs etc. But today, the code is INSIDE the picture….
      Download by physically clicking,
      open by physically clicking,
      open and run executable files by entering password.

      ANY FILE that tries to end-run around these options gets killed at once. I really hate that… “do you want this?” and the only option is yes… and you cannot close the window or do much else until you cancel Safari or click yes.

      en

  6. Well, I guess this is proof that, as Mac market share goes up, the intelligence of the average Mac user goes down. It used to be that the Mac was used primarily by the very tech-savvy. Now that the “scared grandma” market is buying Macs, the Mac user market is becoming easier to trick.

    It’s like what happened to the Internet after AOL let all their users in.

    ——RM

  7. Let the games begin! Viruses and Malwares will affect Macs from here on in and Apple will be the new Microshaft! Karma for Apple and all Mac users who thought Mac OS was secure and touchless! LoL

    1. Uh, Marco, please read the following. It’s been a while since I posted it, but it’s all still true.

      Mac OS is not impregnable. There are currently several Trojans which can be downloaded and run on a Mac. They have to be ACTIVELY downloaded and PERMITTED to run by a user with an administrative login.

      Having said that, OS X is a version of UNIX, which was designed to be networked, unlike Windows, which was designed to be stand-alone. Windows has massive holes and spaghetti code where all sorts of malware can run without the user knowing.

      In UNIX, nothing can run unless it’s been approved to run by an administrator. Also, every piece of software resides in a library, and there are a limited number of them. There’s really not much room to hide, and if the virus is not running on the Admin account, very little damage can be done anyway. Read more about that here: http://daringfireball.net/2004/06/broken_windows

      Additionally, Macs are virtually invisible on the internet right out of the box. Even without a firewall on, you are essentially in “stealth mode.” “… by default, OS X doesn’t leave many ports open. In contrast, most versions of Windows ship with a bunch of open ports, which is one reason that operating system is a riper target for malicious hackers. And while Leopard leaves open more ports than earlier versions of Mac OS X, so far there have been no known attacks on those default services.” http://www.macworld.com/article/132558/2008/03/connect2504.html

      Because Macs are hard to crack, and Windows is easy, the goons target Windows. But that doesn’t mean they haven’t tried. Read about the “Hack-my-Mac” challenge here: http://www.informationweek.com/news/hardware/mac/showArticle.jhtml?articleID=181502078

      Finally, Windows is inherently easier to run malware on because of the way it handles DLLs compared with the way Linux and OS X do. See this: http://arstechnica.com/microsoft/news/2010/08/new-windows-dll-security-flaw-everything-old-is-new-again.ars?comments=1#comments-bar

      To argue that Macs will soon be just as riddled with “Viruses and Malwares” is pointless. When hackers realize they are getting very little in return for their hard work creating malware for the Mac, they will stop bothering.

    2. You still have to click through the installer to allow this thing to be installed, regardless of whether or not it asks for a password.

      There are still no reports of self-replicating viruses for Mac OS X – all malware attacks (such as this one) require tricking the user into installing it. Unlike the self-replicating malware mess on the Windows side, this still relies on social engineering to spread.

      Still, I suppose it’s easier to attack a straw man, isn’t it?

  8. Wow! Very intriguing! I made the switch to Macs about eight years ago. This is the first time I have seen and heard this much concern and discussion about malware on the platform. Times are truly changing.

  9. Wake me when the malware just installs and runs without me ever doing anything. Until then, all the Windows people who are happy are like people living in Compton saying Beverly Hills is JUST AS DANGEROUS because a few people got robbed one week (and those people who were robbed let the “nice man” in their home first).

    1. “He was dressed as a police officer. He said he saw someone break into my house and that he wanted to check and see if the perpetrator was still in here. He was dressed like a police officer, so I just let him in.”

      See… if anybody falls for that, they DESERVE it.

  10. I’ve been using Macs forever… And in OSX, I’ve never had an app that used the actual installer to NOT ask for the admin pw. So, the fact that an app can install without it really surprises me and should be revoked at a system level otherwise a real-world Mac virus is only 1 step away.

    1. FUD FUD FUD… the only reason there’s a variant *not* asking for admin password, is because it’s looking to be installed in the user’s own folder. The reason admin passwords are required for other installers, is because those installers are usually looking to do admin or root level type stuff.

      And you still have to click thru the installer to install this, regardless of whether or not it asks for a password, so let’s stop panicking unnecessarily, yes?

    2. You are buying into the hype.

      Spade and the rest are correct. Most installers ask for the password because they are trying to be installed to the Applications folder. This may be the standard that Apple requires all installers to do, applications by default. After all you are installing an application.
      If you install an app to the user’s home dir… No admin password is needed. BUT the user STILL has to click next 3-4 times for this malware to actually install.

      I have a picture I will post in a bit when I get home, shows a “virus” alert saying I’m infected with multiple malware, virus, etc. Even shows me where it’s installed, and asks me to click next to continue.
      Except they show me a windows directory…. And it’s a pop up in safari on my iPhone… Oops.
      Mac users, and iOS users will laugh at it. Windows users may fall for the trick.
      That’s exactly what this is, it is trying to fool the user into installing the malware.

      Apple can’t protect users from themselves…

      1. ok here’s the picture.

        As you can see… my iPhone is infected by 7 viruses….

        I had to open this page up on my iPhone to show someone that what they clicked on… was NOT real. and it was nothing more than malware trying to fool them into installing it.
        They thought that it was legit.

        the MacDefender probably acts the same way, haven’t seen it myself.

  11. There should be a million dollar reward for info leading to the arrest and conviction of these trojan creators.
    MacUsers, keep your eyes and ears wide open…let’s find these guys….

    1. Of the hundreds of thousands of Windows malware, and the dozens or hundreds that are especially virulent and have cost the economy billions of dollars, how many authors of those do you think have been caught? You think a second-rate (by comparison) Mac virus will get any attention by the authorities?

  12. I am one of those who got a visit from this trojan. It was on Sunday night, and I was drunk. Suddenly my mail program popped to the front, and there was this big scary warning from the “Apple Security Center” that said I was infected with viruses. It told me to click this button to remove the viruses. There were red dots with numbers inside them next to several of my mail folders. The “Apple Security Center” icon and text did not have the fit and finish of what you would expect from Apple.

    At any rate, their silly trojan didn’t even make it past my inebriated state and I just quit Mail, and rebooted and ran Disk Utility. I haven’t had any more visitations since.

  13. Appreciating the dedication you put into your website and in depth information you offer. It’s awesome to come across a blog every once in a while that isn’t the same out of date rehashed material. Great read! I’ve saved your site and I’m including your RSS feeds to my Google account.
