Intego discovers new ‘MACDefender’ malware threat for Mac OS X


ehMax
May 2nd, 2011, 12:10 PM
Apparently not a big deal, and of course a company selling Mac anti-malware software is the first to report it, but Intego is reporting that "MAC Defender Rogue Anti-Malware Program Attacks Macs via SEO Poisoning (http://blog.intego.com/2011/05/02/macdefender-rogue-anti-malware-program-attacks-macs-via-seo-poisoning/)"

"Intego has discovered a rogue anti-malware program called MACDefender, which attacks Macs via SEO poisoning attacks. When a user clicks on a link after performing a search on a search engine such as Google, this takes them to a web site whose page contains JavaScript that automatically downloads a file. In this case, the file downloaded is a compressed ZIP archive, which, if a specific option in a web browser is checked (Open “safe” files after downloading in Safari, for example), will open. The file is decompressed, and the installer it contains launches presenting a user with the following screen:

http://blog.intego.com/wp-content/uploads/2011/05/macdefender1.png

If the user continues through the installation process, and enters an administrator’s password, the software will be installed.

http://blog.intego.com/wp-content/uploads/2011/05/macdefender2.png

It is important that users not continue with any unexpected installation of this type."

mguertin
May 2nd, 2011, 12:15 PM
Moral of the story ... if you go to a website and then a software installer runs don't do it.

It's funny how Intego "finds" these things. With the few that they've presented in this manner I've never seen in the wild at all and even when searching very extensively for them can usually only find reference from their site (and sometimes links from other sites to their site for the PR).

imactheknife
May 2nd, 2011, 12:36 PM
Seems kind of funny, and fishy. These companies seem desperate to try and find viruses and malware for OSX. I still haven't used any anti-virus or malware software since I started using Macs in 1997.

John Clay
May 2nd, 2011, 12:39 PM
So, like any dangerous software for OS X, it requires the user be dumb enough to install it.

screature
May 2nd, 2011, 01:21 PM
So, like any dangerous software for OS X, it requires the user be dumb enough to install it.

A bit harsh, not knowledgeable enough, is a much nicer and probably more accurate way of putting it.

pm-r
May 2nd, 2011, 06:46 PM
A bit harsh, not knowledgeable enough, is a much nicer and probably more accurate way of putting it.

+1.

And I was just reading some posts at the Apple Discussions thread and a recent switcher got hit with all kinds of alert notices while attempting to download a pdf file.

Knowing that Macs were virus free (which the notices were displaying that he was infected) and Apple is good about protection of such stuff etc., he followed the directions to install it all which he gathered was supported by Apple.

Then some nit-picking reply post that stated that he should have noticed that some filename or some such was missing from the installer that he should have noticed. Gheese.

eMacMan
May 2nd, 2011, 09:20 PM
Mac Anti-Virus Software has been traditionally more dangerous than that from which it claims to protect.

pm-r
May 21st, 2011, 11:18 PM
Well, well, well. Guess what I discovered on our G4 MDD that's basically my wife's Mac when I went to use it, and the Safari preferences are set to download any files to the Desktop, rather than the default user's 'Downloads' folder.

Three copies of "MacSecurity.mpkg" waiting to be opened and installed!!!
Just one of the Mac Security Fake Antivirus malware names: (aka MacDefender, MacSecurity, MacProtector) installers.

She doesn't do any of the Mac "update stuff" as that's my job, and she likes a VERY clean desktop and she also thought that the newly downloaded files were something I was doing or working with on her Mac.

The G4 is only seldom used for her email and just a few Safari gardening and various friends' blog sites and she has NEVER clicked on anything to download when using Safari, so it's interesting to see the various malware installers on her desktop or how they even got there.

Unfortunately I had not installed "DownloadComment" to her user account, but it is now, to see the originating source if it occurs again - if it would even show the site or which site was actually possibly responsible for the download of the malware installer.

These (aka MacDefender, MacSecurity, MacProtector) installers may be more generally quietly and surreptitiously downloaded and more insidious than as first reported - at least for the uninformed Mac user.

Dr T
May 21st, 2011, 11:31 PM
...
These (aka MacDefender, MacSecurity, MacProtector) installers may be more generally quietly and surreptitiously downloaded and more insidious than as first reported - at least for the uninformed Mac user.

Thanks, I will pass this on.

ehMax
May 25th, 2011, 12:01 AM
Apple has released a tech article "How to avoid or remove Mac Defender malware (http://support.apple.com/kb/HT4650)"

Last Modified: May 24, 2011
Article: HT4650

Summary
A recent phishing scam has targeted Mac users by redirecting them from legitimate websites to fake websites which tell them that their computer is infected with a virus. The user is then offered Mac Defender "anti-virus" software to solve the issue.

This “anti-virus” software is malware (i.e. malicious software). Its ultimate goal is to get the user's credit card information which may be used for fraudulent purposes.

The most common names for this malware are MacDefender, MacProtector and MacSecurity.

In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware.

In the meantime, the Resolution section below provides step-by-step instructions on how to avoid or manually remove this malware.

Products Affected
Mac OS X 10.4, Mac OS X 10.6, Mac OS X 10.5

Resolution
How to avoid installing this malware

If any notifications about viruses or security software appear, quit Safari or any other browser that you are using. If a normal attempt at quitting the browser doesn’t work, then Force Quit the browser.

In some cases, your browser may automatically download and launch the installer for this malicious software. If this happens, cancel the installation process; do not enter your administrator password. Delete the installer immediately using the steps below.


Go into the Downloads folder or your preferred download location.
Drag the installer to the Trash.
Empty the Trash.


How to remove this malware

If the malware has been installed, we recommend the following actions:


Do not provide your credit card information under any circumstances.
Use the Removal Steps below.


Removal steps


Move or close the Scan Window
Go to the Utilities folder in the Applications folder and launch Activity Monitor
Choose All Processes from the pop up menu in the upper right corner of the window
Under the Process Name column, look for the name of the app and click to select it; common app names include: MacDefender, MacSecurity or MacProtector
Click the Quit Process button in the upper left corner of the window and select Quit
Quit Activity Monitor application
Open the Applications folder
Locate the app ex. MacDefender, MacSecurity, MacProtector or other name
Drag to Trash, and empty Trash


Malware also installs a login item in your account in System Preferences. Removal of the login item is not necessary, but you can remove it by following the steps below.


Open System Preferences, select Accounts, then Login Items
Select the name of the app you removed in the steps above ex. MacDefender, MacSecurity, MacProtector
Click the minus button


Use the steps in the “How to avoid installing this malware” section above to remove the installer from the download location.
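The HT4650 steps above (quit the process in Activity Monitor, drag the app and the installer to the Trash) can be scripted for a report-first check. The script below is an added example, not Apple's or Intego's code: the process and file names are the ones the article and this thread give (MacDefender, MacSecurity, MacProtector, MacGuard, avRunner), while the search locations and the `ps -axc -o comm` invocation (assumed to print the bare executable name on Mac OS X) are assumptions.

```shell
#!/bin/sh
# Added example, not Apple's or Intego's code: a report-first triage script that follows the
# removal steps in HT4650. Names come from the article and the thread; the search locations
# (/Applications, ~/Downloads, ~/Desktop) and the ps flags are assumptions.

ROGUE_NAMES="MacDefender MacSecurity MacProtector MacGuard avRunner"

# Read process names from stdin (one per line) and print the ones that exactly match a
# known rogue name. Exact matching avoids quitting an unrelated process whose name
# merely contains "Mac".
match_rogue_names() {
    while IFS= read -r line; do
        name=${line%% *}
        for n in $ROGUE_NAMES; do
            if [ "$name" = "$n" ]; then printf '%s\n' "$name"; fi
        done
    done
    return 0
}

# Print every entry in the given directories whose file name, without extension, is a
# rogue name: MacDefender.app in /Applications, MacSecurity.mpkg on a Desktop, and so on.
# Directories that do not exist are skipped.
find_rogue_items() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -e "$f" ] || continue
            base=$(basename "$f")
            stem=${base%%.*}
            for n in $ROGUE_NAMES; do
                if [ "$stem" = "$n" ]; then printf '%s\n' "$f"; fi
            done
        done
    done
    return 0
}

# report: only print what was found.
# apply: quit the matching processes (the article's Activity Monitor > Quit Process) and move
# matching apps and installers to the Trash (its "drag to Trash"). Emptying the Trash is
# left to the user so a mistaken match can still be recovered.
triage() {
    mode=${1:-report}
    ps -axc -o comm 2>/dev/null | match_rogue_names | sort -u | while IFS= read -r name; do
        echo "running process: $name"
        if [ "$mode" = apply ]; then killall "$name"; fi
    done
    find_rogue_items /Applications "$HOME/Downloads" "$HOME/Desktop" | while IFS= read -r item; do
        echo "found on disk: $item"
        if [ "$mode" = apply ]; then
            mkdir -p "$HOME/.Trash"
            mv "$item" "$HOME/.Trash/"
        fi
    done
}

# Usage: sh macdefender_triage.sh --report   (print only)
#        sh macdefender_triage.sh --apply    (quit processes, move files to Trash)
case "${1:-}" in
    --report) triage report ;;
    --apply) triage apply ;;
    *) echo "usage: $0 --report | --apply" ;;
esac
```

Run it with `--report` first and read the list before using `--apply`; the installer copies pm-r later reports finding on a Desktop are caught by the same name check as the installed app in /Applications.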

pm-r
May 25th, 2011, 01:14 AM
Thanks for the updated info, and the upcoming Apple software notice is interesting from the URL provided:

"In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware"

I hope it isn't too long before its being released for those who haven't already been targeted, and for those that might have and run the malware via the installer and actually get it all removed with the Apple update.

greydoggie
May 25th, 2011, 09:37 PM
Guess what I saw pop up out of nowhere the other day??:yikes:

broad
May 26th, 2011, 12:15 AM
naked dudes?

fjnmusic
May 26th, 2011, 01:46 AM
naked dudes?

Where did that darned like button go? (for the response, not the dudes)

pm-r
May 26th, 2011, 02:29 AM
Forget the 'Like' button that seems to have recently disappeared with the recent update and a certain member's request for a 'dislike' option, as neither seem to exist now.

But some recent web posts seem to indicate the recent Mac malware has taken on a new twist with no admin password required.

From New 'MACDefender' Variant Installs Without Admin Password Requirement - Mac Rumors (http://www.macrumors.com/2011/05/25/new-macdefender-variant-installs-without-admin-password-requirement/)

"Antivirus firm Intego today reported that it has discovered a new variant of the "MACDefender" malware that ups the ante by not requiring an administrator password for installation. The step is accomplished by installing the application only for the current user. ..."

Surprise, surprise, the announcement comes from "Antivirus firm Intego".

Hmmm... is that just me and with an unfounded judgement????

Anyway, something with a new twist to be aware of.

macintosh doctor
May 26th, 2011, 02:29 PM
Surprise, surprise, the announcement comes from "Antivirus firm Intego".

Hmmm... is that just me and with an unfounded judgement????

Anyway, something with a new twist to be aware of.

what are you saying? are you saying they are behind it?
kind of like that guy who runs tomorrowsgaspricetoday.com
he says prices go up they go up? LOL
:lmao:
so if we rid ourselves of him and his website we will have normal prices...?

I very much doubt Intego is behind it..

broad
May 26th, 2011, 02:37 PM
i think he's saying that often the ones who are ringing the alarm the loudest are those that stand to profit from the alarm being rung

usually when intego starts foaming at the mouth WRT mac security problems it's often much ado about nothing. in this case though i would say this is a genuine issue.

pm-r
May 26th, 2011, 04:27 PM
That's about it.

But at least their latest announcement sure got the word out and someone is looking out for the Mac user, and maybe their own interests. So thanks to Intego for doing so.

My comment was not meant to be disparaging to them in any way.

BTW: I don't see many such public announcements coming from some of the other Mac anti-virus/malware folks.

fjnmusic
May 26th, 2011, 04:33 PM
i think he's saying that often the ones who are ringing the alarm the loudest are those that stand to profit from the alarm being rung

usually when intego starts foaming at the mouth WRT mac security problems it's often much ado about nothing. in this case though i would say this is a genuine issue.

This is the premise for many a Law and Order show I've watched. Always be suspicious of the one you think you can trust most.

BTW, if there were any real threat to the Mac OS, I think we'd hear about it pretty quickly from Apple itself. Companies that stand to gain from the sales of anti-virus software for non-existent viruses are about as trustworthy as companies that offered to safeguard your computer against the dreaded Y2K bug. And sorry, scareware and phishing schemes do not count as viruses.

krs
May 26th, 2011, 09:59 PM
But some recent web posts seem to indicate the recent Mac malware has taken on a new twist with no admin password required.

From New 'MACDefender' Variant Installs Without Admin Password Requirement - Mac Rumors (http://www.macrumors.com/2011/05/25/new-macdefender-variant-installs-without-admin-password-requirement/)

"Antivirus firm Intego today reported that it has discovered a new variant of the "MACDefender" malware that ups the ante by not requiring an administrator password for installation. The step is accomplished by installing the application only for the current user. ..."

and continues:

Unlike the previous variants of this fake antivirus, no administrator's password is required to install this program. Since any user with an administrator's account - the default if there is just one user on a Mac - can install software in the Applications folder, a password is not needed. This package installs an application - the downloader - named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user's Mac, so no traces of the original installer are left behind.

The second part of the malware is a new version of the MacDefender application called MacGuard. This is downloaded by the avRunner application from an IP address that is hidden in an image file in the avRunner application's Resources folder.

----------

I don't get this.
I'm the only user on my Mac.
My account is an admin account.

But regardless, I have to enter my user ID and my password every time I want to install an application.

Is this an option - not to require a password?
Since any user with an administrator's account - the default if there is just one user on a Mac - can install software in the Applications folder, a password is not needed.

pm-r
May 26th, 2011, 11:23 PM
That's the whole point regarding some of the latest malware variants - no password is needed. Period.

It downloads its own 'installer' which bypasses the normal Mac's OS installer where a password is normally required.

But besides that, if you're the ONLY user on your Mac, then YOU ARE the admin User, and your User name would normally be used, so you must have changed some setting somewhere if you're having to enter BOTH your user ID as well as your password for any "NORMAL" Mac install stuff.

krs
May 27th, 2011, 12:04 AM
Well - if MACDefender downloads its own installer that totally bypasses the normal Apple installer then User ID and password become a moot point.
I'm a bit surprised that this is even possible - downloading an alternate installer that bypasses the Apple one.

As to normal installations - I haven't made any changes from the norm, I always need to enter the User ID and password - the user ID is prepopukated, the password I need to type in.
But of course if the Apple installer is not used at all to install that software, neither one of those two fields would show up.

pm-r
May 27th, 2011, 01:26 AM
The recent malware 'MacDefender' which is a takeoff of the legitimate 'Mac Defender' application (with a space) that adds even more confusion to this issue, DOES need and uses the Mac's built in application installer.

It's the later variants, such as 'MacGuard' and possibly other additional names now, that don't normally need the logged in user to enter or type in any user ID or password.

So I'm guessing that you must be using the "Name and password' option in your 'Accounts' pref pane and no 'Automatic login' user has been set. ???

PS: I love the 'prepopukated' word. And quite descriptive. ;-)

krs
May 27th, 2011, 10:11 AM
I think there is some confusion here.

I do use 'automatic login' on the Mac only I use, but that has nothing to do with authorizing the installation of an application.
"Automatic login" only happens when you need to log onto your account, either when you boot up the Mac or change accounts (if there is more than one). I run my Mac 24/7 so I normally don't log in at all - I stay logged in permanently.

However, whenever I install an application, either a .dmg or a .pckg version, at some point early in the install process, I'm asked to "authenticate" by providing my user ID and password. It's the same user ID and password that I would use to log in if I hadn't set log in to automatic, but this authentication doesn't happen automatically even if I have set log in to auto.

Now what I understood is that the MAC Defender software uses the normal Apple installer, the Apple installer asks for authentication and at that point the light should go on that something is amiss.

With MacGuard there is a different rogue installer downloaded which MacGuard uses to install the software - that rogue installer doesn't require any user ID or password, so you never get any warning that way.
What is not clear to me if one still has to go through the various installation steps (ie windows) with MacGuard or if that all happens automatically as well without any user intervention.

pm-r
May 27th, 2011, 02:23 PM
Normally if the auto login is set with the user account name selected in the Account pref pane options, the user name is automatically added to the 'authorization' window and then just the password (if one is used) needs to be entered and a click on the OK button.

I have come across some instances where the user name wasn't automatically added into the 'authorization' window and if I recall correctly, the fix was to change the auto login settings to something you DON'T want and restart and then set them to what one DOES want.

Regarding the MacGuard 'install', if you Google around I believe there are some sites with images that show what's going to happen and how it works.

Jenergy
May 27th, 2011, 02:34 PM
:eek: that was literally my facial expression lol

krs
May 27th, 2011, 05:38 PM
Regarding the MacGuard 'install', if you Google around I believe there are some sites with images that show what's going to happen and how it works.

Haven't found an explanation yet.
All I get googling is this:

If the software is downloaded on an admin account (the default account on most OS including Macs), the installer will start and run automatically without prompting for a password. This program will still require user interaction in order to install, so you will see an installer program running and will have to click through a couple of installation windows in order to get it on your system; however, the difference now is that it can be installed without an administrator password.

As I said before, I am the only user on my Mac, my account is an admin account but I still have to enter my password every time I install software.

pm-r
May 28th, 2011, 01:16 AM
Have a look at such sites as Watch Out for the New Mac Malware | Riches Corner | Make Money Online (http://www.richescorner.com/watch-out-for-the-new-mac-malware/) if you need to see some of the basic install routines it can use.

But the bottom line with the latest 'MacGuard' "installer" it uses, is it's NOT the normal Mac OS X "installer" that it uses, but it's own and quickly deleted installer that bypasses all the normal Mac 'authorization' stuff.

You can see some images at places like Watch Out for the New Mac Malware | Riches Corner | Make Money Online (http://www.richescorner.com/watch-out-for-the-new-mac-malware/)

Any other "normal" software installs that uses the *normal* Mac OS installer will still need to have the admin username listed, which should be normal and automatic with an auto-login as you said you were using, and then that user's password entered (if one is used) would need to be entered.

Maybe I'm confused but I thought you said you were using the auto login account option and had to enter *BOTH* the username AND the password in the installer's 'authorization window' which shouldn't be necessary. Just entering the password for the logged-in admin username that should be automatically shown should work.

mguertin
May 28th, 2011, 03:53 AM
Any other "normal" software installs that uses the *normal* Mac OS installer will still need to have the admin username listed, which should be normal and automatic with an auto-login as you said you were using, and then that user's password entered (if one is used) would need to be entered.

I might have missed this earlier in the thread and I apologize in advance if I did and you can skip this post ... but that information is incorrect. Using the standard Apple install mechanism (ie. installing from a .pkg file) will NOT prompt for and does not need the admin username and password (or any username and password for that matter) if it's installing into your home directory and not into an area that needs administration access. This is most likely what they are "taking advantage" of here ... if you can call it that. Again, even if you're NOT using an admin account this local method will still install into your home folder without further prompting or permissions required.

The long and short of it is this:


Turn OFF the automatic launch of "safe" document types in Safari (and any other web browser, whoever thought this was a good idea was in err big time). You'll have to turn it off manually for now and in the long run hopefully apple stops this from being the default. If you're too much of a newb to be able to get past this stage of downloading something from the internet to install then you either need to RTFM a bit or buy an iPad (and wait until the malware is targeted there to worry about things). It does not matter if your account is an admin account or a standard account, this "local" installation (into your home directory) will work without requiring any authentication. The only exception to this would be a controlled account that has restricted access (i.e. a child's account that's not allowed to do anything but launch a few applications).

User education. If you load a web page and all of a sudden it's saying you need to install software, DON'T. Plain and simple. It doesn't matter how much protection is put into place if users just blindly click through any install dialog box that pops up in front of them or enters their username and password on demand without knowing why. Unless the "bad guys" are taking advantage of a true exploit (which thankfully we haven't seen in the wild yet) then it's all still a matter of social engineering and user incompetence. The most foolproof system ever designed won't help you if you give away the farm.



It's also sad to say that there are a ton of other ways that OSX's default packaging/installer system can be exploited and it's just ripe for the picking. OSX is literally many many years behind most other popular *nix based OSes when it comes to this sort of security and doesn't use even the most rudimentary security for packages (signed packages, checking package hashes, etc), let alone anything more serious. Anyone with a little knowledge of the way the .pkg bundles are built and some basic command line scripting has the tools available to cause some pretty serious mayhem if Apple leaves things the way they are. But that said even with package security an approach like the current one would still work, this is taking advantage of a loophole (the auto launch of it when downloaded) and taking advantage of the fact that people will just click through it and do whatever they are told without question. The issue of the security in packaging is a whole different disaster (and was how the malware/trojan happened in the pirated iLife package a couple years back and is still wide open to happen again).

If this has already been said then I apologize ... sometimes I skim too quickly over the previous posts to avoid the rants or OT discussion and miss things ;)

krs
May 28th, 2011, 09:41 AM
Maybe I'm confused but I thought you said you were using the auto login account option and had to enter *BOTH* the username AND the password in the installer's 'authorization window' which shouldn't be necessary. Just entering the password for the logged-in admin username that should be automatically shown should work.

I think I might have confused the issue.
I wrote that both the user ID and password had to be entered but that the user ID is pre-populated.
So I only enter the password manually myself but the system requires both.

krs
May 28th, 2011, 09:52 AM
I might have missed this earlier in the thread and I apologize in advance if I did and you can skip this post ... but that information is incorrect. Using the standard Apple install mechanism (ie. installing from a .pkg file) will NOT prompt for and does not need the admin username and password (or any username and password for that matter) if it's installing into your home directory and not into an area that needs administration access.

I tried that a few times yesterday with software that I downloaded from the net.
The software was a zip file that expanded to a .pkg file. the installation was into my home directory, the installer was the Apple installer, and the installation process did prompt me for user ID (pre-populated) and password.
In fact, I can't remember ever installing any application on my Mac where I didn't need to enter the password in addition to the pre-populated user ID.
That goes for .dmg files as well.

Now if this malware somehow downloads and installs its own installer and uses it rather than the Apple installer, then I can understand that user ID and password are not required - but how does it install its own installer in the first place without any authorization.

The authorization process is one of the main elements to prevent malware from getting onto the Mac and here you're essentially telling us that whole process is broken and always has been.

mguertin
May 28th, 2011, 12:57 PM
I tried that a few times yesterday with software that I downloaded from the net.
The software was a zip file that expanded to a .pkg file. the installation was into my home directory, the installer was the Apple installer, and the installation process did prompt me for user ID (pre-populated) and password.
In fact, I can't remember ever installing any application on my Mac where I didn't need to enter the password in addition to the pre-populated user ID.
That goes for .dmg files as well.

Now if this malware somehow downloads and installs its own installer and uses it rather than the Apple installer, then I can understand that user ID and password are not required - but how does it install its own installer in the first place without any authorization.

The authorization process is one of the main elements to prevent malware from getting onto the Mac and here you're essentially telling us that whole process is broken and always has been.

Try it with some other software maybe then. It's possible that whatever you were trying still needed to modify something that needed authentication. I've had quite a few pieces of software that used the Apple installer that did not require authentication to install. Try something simple like a preference pane (and install for only your user when it asks you).

krs
May 28th, 2011, 08:04 PM
Try something simple like a preference pane (and install for only your user when it asks you).

I have never downloaded and installed a preference pane separately - that would explain why I haven't seen that install without asking for a password.
But then again, I wouldn't call a preference pane an "application".

I just checked what preference panes I had on my Mac, there are only three in my home folder, Growl, Opera and Perian.
Those were all downloaded with these applications and I'm pretty sure my password was required for each one of these applications.

mguertin
May 28th, 2011, 10:27 PM
It's not just preference panes, I was just using that as an example. It's pretty obvious that you're of the mind that if you can't reproduce it and haven't seen it that it can't work that way so whatever, you'll have to either trust me or keep trying on reproducing things (or go read some more documentation).

pm-r
May 28th, 2011, 11:21 PM
Just doing a fairly quick Google search on 'Mac OS X installer apps that don't need admin user password' as an example search provides lots of hits and various threads why there maybe so many variations and conditions as to if and when an admin username AND password may or may NOT be required.

And then again, there is some software that doesn't even follow the rules and gets itself installed regardless if the user isn't careful, ie: one of the points of this thread.

krs
May 29th, 2011, 03:50 AM
What you're saying is that having to enter user ID and password to install an application is just smoke and mirrors.

From day one, one of the key elements that supposedly keeps malware from being automatically downloaded to the Mac and installed without the user's knowledge (as in Windows) is the fact that the administrator has to enter a password before the installation can proceed - and now you're telling me that this isn't true at all, that lots of applications can get installed without any warning.
That would make the user ID and password approach totally useless, what's the point of that applying to only some apps - it would be totally useless.
An application that uses the installer is typically downloaded as a zip file, zip files can be set up to open automatically after download to get the .pkg file and from there it's not hard to have the Mac automatically just launch the .pkg file and step through the install windows if no password is required.

I googled using the term 'Mac OS X installer apps that don't need admin user password'
About half the hits were about MACDefender, a bunch of others were people asking how to turn off the prompt for the password (which apparently isn't possible).
The only application I came across where people claimed it could be installed without a password was 'handbrake' - so I tried that.
For one, that is a .dmg application which is not what we are talking about, but even so, first time I tried to launch handbrake after dragging the .dmg file to the app folder, I get a warning message that this was downloaded from the Net and do I really want to open it.

Chealion
May 29th, 2011, 11:52 AM
Any application (installer or not) can request authorization to access files it would not normally have access to.

When you make an installer for Mac OS X the only time you need to set the authorization required flags is when you will be installing files that the user installing does not have privileges to already installed. (The Applications folder is an example - you can drag and drop apps into there without having to enter a password if you're an admin user)

That said any executable program distributed by dmg or zip gets a quarantine flag on it popping up the "is a program downloaded from..." dialog box.

Turn OFF the automatic launch of "safe" document types in Safari

I really wish they would remove this feature. It's the first thing I disable on any computer I work with. Thank god it works with MCX.
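The three controls the last few posts turn on, Safari's "Open safe files after downloading" setting that mguertin says to turn off, the quarantine flag Chealion mentions, and whether a .pkg can install into the home directory without authorization, can each be checked from the command line. The script below is an added example, not code from the thread, Apple or Intego. The preference key `AutoOpenSafeDownloads`, the extended attribute `com.apple.quarantine` and `installer -dominfo -pkg` are real Mac OS X interfaces; the attribute layout `flags;hex-timestamp;agent;uuid`, the `CurrentUserHomeDirectory` domain name printed by `-dominfo`, and the sample attribute value in the test are assumptions or constructed.

```shell
#!/bin/sh
# Added example, not code from the thread, Apple or Intego: checks for the Safari auto-open
# setting, a download's quarantine flag, and a package's install domains. The quarantine
# value layout and the -dominfo domain name are assumptions stated in the lead-in.

# Interpret the value `defaults read com.apple.Safari AutoOpenSafeDownloads` prints.
# "1" means Safari opens "safe" downloads automatically. An empty value (key never written)
# is treated as enabled, since that was the shipping default at the time (assumption).
auto_open_enabled() {
    case "$1" in
        0|false|no|NO) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the downloading application's name from a quarantine attribute value
# ("flags;hex-timestamp;agent;uuid", assumed layout).
quarantine_agent() {
    printf '%s\n' "$1" | cut -d';' -f3
}

# Convert the hexadecimal download timestamp in a quarantine value to epoch seconds.
quarantine_epoch() {
    hex=$(printf '%s' "$1" | cut -d';' -f2)
    echo $((0x$hex))
}

# Read the domain list `installer -dominfo -pkg FILE` prints (one per line) from stdin and
# succeed if the package may be installed into the current user's home directory, which
# is the path that needs no administrator password.
pkg_allows_home_install() {
    grep -q 'CurrentUserHomeDirectory'
}

# Live checks on a Mac: the Safari setting, then, if a file is given, its quarantine flag
# and (for a package) its install domains.
audit() {
    file=${1:-}
    value=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)
    if auto_open_enabled "$value"; then
        echo 'Safari auto-opens "safe" files after download. Turn it off with:'
        echo '  defaults write com.apple.Safari AutoOpenSafeDownloads -bool false'
    else
        echo 'Safari auto-open of "safe" files is off.'
    fi
    [ -n "$file" ] || return 0
    if q=$(xattr -p com.apple.quarantine "$file" 2>/dev/null); then
        echo "$file was downloaded by $(quarantine_agent "$q") at epoch $(quarantine_epoch "$q")"
    else
        echo "$file carries no quarantine flag"
    fi
    case "$file" in
        *.pkg|*.mpkg)
            if installer -dominfo -pkg "$file" | pkg_allows_home_install; then
                echo "$file can be installed into your home folder with no password prompt"
            fi ;;
    esac
}

# Usage: sh mac_download_audit.sh --audit [FILE]
if [ "${1:-}" = "--audit" ]; then audit "${2:-}"; fi
```

The pure functions read their input from arguments or stdin, so they can be exercised on any Unix; only `audit` calls the Mac-specific tools. A package whose domain list includes the home directory is exactly the case mguertin describes: the standard Apple installer runs it without asking for a username or password.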

pm-r
May 29th, 2011, 02:41 PM
What you're saying is that having to enter user ID and password to install an application is just smoke and mirrors. ... ... ...

Sigh.... I don't know who or what you're referring to or how you came to such a conclusion, but if that's what you want to think, then just carry on I guess.

At least you should be aware of some of the various "install" methods that can be used by now.

krs
May 29th, 2011, 03:12 PM
The Applications folder is an example - you can drag and drop apps into there without having to enter a password if you're an admin user.

Yes, but that doesn't seem to apply to .pkg applications where one goes through the install process - that's what we are talking about.
I am the only user with an admin account and I have to enter the password every time with a .pkg application (.dmg is different but that is not the way this malware is distributed)

That said any executable program distributed by dmg or zip gets a quarantine flag on it popping up the "is a program downloaded from..." dialog box.

Does that happen with the latest version of this malware as well?

I really wish they would remove this feature. It's the first thing I disable on any computer I work with. Thank god it works with MCX.

I had mine disabled initially, but that was a pain because so many sites now decide to provide the information one wants in pdf format.
With that feature disabled, one downloads the pdf file, then has to go into the download folder, find the file and then open the file.
With the feature enabled, all that happens automatically - much more convenient from a user point of view.
I have now disabled that feature again but it makes getting info from the web much more awkward.

Is MACDefender and its versions including the latest one actually a "real" application?
It doesn't seem to do anything to the Mac, i.e. destroy files etc., other than trying to dupe people into providing their credit card information, just like any malware that depends on social engineering to get information.
Could MACDefender or the others make changes to the data, or collect data that is stored on the Mac?

krs
May 29th, 2011, 03:20 PM
At least you should be aware of some of the various "install" methods that can be used by now.

I knew about the various install methods before but that is not what we are discussing.
My question was specifically related to MACGuard and how it gets installed without a password.
I haven't seen that malware yet but I understood this was also a .pkg "application" where one goes through the install process (not a .dmg file) but nowhere during the install process is there a request for a password.
Some people claim it uses its own installer, others state it uses the Apple installer but somehow bypasses the requirement to enter a password.

I would love to find at least one legitimate .pkg application that doesn't require a password for installation - I haven't come across any.
And if they exist, what's the point of having some applications that require a password if not all of them do - that's my 'smoke and mirror' comment.

pm-r
May 29th, 2011, 04:40 PM
Take a trip to see how it works at The Mac Security Blog » INTEGO SECURITY MEMO – New Mac Defender Variant, MacGuard, Doesn’t Require Password for Installation (http://blog.intego.com/2011/05/25/intego-security-memo-new-mac-defender-variant-macguard-doesnt-require-password-for-installation/)

If you have Little Snitch installed and enabled you'd also see that it wants port access which should also alert the user as being a bit unusual for any installer.

I think you've come pretty close with the keyword in your "....pkg application that doesn't require a password for installation" statement — the keyword being legitimate!!!!

Oh, there might be one that's only available from a small developer's own protected site somewhere, but even if so, I'd have to be trusting the site I was at in the first place, i.e. know where the software is actually coming from.

Anyway, I think we've flogged this thread long enough for now. ;-)

mguertin
May 29th, 2011, 07:57 PM
I would love to find at least one legitimate .pkg application that doesn't require a password for installation - I haven't come across any.
And if they exist, what's the point of having some applications that require a password if not all of them do - that's my 'smoke and mirror' comment.

That's because most .pkg files you've installed probably went to paths outside your home folder (or at least some component of them did, or whoever made the package was lazy and just ticked off the option to require username and password when they didn't strictly require it). Try to find a pkg file that installs a very simple application and that allows you to change the location of the install. Change the location to somewhere in your home folder (i.e. at the base dir of your home make a folder called Applications and then tell it to install there).

The username and password being asked for has nothing to do with the specific fact that you're installing something ... it's merely a side-effect that most times happens when you're installing something. The dialog specifically is requesting permission for accessing areas of the filesystem that require super user access levels -- you're having to copy files to areas of the filesystem that your user doesn't "own". In command line terms this dialog is roughly the equivalent of prefixing a command with 'sudo', if that description helps you understand it.

Any "Administrator" account in OSX is basically the equivalent of a unix user having super user, or sudo, rights -- meaning you can run that command as required to make modifications normally only the super user could make, such as changing system level components, etc. Having an admin level account on OSX does not give your user much else really; it just tells the operating system that if you give your username and password then you can have limited, time-restricted rights to access parts of the filesystem that require super user access to copy in new files or modify existing ones, run super user only (command line) tools, etc.

Also worth mentioning again is the fact that logging into your account (either from the login screen or from a locked screen saver) doesn't change the super user rights -- the dialogs might look the same but they don't give the same permissions.

The only true (user level) "sandbox" that OSX currently has is the "you have downloaded this file from the internet, do you really want to run it" dialog and that only happens with things that you double click to run for the most part as far as I know. I've never seen any type of this dialog for anything I've ever downloaded and executed on the command line or with a shell script (which should also tell you something about how secure that sandbox is for people who understand the mechanics of things). On a worse note, again, the Apple installation backend used for pkg installs is horribly bad for anyone that knows their way around things ... I won't spell out any specific examples of how to take advantage of it here for obvious reasons. If you don't trust me find yourself another Unix geek to take a look at how it's all put together and how it mechanically runs in the backend of things and ask their opinion.
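The two mechanisms argued over in this thread, the installer's authorization flag (Chealion's and mguertin's point that the password prompt comes from where the files go, not from the act of installing) and the quarantine flag that drives the "downloaded from the Internet" dialog, can both be inspected directly. The script below is an added example written for this page; it is not code from any poster or from Apple. It assumes the flat-package layout (a xar archive whose `PackageInfo` XML carries `auth="root"` or `auth="none"` and an `install-location`) and the `com.apple.quarantine` value format `flags;unix-time-hex;agent;uuid`. The `SAMPLE_*` strings are constructed for illustration; the two helpers that shell out to `xar` and `xattr` only work on a Mac, the parsers run anywhere.

```python
"""Inspect what a downloaded .pkg declares about privileges, and decode the
quarantine attribute Safari stamps on downloads. Added example, not code
from the thread. SAMPLE_* strings are constructed, not from a real package."""
import shutil
import subprocess
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: writes into / and asks Installer for root, with
# install scripts (the shape most vendor packages have).
SAMPLE_ROOT_PKGINFO = """<?xml version="1.0" encoding="utf-8"?>
<pkg-info format-version="2" identifier="com.example.tool" version="1.0"
          install-location="/" auth="root">
  <payload installKBytes="120" numberOfFiles="4"/>
  <scripts>
    <preinstall file="./preinstall"/>
    <postinstall file="./postinstall"/>
  </scripts>
</pkg-info>
"""

# Constructed sample: only drops files under the user's home and declares
# no authorization, so Installer never shows a password prompt.
SAMPLE_HOME_PKGINFO = """<?xml version="1.0" encoding="utf-8"?>
<pkg-info format-version="2" identifier="com.example.userapp" version="1.0"
          install-location="~/Applications" auth="none">
  <payload installKBytes="80" numberOfFiles="2"/>
</pkg-info>
"""


def analyze_packageinfo(xml_text):
    """Return what a PackageInfo document says about privileges and scripts."""
    root = ET.fromstring(xml_text)
    if root.tag != "pkg-info":
        raise ValueError("not a PackageInfo document")
    # Assumption for this example: a missing auth attribute is treated as
    # root (the conservative reading); inspect such packages by hand.
    auth = root.get("auth", "root")
    scripts_el = root.find("scripts")
    scripts = [el.tag for el in scripts_el] if scripts_el is not None else []
    info = {
        "identifier": root.get("identifier"),
        "install_location": root.get("install-location", "/"),
        "requires_admin": auth != "none",
        "scripts": scripts,
    }
    notes = []
    if info["requires_admin"]:
        notes.append("Installer will ask for an admin password")
        if scripts:
            notes.append("install scripts (%s) run as root" % ", ".join(scripts))
    else:
        notes.append("no password prompt: files must land where the user "
                     "can already write")
        if scripts:
            notes.append("install scripts still run, as the current user")
    info["notes"] = notes
    return info


def extract_packageinfo(pkg_path):
    """Pull PackageInfo out of a single-component flat package with xar
    (macOS only). Product archives with a Distribution file keep their
    component PackageInfo files one level down; handle those by hand."""
    xar = shutil.which("xar")
    if xar is None:
        raise RuntimeError("xar not available; run this on macOS")
    with tempfile.TemporaryDirectory() as tmp:
        subprocess.run([xar, "-x", "-f", pkg_path, "PackageInfo"],
                       cwd=tmp, check=True)
        with open(tmp + "/PackageInfo", encoding="utf-8") as fh:
            return fh.read()


def parse_quarantine(value):
    """Decode a com.apple.quarantine value: flags;unix-time-hex;agent[;uuid]."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError("unexpected quarantine attribute format")
    return {
        "flags": int(parts[0], 16),
        "downloaded_at": datetime.fromtimestamp(int(parts[1], 16),
                                                tz=timezone.utc),
        "agent": parts[2],
        "uuid": parts[3] if len(parts) > 3 and parts[3] else None,
    }


def read_quarantine(path):
    """Decoded quarantine attribute of a file, or None if it has none (macOS)."""
    xattr = shutil.which("xattr")
    if xattr is None:
        raise RuntimeError("xattr not available; run this on macOS")
    proc = subprocess.run([xattr, "-p", "com.apple.quarantine", path],
                          capture_output=True, text=True)
    return parse_quarantine(proc.stdout) if proc.returncode == 0 else None


if __name__ == "__main__":
    for sample in (SAMPLE_ROOT_PKGINFO, SAMPLE_HOME_PKGINFO):
        info = analyze_packageinfo(sample)
        print(info["identifier"], "->", "; ".join(info["notes"]))
    # Constructed attribute value of the kind Safari writes on a download.
    print(parse_quarantine("0083;4de2c4e0;Safari;"
                           "D1E2F3A4-1111-2222-3333-444455556666"))
```

On a real Mac, `analyze_packageinfo(extract_packageinfo("some.pkg"))` answers krs's question for a given package before it is ever opened, and `read_quarantine("~/Downloads/some.zip")` returning `None` means the file will open with no warning at all, which is exactly the case a script or command-line download produces. The Safari preference Chealion disables is the `AutoOpenSafeDownloads` key in `com.apple.Safari`; `defaults write com.apple.Safari AutoOpenSafeDownloads -bool false` turns it off from a shell, and `pkgutil --check-signature some.pkg` reports whether a package is signed, which is the support hayesk refers to later in the thread.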

pm-r
May 29th, 2011, 09:00 PM
Thanks mguertin for your interesting points and comments.

For the Mac OS X users who have asked me "why all the password requirement stuff", and especially with pre-OS X users, I have just suggested that, yes, they own and can control the use of their OS X Mac up to a point, but the OS System and Root are the REAL owners and bosses of the OS, and that they allow at least one admin user and maybe some others to use their OS X Mac.

And isn't that nice of them to allow the owner and user to actually use their Mac, but on their terms!!! ;-)

PS: Your comments remind me of my youngest son, a sometimes programmer and developer, when he's needing and using Terminal. And in such situations it seems that HE IS THE BOSS and I guess System and Root just let him do what he needs to do!!

Definitely not something an average Mac OS X user would be doing, or how to for that matter. ;-)

SuzyP
May 30th, 2011, 09:04 AM
I mentioned this to my husband and he thought it could be done using PHP and the exec command, or perhaps even using QuickTime. I am totally non-techie and he is quite the opposite, so no idea what he meant! :D

ehMax
May 30th, 2011, 02:22 PM
Just for anyone joining coming straight to this thread, very good article written by CanadaRAM: How do I secure my Mac (https://www.ehmac.ca/anything-mac/95104-how-do-i-secure-my-mac.html), that has some good tips for precaution and steps you might want to take.

Niku
May 30th, 2011, 08:22 PM
The recent malware 'MacDefender' which is a takeoff of the legitimate 'Mac Defender' application (with a space) that adds even more confusion to this issue, DOES need and uses the Mac's built in application installer.

It's the later variants, such as 'MacGuard' and possibly other additional names now, that don't normally need the logged in user to enter or type in any user ID or password.

So I'm guessing that you must be using the 'Name and password' option in your 'Accounts' pref pane and no 'Automatic login' user has been set. ???

PS: I love the 'prepopukated' word. And quite descriptive. ;-)

Finally, the information that I needed. Thanks for telling me that there is a legitimate Mac Defender. Now I just have to check to see if the Defender I've installed on a temporary basis is one or two words.

pm-r
May 31st, 2011, 12:03 AM
If you've never downloaded and installed or used the real, legitimate "Mac Defender" utility, which like some other legitimate sites with a similar name seems to have gone into hiding with the latest malware install threats etc., then I guess only you will know what recent Mac Defender etc. stuff you might have, or have waiting for you to install.

The malware version has already gone through various name changes and I'm sure that there are some scumbags out there creating the same malware with various other names and just waiting for someone to download and 'install' it.

Bottom line: Don't just rely on the actual name any more!! Things change too fast.

For all I know, another duplicate one just re-named 'mac 10.6.x security update' etc. could be released any day.

hayesk
May 31st, 2011, 04:27 PM
It's also sad to say that there are a ton of other ways that OSX's default packaging/installer system can be exploited and it's just ripe for the picking. OSX is literally many many years behind most other popular *nix based OSes when it comes to this sort of security and doesn't use even the most rudimentary security for packages (signed packages, checking package hashes, etc), let alone anything more serious.

I thought OS X did support signed packages?

mguertin
Jun 1st, 2011, 12:27 PM
I thought OS X did support signed packages?

I'm not positive if they do or do not yet ... but they certainly don't require it if they do support it.

rgray
Jun 1st, 2011, 05:12 PM
Cross posted to New Variant of 'Mac Defender' Quickly Evades Apple's Security Update - ehMac.ca (https://www.ehmac.ca/showthread.php?p=1099891#post1099891)

This window just opened behind this Daily India page (http://www.dailyindia.com/show/442829.php). It is the latest in the Macprotector/Macdefender series. I post it so that others may recognise it. Obviously I didn't use it, having just done a series of client calls cleaning up after it. I have to say it is fairly slick. No wonder some fall for it.....

hayesk
Jun 2nd, 2011, 08:03 AM
I'm not positive if they do or do not yet ... but they certainly don't require it if they do support it.

I just checked. They don't require it, but they do support it.

Regardless, this is rarely the problem. A signed package is mainly used to determine if a package comes from who it says it comes from, or if it's been edited. A malware writer could send out AppleScripts instead of packages and convince users to run them. With trojans the responsibility ultimately ends up with the user.

The real security hole here is not lack of signed package or any other checklist of security features, but it's Safari's irresponsible "Open 'safe' files after downloading" preference that defaults to on. The preference should not even be there, or at least turned off by default.

mguertin
Jun 2nd, 2011, 12:49 PM
I just checked. They don't require it, but they do support it.

Regardless, this is rarely the problem. A signed package is mainly used to determine if a package comes from who it says it comes from, or if it's been edited. A malware writer could send out AppleScripts instead of packages and convince users to run them. With trojans the responsibility ultimately ends up with the user.

The real security hole here is not lack of signed package or any other checklist of security features, but it's Safari's irresponsible "Open 'safe' files after downloading" preference that defaults to on. The preference should not even be there, or at least turned off by default.

Yep agreed about the open safe files being the scariest option -- I was just commenting that unsigned packages are also a spot for huge potential issues ... it's insanely easy to inject something into established packages and if they are not signed no one would be the wiser (i.e. what happened with that pirated version of iLife). With all the companies that use mirrors for downloads these days anyone with access to a mirror machine could cause some serious havoc.