
1 - 18 of 18 Posts

Premium Member, 2,539 Posts, Discussion Starter #1
Okay, I know this may seem like another hysteria thread. I was worried I came across something that *could* have been a trojan. This is not a Troll, I'm not just stirring up trouble, I just want to know what to do in this situation.

I ended up on a strange looking website hunting for an image and suddenly I got a prompt asking me for permission to download Safari.app Deny or Allow? Out of surprise I quickly hit deny. But then I started wondering where that request came from.

Now that I've tried surfing back to the site I'm not getting the same request anymore. I wanted to DL it and run it through ClamXav to see what it was.

So what do I do? So maybe it wasn't a virus/trojan (perhaps at best a clumsy Oompa-Loompa wannabe?) but I want to investigate further. Would there be a log somewhere that would have recorded the request that I could figure out where the download was coming from?
 

Registered, 701 Posts
I get the feeling some anti-virus company is implanting those "ads" in their ad network to scare Mac OS X users into thinking Mac viruses are on their way. Probably yet another one of those harmless popups.

Patrix
 

Premium Member, 8,815 Posts
"Deny or allow", eh? Doesn't Vista ask to confirm things with that lingo? My guess is that it possibly could be a veil for some form of Windows malware, worded in a way to dupe Windows users. One thing for sure is that Apple wouldn't be distributing Safari in such a manner.

What is the URL?
 

Premium Member, 10,314 Posts
Well, they do make Safari for Windows now, so it's probably a pop-up from the DOS/PC world. I wouldn't worry too much about it.
 

Premium Member, 2,539 Posts, Discussion Starter #5
100% sure it wasn't a popup. It was a system prompt. Similar to the kind you get when you download an application off the web and try to open it.

Vista is "cancel or allow".

I don't know... I've tried to replicate the situation a number of times but I haven't gotten the same prompt since. I also can't seem to find an image of a similar prompt.

I don't know... Too weird. Show's over, nothing to see here. :(
 

Premium Member, 6,427 Posts
100% sure it wasn't a popup. It was a system prompt. Similar to the kind you get when you download an application off the web and try to open it... I don't know... I've tried to replicate the situation a number of times but I haven't gotten the same prompt since. I also can't seem to find an image of a similar prompt.
I don't know... Too weird. Show's over nothing to see here.
I think it was probably some kind of pop-up that looks like the real thing. There have been reports of such things; and I have had three different ".app" files download to my machine in the past month. It is most certainly some kind of trojan, which even if it does download, cannot do any real damage unless you make the "crucial step" to install it. Then, it will probably reveal itself to be some kind of malware, perhaps reporting important information back to some crime syndicate in Central Asia or Russia, or wherever.

Windoze does not use ".app" files - it uses either .COM or .EXE files, and .DLL files can also be malware hidden as an "important device driver update".

All Apple software will go through the Software Update program. With the things that have been happening, and the fact that OSX is becoming a target of malware (perhaps more so because of the very real difficulty of creating a virus that is effective and spreadable)... Windoze users are prone to using continuous virus scanning, and perhaps even multiple scanners just to try to keep their systems as secure as possible - something that Mac users have not had to worry about at all. I wouldn't install any Apple update unless it went through the legitimate Software Update program, or unless I downloaded the update direct from Apple.com.

Malware like trojans will probably not be picked up by ClamXav; at least until it has become common enough to add to the database. ClamAV in general misses many potential malware attacks - its main benefit is that it is free and catches Word Macro malware that Macs are adept at transmitting. So unless I had a specific machine that I could sandbox (and that I had nothing of importance on), I wouldn't attempt to actually run any .app malware - and I certainly wouldn't do such things on a machine connected to the Internet (or a network of any sort).

Mac users will have to adjust to such things - they will become more common. It just comes down to common sense, and using the tools that are available to OSX, to keep the machines safe and secure.
 

Premium Member, 6,427 Posts
I ended up on a strange looking website hunting for an image and suddenly I got a prompt asking me for permission to download Safari.app Deny or Allow? Out of surprise I quickly hit deny. But then I started wondering where that request came from.
After a moment of thought - it is probably a bad idea to hit "Deny" because if it is some kind of malware, who would think that the writer would actually mean Deny? If I was writing it, I'd make damn sure that once the user hit "Deny", the malware would be installed in the same manner as if the user hit "Install". I would make sure to just delete the window altogether - and make sure that the page had not dropped a .app file into the Downloads folder. And if it is there, I definitely would not grant it the eXecute flag, even out of curiosity, unless I had a specially set aside machine that could be trashed with no problems...
 

Premium Member, 2,539 Posts, Discussion Starter #8
After a moment of thought - it is probably a bad idea to hit "Deny" because if it is some kind of malware, who would think that the writer would actually mean Deny? If I was writing it, I'd make damn sure that once the user hit "Deny", the malware would be installed in the same manner as if the user hit "Install". I would make sure to just delete the window altogether - and make sure that the page had not dropped a .app file into the Downloads folder. And if it is there, I definitely would not grant it the eXecute flag, even out of curiosity, unless I had a specially set aside machine that could be trashed with no problems...
I always wondered about that. Once I started designing the interface to programs I realized the cancel button has to be programmed in and its function is arbitrary. But how do you close a system dialog without pushing one of the buttons?
 

Premium Member, 17,726 Posts
I might be tempted to use Terminal and check the download folder for any uninvited invisible files. Again do not grant any unbidden requests for your password!!!
 

Registered, 6 Posts
Safari.app

I got a weird request to change the font on a copy of Safari that resides on my backup hard drive this morning. I was on this website and the request popped up with the same allow or deny!!??
 

Premium Member, 4,695 Posts
Whenever something like that pops up on me, whether on Windows or Mac, I just turn off the machine if I can access it through the computer, or else I just physically turn the computer off. I don't even touch the pop-up window.

I have had a couple weird experiences like this on my macs. I am starting to get worried.
 

Registered, 161 Posts
Do you have the firewall turned ON? I get some allow or deny questions every once in a while when programs get updated.
 

Registered, 516 Posts
Hmmmm.....

I had some pictures on a USB drive. The pictures were loaded from a Windows PC. After transferring the pictures to iPhoto (all .jpg), I deleted the files from the USB drive. When I went to empty the trash, my Mac asked for a password. Strange. I did enter it, and the trash was emptied, but the files on the USB drive were just hidden (with a period in front of the original name).

And when I looked for the pictures on the Mac, they were gone. Very strange.

I will have to see if it happens again.
 

Registered, 853 Posts
One of the reasons that you may not have seen the site behave the same way twice is it put a cookie on your machine. With this cookie the site would have known not to run the prompt again.

Clear your browser cache, cookies, downloads etc. and try the site again. (To do this click on Safari|Reset Safari.)

If you encounter this strange behaviour again, close your browser, restart and surf somewhere else. If the impact seems to be really bad clear your browser and clear your downloads folder. If you are really wanting to see the site, go to preferences turn off plug-ins, Java, JavaScript, cookies etc. The site won't be able to do much harm then.
 

Premium Member, 2,539 Posts, Discussion Starter #15
I did check through Terminal, all files are accounted for, nothing suspicious (I run my DLs through ClamXav once in a while too). Deleted Safari cookies, tried going back to the site, but nothing happens.

I'm starting to realize now that perhaps it wasn't the site I thought it was. I remember seeing a bright red page with the term "electronic warfare" which is when the popup came up (so that's what might have spooked me), but the more I think about it it probably came from the page I navigated to before that one. Hmmm... Time to hunt through the logs.

I'm starting to think these things could be the beginnings of malware, but honestly it is a testament to Macs (Unix) that you have to go out of your way to allow this stuff to damage your computer.

Doubt I'll come to any conclusion over this one...

Mac 1, virus 0. :D
 

Premium Member, 6,427 Posts
I always wondered about that. Once I started designing the interface to programs I realized the cancel button has to be programmed in and its function is arbitrary. But how do you close a system dialog without pushing one of the buttons?
I don't think it was a "real" system dialog - just a look alike. I would probably just bomb out of whatever browser with Cmd-Q, or if that doesn't work, just do a Force Quit.

If it is malware, you would have to expect that the buttons do not do what you would expect. As anything being installed under OSX needs to have the user agree to something, it would be pretty easy to sucker a user into hitting a key. It may not "install" or be able to install, but it could download automagically. This is the way that some of the recent Codec Malware attacks have been perpetrated. Pretty easy to build a web site that "requests" a special Codec - and with the number of new Mac users who are more used to the fact that Windoze does not support many file formats on its own - it is pretty easy to get them to "install" such things.

It wouldn't take much to mutate such malware - since methods of building Rootkits are well known (and can be made to work on Macs if you can get a user to agree to something), and who knows what other malware could be constructed, once a user "agreed" to something.

So I would just say it is a judgement of common sense, and controlling the urges to watch some kind of weird video in a non-standard format, or for that matter, any kind of oddball screen savers or music files or whatever that "needs" something odd. If you can't handle it with the built-in libraries that OSX has - or with commonly used utilities like Perian - or with common formats like FLAC or OGG that are not native to Mac but have very real drivers - then just don't do it.

If something does need an odd format (which I ran into when I needed to read a special CHM file) - then it takes five seconds to check it out on something like the Wikipedia. I found out that CHM is some oddball "Compiled HTML" format that is peculiar to special versions of Windoze - and that there is a completely "safe" reader for the Mac called Chmox. But I was sure to check it out first, because you just never know what these things are. Good thing to learn about because CHM files can easily be hacked into some rather bad nastiness.
 

Registered, 853 Posts
If something does need an odd format (which I ran into when I needed to read a special CHM file) - then it takes five seconds to check it out on something like the Wikipedia.
Great advice!

But also make sure that the suspect site isn't spoofing you into downloading X when it really is downloading Y. I don't know if this can be done, or if it happens, but after reading this thread I'm now concerned about it.

Any opinions on this?
 

Premium Member, 6,427 Posts
But also make sure that the suspect site isn't spoofing you into downloading X when it really is downloading Y. I don't know if this can be done, or if it happens, but after reading this thread I'm now concerned about it.
OSX is fairly safe in this regard, since anything you download (whether or not you want it) is dumped into your Downloads folder where it cannot do anything on its own. You would have to do something to get it to activate, changing the flags to give it eXecute privilege, or installing it by either dragging the file to Applications or by allowing it, as a package, to install and granting it the right to do so by "agreeing".

So if it looks unusual, especially if some links brought about pop-ups, pop-overs, pop-unders, with strange countries or strange addresses - you are entirely safe in dragging it to the Trash and scrapping it. No need for paranoia - these things can only be run under OSX by granting "the crucial step" of agreeing (or perhaps by having a web browser overflow the buffer and forcing the program to run, so it is a good idea to keep up on the Apple Security Updates because this is another vector to think about.)

Really, common sense should allow you to maintain a very safe system without much effort. If a web site wants you to download some crazy Codec or Driver, you should weigh up whether you actually want to download something that is oddball just to look at something that is in an oddball format. All common Codecs are covered by the combination of OSX and Perian (or perhaps VisualHub, Handbrake, etc.) and you should not need anything oddball...
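Two of the replies above suggest the same thing in prose: check the Downloads folder from Terminal for hidden or unexpected files, and remember that a download can do nothing until someone gives it the execute bit or installs it. The script below is an added example written for this page, not code from any poster in the thread. It lists dotfiles (Finder hides them), .app bundles, and regular files that already carry the execute bit, and on macOS 10.5 or later it also prints the com.apple.quarantine attribute that Safari and other downloaders attach, which records which application fetched the file and when, so it answers the "where did this come from?" question without running anything. Assumptions: POSIX sh with find, sed and grep; the folder defaults to $HOME/Downloads; the xattr step only runs where the xattr tool exists, and the field order given for the attribute is from observed values on macOS.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a downloads folder from Terminal:
# reports dotfiles, .app bundles and regular files with the execute bit, and
# on macOS prints the quarantine attribute that names the downloading app.
# Assumptions: POSIX sh plus find/sed/grep; folder defaults to $HOME/Downloads;
# xattr exists only on macOS, so that step is skipped elsewhere.

# Print one line per item worth a look, as "<kind>: <path>".
list_suspicious() {
    dir="${1:-$HOME/Downloads}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }

    # 1. Hidden entries at the top level. Finder's own metadata files are
    #    expected and skipped; anything else starting with "." is worth a look.
    find "$dir" -mindepth 1 -maxdepth 1 -name '.*' \
        ! -name .DS_Store ! -name .localized -print | sed 's/^/hidden: /'

    # 2. Application bundles: a directory whose name ends in .app.
    find "$dir" -maxdepth 2 -type d -name '*.app' -print | sed 's/^/app: /'

    # 3. Regular files with the owner execute bit (octal 100). A fresh download
    #    should never have it; if it does, something ran chmod +x already.
    #    Bundle internals sit deeper than two levels and are not repeated here.
    find "$dir" -maxdepth 2 -type f -perm -100 -print | sed 's/^/exec: /'

    # 4. Origin, macOS only: com.apple.quarantine is set on downloads and its
    #    fields are flags;time;agent;id, where agent is the downloading app.
    if command -v xattr >/dev/null 2>&1; then
        find "$dir" -mindepth 1 -maxdepth 1 -print | while IFS= read -r f; do
            q=$(xattr -p com.apple.quarantine "$f" 2>/dev/null) || continue
            echo "quarantine: $f => $q"
        done
    fi
    return 0
}

# Number of hidden/app/exec findings; 0 means the folder looks clean.
count_suspicious() {
    n=$(list_suspicious "$1" | grep -c -E '^(hidden|app|exec): ') || true
    echo "$n"
}

# Usage after sourcing this file:  list_suspicious ~/Downloads
```

Everything the script prints is a lead to look at, not a verdict: a .app bundle in Downloads that you did not ask for is exactly the case the thread describes, and the quarantine line tells you which browser or mail client wrote it there, which is the closest thing to the "log" the opening post asked for.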
 