MacDefender
kscherer
Which way is up?
Join Date: Aug 2004
Location: Boyzeee
2011-05-19, 12:57

Just wanted to query the forum to get input on this bit of silliness called MacDefender.

Does anyone have experiences they would like to share?

If you got it, what were you searching for, etc?

We have dealt with several cases in the shop, and I have personally tackled one that was installed on a friend's computer (his daughter had his password—go figure). It is very easy to eliminate, by the way.

Stupid thing was pulling up some "interesting" images and advertising. Yeah for the children!

Anyway, your input would be helpful as we try to sort it out and make recommendations to our customers.

Edit: By the way, open Safari; open "Preferences" from the "Safari" menu; open the "General" tab; at the bottom of the list, make sure "Open 'safe' files after downloading" is unchecked. Problem pretty well goes away on its own.

Also:

Here are the steps to remove the malware:

1. Open Activity Monitor and quit any processes linked to MACDefender.
2. Delete MACDefender from the Applications folder.
3. Remove any "MACDefender" items from the Downloads folder.
4. Check System Preferences > Accounts > Login Items for suspicious entries and remove them.
5. Run a Spotlight search for "MACDefender" to check for any associated files that might still be lingering.
6. Uncheck the "Open 'safe' files after downloading" option in Safari Preferences.

- AppleNova is the best Mac-users forum on the internet. We are smart, educated, capable, and helpful. We are also loaded with smart-alecks! :)
- Blessed are the peacemakers, for they shall be called sons of God. (Mat 5:9)

Last edited by kscherer : 2011-05-19 at 13:20.
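A check-only audit script covering the removal steps and the Safari checkbox above, added here as an example; it is not from the thread. It assumes the malware shows up on disk and in the process list as "MACDefender" or "MAC Defender", reads the checkbox through Safari's AutoOpenSafeDownloads preference key, and assumes the 10.6-era login-items plist path.

```shell
#!/bin/sh
# Added example, not from the thread: a check-only audit for the MACDefender
# artifacts in the removal steps (processes, Applications, Downloads, login
# items, the Safari "Open 'safe' files" checkbox). It reports, never deletes.
# Assumption: the malware appears as "MACDefender" or "MAC Defender".

PATTERN='MAC ?Defender'

# Exit 0 if NAME looks like a MACDefender artifact (case-insensitive).
is_macdefender() {
  printf '%s\n' "$1" | grep -Eiq "$PATTERN"
}

# Steps 2, 3 and 5: list matching entries under each existing directory.
scan_dirs() {
  for d in "$@"; do
    [ -d "$d" ] && find "$d" -iname '*MAC*Defender*' 2>/dev/null
  done
  return 0
}

# Step 1: filter process-list text (e.g. `ps -axo pid=,comm=`) to matches.
scan_procs() {
  printf '%s\n' "$1" | grep -Ei "$PATTERN" || true
}

# Step 6: Safari keeps the checkbox in AutoOpenSafeDownloads (1 = checked,
# the default). Exit 0 when VALUE means the option is off.
autoopen_is_off() {
  [ "$1" = "0" ]
}

# Read the live setting; `defaults` only exists on macOS, so skip elsewhere.
check_safari() {
  command -v defaults >/dev/null 2>&1 || return 0
  v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo 1)
  if autoopen_is_off "$v"; then echo "Safari auto-open: off"
  else echo "Safari auto-open: ON - uncheck it in Safari > Preferences > General"; fi
}

audit_host() {
  echo "== processes";   scan_procs "$(ps -axo pid=,comm= 2>/dev/null)"
  echo "== files";       scan_dirs /Applications "$HOME/Applications" "$HOME/Downloads"
  # Step 4: login items live in this plist on 10.6-era OS X (assumed path).
  echo "== login items"; grep -aEi "$PATTERN" \
    "$HOME/Library/Preferences/com.apple.loginitems.plist" 2>/dev/null || true
  echo "== safari";      check_safari
}
# Only run the host audit when asked, so the functions can be sourced/tested.
if [ "${1:-}" = "--run" ]; then audit_host; fi
```

Run it as `sh audit.sh --run` on the affected Mac; anything it lists still needs the manual removal steps above.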

alcimedes
I shot the sherrif.
Join Date: May 2004
2011-05-19, 14:03

Woah, malware. I feel like I'm experiencing the future. (or the OS9 past)

PB PM
Sneaky Punk
Join Date: Oct 2005
Location: Vancouver, BC
2011-05-19, 14:20

Still so much easier to deal with than malware for Windows.

kscherer
Which way is up?
Join Date: Aug 2004
Location: Boyzeee
2011-05-19, 14:30

Here's the funny thing. We tell our customers not to install anti-virus software, as it will cause more trouble than it solves. So what happens the first time "anti-virus" software comes along?

Yep. They install it. And guess what?

Granted, people get click-happy, and this thing is pretty convincing.


PB PM
Sneaky Punk
Join Date: Oct 2005
Location: Vancouver, BC
2011-05-19, 14:54

Yup, considering that Apple had malware protection built into OSX, it is kind of silly. Sure Apple doesn't update it very often, but at least it is there.

The only reason to have AV on a Mac is to protect Windows users on your network.

kscherer
Which way is up?
Join Date: Aug 2004
Location: Boyzeee
2011-05-19, 15:00

I bet it gets updated as soon as Apple has a definition ready. I bet they also update Safari to both turn off automatic opening of "safe" files, and eliminate the option altogether!


kscherer
Which way is up?
Join Date: Aug 2004
Location: Boyzeee
2011-05-25, 13:42

The plot thickens.

chucker
Join Date: May 2004
Location: near Bremen, Germany
2011-05-25, 13:45

It's just scareware, right? It doesn't really damage anything.

PB PM
Sneaky Punk
Join Date: Oct 2005
Location: Vancouver, BC
2011-05-25, 13:47

Ugg, just another reason not to run your machine via an admin account. It's such a pain not to though, IMO. The question is, do you need to be in Safari with auto download safe files for this new version to work or are other browsers vulnerable too?

kscherer
Which way is up?
Join Date: Aug 2004
Location: Boyzeee
2011-05-25, 13:50

Other than your children's brains!

But, yeah, it's harmless. More of a proof of concept than anything else. 15 minutes of fame. We all knew it was coming.

Trouble is, IIRC, MAC Defender made their source code available to all takers. So Apple needs to get on this issue ASAP!


psmith2.0
Mr. Vieira
Join Date: May 2004
Location: Tennessee
2011-05-25, 13:54

You guys need to tune in to The Talk Show, live, where Gruber and Benjamin are talking about this very thing today. Still going on, as of 2:55pm ET...

PB PM
Sneaky Punk
Join Date: Oct 2005
Location: Vancouver, BC
2011-05-25, 13:54

Kscherer, I believe you are thinking of something different. There is a group on the internet that is purposely looking for loopholes in all software from different brands. They send information to Apple, MS etc to help them, but yes they do publicly (within their restricted forum) release the details.

bassplayinMacFiend
Banging the Bottom End
Join Date: Jun 2004
2011-05-25, 14:16

Quote:
Originally Posted by kscherer
I bet it gets updated as soon as Apple has a definition ready. I bet they also update Safari to both turn off automatic opening of "safe" files, and eliminate the option altogether!
I thought Apple would do this long ago. Every time I update OS X I verify this option is turned off.

kscherer
Which way is up?
Join Date: Aug 2004
Location: Boyzeee
2011-05-25, 15:33

Quote:
Originally Posted by PB PM
Kscherer, I believe you are thinking of something different. There is a group on the internet that is purposely looking for loopholes in all software from different brands. They send information to Apple, MS etc to help them, but yes they do publicly (within their restricted forum) release the details.
I honestly don't recall the link, story or whatever. I am pretty sure it was at MacRumors, but I am not able to verify that. I simply remember reading that MAC Defender had shared their source code (likely the JavaScript source that enacts the download) with anyone who wanted it, not just Apple or etc. It wasn't a security expo, or anything like that.

But I know what you are getting at.

Quote:
Originally Posted by bassplayinMacFiend
I thought Apple would do this long ago. Every time I update OS X I verify this option is turned off.
I simply cannot fathom why Apple has not already shipped out a Safari patch that nukes that switch. That would have been my first move. In fact, I never realized it was on by default. Any kind of security switch like that should be off by default.


chucker
Join Date: May 2004
Location: near Bremen, Germany
2011-05-25, 15:40

Turning it off by default would be an admission that the feature is flawed, so they might as well remove it altogether in that case.

Maciej
M AH - ch ain saw
Join Date: May 2004
2011-05-25, 16:15

Newest MacDefender doesn't even require Admin password to install, since it only installs for individual users. But you would still need to open the downloaded software right? Or basically is it that if you navigate to one of these compromised sites you're f'ed?

User formally known as Sh0eWax

kscherer
Which way is up?
Join Date: Aug 2004
Location: Boyzeee
2011-05-25, 17:27

Quote:
Originally Posted by chucker
Turning it off by default would be an admission that the feature is flawed, so they might as well remove it altogether in that case.
I agree. Apple could do it so quietly as to not even draw any undue attention. Why they haven't just absolutely escapes me. Is it arrogance?

Quote:
Originally Posted by Maciej
Newest MacDefender doesn't even require Admin password to install, since it only installs for individual users. But you would still need to open the downloaded software right? Or basically is it that if you navigate to one of these compromised sites you're f'ed?
If "Open 'safe' files after download" is checked, you could be in trouble. But I still don't think the file can be "installed" unless you say so. It would open from a disk image. Firefox is a good example of what you could expect.

And I might be wrong, too. Perhaps there are some techie-types that could answer?


Banana
is the next Chiquita
Join Date: Feb 2005
2011-05-25, 17:50

Quote:
Originally Posted by kscherer
I agree. Apple could do it so quietly as to not even draw any undo attention. Why they haven't just absolutely escapes me. Is it arrogance?
Well, I'm no Apple but a plausible explanation is that it's simply the least worst alternative to leave this feature as it is now. IOW, they may have considered that turning it off may mean more people complaining "Hey, I downloaded this update and it broke my Safari!!!"

Not saying that I'd agree with this action but I can see them choosing not to for this reason.

chucker
Join Date: May 2004
Location: near Bremen, Germany
2011-05-25, 19:39

Quote:
Originally Posted by kscherer
If "Open 'safe' files after download" is checked, you could be in trouble. But I still don't think the file can be "installed" unless you say so. It would open from a disk image. Firefox is a good example of what you could expect.

And I might be wrong, too. Perhaps there are some techie-types that could answer?
There's no need to install anything, though. The app is pretty much a bunch of screenshots that "inform" you that your computer is full of malware that needs to be cleaned, that the free version can only do checks, not repairs, and that you should buy the pro version in order to do so. It doesn't need special permissions or anything.

Kraetos
Lovable Bastard
Join Date: Dec 2005
Location: Boston-ish
2011-05-25, 19:53

Just because it doesn't require an admin password doesn't mean it will install itself. The user still has to run through the steps of the installer, although it will launch itself automatically if "Open safe files..." is on.

Ugh. Did anyone who pays even the slightest attention to Mac security not see "Open safe files..." for the first time and think "well that's just malware waiting to happen." Because I know I did. What a stupid, stupid feature. This would basically be a non-issue if not for that damn checkbox.

Logic, logic, logic. Logic is the beginning of wisdom, Valeris, not the end.

bassplayinMacFiend
Banging the Bottom End
Join Date: Jun 2004
2011-05-26, 09:51

The "Open Safe Files" option has been exploited before so I don't understand why it still exists.

Here's a Gruber article from '06 (Over Five years ago!) about an Open Safe Files exploit: --> http://daringfireball.net/linked/200...-shell-scripts

kscherer
Which way is up?
Join Date: Aug 2004
Location: Boyzeee
2011-05-26, 09:57

In other words, "Turn the damn thing off!"