Mac Attacs

[duncan]

Apple 'refusing support' for Mac malware clean-up

By Stewart Mitchell on May 20, 2011

Filed under Applications

Macs have been targeted by a major malware attack,

with experts saying the Apple platform's popularity means it's reached a security tipping point.

Despite the new threat, a leaked document suggests Apple is apparently refusing to offer support to affected users.

 

A widespread fake security antivirus called Mac Defender uses a scare-and install tactic that has been seen countless times in the world of Windows, but with Apple gaining ground as a mainstream platform the practice has spread to Macs.

 

A pop-up notifies the user that Defender has identified malware on the computer, and that they should download the security software to remove the code, Graham Cluley, senior technology consultant at security firm Sohpos, told PC Pro.

 

According to Cluley, downloading simply installs the malware, which then demands credit card details for a version that can remove the malware.

 

Apple's forums have a significant number of threads advising how to resolve the problem, but the company itself has come under fire for the lack of support given to customers, with reports claiming Apple has washed its hands of the problem, and refused to even admit that Mac Defender is malware.

 

A leaked support document apparently from Apple seemingly directs AppleCare workers not to "confirm or deny" whether a user's Mac is infect, and not to attempt to remove or uninstall any infections.

 

The document, leaked to ZDNet, tells support workers to stress that Apple doesn't provide "help or support for removal of the malware."

 

“It appears that Apple's official response is: 'we're not going to help you clean up',” said Cluley.

 

“It's saying [users] should go and get an antivirus program because it doesn't want to take on the burden – and in the last couple of weeks, from what we've read, it has seen a significant increase in malware.”

 

Apple has yet to respond to a request for comment.

 

Tipping point

 

Apple's OS has long been seen as a safer choice than Windows, mostly because it has fewer users and therefore presents less of a target.

 

According to Gartner figures, Apple has seen a surge in popularity, and now accounts for some 10% of sales in the key US market, making it a more attractive option for online criminals.

 

“Effectively it's reached a tipping point where people are not uncommonly getting hit on their Macs," said Cluley. "On the support forums you'll see plenty of people who say they were just Googling around when a message popped up and convinced them they had a security problem.”

 

“In terms of malware, it's the biggest event to date, there were earlier viruses and malware, but this is big,” he said of the Mac Defender threat.

 

[ritchie58]

There was a time when a Mac user could say: Viruses? I don't worry about that. I've got a Mac machine! It would appear those days are gone then. So scareware is targeting Mac owners now. Like I posted before, if a vulnerability exists in an operating system, or software programs it's only a matter of time before some bad guy finds and exploits that vulnerability. Unfortunately it's usually the case that this type of rogue scarewre is notorious for being very difficult to remove once the system is infected.

[sweidre]

Hi,

When the number of users increases, of course, those users will soon be targeted by different kind of malwares developed, as well as others! It can be an increase in use of an OS ( Mac, Linux etc.) of a 64-bit system etc. There is no safe "heaven" anywhere! Regarding MS Windows, it is said that Combofix can remove rouges & rootkits (see another thread of mine in this forum regarding Combofix!). The question now is: Can Combofix also fix rouges in Mac? (and later on in Linux?)

Finally, it is unresponsible by Mac Co. not to admit the problem and try to find a solution for all its costumers, instead Mac Co. is sweeping the problem under the carpet!

Cheers,

sweidre

[ritchie58]

For Mac I believe that is not the way to go. To just rely on users knowledge of anti-virus countermeasures. Microsoft doesn't do that in general. If a patch can be created to protect the majority of users then Microsoft will spend the time and resources to develop and implement that security patch. Plus Microsoft will implement, from time to time, a Malware Removal Tool during the normal update process. Something Mac should take a lesson from I guess. Those are my thoughts anyway. ritchie58, over and out....

[ritchie58]

There is a new rogue AV targeting Mac users that doesn't require a password to infect the system. Here is some info on that:

A new version of rogue antivirus malware that targets the Macintosh operating system does not need victims to type in their administrator passwords to install and infect the machine, a security company said today.

 

The latest version of the malware has been overhauled to look like a native Mac OS X application and is using the application name MacGuard, according to an Intego blog post. But particularly concerning is the fact that unlike previous versions, which were dubbed Mac Defender, MacProtector, and MacSecurity, MacGuard installs itself without prompting for the admin password.

 

"If Safari's 'Open safe files after downloading' option is checked, the package will open Apple's Installer, and the user will see a standard installation screen," the antimalware company's post says. "If not, users may see the downloaded ZIP archive and double-click it out of curiosity, not remembering what they downloaded, then double-click the installation package. In either case, the Mac OS X Installer will launch."

 

"Since any user with an administrator's account--the default if there is just one user on a Mac--can install software in the Applications folder, a password is not needed," Intego says. "This package installs an application--the downloader--named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user's Mac, so no traces of the original Installer are left behind."

 

The MacGuard program is downloaded by the avRunner application from an IP address that is hidden using steganography in an image file in the Resources folder of avRunner, the post says.

 

Web pages that look like a Finder window and appear to be scanning the computer are bogus, Intego said. Users should leave the page, quit the browser, and quit the Installer application immediately if anything has downloaded, as well as delete any associated file from the Downloads folder. Also, users should uncheck the "Open safe files after downloading" option in Safari's General Preferences, Intego advises.

 

In an Apple support article yesterday, the company said "in the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware."

 

The malware keeps changing names and appearances. It is designed to trick people into paying for supposed antimalware software that they don't need.

 

More information about how it operates is in this FAQ, and information about how to remove it is here and a comprehensive article about how to secure your computer against MacGuard is here.

 

Originally posted at InSecurity Complex by Elinor Mills

Read more: http://news.cnet.com/8301-27080_3-20066174-245.html#ixzz1NUkGF0SB

 

[sweidre]

There is a new rogue AV targeting Mac users that doesn't require a password to infect the system.The latest version of the malware has been overhauled to look like a native Mac OS X application and is using the application name MacGuard. In an Apple support article yesterday, the company said "in the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware."

Hi Ritchie,

Thanks for your info, even if I'm not a Mac user! Good, that Apple will soon issue an OS update, that finds & removes Mac Defender! I hope, that Apple will also develop another OS update, that will remove MacGuard! I hope, that Microsoft & Apple in the future will both develop a "Zero Day Threats - Warning" routine, that will popup a warning, when you open your browser, telling you about the latest known threats and how to avoid them! When methods to find & remove the malwares have been developed a "Zero Day Threats - Removal" should popup in a similar way. This means, that both MS & Apple should more frequently issue OS patches. (Worst case: Daily!) By the way both "Zero Day Threats - Warning" & "Zero Day Threats - Removal" can be stored in a Cloud, always up-to-date!

Cheers,

sweidre

[sweidre]

Hi, here is an article by ZDNET.com about Removal of MacDefender:

"Apple fesses up to MacDefender malware; ships removal tool"

http://www.zdnet.com/blog/security/apple-fesses-up-to-macdefender-malware-ships-removal-tool/8699?tag=nl.e019

Cheers,

sweidre

[sweidre]

Hi, here is an article by ZDNET.com about Microsoft Malware Cleaner:

"Microsoft ships free malware cleaner that boots from CD or USB"

http://www.zdnet.com/blog/security/microsoft-ships-free-malware-cleaner-that-boots-from-cd-or-usb/8712?tag=nl.e019

In my mind, Apple should go the same way as Microsoft!?

Let's see, if a cleaner on a CD or USB will do?! I think, to cope with new zero day threats an up-to-date "cloud should be used! Anyhow, we'll wait and see!

Cheers,

sweidre