New Mac OS X Trojan distributed via BitTorrent file-sharing sites

A new Mac OS X Trojan has been discovered on BitTorrent sites. The threat, dubbed OSX.DevilRobber or OSX.Miner, has appeared within legitimate copies of GraphicConverter v7.4, Flux v3.2.5 and CorelPainter v12, which the virus writer has modified and posted on the file-sharing websites. The Trojan is installed on your computer when the parent application’s installer is run.

The threat appears to be quite sophisticated, adopting a multi-pronged approach to harvesting personal details from your computer, including stored information from encryption software and Safari, and sending these to a remote server. In addition, the Trojan uses your graphics processor (GPU) to perform the calculations required for bitcoin mining, hence the name. If it discovers a bitcoin wallet it will save that, too.


If your Mac becomes infected by this Trojan, the first thing you may notice is sluggishness as it performs the calculations required for bitcoin ‘mining’. Check for the presence of a folder in your home folder called ~/Library/mdsa1331/ and for a launch agent file in ~/Library/LaunchAgents/ that looks unfamiliar. The current version of the Trojan creates a startup file, com.apple.legion.plist, which at first glance appears to have come from Apple.

Interestingly, the Trojan script exits if it detects that Little Snitch, a network monitoring tool, is installed on your Mac. Presumably this is because Little Snitch would highlight the network traffic and raise awareness of the Trojan’s presence in the wild.
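As an added example (not code from the original post), the shell function below checks a home folder for the two DevilRobber indicators named above and, going slightly beyond the post, also flags any other launch agent in the user's LaunchAgents folder that borrows Apple's com.apple. prefix, since Apple installs its own agents under /System/Library/LaunchAgents rather than in a home folder. The home folder is passed as a parameter so the check can be run against a test tree.

```shell
#!/bin/sh
# Added example, not code from the original post: report the OSX.DevilRobber
# indicators described above. Prints one "indicator:" line per hit and always
# returns 0, so a caller can simply count the lines. $1 is the home folder.
devilrobber_indicators() {
  home="$1"
  agents="$home/Library/LaunchAgents"

  # 1. The working folder the current variant creates in the user's home.
  if [ -d "$home/Library/mdsa1331" ]; then
    echo "indicator: folder $home/Library/mdsa1331/ present"
  fi

  # 2. The startup item whose name mimics an Apple component.
  if [ -f "$agents/com.apple.legion.plist" ]; then
    echo "indicator: launch agent $agents/com.apple.legion.plist present"
  fi

  # 3. Generalisation (an assumption beyond the post): Apple does not place
  #    its own agents in ~/Library/LaunchAgents, so any other plist there
  #    using the com.apple. prefix deserves a manual look.
  for plist in "$agents"/com.apple.*.plist; do
    [ -e "$plist" ] || continue
    [ "$plist" = "$agents/com.apple.legion.plist" ] && continue
    echo "indicator: unexpected Apple-prefixed user launch agent $plist"
  done
  return 0
}

# Stand-alone use: inspect the current user's home folder.
devilrobber_indicators "${HOME:-.}"
```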


As always, we advise extreme caution when downloading software from file-sharing websites as you don’t always get what you expect. Unfortunately in this case you get a lot more than you bargained for!

ProtectMac AntiVirus detects this new Trojan as OSX.DevilRobber.

Security Update 2011-006 Released

Apple has published a security update for Mac OS X to complement the latest release of Lion 10.7.2. This update also improves the security of Macs running Mac OS X 10.6.8.

There are numerous security fixes included in this update to improve the stability and security of your computer, relating to core technologies, networking, file viewing and downloading and in particular QuickTime and the Application Firewall. Full details of the security update can be found on the Apple website:
http://support.apple.com/kb/HT5002

Update 26 Oct 2011: The QuickTime fixes are also available for Windows computers.

Mac OS X 10.7.2 update

Apple has released an update to Mac OS X 10.7, which also includes Safari 5.1.1. This update is recommended for all users running OS X Lion and includes general operating fixes that improve the stability and security of your computer. The release also includes support for Apple’s iCloud technology, which automatically stores your content and information on iCloud and syncs it to all your Apple devices.

The main products and technology affected by this update are:

  • Email, calendars, contacts, Safari bookmarks and reading list are all automatically saved to iCloud and the data pushed to all your Apple devices.
  • Back to My Mac provides remote access to your Mac from any other Mac.
  • Find My Mac helps locate your Mac computer and displays the location on a map, allowing remote locking or wiping of the computer’s content.

Further details of the new version of Mac OS X can be found on the Apple website.

Apple add protection for OSX.Revir and OSX.Flashback

Apple has updated their built-in File Quarantine component, XProtect, with detection for the trojans that were reported late last week and earlier this week. XProtect detects the latest threats as OSX.Revir.A and OSX.FlashBack.A and gives the user the option of opening them (we don’t recommend this), canceling the operation or moving the files to the Trash.


XProtect was introduced in Mac OS X 10.6 Snow Leopard.

Flash Player Trojan discovered

A backdoor Trojan that pretends to be an Adobe Flash Player plugin has been found on compromised websites. If the Trojan runs on your computer it can allow remote attackers to control your Mac and retrieve sensitive information.

Users who visit a compromised website will see a link to a Flash Player installer and, because of the downloaded file’s extension, Safari will categorize the file as ‘safe’ and automatically open the malicious software on your computer once it has been downloaded.

We recommend that users consider disabling the ‘Open “safe” files after downloading’ option in the Safari General preferences to prevent Safari automatically opening downloaded files such as this and other threats like OSX.MacDefender.

If users require Flash Player for Mac OS X then we also recommend that they download it directly from the Adobe website. Users should always be extremely careful when downloading any files from the internet and only download files from trusted sites.

ProtectMac AntiVirus detects the Flash Player Trojan as Trojan.Flashback.

New Trojan disguised as a PDF document

A Trojan posing as a PDF document has been discovered. When run, the threat displays a (Chinese-language) PDF document in an attempt to hide from the user that it is actually an application, while connecting to a remote server and downloading a backdoor Trojan that gives attackers remote access to your computer.

Whilst the idea of disguising a threat as a PDF document has been seen before on Windows computers, this is the first time that virus writers have adopted this approach on Mac OS X. At the moment the risk posed by this threat is low; the quality of the code suggests that it is a proof of concept that is not yet spreading in the wild.

ProtectMac AntiVirus detects the PDF-style application as OSX.Revir-1 and the backdoor Trojan as OSX.iMuler-1.

ProtectMac recommends that users are always extremely careful when downloading any files from the internet and only download from trusted sites. As we've seen with this threat and with Microsoft Word files, the fact that a file appears to be a document does not make it harmless.

Security Update 2011-005 Released

Apple has released a security update for Mac OS X 10.6.x and 10.7.x.

The update contains a fix to the Certificate Trust Policy to resolve a security vulnerability whereby an attacker might be able to intercept user credentials or other sensitive information.

Description: Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar's certificates, including those issued by other authorities, are not trusted.

The latest security update can be downloaded via Mac OS X Software Update. Note that after downloading you will be required to restart your computer for the update to take effect.

Further information on Security Update 2011-005 can be found on the Apple website http://support.apple.com/kb/HT1222

ProtectMac AntiVirus Version 1.2 Released

A new version of ProtectMac AntiVirus has been released that is fully compatible with OS X Lion.

Users with the option Check For Updates enabled (set by default) in the ProtectMac Updating preferences will have Version 1.2 downloaded and installed automatically the next time an update check is performed on their computer. Alternatively, they can download and install it immediately by selecting Check For Updates from the ProtectMac menu bar icon at the top right of their screen.

The Version 1.2 installer can be downloaded directly from here for users who need to install afresh on OS X Lion.

Note, ProtectMac AntiVirus Version 1.2 is capable of running on Mac OS X 10.4.7 through to 10.7, OS X Lion.

OS X Lion Now Available

Apple has released a major upgrade to their flagship operating system, Mac OS X. Unlike previous upgrades, OS X Lion (version 10.7) is only available from the Mac App Store, as a 3.49 GB download at a cost of $29.99. However, pay once and you can download and upgrade to Lion on all your personal Macs running Snow Leopard 10.6.

A full description of all the features and capabilities of the new operating system, including how to download and install OS X Lion, can be found on the Apple website http://www.apple.com/macosx/

Requirements:
  • Mac OS X 10.6.6 or later. It is recommended that you upgrade to the latest version of Snow Leopard, version 10.6.8, via Software Update before purchasing and installing OS X Lion.
  • Mac computer with an Intel Core 2 Duo, i3, i5, i7 or Xeon processor. To establish your Mac’s processor type click on the Apple icon at the top left of your computer screen and choose ‘About this Mac’ from the menu options.
  • 2GB of memory
  • 7GB of disk space

It is also recommended that users back up important files and data on their computer before upgrading to Mac OS X 10.6.8 and before purchasing and installing OS X Lion.

*ProtectMac AntiVirus Version 1.2 and later is fully compatible with OS X Lion

Mac OS X 10.6.8 published

The latest version of Mac OS X, 10.6.8, is now available via Software Update. This update is recommended for all users running Snow Leopard and includes general fixes to improve the stability, compatibility and the security of Mac OS X. The release includes fixes that specifically:

  • Resolves an issue that may cause Preview to unexpectedly quit.
  • Improves support for IPv6.
  • Improves VPN reliability.
  • Identifies and removes known variants of MacDefender malware.
  • Corrects timezone data in iCal for Lisbon-Portugal.
  • Adds the ability to use Kerberos authentication to a web proxy server.
  • Fixes an issue when saving documents from Xcode or TextEdit when using an NFS home directory.
  • Fixes an issue when importing certain media files into Final Cut Pro.

Full details of the update are described in the following Apple knowledge base article http://support.apple.com/kb/HT4561

Information on security updates within Mac OS X can be found here
http://support.apple.com/kb/HT1222

Note: Mac OS X updates and the security updates can also be downloaded directly from the Apple website
http://support.apple.com/downloads/

Apple recommends that you back up your system before upgrading to 10.6.8.

MacShield variant bypasses Mac OS X detection

After Apple released detection for MacDefender in Mac OS X, the virus writers posted a new variant of the fake software a few hours later that evades Apple's detection functionality.

Whilst visiting a compromised website users will see a fake virus scan occurring within their web browser, typical of all variants. The JavaScript then downloads an installer package, mdinstall.pkg, which automatically expands and runs an intermediate file (mdDownloader) that downloads a MacDefender variant called MacShield to the Applications folder.

ProtectMac AntiVirus customers are protected against these threats: OSX.MacDefender, Trojan-Downloader.OSX.Fav.A

***To prevent downloaded archives and files from being opened automatically, it is recommended that you disable the ‘Open “safe” files after downloading’ option in the Safari General preferences.


Apple add MacDefender detection to Mac OS X

Apple has released Security Update 2011-003 to detect and remove the MacDefender trojan within Mac OS X. Further information on the security update can be found within the Apple knowledgebase article http://support.apple.com/kb/HT4657

The Trojan, which has appeared across the internet in recent weeks, poses as antivirus software, downloading itself to users’ Macs and installing the fake product in their Applications folder. The fake software then alerts the user to non-existent malware it has detected on their computer and attempts to persuade them to license the software so as to be able to remove the threats.

Mac users can opt out of the malware definition updates by unchecking the new option “Automatically update safe downloads list” in the General tab of the Security preferences.

ProtectMac AntiVirus customers are protected against these threats: OSX.MacDefender, Trojan-Downloader.OSX.Fav.A

Mac Defender downloader discovered with new variant

A Mac Trojan downloader (Trojan-Downloader.OSX.Fav.A) designed to download and install a variant of MacDefender called MacGuard has been discovered.

The downloader arrives on your computer using the same mechanism that MacDefender and earlier versions of the trojans used. Namely, whilst browsing a compromised website users will see what appears to be a scan of their computer occurring within their web browser. The JavaScript on the website downloads a small zip file to the Applications folder containing the downloader application, avRunner.


The malicious application then runs, downloads a MacDefender variant called MacGuard and installs it into the Applications folder. An item is also added to the user's Login Items in System Preferences so that MacGuard runs automatically at startup.

Web traffic is hijacked, too, so that users are sent to pornographic and phishing websites to further encourage them to license the fake software to eliminate this additional problem.

ProtectMac AntiVirus customers are protected against these threats: OSX.MacDefender, Trojan-Downloader.OSX.Fav.A

How to manually remove MacDefender and any variants
Manual removal instructions

Mac users can prevent downloaded archives and files from being opened automatically by disabling the ‘Open “safe” files after downloading’ option in the Safari General preferences.


Apple to release Mac Defender malware check in Mac OS X

Following the discovery of several fake Mac antivirus products on the internet, Apple have decided to add their own detection to Mac OS X http://support.apple.com/kb/HT4650

“In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants.  The update will also help protect users by providing an explicit warning if they download this malware.” 

The latest security fix will be available for download via Apple’s Software Update mechanism.

Mac Security, Mac Protector and Mac Guard - Mac Defender fake AntiVirus variants

Variants of the fake Mac AntiVirus software that was discovered earlier this week have appeared on the internet. Calling themselves either Mac Security, Mac Protector, Mac Guard or Apple Web Security, the variants behave in the same way as Mac Defender by pretending to discover viruses on your computer and asking that you purchase the software in order to remove the threats.

One of the main differences between these variants and Mac Defender is that the resultant scanning window that is triggered by the JavaScript code running on the compromised website looks more like a Mac desktop. The script then automatically downloads a Mac Installer meta-package called MacSecurity.mpkg.


ProtectMac AntiVirus customers are protected against these threats: OSX.MacDefender, Trojan.OSX.MacDefender

***After removing the trojan with ProtectMac AntiVirus restart your computer.

Fake Mac Defender AntiVirus software

A new threat that pretends to be a legitimate Mac AntiVirus product called MACDefender has been discovered on compromised websites. Typically the threat is found whilst searching for popular topics and images on the internet. Compromised websites contain JavaScript code that runs and displays a Windows-style scan of your computer.


After closing the alert, a zip file named BestMacAntiVirus2011.mpkg.zip will be downloaded, which extracts a Mac Installer meta-package called MacDefender.mpkg. Unfortunately the only thing that this software is likely to remove is your credit card details!

As a general rule it is best not to respond to any prompts that you receive whilst browsing the internet. If you do require antivirus software, or anything for that matter, then it’s best to do the research yourself and choose a well known legitimate company.

ProtectMac AntiVirus customers are protected against this threat: OSX.MacDefender.A.

Note: There is a legitimate Mac antivirus product named MacDefender.

Security Update for Safari 5.0.5 and Mac OS X 2011-002

Apple has released a security update for Mac OS X and Safari. These updates contain a fix to the Certificate Trust Policy and WebKit technologies respectively.

The impact of the security vulnerabilities, as Apple describes it, is that ‘Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution’.

The update is available for Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.5 or later and Mac OS X Server v10.6.5 or later.

Further information on Security Update 2011-002 can be found on the Apple website http://support.apple.com/kb/HT1222

The latest security updates can be downloaded via the Mac OS X Software Update mechanism.

Mac OS X 10.6.7 Now Available

The latest version of Mac OS X, 10.6.7, is now available via Software Update. This update is recommended for all users running Snow Leopard and includes general fixes to improve the stability, compatibility and the security of Mac OS X. The release includes fixes specifically to:

• Improve the reliability of Back to My Mac
• Fix a file transfer problem to certain SMB servers
• Resolve several minor Mac App Store bugs

Full details of the update are described in the following Apple knowledge base article
http://support.apple.com/kb/HT4472

The Mac OS X release also includes a number of security enhancements to several application areas. Full details of the security update can be found here
http://support.apple.com/kb/HT1222

Note: the Mac OS X update and the security update can also be downloaded directly from the Apple website http://support.apple.com/downloads/

Apple recommends that you back up your system before upgrading to 10.6.7.

OSX.MusMinim RAT detected

MusMinim is a Mac version of a Remote Access Tool, which can open a backdoor on your computer.

In its current state the threat is quite basic and even warns you, in flawed English, if you become infected. Furthermore, if the threat is running it is displayed in the list of processes as "BlackHole" and can often appear on disk in a folder of the same name.


The trojan should pose little risk to Mac users at present, but we are continuing to monitor the situation closely as all indications are that the author is developing a more sophisticated variant.

As the threat is likely to appear as some kind of Trojan on the internet, our recommendation, as always, is to be vigilant when downloading any application from the internet and to only visit well-known, reputable sites.

ProtectMac AntiVirus Version 1.1.5 Released

A new version of ProtectMac AntiVirus has been published, containing the following enhancements:

  • Scanning of NTFS-formatted disks has been made more reliable.
  • Improved performance of the file-access scanner.
  • Minor changes have been made to the application GUI.

Version 1.1.5 will be downloaded automatically by the background update scheduler. The new version can also be downloaded manually via the ‘Check For Updates’ option in the menu bar icon. Users can view the new version details in the ProtectMac AntiVirus application’s About box.