MacDefender trojan/malware is currently spreading on Mac systems – let’s kill it!

MacDefender is the rogue anti-malware trojan currently spreading on Mac systems. It is known by a variety of names, including "Mac Defender", "MacProtector", "Mac Security", "Apple Security" and "Apple Security Center". It is a great example of how social engineering can be used to trick people into harming themselves: a web page throws up a fake "your Mac is infected" scan, the browser opens the downloaded installer, and the victim does the rest. Below are clear and easy procedures for removing it. Read the quick summary, or follow the links at the end for walk-throughs with loads of screen shots.

I have written recently about this here, but it appears more people are being ‘snagged’.

Apple support is being absolutely NO help either! In fact, they are telling their own staff, "Do not attempt to remove malware..." Read about that BS here if you wish. So I thought I'd again provide some tips.

Here is the simple summary of what to do:

  1. In Safari, under "Preferences", at the bottom of the "General" tab (the first tab), uncheck "Open safe files". This stops Safari from launching threats like MacDefender automatically after downloading them.
  2. Open "Activity Monitor" (it is in the Utilities folder within Applications).
  3. Find "MacDefender" (or whatever name the malware is using: MacProtector, Mac Security, etc.).
  4. Highlight it, then click "Quit Process", the big red stop-sign button in the Activity Monitor toolbar.
  5. Next, open System Preferences and go to "Accounts". Click the "Login Items" button, select the program, and click the "minus" button to remove it from Login Items.
  6. Finally, navigate to your Applications folder, find the program, drag it to the Trash, and empty the Trash. Then re-check Activity Monitor to be sure nothing with one of those names has come back. Yes, it's really that simple to remove.
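The six steps above, scripted, as an added example (this is not code from the original post or from anyone else; it is mine). It assumes Safari stores the "Open safe files" checkbox under the preference key AutoOpenSafeDownloads, and that the rogue app's Login Item carries the same name as its .app bundle. Without --force it only prints what it would do, so you can read the plan before anything is killed or deleted.

```python
#!/usr/bin/env python
"""Added example: the manual MacDefender removal steps, scripted for OS X.
Dry run by default; pass --force to actually kill, unload and delete.
Assumed: Safari's "Open safe files" lives under AutoOpenSafeDownloads, and
the Login Item name equals the bundle name (both assumptions, not from the post)."""
import os
import re
import subprocess
import sys

# Names the rogue AV has shipped under (from the post above).
SUSPECT_NAMES = {"macdefender", "macprotector", "macsecurity",
                 "applesecurity", "applesecuritycenter"}


def normalize(name):
    """Basename, lower-case, no spaces, no trailing .app: 'Mac Defender.app' -> 'macdefender'."""
    name = os.path.basename(name.strip())
    if name.lower().endswith(".app"):
        name = name[:-4]
    return re.sub(r"\s+", "", name.lower())


def is_suspect(name):
    return normalize(name) in SUSPECT_NAMES


def find_suspect_pids(ps_output):
    """Parse `ps -axo pid=,comm=` text; return PIDs whose command matches a suspect name."""
    pids = []
    for line in ps_output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        pid, comm = parts
        if pid.isdigit() and is_suspect(comm):
            pids.append(int(pid))
    return pids


def find_suspect_apps(dirs=("/Applications", os.path.expanduser("~/Applications"))):
    """Bundles in the usual Applications folders whose name matches."""
    found = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for entry in os.listdir(d):
            if entry.endswith(".app") and is_suspect(entry):
                found.append(os.path.join(d, entry))
    return found


def run(cmd, force):
    print(("[force] " if force else "[dry-run] ") + " ".join(cmd))
    if force:
        subprocess.call(cmd)


def main(force):
    # Step 1: stop Safari auto-opening "safe" downloads.
    run(["defaults", "write", "com.apple.Safari", "AutoOpenSafeDownloads", "-bool", "false"], force)
    # Steps 2-4: kill running copies (what Activity Monitor's Quit Process does).
    ps = subprocess.check_output(["ps", "-axo", "pid=,comm="]).decode("utf-8", "replace")
    for pid in find_suspect_pids(ps):
        run(["kill", "-9", str(pid)], force)
    # Steps 5-6: drop the Login Item, then the bundle itself (rm instead of the Trash).
    for app in find_suspect_apps():
        name = os.path.basename(app)[:-4]
        run(["osascript", "-e",
             'tell application "System Events" to delete login item "%s"' % name], force)
        run(["rm", "-rf", app], force)


if __name__ == "__main__":
    main(force="--force" in sys.argv[1:])
```

Run it as the user who was snagged (Login Items are per-user), read the dry-run output, then repeat with --force; prefix with sudo only if the bundle in /Applications is not writable by that user. The process is killed before the bundle is removed so a running copy cannot re-create its Login Item.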

Here are the two best links I could find for simple walk-throughs. I would rather not repeat the tutorials they have already taken the time to do.
Their work is much appreciated.

Now the super links with detailed screen shots and some additional tips:
The HowToGeek.com site has a great walk-through here.

VRT-blog has some good information on this also, read that here.

Folks, if you use a Mac and you connect it to any other system, especially the Internet, please realize that you are vulnerable to attacks and hacks. NO system is immune to attack! Macs and Linux systems have benefited from a more secure file system/OS structure (for the most part) than earlier Windows systems, and from being a low-volume target at about 8% of all network-connected desktop machines, but they are now increasingly being attacked. This is especially true since many Apple users have been lied to and told they are invulnerable to attacks.

BE SAFE FOLKS!

New Mac Trojan horse and Security tips from the NSA

There is a new Mac Trojan horse that masquerades as a virus scanner; read about that here. This is another example of social engineering: tricking users into making security mistakes.
Users looking for legitimate protection against viruses on their Macs might be duped into downloading and installing it. Essentially this is 'ransomware' in spirit: it demands payment to 'stop' an 'infection' that does not exist, AND the payment card details handed over are often then sold on to other nefarious people.

Remember that NO operating system is immune to attack. And since every system is used by humans, humans remain the biggest weak link.

Also in other security news, the NSA has released some good advice and documents on better security practices for your home network and operating systems (including Mac OS X).
Read about that here [via the PCMAG Security Watch blog].

Nearly all of this contains information that I and other security people have been saying for years but is well worth reading.

More Malware in the wild: 'E-Card'

Hi folks, just thought I'd pass this on.
The folks at Shadow Server have found this propagating.
There are loads of new security threats, many using tried and true vectors.
This one uses the 'E-Card' email route, one that STILL somehow gets people! Please NEVER, EVER, EVER open these kinds of links!
They often look like this.

[image: botspam]

Microsoft also has information on this latest threat here:

http://blogs.technet.com/b/mmpc/archive/2010/12/31/unhappy-new-year.aspx

Please folks, be careful and exercise caution when opening email or clicking on links, and keep your systems up to date.

Another reason to use Firefox and Add-ons/Extensions

As I've previously written more than a few times, I use Firefox as my primary Internet browser because of the extensive range of add-ons and scripts available. This helps make the browser a 'super tool' for me. With Firefox I can block unwanted ads and scripts, stop annoying 'auto-play' music and videos, download just about any video, picture or file, FTP from within my browser, download/convert nearly any web page to PDF, and do many other cool and productive things.

Now I can add scanning files for viruses BEFORE I download them to that list.
The VTzilla Firefox extension adds a "Scan with VirusTotal" option to Firefox's right-click context menu and file download dialog, which lets you scan any file for a virus before you commit to downloading it to your computer.

VirusTotal is a service that analyzes suspicious files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and web analysis toolbars.
It’s a brilliant web service that scans any file you send it against 42 of the best malware scanners available.

They now have an add-on for Firefox that lets you scan with a simple right-click on a file you intend to download.

Get Started

The first thing you must do is install the add-on itself; you can do this by clicking the following link while visiting the site with Firefox.

Note: By default, VTzilla turns on a new toolbar in Firefox. To disable it, navigate to View -> Toolbars, then uncheck VirusTotal Toolbar.

After installing the component you will have to restart Firefox before you can use it. Below you can find some examples of use.

Scan suspicious links with VTzilla

Imagine you have logged into your Gmail account and you have received a suspicious email from your bank. The email is informing you about an unauthorized access to your account and is asking you to follow a link and provide your credentials to view the account access log.

Since you are savvy, you know that this mail is probably a phishing attempt. Even though you know it is a scam, you want to help others, so you right-click the suspicious link and select the "Scan with VirusTotal" option from the context menu:

This will open a new tab in the same browser window showing the report for the requested URL scan. Note that the scanning process will also download the file/site behind the target link, so do not forget to click on the "View downloaded file analysis" link.

Scan downloads before storing them

Let us suppose your good friend John Doe has sent you an email with a slide presentation. You know that slide decks are a common carrier for exploit code that will compromise your computer. When you click on the slide presentation in your webmail a download dialog appears; you are a cautious user, so you decide to scan the file first with VirusTotal:

Once you have checked the file, you will decide whether or not to download it to your PC.

Simple.

Warning!!: VirusTotal is not a substitute for antivirus software installed on a PC, since it only scans individual files on demand; it does not offer permanent protection for users' systems either. Nor is a clean result proof that a file is safe: brand-new malware routinely gets zero detections on its first day, so "0 of 42" means "not known to be bad yet", not "good".
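The same "check it with VirusTotal before you trust it" idea done from the command line, as an added example that is not part of the original post or of the VTzilla add-on. It takes a file that has already landed in your download folder, hashes it, and looks the hash up through VirusTotal's v3 REST API (GET https://www.virustotal.com/api/v3/files/<sha256>, authenticated with an x-apikey header; you need your own VirusTotal account key in the VT_API_KEY environment variable). Only the hash leaves your machine, never the file. The verdict rule is a pure function, so the thresholds can be read and checked without network access; the thresholds themselves are my choice, not VirusTotal's.

```python
#!/usr/bin/env python
"""Added example: hash a downloaded file and ask VirusTotal about it.
Assumed (not from the post): the v3 endpoint and x-apikey header, and a
VT_API_KEY environment variable holding your own VirusTotal API key."""
import hashlib
import json
import os
import sys
try:
    from urllib.request import Request, urlopen
    from urllib.error import HTTPError
except ImportError:  # Python 2
    from urllib2 import Request, urlopen, HTTPError

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file so a large download does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def lookup(sha256, api_key):
    """Return the parsed report, or None if VirusTotal has never seen the hash (HTTP 404)."""
    req = Request(VT_FILES_URL + sha256, headers={"x-apikey": api_key})
    try:
        return json.loads(urlopen(req).read().decode("utf-8"))
    except HTTPError as err:
        if err.code == 404:
            return None
        raise


def verdict(report, min_malicious=2):
    """Turn a report into (status, detail).  One engine can be a false positive,
    so 'malicious' needs at least min_malicious hits; an unknown hash is
    reported as unknown, never as clean."""
    if report is None:
        return ("unknown", "hash not in VirusTotal; absence of a report is not a clean bill of health")
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = flagged + stats.get("undetected", 0) + stats.get("harmless", 0)
    if flagged >= min_malicious:
        return ("malicious", "%d of %d engines flagged it" % (flagged, total))
    if flagged:
        return ("suspicious", "%d of %d engines flagged it; treat as hostile until proven otherwise" % (flagged, total))
    return ("clean", "0 of %d engines flagged it (today)" % total)


if __name__ == "__main__":
    if len(sys.argv) != 2 or not os.environ.get("VT_API_KEY"):
        sys.exit("usage: VT_API_KEY=... python vtcheck.py <downloaded-file>")
    digest = sha256_of_file(sys.argv[1])
    status, detail = verdict(lookup(digest, os.environ["VT_API_KEY"]))
    print("%s  sha256=%s  %s" % (status.upper(), digest, detail))
```

A hash lookup only tells you what VirusTotal already knows; if the answer is "unknown" and the file matters, upload it through the web interface (or the add-on) and wait for a fresh analysis rather than assuming it is fine.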

OS X Security and Malware

Please folks, practice safe computing: keep your systems up to date, don't install pirated software (including music and videos), clear your browser cache often, and don't install 'helpers' or 'codecs' you cannot thoroughly verify.
Using the line "I have a Mac, I don't get worms or viruses" is not only naively silly, it can also be costly.
Remember that OS X is built on a Unix foundation, and Unix has been around since 1969! So you can bet that as the Mac user population grows, the number of attacks 'ported' to OS X will grow fast. Coupled with Apple's misleading marketing line that "Macs don't get viruses", this leads to poor computing habits that can, and I am sure will, be exploited more and more.
So keep safe out here.
Some scary info:
http://www.sophos.com/blogs/sophoslabs/v/post/4811

http://www.sophos.com/blogs/sophoslabs/v/post/3710

Peace out

Conficker Worm is here!

Yes folks, it looks like the worm is very active again.
Please take the time to protect yourself and your data. A few minutes of safety can save hours or days of frustration and money.

The worm started spreading late last year, infecting millions of computers and turning them into "slaves" that respond to commands sent from a remote server, which effectively controls an army of computers known as a botnet.

The worm is quietly turning personal computers into spam servers, flooding users with malicious emails that in turn can spread the worm again, and it is loading more malicious software onto the computers under the botnet operators' control.
According to Russian security firm Kaspersky Lab:
“Conficker installs a second virus, known as Waledac, that sends out e-mail spam without knowledge of the PC’s owner, along with a fake anti-spyware program.
The Waledac virus recruits the PCs into a second botnet that has existed for several years and specializes in distributing e-mail spam.
Conficker also carries a third virus that warns users their PCs are infected and offers them a fake anti-virus program, Spyware Protect 2009 for $49.95.
If they buy it, their credit card information is stolen and the virus downloads even more malicious software.”

Please don’t be one of those who get scammed, lose control of their system or lose their data altogether.

Microsoft has some good resources here:
http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

And offers a great free scan that I recommend here:
http://onecare.live.com/site/en-us/default.htm

For further steps you can take, read my two previous posts:
http://mycraniumdrain.blogspot.com/2009/03/conflicker-protection.html

http://mycraniumdrain.blogspot.com/2009/03/more-conflicker-check-for-infection.html

Peace and safe computing

Let’s Kill Some Spyware!!

I recently had to help some people remove some serious spyware/malware/viruses.
Now, normally, if I can't 'kill' the bad stuff fairly quickly, I will simply get the person's data (documents, pics, music, etc.) off the machine, delete the partitions, wipe the drives, re-format and re-install the operating system clean.
But in a business situation this is not always possible, or sometimes not all the needed applications are available for re-install.
In those cases you must try to 'save' the system without the 'nuclear option'.
So here is one of the best methods I use on a 'running' active system.
Read all the instructions and download ALL of the suggested applications from a non-infected machine FIRST.
Then place them on a portable drive (USB) or in a directory on the infected system [c:\killmalwareapps or something].
OK, let's start.
1st, on the infected machine, delete the 'hosts' and 'lmhosts' files.
They will be located in the c:\windows\system32\drivers\etc folder
[possibly c:\winnt\system32\drivers\etc].
Spyware adds entries there to point antivirus vendors, update servers and online scanners at a bogus address, which is why the online scan below can otherwise fail. Windows resolves names fine without a hosts file, so deleting it is safe, but have a look at what is in it first: anything besides the stock "127.0.0.1 localhost" line is suspect and tells you what the infection was trying to block.
Next, try an online scan from Trend Micro.
To do this safely, using an external, non-infected browser, you need to run 'Firefox Portable' off a USB drive.
This gives a clean run of a browser for a live malware/spyware scan:
How To:
The article here:
http://firefox-fangirl.livejournal.com/1977.html
explains how to download the latest portable Firefox builds and how to install it correctly as a 'portable app' in a separate folder or on a USB drive. I 'install' it to a directory called 'portablefirefox' and then copy that to my USB drive.

Then go to Trend Micro USING THE PORTABLE FIREFOX, run their HouseCall application, and run a scan:
http://housecall65.trendmicro.com/
Make sure you do NOT use any browser installed on the infected system!!!
Use the ‘Firefox Portable’ application to get to the web.

Other tools to have on hand (on your USB drive) before starting.
From Sysinternals:
http://technet.microsoft.com/en-us/sysinternals/default.aspx

Get the following apps. Download them on a clean system and transfer to USB.
Autoruns finds everything actually loading at startup.
You will find all kinds of 'crap' that shouldn't be there.
http://download.sysinternals.com/Files/Autoruns.zip
Extract and run this to show EVERYTHING that is loaded at startup.
This includes applications, scripts, drivers, ActiveX controls, DLLs and more.

Process Explorer
http://download.sysinternals.com/Files/ProcessExplorer.zip
This helps find unwanted running processes and terminate them.
Run the application to see every currently running process/application on your system, with its parent process and the DLLs it has loaded.

You will often need some or all of the following applications to 'kill' bad processes and the files they hold open.
That is, malicious programs that are running 'unauthorized' processes.

unlocker
http://ccollomb.free.fr/unlocker/

wholockme
http://www.dr-hoiby.com/WhoLockMe/

file assassin
http://www.malwarebytes.org/fileassassin.php

A great spyware finder:

Spybot S&D
http://www.safer-networking.org/en/spybotsd/index.html
I install this while my online scan is running (if possible).
Don't confuse this application with others that are trading on the 'Spybot' name and are themselves ACTUALLY spyware. The one and only original FREEWARE application is here.
http://www.spybotupdates.biz/files/spybotsd162.exe

Remember to have all these files already downloaded and copied to your portable drive.

And to assist in cleaning out all 'temp' type files:
CCleaner
Especially useful if there is an 'unseen' Internet app (IE or Firefox) continually downloading malware in the background.
I will run this over and over while running Spybot scans.

http://www.filehippo.com/download_ccleaner/download/d1565b7fb77b48a3692a199d871845fd/

Anyhow, this is a quick but, I think, fairly thorough way of cleaning an infected system if you don't have a 'Live' type utility or rescue disk available such as UBCD (Ultimate Boot CD), Hiren's, or a custom BartPE disk.
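A small helper for two of the steps in the procedure above, as an added example of my own rather than anything from the original post: instead of blindly deleting the hosts file, it audits it, flagging every line that is not the stock localhost entry and calling out entries that point security-vendor names (my watch list below, an assumption) at loopback or at a foreign address, which is exactly how spyware blocks updates and online scans; and, on Windows only, it lists the Run/RunOnce registry values (a small subset of what Autoruns shows) so you have something to compare the Autoruns output against. Drop it on the USB stick with the other tools; the hosts-file path is derived from %SystemRoot% and is also an assumption.

```python
#!/usr/bin/env python
"""Added example: audit the hosts file and dump Run/RunOnce keys.
Assumed (not from the post): the vendor watch list and the hosts path."""
import os
import sys

DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# Names spyware of this era commonly redirects (constructed watch list).
VENDOR_WATCHLIST = ("trendmicro.com", "housecall", "safer-networking.org",
                    "sysinternals.com", "microsoft.com", "malwarebytes.org",
                    "symantec.com", "mcafee.com", "kaspersky.com", "sophos.com",
                    "windowsupdate.com")


def hosts_path():
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping; comments and blanks are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:
            entries.append((parts[0], host.lower(), n))
    return entries


def audit_hosts(text):
    """Classify each non-default entry. Returns a list of (severity, ip, host, line_no)."""
    findings = []
    for ip, host, n in parse_hosts(text):
        if (ip, host) in DEFAULT_HOSTS:
            continue
        vendor = any(v in host for v in VENDOR_WATCHLIST)
        sinkholed = ip in ("127.0.0.1", "0.0.0.0", "::1")
        if vendor:
            sev = "HIGH"    # a security site blocked or redirected: classic spyware move
        elif sinkholed:
            sev = "LOW"     # ad/tracker blocking lists look like this; verify the name
        else:
            sev = "MEDIUM"  # an arbitrary name pinned to an arbitrary IP (phishing/redirect)
        findings.append((sev, ip, host, n))
    return findings


def list_run_keys():
    """Windows only: values under HKLM/HKCU ...\\Run and \\RunOnce; [] elsewhere."""
    try:
        import winreg
    except ImportError:
        try:
            import _winreg as winreg  # Python 2
        except ImportError:
            return []
    results = []
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                            ("HKCU", winreg.HKEY_CURRENT_USER)):
        for sub in ("Run", "RunOnce"):
            path = r"Software\Microsoft\Windows\CurrentVersion\%s" % sub
            try:
                key = winreg.OpenKey(hive, path)
            except OSError:
                continue
            i = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                results.append((hive_name, sub, name, value))
                i += 1
    return results


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else hosts_path()
    with open(path) as f:
        for sev, ip, host, n in audit_hosts(f.read()):
            print("%-6s line %d: %s -> %s" % (sev, n, host, ip))
    for hive, sub, name, value in list_run_keys():
        print("%s\\...\\%s  %s = %s" % (hive, sub, name, value))
```

Run it first from the clean USB copy before touching the hosts file; a HIGH finding confirms the online scan was being sabotaged, and the Run/RunOnce listing gives you names to look for in Process Explorer and Autoruns.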