More Mac malware – top tips for avoiding infection

More Mac scareware appeared overnight, with the cybercrooks following the same sort of strategy which has worked so well on Windows: regularly change the look and feel of the fake anti-virus software; use legitimate-sounding brand names (or steal genuine product names); stick to a price-point between $50 and $100; keep the fear factor high; but keep the core programming very similar so development costs are negligible.

Scareware, or fake anti-virus, is fake security software which pretends to find dangerous security threats – such as viruses – on your computer. The initial scan is free, but if you want to clean up the fraudulently-reported “threats”, you need to pay.

Once you’ve paid, the scareware stops lying to you about the non-existent threats, as though it really did clean them up. This means that many victims of this sort of fraud don’t even realise they’ve been duped. Until next time.

These latest OS X scareware variants come from the MacDefender stable, though they identify themselves during startup as Mac Shield:

Once activated, the software pretends to look through your files, pretends to find malware, and invites you to clean up:

But the cleanup isn’t free – you’re required to register:

Registration means payment. The minimum you can get away with is $59.95. But for just $40 more, you can get a lifetime software licence and lifetime support – which would be a good deal, were it not for the fact that the software is completely fraudulent, that the “lifetime” of the software ends tomorrow when the crooks move on to the next bogus brand name, and that there’s nothing to support, since there was no malware in the first place.

You even get a 30-day money back guarantee. Good luck claiming it.

Here are some top anti-scareware tips for Apple users:

* If you use Safari, turn OFF the ‘Open “safe” files after downloading’ option. This stops files such as the ZIP-based installers favoured by scareware authors from running automatically if you accidentally click their links.

* Don’t rely on Apple’s built-in XProtect malware detector. It’s better than nothing, but it only detects viruses using basic techniques, and under a limited set of conditions. For example, malware on a USB key would go unnoticed, as would malware already on your Mac. And it only updates once in 24 hours, which probably isn’t enough any more.

* Install genuine anti-virus software. Ironically, the Apple App Store is a bad place to look – any anti-virus sold via the App Store is required by Apple’s rules to exclude the kernel-based filtering component (known as a real-time or on-access scanner) needed for reliable virus prevention.

* Religiously refuse any anti-malware software which offers a free scan but forces you to pay for cleanup. Reputable brands don’t do this – an anti-virus evaluation should let you try out detection and disinfection before you buy.
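As an added example for the Safari and XProtect tips above (and for the daily XProtect definitions update discussed later on this page), this Python script, which is not part of the original post, reports how old the local XProtect definitions are and whether Safari still auto-opens “safe” downloads. It assumes the 10.6-era XProtect.meta.plist layout (a Version integer plus an RFC 1123 LastModification string) and the com.apple.Safari preference key AutoOpenSafeDownloads; the embedded plist is a constructed sample so the checks also run off a Mac.

```python
import plistlib
import subprocess
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
# Definitions metadata path on OS X 10.6 after Security Update 2011-003.
# Assumption: it holds a Version integer and an RFC 1123 LastModification
# string; SAMPLE_META is a constructed file in that layout, not Apple's.
XPROTECT_META = ("/System/Library/CoreServices/CoreTypes.bundle/"
                 "Contents/Resources/XProtect.meta.plist")
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>LastModification</key>
    <string>Tue, 31 May 2011 20:00:00 GMT</string>
    <key>Version</key>
    <integer>1</integer>
</dict>
</plist>
"""
def parse_xprotect_meta(data):
    """Return (definitions version, last-modified datetime, UTC-aware)."""
    meta = plistlib.loads(data)
    return int(meta["Version"]), parsedate_to_datetime(meta["LastModification"])
def definitions_age_days(data, now=None):
    """Days since the definitions were last modified (now: aware datetime)."""
    now = now or datetime.now(timezone.utc)
    return (now - parse_xprotect_meta(data)[1]).total_seconds() / 86400.0

def definitions_stale(data, now=None, max_age_days=2):
    """True when the daily XProtect updater has evidently not run lately."""
    return definitions_age_days(data, now) > max_age_days

def safari_auto_open_enabled(prefs):
    """Safari's 'Open "safe" files' option; absent key = Safari default (on)."""
    return bool(prefs.get("AutoOpenSafeDownloads", True))

def live_safari_prefs():
    """Read the real setting with `defaults` (only meaningful on macOS)."""
    cmd = ["defaults", "read", "com.apple.Safari", "AutoOpenSafeDownloads"]
    out = subprocess.run(cmd, capture_output=True, text=True)
    return {} if out.returncode else {"AutoOpenSafeDownloads": out.stdout.strip() == "1"}
if __name__ == "__main__":
    try:  # real files on a Mac, the constructed sample elsewhere
        data, prefs = open(XPROTECT_META, "rb").read(), live_safari_prefs()
    except OSError:
        data, prefs = SAMPLE_META, {}
    version, last = parse_xprotect_meta(data)
    print(f"XProtect v{version}, updated {last:%Y-%m-%d}, stale: {definitions_stale(data)}")
    print(f"Safari auto-opens 'safe' downloads: {safari_auto_open_enabled(prefs)}")
```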

In a recent Sophos poll, 89% of respondents said they’d recommend their Mac-owning friends and family to use anti-virus software. Why not take their advice, and get Sophos Anti-Virus for Mac Home Edition today?

Download Sophos Anti-Virus for Mac Home Edition

It’s free – no registration, no signup, and no password needed. It detects, prevents and cleans up malware infections.

Note: the Mac Shield scareware described here was detected proactively by Sophos Anti-Virus as OSX/FakeAV-DWN. Apple subsequently added detection to the XProtect system, using the name “OSX.MacDefender.F”.

Apple releases update to protect against MacDefender

Apple has released security update 2011-003 to address the recent increase in malware targeting Mac OS X.

Mac update 2011-003

It updates the included XProtect program to detect scareware variants we have seen attacking Mac users, including MacDefender, Mac Guard and Mac Security. It seems to still have the restriction of only working through the LSQuarantine library.

Once installed it will now check for updates to the XProtect list on a daily basis. This can be disabled in the Security preferences pane by unchecking the box “Automatically update safe downloads list”.

Security preferences pane

Upon installation this update will check for existing infections of known malware and remove it from the system if present. Additional checks are performed when an administrative user logs into the system.

I did some testing this afternoon and was able to confirm that it works. Using Safari, I visited the infected site Graham mentioned from the link spreading on Facebook.

I immediately received a warning that OS X had detected OSX.MacDefender.B, and yet it prompted to allow me to open the file. This is one of the limitations of LSQuarantine, but it is a very bad behavior. If you know something is malicious, don’t let people continue on infecting themselves…

XProtect detection dialog

To test the cleanup functionality I infected a system that had not applied the update. I proceeded to apply 2011-003 and nothing happened. I’m not sure how it is supposed to work, but it didn’t alert me nor remove Mac Guard.

I rebooted my Mac and logged in as an administrative user and within a moment or two the new removal functionality kicked in. A dialog box popped up stating:

“Malware was found and removed from your computer. The ‘MacGuard’ malware was found and removed.”

Mac malware removed

My impressions? A good reaction from Apple in a short amount of time. They are making the best of what is available in the OS X platform at this time. Unfortunately it falls short in many respects.

The biggest problem is the lack of an on-access scanning component. While LSQuarantine works to protect against downloads in most browsers, it doesn’t prevent infections through USB drives, BitTorrent downloads and other applications.

Daily updates are a good start, but it remains to be seen how frequently the criminals may release new variants. If they start moving in a polymorphic direction similar to the one the Windows malware writers have gone, XProtect will have issues.

Of course this update only applies to OS X 10.6 “Snow Leopard,” so older Mac users are left unprotected.

OS X 10.6 users should apply this update as soon as possible, and I recommend installing a more fully featured anti-virus solution like our free Sophos Anti-Virus for Mac Home Edition. It’s totally free; we don’t even ask you for your name or email.

IMF boss rape video? Mac malware spreads via Facebook links

Mac OS X malware is being spread by sick messages spreading virally across Facebook, claiming to be a video of controversial IMF boss Dominique Strauss-Kahn.

The fake anti-virus attack first appears in your timeline as a message apparently posted by one of your friends.

IMF boss Dominique Strauss-Kahn Exclusive Rape Video - Black lady under attack!

oh shit, one more really freaky video O_O

IMF boss Dominique Strauss-Kahn Exclusive Rape Video - Black lady under attack!
IMF chief Dominique Strauss-Kahn rape scandal. Mother of Alleged Rape Victim: Dominique Strauss-Kahn Did Not Want To Be President of France - ABC News

(I have obscured the image used in the message in case it causes offence).

The message’s text refers to the news story of IMF chief Dominique Strauss-Kahn, who is facing charges in New York over allegations that he tried to rape a hotel maid.

In terms of sick headlines to entrap users, this one ranks right up there. It’s been, of course, a very big news story – and many people have been following the case with interest. And that probably explains why the hackers have used the promise of a video as bait.

Clicking on the link takes you to a webpage, which appears to consist of a still from a sex movie. However, when I visited the page on my Apple Mac I was rapidly redirected to a “Mac Defender”-style fake anti-virus attack, written specifically with the intention of infecting my computer.

Mac malware attack

Sophos Anti-Virus for Mac intercepted the attack as OSX/FakeAVZp-C.

What’s interesting is that up until now we have mostly seen these fake anti-virus attacks target Mac users by poisoning search engine results. But now we are seeing them being distributed by viral Facebook spam campaigns as well.

Mac malware attack

It’s probably not too difficult to put yourself in the shoes of a computer user who knows that they are possibly about to watch a seedy video, only to find themselves facing a screen warning them of numerous security threats.

In many ways this is a genius piece of social engineering to frighten unsuspecting Mac users into installing the software and handing over their credit card details.

It’s just a shame that Facebook’s own security systems are currently failing to stop these links from spreading.

Download Sophos’s free anti-virus for Mac home users. It’s automatically updated to protect against the latest threats. Another step you should take is changing the default settings on Safari – it’s not a complete defence, but it can help a little.

And if you’re on Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 80,000 people.

Update: It’s not just Mac users who are at risk from this attack. If you click on the link from a Windows computer it’s possible you could be taken to a webpage that attempts to infect you with the Troj/Mdrop-DMN Trojan horse.

SSCC 61 – Sony, Honda, Mac Defender and best practices on securing your organization

On this week’s Chet Chat I interview one of our most experienced technical support account managers and discuss why “we’re doing it wrong”. Paul has worked as a security architect and defended against a slew of targeted attacks in very large environments.

Security is a process not a purchase… Many of us have acquired state-of-the-art high quality tools and yet we fall victim to everyday threats. Paul shares his philosophy on the techniques you can use to get the most out of your security investments.

As usual I also cover the week’s news including the latest attacks on Sony, the data loss event at Honda Canada and the evolution of the fake anti-virus threat facing Apple Mac OS X users.

If you prefer a news summary for the week in text format, visit the Sophos Security News and Trends for the latest selected hot topics or subscribe to our weekly newsletter, Sophos eNews.

(27 May 2011, duration 21:20 minutes, size 8.5MBytes)

You can also download this podcast directly in MP3 format: Sophos Security Chet Chat 61 or subscribe to our RSS.