MAAS History
Archives
Friday, May 20, 2011

Mac Defender and Mac Protector Removal Script

We have created a script to help you remove MacProtector and MacDefender, which you can download below. Please note that this is not an anti-virus product; it is only a script that removes these particular malware applications. Users should back up their computer and confirm the hash below the file download. We have used it successfully and will have an improved version by Sunday.

The instructions are as follows after unzipping and mounting the Disk Image File.

  • Close MacProtector's or MacDefender's annoying window and stop any scans it is performing. THEY ARE FAKE!
  • Double click on RemoveMacDefenderProtector.
  • You will be taken to the Applications folder; scroll down and find MacDefender, MacProtector or MacSecurity.
  • Choose the one you wish to remove; the MacProtector/MacDefender indicator will eventually close.
  • The application will be moved to the Trash. Confirm this by opening the Trash.
  • Your browser will direct you back to our site, which includes some tips for Safari settings.

If you have any questions please use the contact form on our site. For more information about our investigation please see our draft report page. Please note, our site has no ads and we do not wish to track you. We have used this script with our clients and have determined that we can release it publicly.

System requirements- MacOSX 10.6 

MagmaticMalwareRemove5_02v.dmg.zip

SHA(MagmaticMalwareRemove5_02v.dmg.zip)= dc795ac2fcc92a284802090048a20e38e147918e

http://magmatic.com/storage/publicscript/MagmaticMalwareRemove5_02v.dmg.zip

Wednesday, May 18, 2011

Analysis of MacProtector and MacDefender Draft Report

The recent malware targeting Mac OSX systems, MacDefender and MacProtector, are fake anti-virus products designed to steal users' personal information, including credit card accounts. We think version OSX/MacDefender.F tries to steal two credit card numbers by bouncing one and directing the user to another site. Below is our pending draft analysis of OSX/MacDefender.A, OSX/MacDefender.D and OSX/MacDefender.F.

Our analysis includes takeaways on the evolution of key inherited traits within each rogue application, followed by a detailed technical breakdown of the three working variants we have. Our format is broken into stakeholder sections for executives, users, researchers and experienced MacOSX administrators. This report is a draft and may change without notification.

Excerpts From Our Analysis 

Files 

/Contents/MacOS/MacDefender (OSX/MacDefender.A)

MD5(MacDefender)= 2f357b6037a957be9fbd35a49fb3ab72

SHA(MacDefender)= 470e1c99d7b5ec6d00b26715f4fa37bc70984fb4

/Contents/MacOS/MacProtector (OSX/MacDefender.D)

MD5(MacProtector)= 1f8e9cd3f0717a85b96f350e4f4a539a

SHA(MacProtector)= 361ba7b420e1a9ec0af5f7811e84dc95d04624a9

Added 05_21_2011

/Contents/MacOS/MacProtector (OSX/MacDefender.F)

SHA(MacProtector)= a94bd6a52bcb275a8ff1cd15977167f709b7ab04

UPDATE PENDING

MacProtector (OSX/MacDefender.F)
It is our theory that this version of MacProtector will trick the user into providing two credit card numbers by directing them to two separate sites. It also ensures that if one site is down, the other will continue to steal credit cards. The class-dump excerpt below shows the primary and backup buy-page accessors:
@interface URLMaster : NSObject
{
}
+ (id)getBuyPageIP; // IMP=0x000000010000f1f7
+ (id)getBackupBuyPageIP; // IMP=0x000000010000f1e8
+ (id)getSoftInstallLink; // IMP=0x000000010000f391
+ (id)getBuyPagLink; // IMP=0x000000010000f30d
+ (id)getBackupBuyPageLink; // IMP=0x000000010000f289
+ (id)getSendTicketLink; // IMP=0x000000010000f0a8
@end

  • Both installers have the "ru.lproj" folder, indicating the developer spoke Russian.
  • Localizations for .nib files are set to English.
  • Localizations for the application are set to English.
  • The Xcode build for both was 10M2518, Xcode 3.2.6 / iOS SDK 4.3 GM, which includes Russian and English.
  • The build machine that created both was running OSX seed 10J869, 10.6.7.
  • Minimum system version is 10.5.
  • Both use "df -lg|awk" to get disk space information.
  • Both create and then write the output to a file named dmem.txt in the user's home folder (~).
  • Both use "ps -e|awk" to get process information.
  • Both create and then write the output to a file named proc.txt in the user's home folder (~).
  • Both use a random number to seed timers and determine the time at which to indicate an infected file: (int)GetRndNum:(int)arg1:(int)arg2;
  • Both use the method (void)setTimeIntervalForFirstVirAppearing to set the random time for the first fake virus indication to appear.
  • MacProtector has a superior code structure compared to MacDefender.
  • MacDefender opened the default browser to make a purchase; MacProtector uses the WebKit framework to open a WebKit container to a site, all built into the application.
  • The MacDefender link is dead; the MacProtector link remains active.
  • MacDefender connects to 69 50 214 53 using the default browser. (Site offline.)
  • MacProtector connects to an nginx server at 91 213 217 30. (Web and reverse proxy.)
  • MacProtector manages and obfuscates the IP address, but the serial numbers are still stored in plain text; MacDefender does not obfuscate the site IP address.
  • MacProtector's @interface RegWindow handles the registration process, for example http : //91 213 217 30 / js / payform3 .js (Do not visit this link.)
  • MacProtector uses tokens and cookies in the fake product activation process.
  • MacProtector uses various class methods to get the IP address and confirm the cookie from the site.
  • MacProtector sends data to 91 213 217 30.
  • MacProtector receives cookies from 91 213 217 30.
  • MacProtector uses the methods (void)createURLForSerialNumberCookieSearch; and (void)OnCheckCookieForRegkey; to handle checking for the registration cookie.
  • MacProtector has a text file in Resources called ksms.txt which contains the number "4".
  • MacProtector's postflight script does not "reveal" the application in the Finder and does not use AppleScript.
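
The host artifacts in the list above (the dropped dmem.txt and proc.txt, the rogue bundle names, the ksms.txt marker and a matching process name) can be checked read-only from the shell; the script below is an added example, not Magmatic's RemoveMacDefenderProtector script, and it takes the home directory, Applications directory and process list as arguments so it can be run against a test tree.

```shell
#!/bin/sh
# Added example (not Magmatic's RemoveMacDefenderProtector script): a read-only
# check for the artifacts the analysis above lists. Arguments: the home
# directory to inspect, the Applications directory, and a file holding one
# process name per line (e.g. the output of `ps -eo comm=`). Prints one line
# per finding; prints nothing on a clean host.
ROGUE_NAMES="MacDefender MacProtector MacSecurity MacGuard"

check_rogue_av() {
    home="$1"; apps="$2"; proclist="$3"
    # 1. Both variants write `df -lg|awk` output to ~/dmem.txt and
    #    `ps -e|awk` output to ~/proc.txt in the user's home folder.
    for f in dmem.txt proc.txt; do
        [ -f "$home/$f" ] && echo "dropped file: $home/$f"
    done
    for n in $ROGUE_NAMES; do
        # 2. An application bundle carrying one of the rogue names.
        [ -d "$apps/$n.app" ] && echo "bundle: $apps/$n.app"
        # 3. A running process with the same name (full path or bare name).
        if grep -qiE "(^|/)${n}\$" "$proclist" 2>/dev/null; then
            echo "process: $n"
        fi
        # 4. MacProtector ships Resources/ksms.txt containing just "4".
        k="$apps/$n.app/Contents/Resources/ksms.txt"
        if [ -f "$k" ] && [ "$(tr -d '[:space:]' < "$k")" = "4" ]; then
            echo "marker: $k"
        fi
    done
    return 0
}

# Usage on a real Mac (hypothetical paths; run as the affected user):
#   ps -eo comm= > /tmp/procs.txt
#   check_rogue_av "$HOME" /Applications /tmp/procs.txt
if [ $# -eq 3 ]; then
    check_rogue_av "$@"
fi
```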

Downloads-DRAFT

Update-Draft report v2.

Magmatic_Analysis_MacDefender_MacProtectorv2Draft.pdf (MAJOR UPDATE PENDING)

SHA(Magmatic_Analysis_MacDefender_MacProtectorv2Draft.pdf)= 72b17c4250da23ae3c744fb26508d2b1889ae49e

Draft report v1

Magmatic_Analysis_MacDefender_MacProtector(DRAFT)

sha=5a708a3751c3ddd7bf38fcf240d8abc676514452

Magmatic_Analysis_MacDefender_MacProtector(DRAFT)

sha=c20f74b6eef02667033ddf50ff8a4ef1a10c7f13

Class Diagrams

MacProtector (OSX/MacDefender.A)

OSX_MacDefender.A_ClassDiagramDraft2.pdf

SHA(OSX_MacDefender.A_ClassDiagramDraft2.pdf)= d4b9902967f842773a563b215cae49ac5d3bde40

MacProtector (OSX/MacDefender.D)

OSX_MacDefender.D_ClassDiagramDraft2.pdf

SHA(OSX_MacDefender.D_ClassDiagramDraft2.pdf)= 2a92c951b9378d2370d559cbcbce873660fcc12d

MacProtector (OSX/MacDefender.F)

OSX_MacDefender.F_ClassDiagramDraft2.pdf

SHA(OSX_MacDefender.F_ClassDiagramDraft2.pdf)= 2b80717c46157cd2606dcbe6a7817e5993fb7ace

Class Dumps

MacDefenderOSX_MacDefender_A_ClasssDump (OSX/MacDefender.A)

SHA(MacDefenderOSX_MacDefender_A_ClasssDump.txt)= 5087f008da46bdd3cfacaf1be9d3729f19916f65

MacDefenderOSX_MacDefender_D_ClasssDump (OSX/MacDefender.D)

SHA(MacProtector_OSX_MacDefender_D_ClassDump.txt)= a53cc5a8c9cd2f19726e56beed8b07a097d7b8e2

MacDefenderOSX_MacDefender_F_ClasssDump (OSX/MacDefender.F)

SHA(MacProtector_OSX_MacDefender_F_ClassDump.txt)= f26c0091ab26b1ca998d8f58e9ee133d967c5bd8


Note: This is draft data and contains raw information; the final release of the document and additional updates will be located here. All information is provided as is and falls under the copyright located on this site and within the draft report. For any questions use the Contact Us link and put "MacDefenderProtector Report" in the subject line.

Wednesday, May 18, 2011

Removal of Rogue Mac Anti-Virus MacProtector/MacDefender/MacSecurity

Background

  • MacDefender, MacProtector, MacSecurity and MacGuard are all rogue Mac anti-virus products.
  • They are crimeware designed to steal your credit card information.
  • They were created by criminals out of Russia.

What if I purchased it?

Call your credit card company and report the card compromised. Review all charges on all your accounts. Remember they also have your address and phone number, so exercise caution with phone solicitations.

How do I remove MacDefender, MacProtector and MacSecurity if I installed it?

1. Open the Activity Monitor in the Applications/Utilities/ directory.

When the Activity Monitor opens, find the rogue application by its name in the process list. Once you find MacDefender, MacProtector or MacSecurity, select it in the list.

2. Quit the process.

3. Trash MacDefender, MacProtector or MacSecurity.

Move the application to the Trash and then select Finder>Secure Empty Trash.

4. Remove it from Login Items.

Go into your Apple Menu>System Preferences and open Accounts. Select your account and switch to the Login Items pane.

Once you are done, make sure to change your password and all other passwords on the Mac. Close System Preferences and then restart your Mac to ensure removal.

5. Check Safari and Chrome and consider the following settings.

  • Do not install any program whose installer opens directly from the Web.
  • Make sure "Open Safe Files" is deselected in Safari Preferences.
  • Select "Clear Auto-Opening" settings in chrome://settings/advanced.
  • Download files only to the Downloads folder in each user's home directory.
  • Set Remove Downloads to "When Safari Quits." Manually clear this folder for other browsers.
  • Make sure that "Block Pop-Up Windows" is on.
  • Never do web surfing as the administrator; carry out daily tasks as a user that does not have administrator privileges.
  • Never use Safari on a Mac OSX Server.
  • Make sure "Auto Fill" is deselected for all.
  • Download and confirm the hash before installing any files on assets in your control. (Recommended for enterprise customers.)

If you are still having problems removing MacDefender, MacSecurity and MacProtector and your computer is within the United States, we can help. Go to the Contact page, put Remove in the subject, and we will contact you to see if we can help. We only ask for a suggested payment of $19.99 + NYS sales tax for the remote repair service, which covers our cost. We only expect you to pay if we remove it and you are happy with the results. This is about the cost in lost time and transportation of going to the Genius Bar.

Friday, May 13, 2011

New Flash Preference Pane Still Struggles to Help Protect Privacy of Users

Adobe has added a new Preference Pane for Flash for Mac OSX, which allows you to control Flash privacy and update notification via a standard MacOSX Preference Pane. While this is a good step, the problems that existed with the Settings Manager still exist in the Preference Pane when it comes to the handling of Local Shared Objects (LSO), otherwise known as Flash Cookies. Below we expose the various issues with the Preference Pane, mainly that when you select Storage>Delete All and Advanced>Delete All, site data remains.

The Flash Player Preference Pane

The Flash Player Preference Pane replaces the clumsy Settings Manager for Flash, which ran directly from the browser. One great feature of the pane is the management of Flash updates, which was horrible in the Settings Manager. The Advanced tab enables you to determine the version installed and provides a direct link to the About Flash Player page. You also have the capability to set storage and privacy controls for the camera and microphone. "Private Browsing" is supported in Safari 5.0.5, so private browsing session information, including Flash content, is not stored in the usual directories ~/Library/Preferences/Macromedia/Flash Player/macromedia.com or ~/Library/Preferences/Macromedia/Flash Player/#SharedObjects.

Sounds Good, So What is the Problem

We have discovered that if you visit a site with "Allow sites to save information on this computer" enabled in the Preference Pane, or had previous sites that stored information, the "Delete All" button does not provide the protection described here on Adobe's site and below.

After reading this you would expect buttons labeled "Delete All" to perform as advertised and remove all content saved from sites. This is not always the case, and some data remains, similar to the failures in the Settings Manager, so "Delete All" does not perform as expected. In our demo we will clearly show that the Flash Player Preference Pane does not work properly, resulting in Flash Cookie (LSO) data remaining on the system.

Note: (For our demo we will be using Philipp Kostin's Flash site demo titled "Flash Cookies: Local Shared Objects" to create the data and Flash Cookie (LSO).)

Follow these steps to duplicate our results in the video that follows:

  • Go to ~/Library/Preferences/Macromedia/Flash Player/macromedia.com and leave it open.
  • Go to ~/Library/Preferences/Macromedia/Flash Player/#SharedObjects and leave it open.
  • Select System Preferences>Flash Player>Storage and enable "Allow sites to save information on this computer."
  • Visit a site that writes some data via a Flash Cookie (LSO); in our example we used Philipp Kostin's Flash demo.
  • Write some information using the demo or from any other Flash site of your choice.
  • Change your settings in System Preferences>Flash Player>Storage to "Block all sites from storing information on this computer."
  • Click on "Local Storage Settings by site" and view any site information. Did a site show up?
  • Try "Delete All" in System Preferences>Flash Player>Storage and System Preferences>Flash Player>Advanced.
  • Notice that the data in the Flash Cookie (LSO) remains.
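
The check the steps above do by eye in the two Finder windows can be scripted: the shell below, an added example that is neither Adobe's code nor from the original post, lists every .sol file and every leftover site folder under a "Flash Player" directory, and adds the manual purge the post falls back on when "Delete All" leaves data behind (the directory layout it assumes is the one named in the steps above).

```shell
#!/bin/sh
# Added example (not Adobe's code and not from the original post): list the
# Flash Cookie (LSO) artifacts left under a Flash Player preferences directory,
# and purge them the way the post does by hand. Argument: the "Flash Player"
# directory; defaults to the current user's.
FLASH_DIR_DEFAULT="$HOME/Library/Preferences/Macromedia/Flash Player"

# Prints one line per leftover: every .sol file (stored site data) and every
# empty directory (a site-named folder that survived a "Delete All").
list_flash_lso() {
    base="${1:-$FLASH_DIR_DEFAULT}"
    for tree in "#SharedObjects" "macromedia.com"; do
        [ -d "$base/$tree" ] || continue
        find "$base/$tree" -type f -name '*.sol' | sed 's|^|sol: |'
        find "$base/$tree" -mindepth 1 -type d -empty | sed 's|^|empty site folder: |'
    done
    return 0
}

# Removes everything inside both trees. Refuses to run on a path that is not
# a "Flash Player" directory so a typo cannot wipe something else. Note that
# macromedia.com also holds Flash's own settings .sol files, so they reset too.
purge_flash_lso() {
    base="${1:-$FLASH_DIR_DEFAULT}"
    case "$base" in
        */"Flash Player") ;;
        *) echo "refusing to purge: $base is not a Flash Player directory" >&2; return 1 ;;
    esac
    for tree in "#SharedObjects" "macromedia.com"; do
        if [ -d "$base/$tree" ]; then
            find "$base/$tree" -mindepth 1 -maxdepth 1 -exec rm -rf {} +
        fi
    done
    return 0
}

# Usage: flash_lso.sh [dir]        -> list leftovers (empty output = clean)
#        flash_lso.sh --purge [dir] -> remove them
if [ "$1" = "--purge" ]; then
    purge_flash_lso "$2"
elif [ $# -le 1 ]; then
    list_flash_lso "$1"
fi
```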

Wasn't This Always a Problem?

In previous versions of Flash Player for Mac OSX, deleting site storage did not remove all the Flash Cookies (LSO), including the .sol file and a folder with the site name. This was one of the many issues that made using the Settings Manager very frustrating. Flash Cookies (LSO) have raised all kinds of privacy issues since they were first used, and that continues to be the case even though Adobe has introduced a Preference Pane.

In the Flash Player Preference Pane the language is clear, so we expect "Delete All" to do exactly as stated. In our demo this was not the case. The only solution that worked one hundred percent of the time was to manually remove the Flash Cookies (LSO) and then enable "Block all sites from storing information on this computer."

Conclusion

In the current state the Flash Player Preference Pane for Mac OSX does not work as advertised, thus it continues to be a work in progress. The Flash Player Preference Pane clearly does not improve the management of Flash content privacy. In fact, the Flash Player Preference Pane will result in users having a false sense of privacy. It is our hope that Adobe was making an attempt at making Flash privacy easy to manage and not trying to layer the issue of privacy in a veil of confused user interaction. Take a chance Adobe, your business goals can be met while providing users and developers with clear dependable controls over Flash Cookies (LSO) and their privacy. The other option is to agree with Steve Jobs and move away from the Flash Platform.

Monday, May 2, 2011

MacDefender Rogue Anti-Malware Program Removal and Defense

Intego has reported a new rogue anti-malware program targeting Mac OSX and Mac products. There are several things that can be done to mitigate the risk of this rogue product. Do not attempt to purchase this application via PayPal or credit card. If you have purchased it, report your credit card or PayPal account compromised immediately.

Currently the risk from this product is low but users in various discussion forums are reporting that they already have downloaded and installed it. 

To remove the rogue anti-malware software if you downloaded it:

  • If you have purchased this product, call your credit card company or contact PayPal and report your account compromised immediately.
  • Boot your Mac into "Safe Mode" by holding the Shift key at startup.
  • Clear out your "Downloads" folder or the folder you download files to. (Do this for all users.)
  • Clear out your "Web History." (Do this for all users.)
  • Go into System Preferences>Accounts>Login Items and remove MacDefender from the startup list for all users. (Check every user, including the local administrator account.)
  • In Finder>File, select search "This Mac." Enter Filename Contains "MacDefend."
  • Select the "+" button, scroll down to Other and add "System files."
  • Select "System Files are Included."
  • Delete the application by moving it to the Trash along with items in the Startup folder or files associated with MacDefender. This includes web pages in the cache, /Library/StartupItems or ~/Library/StartupItems.
  • Securely Empty Trash.
  • Change all passwords for administrators and users on your Mac.
  • Change your Keychain password; make it different from the login password.
  • As a precaution we also highly recommend that you change the passwords saved in browsers for web sites, especially iTunes and mail providers. (This is a good monthly or bi-monthly practice depending on your organization.)

How to Protect Yourself:

  • Do not install any program called MacDefender.
  • Make sure "Open Safe Files" is deselected in Safari.
  • Select "Clear Auto-Opening" settings in chrome://settings/advanced.
  • Download files only to the Downloads folder in each user's home directory.
  • Set Remove Downloads to "When Safari Quits." Manually clear this folder for other browsers.
  • Make sure that "Block Pop-Up Windows" is on.
  • Never do web surfing as the administrator; carry out daily tasks as a user that does not have administrator privileges.
  • Never use Safari on a Mac OSX Server.
  • Download and confirm the hash before installing any files on assets in your control. (Recommended for enterprise customers.)
  • Make sure "Auto Fill" is deselected for all.
  • Install full-featured anti-virus software; XProtect does not scan Meta Package files (.MPKG). (See references below.)

We continue to evaluate the risk created by rogue installers and malware related to Apple products. The "Human Interface Guidelines", which are key for any successful Apple developer to follow, also create a risk skewed by users' expectations of the Apple experience. We expect this to only increase in the future.

In our independent testing, using Xcode and very little effort, we created various rogue installers which successfully convinced many Mac OSX users and administrators they were safe to install. Far more Mac users were convinced by the malware's ability to conform to the Apple operating system experience and never considered the source.

In our view the most threatening form of malware for Apple products is one that focuses on the MacOSX or iOS experience for the user. (This is true for all GUI-based computing devices, just more so on a platform that is experience driven.) Windows administrators and users have had to deal with this threat for some time, and their experience can be beneficial as this threat continues to grow.

If you have not done so already, we recommend installing a complete anti-virus and Internet security package. Our favorite is Intego's Internet Barrier, and we are very excited about F-Secure's beta offering. (Beta is not recommended for production-critical systems.)