
An OS X Malware Incident


sevenlayermuddle:
Other half mentioned her Mac had been behaving oddly for a day or two, with weird popups and bogus security warnings. Malwarebytes found and (hopefully) removed two bad things.

I'm always interested in how we got infected, and after some detective work I found what looked like a Flash Player update package lying around in a tmp folder, and that package had been downloaded at about the same time as the malware. And yet, she doesn't actually have Flash Player installed, so why the update? :-\

The answer may lie in bogus flash updates that apparently did the rounds last year...

https://www.intego.com/mac-security-blog/fake-flash-player-update-infects-mac-with-scareware

Signed with a valid developer's certificate, so quite easy to be taken in. :(

Weaver:
That's really good to know, thanks indeed for alerting us to that, much appreciated.

petef:
I fixed an infected MacBook Pro for a friend last year. I don’t know what the cause was but here are some of my notes.

Hotspot Shield
REMOVED following these instructions
https://discussions.apple.com/thread/5525093?tstart=0

Upgraded, including OS X El Capitan 10.11.6


Suspect processes
User id 401 unborough or obtrusionist
  intrudance
  emmetropy
  endolabyrithitis

Dodgy entries in /Library/LaunchDaemons, mostly dated 2016-05 and -06.

https://www.malwarebytes.com/mac-download/
FIXED - identified and cleaned the above names and more
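
The triage petef describes (suspect process names, launchd items with odd labels and recent dates) can be scripted. The following is an added example, not code from the thread or from Malwarebytes: it walks a LaunchDaemons/LaunchAgents-style directory, parses each plist with the standard library, and flags items whose label is not reverse-DNS, whose binary lives outside normal system locations, that are set to restart if killed, or that were modified recently. The sample plists are constructed here (modelled on the names posted above), and the trusted path prefixes and the 30-day window are assumptions, not Apple policy.

```python
"""Triage macOS launchd persistence plists (LaunchDaemons / LaunchAgents).

Added example, not from the original thread. The sample plists written by
build_sample_dir() are constructed for illustration; the trusted prefixes
and the 'recent' window are assumptions a responder would tune per host.
"""
import os
import plistlib
import re
import tempfile
import time

# Assumption: where a launch item's binary normally lives on a clean install.
# Anything else (/tmp, /Users/Shared, hidden dirs under ~/Library) deserves a look.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")

# Assumption: legitimate labels are reverse-DNS, e.g. com.vendor.product.
LABEL_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+){2,}$", re.I)


def program_of(plist):
    """Return the executable a launchd job starts, or None if it has none."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def triage_plist(path, now, recent_days=30):
    """Return a list of reasons this plist looks suspicious (empty = clean)."""
    reasons = []
    with open(path, "rb") as fh:
        try:
            plist = plistlib.load(fh)
        except Exception as exc:  # malformed plists are themselves a finding
            return [f"unparseable plist ({exc})"]
    label = plist.get("Label", "")
    if not LABEL_RE.match(label):
        reasons.append(f"label {label!r} is not reverse-DNS")
    prog = program_of(plist)
    if prog is None:
        reasons.append("no Program/ProgramArguments")
    elif not prog.startswith(TRUSTED_PREFIXES):
        reasons.append(f"runs {prog} outside trusted locations")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive (launchd restarts it if killed)")
    age_days = (now - os.path.getmtime(path)) / 86400
    if age_days < recent_days:
        reasons.append(f"modified {age_days:.0f} days ago")
    return reasons


def triage_directory(directory, now, recent_days=30):
    """Map plist filename -> reasons, for every plist with at least one reason."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        reasons = triage_plist(os.path.join(directory, name), now, recent_days)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_dir(now):
    """Write constructed sample plists to a temp dir and return its path.

    The benign item is a year old; the two others were dropped a week ago,
    mirroring the cluster of recent dates petef saw.
    """
    d = tempfile.mkdtemp(prefix="launchdaemons-")
    samples = {
        "com.apple.sample.plist": (
            {"Label": "com.apple.sample",
             "ProgramArguments": ["/usr/libexec/sample", "--daemon"],
             "RunAtLoad": True}, 365),
        "intrudance.plist": (  # constructed, named after a process in the thread
            {"Label": "intrudance",
             "ProgramArguments": ["/Users/Shared/.intrudance/intrudance"],
             "RunAtLoad": True, "KeepAlive": True, "UserName": "unborough"}, 7),
        "com.example.flashupdate.plist": (  # constructed fake-updater persistence
            {"Label": "com.example.flashupdate",
             "ProgramArguments": ["/tmp/FlashPlayerUpdate/Install", "-silent"],
             "RunAtLoad": True, "KeepAlive": True}, 7),
    }
    for name, (plist, age_days) in samples.items():
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            plistlib.dump(plist, fh)
        stamp = now - age_days * 86400
        os.utime(path, (stamp, stamp))
    return d


def demo(now=None):
    """Build the constructed samples and triage them; returns the findings."""
    now = now or time.time()
    return triage_directory(build_sample_dir(now), now)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name)
        for r in reasons:
            print("  -", r)
```

On a live Mac the same script can be pointed at /Library/LaunchDaemons, /Library/LaunchAgents and ~/Library/LaunchAgents; the flagged binaries can then be checked with `codesign -dv --verbose=4 <path>` and a suspect installer with `pkgutil --check-signature <pkg>`, bearing in mind sevenlayermuddle's point that a valid developer signature only says who signed it, not that it is Flash Player.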

sevenlayermuddle:
Yes, I also used Malwarebytes and it seemed to do a good job. It missed a few files in caches, but with the underlying process kicked out they were harmless.

Just underlines though, the danger of the modern mindset that 'updates are good', and perhaps 'especially flash updates'.

Just today, I visited a BBC news page that invited me to click on a link to install/enable Flash. I declined, as I distrust Flash. I'm not suggesting the BBC page was malicious, but it is all part of the social attitudes that the bad guys are exploiting... 'It is inviting me to update Flash Player, so it must be a good and legitimate website'. No, it may also be a very bad and malicious site, and the package it links to may not be Flash Player at all.

petef:
Generally speaking, updates are good. Security problems are spotted, reported and then fixed. The vulnerabilities are when a third party offers a fix. The skilful exploiters are plausible. If something I use needs an update I will use the official channels from either Apple or the software company.
