Home > Computers and the Internet > New Mac “Malware”

New Mac “Malware”

May 6th, 2011

I hesitate to really even call it “malware,” because it doesn’t really do what most malware does. It’s more like a scam, social engineering upon social engineering.

If you visit certain web pages, javascript code may automatically download a ZIP file on to your Mac. If Safari is set to automatically unzip files, you will be presented with an Install window which prompts you to install software called “MACDefender.” If you are careless enough to install an app you didn’t even look for, and click “Continue,” and then type in your admin password and complete the install, even then the software apparently doesn’t really “infect” your computer, not like malware usually does.

Instead, it sets itself to start up when your computer does, and informs you, with odd grammar (“This unique module allows to do unbelievable things”), that your computer is infected, and tries to sell you anti-virus software. If you’re still naive enough to buy all of this, you will be led to a web site where, if you buy a license, the fake virus alerts will stop while your credit card account is cleaned out. It is likely, however, that the web site will soon be abandoned, leaving the fake software merely annoying. One can apparently also rid oneself of the software just by throwing it in the trash, though it would be best also to stop its processes, remove mention of it from Startup Items, and see if you can dump any related files from the Library.

This barely qualifies as malware, in that it is software and tries to do something bad. However, it is qualitatively different from viruses, worms, rootkits, and even trojans in that it is nothing more than an avenue to steer you to a scam web site. I would class this more with risks like falling for the guy who claims that his wife is in the hospital across the state and he desperately needs a few bucks to get enough bus fare to see her.

On a similar note, Facebook “malware” is on the rise. People are getting tricked by various scams where you get prompted to see or try something that sounds interesting on Facebook, but it turns out to be a scam which somehow hijacks your Facebook account and sends copies of the scam to your friends. I’ve seen at least three in the past week: one promised to show you people who are “stalking” you on Facebook; another advertised an app that would age your photo by 20 years; and a third, the most pervasive, promised to show pictures or videos of bin Laden dead.

In all of these cases, clicking the link takes you off of Facebook to a site which gives you a snippet of Javascript code, telling you to paste it into the browser window and execute it, promising the desired result if you do. Clearly, trusting that is the mistake people make.

Needless to say, you should never copy and paste any such script into your browser URL window and hit “Enter.” Just as with email spam or viral attachments, it doesn’t matter if it came from a friend. And since this is Javascript in a browser, it doesn’t matter if you have a Mac or a PC. Some of these scams use different methods that may be more platform-specific–a general rule of thumb, then, should be to stay away from anything bin-Laden-oriented if it doesn’t come from a major news site.

Categories: Computers and the Internet Tags: by
  1. Troy
    May 6th, 2011 at 10:31 | #1

    The browser in 10.7 no longer executes JS this way.

  2. Luis
    May 6th, 2011 at 10:33 | #2

    You mean Safari? Or all browsers? Anyway, really good idea.

Comments are closed.