Malware on my Mac??!?

IceBus · 29 May 2011 at 14:06

Hey all... Was just surfing around as per usual using Chrome and went to my Drudge Report for my usual daily news fix.

I had it in a separate tab and then suddenly it switched to that tab, where it had navigated to an IP address (173.XX something) and there was a pop-up saying "Caution! Your computer contains a variety of signature viruses and malicious programs. Your System requires immediate checking AntiVirus! The system will perform a fast and free check your PC for viruses and malicious programs".

Obviously realised this wasn't right so did a Force Quit of Chrome and am now using Safari to post this, while running MacScan which was the first hit I got when I searched for Malware removal.

Any ideas on this? I want to make sure I'm back to a secure computer and I've never had this on a Mac before...

Thanks a lot for any help!

theheyes · 29 May 2011 at 15:48

It sounds like you stumbled across a Windows-targeted fake antivirus to me and therefore don't need to worry too much.

picnic · 29 May 2011 at 15:55

theheyes said:
It sounds like you stumbled across a Windows-targeted fake antivirus to me and therefore don't need to worry too much.

LOL - surely you've not missed the news that there is a variant of this for the Mac.

IceBus · 29 May 2011 at 16:20

I've done a full scan and apart from some tracking cookies I haven't found anything. What do you reckon, Time Machine restore from a few days ago?

picnic · 29 May 2011 at 16:29

I think the theory is if you didn't follow the links nothing got downloaded and installed. If you did then you'd know about it as it's in your face all the time.

There was stuff about it on The Register and App Advice.

IceBus · 29 May 2011 at 17:26

OK... Looks like I'm alright then as I did a Force Quit right away.

Other folks might want to read this: http://reviews.cnet.com/8301-13727_7-20066173-263.html?tag=mncol;txt

It seems to be able to now automatically install itself if you're logged in as the administrator - so you might want to follow the advice above to avoid it.

Rroff · 29 May 2011 at 17:32

theheyes said:
It sounds like you stumbled across a Windows-targeted fake antivirus to me and therefore don't need to worry too much.

More likely targeted at Chrome.

IceBus said:
OK... Looks like I'm alright then as I did a Force Quit right away.

Other folks might want to read this: http://reviews.cnet.com/8301-13727_7-20066173-263.html?tag=mncol;txt

It seems to be able to now automatically install itself if you're logged in as the administrator - so you might want to follow the advice above to avoid it.

Always force quit with these (or in the case of windows task manager and end task) I've seen a variant of this (on windows) still somehow manage to infect a couple of PCs even if you click the close button - seems to be a vulnerability in both Chrome and Internet Explorer - tho not enough experience to know if the same can happen on the mac. Personally I don't rate Chrome as highly security wise as some people seem to - it has almost as many potential security weaknesses as IE.

IceBus · 29 May 2011 at 17:34

Back to Safari it is for me then

It's a pity, as I was just starting to like Chrome. I'm almost tempted to do a full system restore from a few days ago just to be safe.

Rroff · 29 May 2011 at 17:36

Aslong as you killed the task when the popup appeared and didn't close it via the close button or click ok/cancel you should be ok - your probably fortunate you decided to take that action from a quick skim of the site you linked to, as I know from the Windows side this one gets right through Chrome even if you click close.

Annoys me a bit as its an age old IE/Webkit flaw that any programmer with half a brain should see the problem with that I thought would be left behind when we moved on from IE6.

AbsenceJam · 29 May 2011 at 17:37

Err there seems to be a lot of wrong info and paranoia in here.

You have to actually download and install the application, the installer no longer requires administrative permission but that doesn't mean it gets on your system without any interaction, you still have to go through the install process.

All the thread starter got was a popup ad to try and trick him into it downloading and installing some malware, nothing unusual. And given that his popup referred to "PC" then it probably wasn't even the macdefender malware......

Oh and Chrome is WAY more secure than Safari.

IceBus · 29 May 2011 at 17:41

I don't know if it said PC or not, I copied and pasted the description in my first post off the first google hit for "Caution! Your computer contains a variety of signature viruses..." as I'd already quit it by then.

Does seem like I've dodged a bullet on this one somewhat though.

Rroff · 29 May 2011 at 17:43

AbsenceJam said:
Err there seems to be a lot of wrong info and paranoia in here.

You have to actually download and install the application, the installer no longer requires administrative permission but that doesn't mean it gets on your system without any interaction, you still have to go through the install process.

All the thread starter got was a popup ad to try and trick him into it downloading and installing some malware, nothing unusual. And given that his popup referred to "PC" then it probably wasn't even the macdefender malware......

Oh and Chrome is WAY more secure than Safari.

No idea on the Mac side in regards to the installation of this specific malware, but its not wrong info/paranoia, usually just closing these popups doesn't do anything but one of the latest variant gets right through Chrome and older versions of IE even if you click the close button even if your running updated software, anti-virus, script blockers, etc. I've seen it happen twice with my own eyes - the first time I even said "you can just click close nothing will happen" - theres a couple of threads on it on these forums too where people have had it go right through Chrome without them clicking ok and start installing itself in the background.

EDIT: That site says:

This program will still require user interaction in order to install, so you will see an installer program running and will have to click through a couple of installation windows in order to get it on your system;

so looks like on a mac you'd have to manually click ok a few times on the installer for it to do anything apparently (tho if it can launch an installation package on its own I'd wonder what else it could execute), on windows it installs itself with no user input required.

AbsenceJam · 29 May 2011 at 17:53

IceBus said:
Does seem like I've dodged a bullet on this one somewhat though.

Nah, even if it was the recent mac malware you'd have to be daft enough to download it and go through a whole install process.

Rroff said:
No idea on the Mac side

Yeah, doesn't happen on a Mac, and the installer does not launch itself. This mac malware that has been spread about recently is also unrelated to anything for windows.
There are hundreds of dodgy pieces of software for windows that use such fake scan result ads to try to get on your system, and those which don't require interaction don't even bother with the fake scan results as they don't need to. But irrelevant here either way, this isn't the Windows forum.

theheyes · 29 May 2011 at 19:26

picnic said:
LOL - surely you've not missed the news that there is a variant of this for the Mac.

Nah, well aware of MACDefender but the OP's description didn't sound like it at all and just a generic PC fake AV. We're going to see a lot more of this sort of thing for OSX though.

IceBus · 29 May 2011 at 19:48

Just to reiterate, it did seem like MacDefender - I just didn't describe it well in my OP because I'd never heard of it. It showed some graphic about Apple Security Center etc. and wanted to run a system scan.