Welcome to the MacNN Forums.

Laminar · Dec 13, 2008, 03:04 PM

I won't post the exact link here, but I was doing a Google search for the ford ax4n bolt pattern, and upon clicking the first link went to a page with a jpeg image of a flash-type video trying to load (hotlinked from the site):

And it automatically downloads an "install.pkg" file to my computer, telling me I need to install the ActiveX Object to play the video. Obviously it's fake, but is the file some sort of malware for Mac? It's a disk image that mounts and started Installer.

Here's what Pacifist shows me about the package:

Obviously I'm not going to install it, but is it actually bad? And is there a way I can report this so that if it is harmful, other people won't fall for it?

Cold Warrior · Dec 13, 2008, 03:22 PM

It's a trojan.

http://www.f-secure.com/v-descs/troj...jahlev_a.shtml

TETENAL · Dec 13, 2008, 03:30 PM

Update your Safari. This is what you get with version 3.2 and later on that web page:

Chuckit · Dec 13, 2008, 03:37 PM

EDIT Beaten by Cold Warrior and TETENAL. (Which is what I get from walking away to get cereal before replying.)

Laminar · Dec 13, 2008, 04:55 PM

Ah, I hadn't installed that update yet since it required a restart, but I'll get on that.

dzp111 · Dec 13, 2008, 05:29 PM

Is this trojan applicable to FireFox as well?

Cold Warrior · Dec 13, 2008, 05:33 PM

Originally Posted by dzp111

Is this trojan applicable to FireFox as well?

It's applicable to OS X. Depending on browser settings, the dmg may or may not automatically mount after download. On Safari for example I do not allow it to open 'safe' files after download.

seanc · Dec 13, 2008, 05:36 PM

I'm surprised that Open DNS didn't flag it, Firefox 3 did.

Simon · Dec 14, 2008, 02:09 AM

Originally Posted by Cold Warrior

It's applicable to OS X. Depending on browser settings, the dmg may or may not automatically mount after download. On Safari for example I do not allow it to open 'safe' files after download.

I think that's a good piece of advice everybody should follow. IMHO it's outrageous Apple still has this turned on default. There is no way Safari could properly determine if the file is 'safe'.

Night9Hawk · Dec 16, 2008, 11:39 AM

Originally Posted by Simon

I think that's a good piece of advice everybody should follow. IMHO it's outrageous Apple still has this turned on default. There is no way Safari could properly determine if the file is 'safe'.

Is that even at this late date the Flash installer doesn't prompt for a password and is able to install it's plug-in for all users on the computer.

Simon · Dec 16, 2008, 11:44 AM

AFAIK Safari's 'open safe files after download' setting is not related in any way to the Flash installer.

Big Mac · Dec 18, 2008, 01:02 AM

Originally Posted by Night9Hawk

Is that even at this late date the Flash installer doesn't prompt for a password and is able to install it's plug-in for all users on the computer.

Are you sure? There should be no way that can be done with out an admin password or else OS X's security would be completely FUBAR.

King Bob On The Cob · Dec 22, 2008, 02:50 PM

Originally Posted by Big Mac

Are you sure? There should be no way that can be done with out an admin password or else OS X's security would be completely FUBAR.

You can give an application your password once, and it can do some modifications that allows itself to be run as root from then on out (suid was the old method, but there's a new one). It can cause issues if the application is capable of being scripted (ARD had this security hole not too long ago).

turtle777 · Dec 22, 2008, 02:54 PM

Originally Posted by TETENAL

Update your Safari. This is what you get with version 3.2 and later on that web page:

I'm not sure if this really helps.

Safari on OS X will warn you about websites that contain known viruses and malware which affect PCs. Sure, there is always the danger of a website trying to use zero day exploits for OS X Safari, but that's gotta be very rare.

So in the end, I'm not sure if this protects the OS X user, or if it will confuse and numb them.

-t

TETENAL · Dec 22, 2008, 03:30 PM

That particular website was not (only) distributing viruses and malware that only affect PCs. That particular website was distributing a Mac trojan. Those things do exist and Mac users have been bitten by that. So I would say, yes that warning helps.

turtle777 · Dec 22, 2008, 07:19 PM

Originally Posted by TETENAL

That particular website was not (only) distributing viruses and malware that only affect PCs. That particular website was distributing a Mac trojan. Those things do exist and Mac users have been bitten by that. So I would say, yes that warning helps.

It would be nice if the warning would state the *kind* of malware that has been reported, and what OS has been reported to be affected.

Otherwise, I can see this creating more FUD than good. Imagine all the clueless Mac users that suddenly think they are so vulnerable and suddenly spread the idea that "Macs are not safe anymore."

-t

Person Man · Dec 23, 2008, 08:53 AM

Originally Posted by turtle777

Otherwise, I can see this creating more FUD than good. Imagine all the clueless Mac users that suddenly think they are so vulnerable and suddenly spread the idea that "Macs are not safe anymore."

I'm not so sure this is a bad idea. As it currently stands, most Mac users are too smug. They think that they'll never get affected by malware. But most of us here know that's not true. We know that the threat is much smaller than for PCs, but it is not nonexistent. Macs truly aren't as "safe" as they used to be. They are still "safer" than Windows machines, though.

As for being able to detect the type of malware and display a box accordingly (this is a PC trojan/this is a Mac trojan)... that could be very difficult.

turtle777 · Dec 23, 2008, 11:29 AM

Originally Posted by Person Man

As for being able to detect the type of malware and display a box accordingly (this is a PC trojan/this is a Mac trojan)... that could be very difficult.

Why ?

Safari doesn't detect the virus, it's merely consulting a database. Whoever maintains that database should feed the affected OS into it as well. If not known, then a "OS affected: unknown" is still better than no information at all.

-t

Big Mac · Dec 23, 2008, 11:33 AM

Macs were never truly "safe," Person Man. The classic Mac OS had around 100 viruses written for it over the course of its existence, and it was much more vulnerable because built-in security was essentially non-existent. We're much safer on OS X than we were on the classic Mac OS, and the classic Mac OS was still much safer than DOS or Windows.

Person Man · Dec 23, 2008, 05:08 PM

Originally Posted by Big Mac

Macs were never truly "safe," Person Man. The classic Mac OS had around 100 viruses written for it over the course of its existence, and it was much more vulnerable because built-in security was essentially non-existent. We're much safer on OS X than we were on the classic Mac OS, and the classic Mac OS was still much safer than DOS or Windows.

I know that Macs were never "truly safe," and that we are safer now on OS X because there was no security per se in the Classic Mac OS. But the "average joe" has somehow gotten the message that "Macs are invlunerable (So therefore I don't have to be careful and can install unknown software from an untrusted site because only PCs are affected by malware)."

But we know that's not true. Unfortunately it will take a particularly successful piece of malware to get the majority of people to realize that Macs can be affected by malware.

But turtle has a point, too. The tendency will be for people to go from "Macs are totally safe" to "Macs are totally unsafe now." Nothing in between.