Yesterday, Apple released an update to Java on OS X that includes a removal tool for common variants of the Flashback malware. A few minutes ago, Apple also released a standalone version of the Flashback malware removal tool, which contains the same code found in "Java for OS X 2012-003".

The removal tool has also been released as a standalone package installer for users who don't have Java installed on their computers. Once installed, if malware is found, "a dialog will be presented notifying the user that malware was removed". In some cases, completely deleting the Flashback malware might require a system restart.

Apple’s Flashback malware removal tool can be downloaded here. In the past week, a number of third-party removal tools have also surfaced online.

If you run an organization that runs a rogue pharmacy business and provides malicious support for fake anti-virus programs, then it's likely you're going to get caught. Such is the case with ChronoPay, whose offices were raided by Russian authorities at the end of July after the co-founder was arrested for allegedly launching denial-of-service attacks against payment processing firms in an attempt to undercut his competitors. The firm under inspection, ChronoPay, has been found with "mountains of evidence" showing the company running illegal anti-virus scams including MacDefender, which plagued Mac users earlier this year with fake pop-ups that scared users into thinking they had viruses, and even tricked users into supplying their credit card information via registration through the fake virus-removal app. MacDefender was criticized by Ed Bott as the start of something big, although security and malware news has been quiet last month, and the MacDefender threat itself could be diminished after this recent raid.

MacRumors writes,

The last release of MacDefender occurred on June 18. ChronoPay’s offices are raided June 23. A coincidence perhaps, or Russian law enforcement saving Mac users from fake antivirus software.

Companies in the business of writing and supporting malware such as MacDefender can rake in a lot of money in a short period of time. It's an incredibly profitable business, feeding off the fear of individuals who become victims of the scare tactics that malware and phishing scams employ. While the takedown of ChronoPay will have a significant negative impact on the revenues of cyber criminals in the black market, these raids are only short-term wins.

Given fake AV’s status as a reliable cash cow, the industry is likely to bounce back rapidly. Fake AV is extremely profitable, in large part because it is easily franchised.

Individual affiliates can quickly make a lot of money. Fake AV distribution networks pay affiliates between $25 and $35 each time a victim provides a credit card to pay for the junk software.

To spread malware, companies like ChronoPay can hire affiliates who deploy the malware and get paid based on how many systems are infected (how many copies are installed). The end result is that the business is profitable for all the parties involved: fake anti-virus programs can offer "malware removal" at the same market prices as legitimate anti-malware programs (the victim doesn't know the difference), the distributors of the malware are paid handsomely based on how successful that malware is, and you can begin to see how and why these types of businesses function in black markets. MacDefender was effective because it preyed on Windows-to-Mac converts who are unfamiliar with the legitimate solutions available, and thus fell for its tricks. MacDefender, while it garnered a lot of attention, has seemingly died down and is hopefully squashed for good with ChronoPay out of the picture.

MacDefender wasn't some malware written by a couple of young adults in their basement, as we'd expect; this was a rare case of serious malware backed by a company (with a lot of money and mal-intent) and its affiliates. Hopefully, if the evidence against ChronoPay turns out to be the real deal, it'll lead to more arrests and a safer Internet. The battle is far from won when it comes to malware, but it's always comforting to know that there's one less threat to deal with.

[Krebs on Security via MacRumors, (Image via ZDNet)]

Last night, we reported that Apple issued a Security Update for Snow Leopard users to update the OS X malware definitions, enhance File Quarantine's functionality and, more importantly, automatically find and remove known variants of the Mac Defender malware that has been spreading among Mac users in the past month. By enabling OS X to update definitions daily in the background with a new daemon, Apple is taking the necessary measures to make sure new versions of Mac Defender and, overall, malware targeting Macs in the future can be removed safely and quickly within hours or days of being discovered. As reported by Ed Bott at ZDNet, a new variant of Mac Defender with a new installer package has already been released, and it's capable of circumventing Apple's new security update and works exactly like Mac Defender and Mac Guard did until yesterday.

The bad guys have wasted no time. Hours after Apple released this update and the initial set of definitions, a new variation of Mac Defender is in the wild. This one has a new name, Mdinstall.pkg, and it has been specifically formulated to skate past Apple’s malware-blocking code.

The file has a date and time stamp from last night at 9:24PM Pacific time. That’s less than 8 hours after Apple’s security update was released. On a test system using Safari with default settings, it behaved exactly as before, beginning the installation process with no password required.

Bott suggests this “cat and mouse” game is just the beginning, and Apple will have to begin addressing new variants that are discovered every day. The system put in place by Apple to provide updated definitions for easy removal of malware should allow users to prevent computer infections by automatically finding suspicious packages downloaded from the Internet. [via MacRumors]

The promised software update to automatically find and remove known variants of the Mac Defender malware has just been released by Apple and is now available in the Software Update panel or on the Downloads website. The KB article HT4657 explains that Apple has added an "OSX.MacDefender.A" definition to the malware check within File Quarantine. On Mac OS X 10.6.7, the installation process of the security update "will search for and remove known variants of the MacDefender malware". Users will also be notified after a MacDefender variant is removed, and Apple offers more details and information in this article as well.

The Mac OS X malware list is now updated daily in the background without the need for a manual software update:

Apple maintains a list of known malicious software that is used during the safe download check to determine if a file contains malicious software. The list is stored locally, and with Security Update 2011-003 is updated daily by a background process.

Security Update 2011-003 provides additional protection by checking for the MacDefender malware and its known variants. If MacDefender malware is found, the system will quit this malware, delete any persistent files, and correct any modifications made to configuration or login files. After MacDefender is identified and removed, the message below will be displayed the next time an administrator account logs in.
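To make the mechanism in the support document concrete, here is an added illustration (written for this page, not Apple's File Quarantine code and not from the article) of a hash-based "safe download check": a locally stored definition list mapping family names to hashes of known samples, a freshness check against the daily refresh the document describes, and a verdict for a quarantined download. The definition list, the file names and the sample bytes are all constructed stand-ins; the one family name used, OSX.MacDefender.A, is the definition the article mentions.

```python
import hashlib
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
from typing import Optional

# Constructed sample contents. The "installer" stands in for a known
# fake-antivirus package; no real malware bytes are involved.
SAMPLE_INSTALLER = b"constructed sample: fake antivirus installer package\n"
BENIGN_DOCUMENT = b"constructed sample: an ordinary downloaded document\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the locally stored definition list. Each entry
# names a family and the hash of a known sample; "updated" is the date the
# background refresh last rewrote the list (assumed format, YYYY-MM-DD).
DEFINITIONS = {
    "updated": "2011-05-31",
    "entries": [
        {"name": "OSX.MacDefender.A", "sha256": sha256_hex(SAMPLE_INSTALLER)},
    ],
}

# The document says the list is refreshed daily; anything older is stale.
MAX_DEFINITION_AGE = timedelta(days=1)


def definitions_stale(defs: dict, today: str) -> bool:
    """True when the list has missed its daily refresh as of `today`."""
    updated = datetime.strptime(defs["updated"], "%Y-%m-%d")
    now = datetime.strptime(today, "%Y-%m-%d")
    return now - updated > MAX_DEFINITION_AGE


def match_definition(data: bytes, defs: dict) -> Optional[str]:
    """Return the family whose known-sample hash matches `data`, else None."""
    digest = sha256_hex(data)
    for entry in defs["entries"]:
        if entry["sha256"] == digest:
            return entry["name"]
    return None


def quarantine_check(path: Path, defs: dict, today: str) -> dict:
    """Decide whether a quarantined download may open, and flag stale defs."""
    family = match_definition(path.read_bytes(), defs)
    return {
        "file": path.name,
        "family": family,
        "definitions_stale": definitions_stale(defs, today),
        "verdict": "block" if family else "allow",
    }


def demo() -> list:
    """Write the constructed samples to a temp dir and scan them both."""
    samples = (
        ("sample-installer.pkg", SAMPLE_INSTALLER),  # constructed file name
        ("notes.pdf", BENIGN_DOCUMENT),              # constructed file name
    )
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples:
            p = Path(tmp) / name
            p.write_bytes(data)
            results.append(quarantine_check(p, DEFINITIONS, "2011-06-01"))
    return results


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The staleness flag is the part worth keeping in mind: a hash list only protects against samples it already knows, so a check that silently runs against an old list (or against a variant recompiled hours later, as the next post on this page describes) gives a false sense of safety. Real definition lists also carry more than file hashes, but the lookup-then-verdict shape is the same.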

Mac OS X 10.6.8 was rumored to be the software update that would include a fix for Mac Defender, but it's likely that Apple also pushed a security update for users who will keep running the older 10.6.7 Snow Leopard version, with 10.6.8 getting the Mac Defender fix built in.


A new support document that surfaced on Apple's website today reveals the company will release a Mac OS X software update in the next few days (likely a security update) that will automatically find, block and remove the widespread Mac Defender malware from infected OS X machines.

A recent phishing scam has targeted Mac users by redirecting them from legitimate websites to fake websites which tell them that their computer is infected with a virus. The user is then offered Mac Defender “anti-virus” software to solve the issue. This “anti-virus” software is malware (i.e. malicious software).  Its ultimate goal is to get the user’s credit card information which may be used for fraudulent purposes. The most common names for this malware are MacDefender, MacProtector and MacSecurity.

In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants.  The update will also help protect users by providing an explicit warning if they download this malware.

Whilst an internal AppleCare document leaked last week suggested Apple was telling employees not to remove the Mac Defender malware from users' computers (also telling the same employees to redirect users to the Mac App Store to find proper antivirus software), it appears the company is taking the necessary steps to make sure Mac Defender won't spread any further; in the same support document, updated today, Apple also offers a handy removal guide for manually finding and deleting the malicious application. Mac Defender began spreading quickly in early May, when hundreds of users reported online that they had discovered a malware-scanning utility on their computers that they did not want installed. It turned out Mac Defender still required a manual installation to be activated, though downloads effectively happened without a user's consent when visiting certain webpages, often linked from Google Image Search.

Ars Investigates Recent Mac Malware

"MAC Defender has changed everything," one Apple Store Genius, who requested to remain anonymous (we'll call him Lenny) told Ars. "We probably get 3 or 4 people with this per day. Most of them only got as far as installing the program and haven't entered their credit card details."

Lenny went on. "This always sparks a debate at the bar on whether antivirus software is necessary on the Mac. This is difficult, as the store sells several antivirus products implying that Apple supports the idea, but as many customers point out, the sales guys aren't shy in making the claims for Mac OS X's security. Internally, Apple's [IT] department mandates the use of Norton Antivirus on company machines."

Following the controversy sparked by the wide diffusion of MAC Defender (covered here), which raised (again) the inevitable question of whether being scared of malware on a Mac is nothing but crying wolf, Ars Technica takes a step back and tries to analyze the situation by interviewing Apple employees, Geniuses, and various representatives of antivirus and security companies. Whilst it's fairly obvious that antivirus makers will always recommend their products because you have to keep your machine secure, the takeaway from support specialists is interesting: there's no need to panic, but people are undoubtedly coming in asking for help with this recent malware.

Of course, the peculiar nature of Mac Defender (it's "scanning software" that asks for your credit card details, and it's downloaded through a malicious script from certain websites and Google Image Search) raises another issue: users are installing the software by manually going through an installer and giving it their passwords, and this shouldn't happen. Anyone who's a little skilled in computing should know that stuff you didn't want to download shouldn't be granted permission to run in the first place. And MAC Defender comes as a whole installer. On the other hand, I don't think it's really about crying wolf (though some people like to run overly sensationalistic headlines), as much as it's about the fact that this malware ultimately exists. Fact.

Ars has an interesting read, and our friends at TUAW have a pretty handy guide detailing the removal of MAC Defender. The best tip, however, is still the same: don’t execute programs and documents you don’t know.

An internal AppleCare document posted earlier this week reveals that Apple is investigating 'Mac Defender', a recently unleashed malicious application that pretends to be an anti-virus application when users download it. The document, which Apple clearly notes is for internal use only, tells its employees not to confirm or deny whether the application has been installed on a user's computer, and not to attempt to remove it or escalate the issue.

The bizarre document, which is posted in full after the break, seems to be instructing Apple employees to take no part in resolving malware issues on a user's computer.

AppleCare does not provide support for removal of the malware. You should not confirm or deny whether the customer’s Mac is infected or not.

However, the document does tell employees to instruct customers that if the Mac Defender installer pops up on their screen, they should cancel the installer and delete it immediately. If the application is already installed, employees are told to tell the customer to make sure all security updates have been installed with Software Update and then direct them to the "What is Malware?" document. But the document is clear in saying that Apple doesn't deal with malware, not even recommending anti-virus software in the Mac App Store.

Explain that Apple does not make recommendations for specific software to assist in removing malware. The customer can be directed to the Apple Online Store and the Mac App Store for antivirus software options.

[Via ZDNet]


Those running Skype on OS X are vulnerable to an exploit that allows attackers to gain root access on target machines. Through an instant message, attackers could deliver a malicious payload that would give them remote access via a shell. The issue has already been addressed by the Skype team, and should be fixed in a future update. In the meantime, a proof of concept reveals the need for caution amid recent OS X security warnings and concerns.


According to several discussion threads posted on Apple Support Communities, a new piece of malware called MacDefender.app is quickly spreading among Mac users who use the Safari browser to visit certain websites, especially Google Images. The application, disguised as a virus scanning tool and completely unrelated to the official MacDefender software, gets installed automatically without a user's consent upon opening a webpage, although it's not clear what kind of websites allow this kind of installation, and whether MacDefender "phones home" once running on a Mac to download additional pieces of code (as most malware on Windows does). Some users are reporting they found the app installed on their Macs after visiting webpages linked on Google Images, some say it's only happening with the Safari desktop browser, and others claim the app can't be removed with a simple drag and drop to the system's Trash because, once installed, the process will begin running automatically on OS X. Again, it's not clear what kind of malware MacDefender.app is or the extent of this "spreading" across Mac OS X machines, but the number of threads on Apple Support Communities seems to suggest at least hundreds of people have experienced the issue in the past few days.