OFFICIAL SECURITY BLOG

We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

Invisible malware

Posted on October 15th, 2013 at 11:08 AM EDT

There has been a bit of talk in the security industry about a recent blog post by Daniel Pistelli, who reported on a technique that could be used to create what some are calling “invisible” malware. This technique does represent a bit of a problem to the anti-virus industry. However, it’s important to understand the full context of how Mac OS X protects against malware, and to recognize that this technique means very little to Mac users in the current malware climate.

Apple finally adds Icefog to XProtect

Posted on October 9th, 2013 at 3:28 PM EDT

This morning at 7:52 AM EST, my computer downloaded an XProtect update. I’m told, by security researcher Ivan Sorokin, that this update adds Icefog to the XProtect definitions. And it must, since that’s the only Mac malware that has appeared in the last couple weeks. It’s not easy to tell, though, since Apple chose to call it something different than everyone else.

New Mac malware discovered: OSX/Leverage

Posted on September 17th, 2013 at 5:21 PM EDT

Intego announced the discovery of a new trojan today, which they are calling OSX/Leverage. According to Intego’s observations, it would appear that this malware has some association with the Syrian Electronic Army. What is still unknown is exactly what its goal is, who it is being sent to and how. Like other similar malware that has appeared recently, though, it’s probably being used in targeted attacks on specific individuals or groups.

Yontoo: adware or malware?

Posted on March 22nd, 2013 at 12:18 PM EDT

There has been a lot of talk in the last week about a new bit of adware for the Mac, called Yontoo. Adware is never popular, whether it is legit or not, and is a frequent source of disagreement in the security community. It is very rare that anti-virus companies manage to come to agreement on this topic. Even a program like FkCodec (aka Codec-M), which is without a doubt designed to trick users into installing it to earn ad revenue, is not detected by many anti-virus programs. (One of my FkCodec samples earned the lowest detection rate in my recent testing, being identified by only 7 of 20 anti-virus engines.) So why has Yontoo gotten so much attention?

Variant of SMSSend slips past XProtect

Posted on February 11th, 2013 at 9:47 PM EDT

This weekend, I got my hands on a variant of the SMSSend malware. What I found was very interesting, and very concerning. After examining it, it’s evident that the malware is still evolving and is still an active threat. Worst of all: it seems to be capable of slipping past the current version of the built-in anti-malware security in Mac OS X (aka, XProtect)!

Fake installer trojan targets Mac users

Posted on December 13th, 2012 at 12:38 PM EDT

Dr. Web announced the discovery of a new Mac trojan, which they call SMSSend, on Tuesday. This latest trojan masquerades as an installer for the legitimate VKMusic application. Rather than install malicious software on your computer, however, the malicious installer requests a cell phone number in order to complete the install process. Users who provide a cell phone number, and then enter the activation code that is texted to that phone, will be subscribed to a “service” that applies charges to their cell phone account.

New variant of Imuler trojan discovered

Posted on September 23rd, 2012 at 5:08 PM EDT

Intego announced the discovery of a new variant of the Imuler trojan on Friday. It is being sent to Tibetan activists via e-mail, much like other recent trojans. The details can be found on their blog, though sensitive eyes should be warned that that page contains some obfuscated profanity found in the e-mail message.

Flashback infections becoming widespread

Posted on February 21st, 2012 at 10:16 AM EDT

A little more than a week ago, in Flashback using Java vulnerabilities, I wrote about a new variant of Flashback that displays virus-like behavior: it can infect a machine without any user interaction. I did not take this too seriously at the time, since the current version of Java fixes the vulnerabilities it relies on. However, many users evidently still have outdated versions of Java installed, as there has been an explosion of users reporting symptoms of Flashback infection. I cannot over-emphasize this: every Mac user needs to check the version of Java they are running right now, and update if necessary!
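As an added example (this is not code from the original post), here is a small shell script that reads the text printed by `java -version` and reports whether the installed Java meets a minimum version you specify. The default minimum of 1.6.0_29 is an assumed placeholder, not a value the post gives, and the sample output embedded in the script is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: parse the text that `java -version`
# prints, and compare the version it reports against a required minimum. The minimum
# below (1.6.0_29) is an assumed placeholder, not a value the post gives; set it to
# whatever the current fixed release is when you run this.
MIN_JAVA="${MIN_JAVA:-1.6.0_29}"

# parse_java_version: read `java -version` output on stdin and print the quoted
# version string from its first line, e.g. 1.6.0_26. Prints nothing if no such line.
parse_java_version() {
    sed -n -e 's/^java version "\([^"]*\)".*/\1/p' \
           -e 's/^openjdk version "\([^"]*\)".*/\1/p' | head -n 1
}

# java_version_num: turn a dotted version such as 1.6.0_29 into one integer
# (1006000029) so that versions can be compared numerically. The update number
# after "_" becomes the fourth field; a missing field counts as 0.
java_version_num() {
    printf '%s\n' "$1" | tr '_' '.' |
        awk -F. '{ printf "%d", $1 * 1000000000 + $2 * 1000000 + $3 * 1000 + $4 }'
}

# java_at_least VERSION MINIMUM: succeed if VERSION is MINIMUM or newer.
java_at_least() {
    [ "$(java_version_num "$1")" -ge "$(java_version_num "$2")" ]
}

# check_java_output OUTPUT MINIMUM: classify captured `java -version` text.
# Prints ok (return 0), outdated (1) or missing (2).
check_java_output() {
    ver=$(printf '%s\n' "$1" | parse_java_version)
    if [ -z "$ver" ]; then
        echo missing; return 2
    fi
    if java_at_least "$ver" "$2"; then
        echo ok; return 0
    fi
    echo outdated; return 1
}

# Constructed sample of what an out-of-date Java 6 might print; the build
# strings are made up for the example.
SAMPLE_JAVA_OUTPUT='java version "1.6.0_26"
Java(TM) SE Runtime Environment (build 1.6.0_26-example)
Java HotSpot(TM) 64-Bit Server VM (build example, mixed mode)'

# Stand-alone use: check the sample, then the Java actually on this machine, if any.
echo "sample: $(check_java_output "$SAMPLE_JAVA_OUTPUT" "$MIN_JAVA")"
if command -v java >/dev/null 2>&1; then
    echo "installed: $(check_java_output "$(java -version 2>&1)" "$MIN_JAVA")"
else
    echo "installed: no java on PATH"
fi
```

Note that `java -version` writes to standard error, hence the `2>&1`; a machine with no Java at all reports "no java on PATH", which in the context of this post is the safe state.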

Flashback targets XProtect

Posted on October 20th, 2011 at 9:51 AM EDT

Security firm F-Secure reported yesterday on a new variant of Flashback that targets the built-in malware protection in Mac OS X. Apparently, this variant deletes and overwrites the XProtectUpdater process, which is responsible for keeping the XProtect malware definitions up-to-date. This means that, if you get infected, repairing the damage becomes more difficult. Even if you remove the malware, XProtect will have been crippled, making it easier for you to be infected by other malware in the future.
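As an added example (not code from the original post or from F-Secure), here is a baseline-and-compare check for the updater binary this variant is reported to delete and overwrite. It assumes the updater lives at /usr/libexec/XProtectUpdater, which is an assumption about the 10.6/10.7 layout, and it needs a SHA-256 recorded on a machine known to be clean; without one it still catches the deleted or blanked-out cases.

```shell
#!/bin/sh
# Added example, not code from the original post or from F-Secure: a baseline-and-compare
# check for the XProtect updater that this variant is reported to delete and overwrite.
# The path below is an assumption about the 10.6/10.7 layout; the expected hash must be
# recorded on a machine known to be clean, ideally right after a fresh install or update.
XPROTECT_UPDATER="${XPROTECT_UPDATER:-/usr/libexec/XProtectUpdater}"

# sha256_of FILE: print the SHA-256 of a file, using whichever tool the system has
# (sha256sum on Linux, shasum on Mac OS X).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# check_updater PATH [EXPECTED_SHA256]: classify the updater binary.
# Prints ok (0), tampered (1), missing (2), empty (3) or notexec (4). Without an
# expected hash only existence, non-emptiness and the executable bit are checked.
check_updater() {
    path=$1
    expected=$2
    [ -f "$path" ] || { echo missing; return 2; }
    [ -s "$path" ] || { echo empty; return 3; }
    [ -x "$path" ] || { echo notexec; return 4; }
    if [ -n "$expected" ] && [ "$(sha256_of "$path")" != "$expected" ]; then
        echo tampered; return 1
    fi
    echo ok
    return 0
}

# Stand-alone use: record a baseline with `sha256_of /usr/libexec/XProtectUpdater`
# on a clean machine, store it in XPROTECT_UPDATER_SHA256, then run this script
# periodically. Without a baseline it still catches the "deleted or blanked" case.
echo "$XPROTECT_UPDATER: $(check_updater "$XPROTECT_UPDATER" "${XPROTECT_UPDATER_SHA256:-}")"
```

The baseline hash will legitimately change whenever Apple ships a system update that touches the updater, so re-record it after each update rather than treating every mismatch as an infection; a mismatch with no update in between is the case worth investigating.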

Flashback still slipping past AV software

Posted on October 8th, 2011 at 7:33 AM EDT

A colleague sent me a link to a new copy of Flashback.A this morning. I have visited the site and downloaded the malware. What I found was both comforting and concerning.