Mac OS X Viruses: How to Remove and Prevent the Mac Protector Malware

Every Apple fanboy will tell you that Macs are safe from malware, but it’s just not true. Recently a fake AV program has been targeting and infecting OS X computers in the wild. Here’s a quick look at how it works, how to remove it, and also how to prevent it in the first place.

The virus in question is actually a fake antivirus and trojan which goes by a few different names. It may present itself as Apple Security Center, Apple Web Security, Mac Defender, Mac Protector, and possibly many other names.

Note: we encountered this malware on a handful of user workstations at my day job, and then spent some time doing analysis of how it works. This is a real piece of malware, that’s really infecting people.

Screenshot Tour of a Mac Protector Malware Infection

The infection comes about from a webpage redirect which will present the user with the following page, that makes it appear like a real Mac OS X popup dialog.

If the user clicks Remove All, they will immediately begin downloading a package that installs the virus.

Once downloaded, your computer will probably begin the installation automatically. Luckily, for now, you still have to walk through the installation process manually. As more vulnerabilities are found this will probably change, just as it has for Windows users in the past.

Note: This was installed on a fully patched fresh install of OS X 10.6.7 with Symantec Endpoint Protection 11.0.6 fully up to date.

The installer will start and you will need to walk through the normal OS X process. Users will also be prompted for a username and password with administrative rights during the installation.

You may notice the new shield-like icon in the menu bar.

The program will automatically run and pretend to be loading some sort of database for what we can assume is virus definitions.

You will then be barraged with notifications and popups letting you know about your fake infection.

Just like fake antivirus programs on Windows, if you click on the cleanup button or on one of the notifications you will be told that your software is not registered and needs to be paid for.

If you click on the register button you will be asked for your credit card information.

Note: Do not fill out, submit, or even type your credit card info in this window.

If you close out of this window you will be asked to put in your serial number to continue.

Mac Protector/Defender Removal

To remove the virus, close out of all of its windows, either with the Command+Q keyboard shortcut or by clicking the red orb in the top left corner.

Now browse to your hard drive -> Applications -> Utilities and open Activity Monitor. Locate the MacProtector process and click Quit Process.

Confirm the pop-up asking if you are sure you want to quit the process.

Open the Apple menu and select System Preferences.

Select Accounts from the new window.

If you are not able to edit your account settings click on the lock in the lower left corner of the window and put in your admin password.

Select your user on the left and then click the Login Items tab. Select the MacProtector entry and then click the minus (-) button at the bottom of the window.

Close System Preferences and go back to your Applications folder. Find the MacProtector application that was installed and either drag it to the Trash, right-click and choose Move to Trash, or drag it to your favorite app-zapper program.

How to Prevent Getting the Virus

There are some precautions you can take to avoid getting this virus. First of all, use common sense when browsing the internet. If the website looks suspicious or the warnings look fishy, don’t click on them.

There will also probably be other warnings that something may contain a virus. For instance, the virus I managed to download was later flagged by Google as being harmful to my computer.

If you are using Safari, you should also disable the setting that automatically opens “safe” files after downloading. Go to Safari’s preferences and uncheck the box to disable this setting.

You should also scan your downloads with an antivirus program. When the installer package is scanned with Symantec Endpoint Protection it detects the virus immediately.

If you don’t have Symantec on your Mac, the Windows scanner also has definitions to detect this virus.

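The removal and prevention steps above can be turned into a quick triage check. The script below is an added example, not code from the original article: it flags running processes and Applications bundles whose names match the aliases the article lists (MacProtector, Mac Defender, Apple Security Center, Apple Web Security), and reads Safari's `AutoOpenSafeDownloads` preference key, which backs the "Open safe files after downloading" checkbox. The sample `ps` output and Safari plist are constructed inputs; the assumption that a missing key means the default (enabled) is mine.

```python
import os
import plistlib
import re
import subprocess
from pathlib import Path

# Names the article reports for this fake AV; matching ignores case and spaces.
SUSPECT_NAMES = ("Mac Protector", "Mac Defender", "Apple Security Center", "Apple Web Security")

def _norm(s):
    return re.sub(r"\s+", "", s).lower()

def find_suspect_processes(ps_output):
    """Parse `ps -axo pid,comm` text and return [(pid, command)] for matching processes."""
    hits = []
    for line in ps_output.splitlines()[1:]:          # first line is the PID/COMM header
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        pid, comm = parts
        base = _norm(comm.rsplit("/", 1)[-1])        # executable name without its path
        if any(_norm(n) in base for n in SUSPECT_NAMES):
            hits.append((int(pid), comm))
    return hits

def suspect_app_names(bundle_names):
    """Return the .app bundle names (e.g. from os.listdir('/Applications')) that match."""
    return sorted(b for b in bundle_names if any(_norm(n) in _norm(b) for n in SUSPECT_NAMES))

def safari_autoopen_enabled(plist_bytes):
    """True when Safari will auto-open 'safe' downloads; assumes absent key = default on."""
    prefs = plistlib.loads(plist_bytes)
    return bool(prefs.get("AutoOpenSafeDownloads", True))

# Constructed sample inputs: one infected machine with the Safari setting still on.
SAMPLE_PS = """  PID COMM
    1 /sbin/launchd
  214 /Applications/Safari.app/Contents/MacOS/Safari
  377 /Applications/MacProtector.app/Contents/MacOS/MacProtector
"""
SAMPLE_SAFARI_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>AutoOpenSafeDownloads</key><true/></dict></plist>"""

if __name__ == "__main__":
    # Live run on a Mac: the same three checks against the real system.
    ps = subprocess.run(["ps", "-axo", "pid,comm"], capture_output=True, text=True).stdout
    print("suspect processes:", find_suspect_processes(ps))
    print("suspect apps:", suspect_app_names(os.listdir("/Applications")))
    safari = Path.home() / "Library/Preferences/com.apple.Safari.plist"
    if safari.exists():
        print("Safari auto-opens 'safe' downloads:", safari_autoopen_enabled(safari.read_bytes()))
```

Anything the script flags still has to be handled with the steps above (quit the process, remove the login item, trash the bundle); the script only reports.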
Have you encountered a Mac OS X malware infection in the wild? Be sure to share with your fellow readers in the comments.

Translated from: https://www.howtogeek.com/63735/mac-os-x-viruses-how-to-remove-and-prevent-the-mac-protector-malware/
