9 Comments


F-Secure is reporting on the first widespread rogue Mac application that comes in the guise of security software: MacSweeper. It is hosted at http://www.macsweeper.com, but I do not recommend visiting that site. I’m not convinced this is the first rogue Mac application ever to hit the internets, but the F-Secure folks are top-notch researchers who keep better tabs on such minutiae than I.

The software purports to be an Ad-Aware-type application (Ad-Aware is a Windows product) and always manages to find a problem on every scan. Freeing your system from those evil discoveries will cost you, though, and the software is almost impossible to remove. While long-time OS X users will probably not be enticed to run such software (since they “know Macs are so secure”…right), recent Windows converts are used to running these types of programs almost daily and are much more likely to fall prey to this attack vector.

Perhaps the saddest part of this discovery is what the F-Secure researcher heard when talking with a journalist:

“I visited the macsweeper.com website. I know I probably shouldn’t have but I used a Windows PC so I knew I wouldn’t get infected.”

Ouch.

Remember to always double-check the reputation of a company and a piece of software before downloading or installing it, and make sure you are running some type of anti-virus program, since we can expect more reports of these types of rogue Mac applications as the year progresses.

  1. Can this infect you just by visiting the site in Safari?

    I had a popup advert for this a few days ago with an HTML fake scanning thing, and it set its .dmg file auto-downloading. Didn’t open it, obviously, and “open ‘safe’ files” was turned off in Safari.

    Or do you need to run the program to get infected?

  2. but I do not recommend visiting that site

    Are you suggesting that a Mac can become infected simply by visiting the site? Or must one download a file? Or must one download a file and open it with admin privileges? You should be more clear.

    make sure you are running with some type of anti-virus program

    I am dubious that anti-virus is either needed or desirable on a Mac. Can you back this up with corroboration (not from the anti-virus software industry) that makes the case for it?

  3. I’d guess that you have to enter your admin password to really get into trouble, but I’m not going to experiment to find out.

  4. @James: you need to download and run the program.

    Some further resources: http://www.news.com/8301-10784_3-9850942-7.html and http://forums.macosxhints.com/showthread.php?t=83219

    @Anon: I *did* link to the full research report.

    As for whether anti-virus software is useful on the Mac, I would say it absolutely is for the average user and definitely for the switchers. It takes a decent amount of experience and expertise to know what is good and what is bad and most users just do not have this knowledge. The evolution of anti-virus software on the PC has led to fairly sophisticated heuristic analysis routines that do protect users from even non-signature-based malware. That is where all OS X anti-virus/anti-malware programs need to be heading if they aren’t there yet.

    Security, though, is ultimately a risk appetite question. If you – @Anon – personally feel the risk of acquiring an infection from malicious software is low, then you will probably make the determination that you do not need anti-virus software. How many users do you – @Anon – know that are capable of making a truly informed risk appetite decision?

  5. @Bob Rudis: Thanks for your comment. I hope you realize that I was not being snarky or anything like that. It was a legit question.

    I am by no means a sophisticated Mac user (just your average user), but I have been running one Mac or another since 1988. OS X seems very secure to me as long as I take a few precautions (such as disabling open safe files in Safari and running in non-admin mode). Of course, it relies on user common sense as well. No system can really protect against downloading and installing malware. My concern is that the OS does not allow this to happen without me initiating and confirming the process. As long as that is the case, I don’t really see the advantage of virus software for OS X.

    But I am not an expert, so it’s not like I am saying anyone should listen to me. If I have erred in describing how OS X operates, please feel free to correct me.

  6. A Letter to Mac Community

    We’d like to address the community of Mac users on behalf of the creators of MacSweeper. Our product has been slandered a lot recently. It has been accused of being a “rogue” application and imputed false functionality to. We’d like to dispel this misguided opinion and show you that MacSweeper is a really useful application and the best of its kind.
    1) What is MacSweeper and why would you need it?
    MacOS is considered one of the most secure operating systems in the world. Nevertheless security in general depends not only on the OS but on the user and programs running under it. That’s why for user’s data protection MacSweeper was developed.
    Removing Cookies belonging to sites in the blacklist
    Different companies use Cookies for tracing user activity, some of them have dubious reputation since malicious software has been transmitted through their networks or from their domains. Such domains are put down to the blacklist. MacSweeper prevents user’s data from being spread by removing those cookies while keeping user’s personal cookies safe.
    Cleaning user and system cache
    Our security experts have found that a lot of private information is stored in application caches and can be accessible to malicious software somehow launched on your Mac. Moreover, by cleaning application caches you can free lots of space on your hard drive.
    Cleaning application and system log files
    Log files mostly contain information that an average user will never need which can be deleted trouble-free making additional free space available.
    Universal Binaries & Languages
    Mac applications are commonly assembled for different architectures and with multi language support. Users never use architectures other than their native and seldom use different languages. So it is possible to compress all these applications according to the needs of a specific user.
    Therefore MacSweeper is not an antivirus, antispyware or antimalware application. Also MacSweeper has nothing to do with “rogue software” though many influential companies have labeled it this way and try to convince all users of it. But if you just read the definition for “rogue software” here http://en.wikipedia.org/wiki/Rogue_software and then launch and activate our product to study its functions you’ll realize MacSweeper is NOT a “rogue software” and we don’t use anything mentioned in the definition.
    «Rogue security software is software that uses malware (malicious software) or malicious tools to advertise or install itself or to force computer users to pay for removal of nonexistent spyware.»
    2) Our advertisement pages
    Many authoritative companies don’t like our ads pages saying they display lies. Here let us draw an analogy to creating and selling toothpaste as a simple commonplace example. So imagine yourself you are sitting back on your couch and you see this toothpaste advertisement which says using this toothpaste once will keep your breath fresh 24 hours. But when you buy it and clean your teeth in 100% cases your breath won’t stay fresh that long. Nevertheless you’re not going to run out in the street shouting that a certain company produces “rogue toothpaste”. Our advertisement pages are just the same – nothing more than a usual ad, simple animated pictures.
    3) Other false opinions
    Some users who had installed our product later wrote on forums that MacSweeper finds a number of objects on an absolutely clean machine. Our answer is – of course it does, and before making statements like the one above you need to understand what the program finds. Every clean system, even a brand new Mac, has lots of trash files, universal binaries & languages, and that’s why MacSweeper will find a lot of objects there.
    4) Analyzing our product by authoritative companies
    We were amused by the fact that a certain authoritative security software development company with a big name and experience wrote a review on our product based on its design and used pictures. However as we could see from a review, the company employees hadn’t even activated the product, they just decided to earn some points for themselves and promote our product in the press saying they were the first to find it. But they didn’t even understand what they found, and they couldn’t, because they hadn’t activated the product. It’s like talking about the quality of the toothpaste without even opening the tube. And after that they accuse us of telling lies.

    In conclusion we’d like to thank Dan Kaplan of SC Magazine for being the only person of mass media to ask for our opinion after publishing a state on our product unlike other people from mass media and security software development companies.
    We’d also like to thank the whole Mac community for such a reaction to the information about the “first scareware” application, which MacSweeper isn’t. To prove this we will give away 1000 free licenses on our site http://macsweeper.com.
    Use the full version of the product, share your experiences and leave your opinions on different sites and be sure they’re based on real facts and not popular reviews. We intentionally haven’t changed a single line of code in the application since the latest events, the code is exactly the way it was.

    Thank you for your attention!

  7. These scammers have been posting the same message all over the blogosphere. They even posted it at the Apple support forum using the same account that they had previously used in their “astroturfing” campaign where they pretended to be a happy customer.

    They’re quite pathetic, really.

  8. So should we write different Letters on different forums? Yes we are protecting what we have done.
    More information you can read on this forum:
    http://blog.iantivirus.com/2008/01/deeper-look-on-macsweeper.html

    And our original Letter here:
    http://forum.macsweeper.com/viewtopic.php?t=2
    Where you can leave your thoughts about all this.

    Thank You!

  9. As for me, I protect my Mac with ProteMac NetMine.

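Comments 1 and 5 above both rely on two precautions against exactly the .dmg download vector this post describes: Safari’s “Open ‘safe’ files after downloading” turned off, and day-to-day use from a non-admin account. The script below is an added example, not code from the post or any commenter, that audits both on a Mac; it assumes only the real `defaults` and `id` tools and Safari’s `AutoOpenSafeDownloads` preference key, and keeps the check logic in plain functions so it can be exercised with constructed values on any POSIX shell.

```shell
#!/bin/sh
# Added example (not from the post or its comments): audit the two
# precautions named in comment 5. `defaults`, `id` and Safari's
# AutoOpenSafeDownloads key are real; the functions below take tool
# output as arguments so the logic runs without macOS.

# Safari stores "Open 'safe' files after downloading" as the boolean
# AutoOpenSafeDownloads in the com.apple.Safari domain. An absent key
# means the default, which is ON, so the live caller passes "1" then.
safari_auto_open_is_off() {
    case "$1" in
        0|false|FALSE|no|NO) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 is the space-separated group list as printed by `id -Gn`; true (0)
# when the macOS "admin" group is among them.
groups_include_admin() {
    for g in $1; do
        [ "$g" = "admin" ] && return 0
    done
    return 1
}

# Combine both checks into a one-line verdict. $1 is the
# AutoOpenSafeDownloads value, $2 the group list.
precaution_report() {
    if safari_auto_open_is_off "$1"; then
        report="safari-auto-open:off"
    else
        report="safari-auto-open:ON"
    fi
    if groups_include_admin "$2"; then
        report="$report admin-user:YES"
    else
        report="$report admin-user:no"
    fi
    printf '%s\n' "$report"
}

# Live run only where `defaults` exists (macOS); a missing key reads as ON.
if command -v defaults >/dev/null 2>&1; then
    auto_open="$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo 1)"
    precaution_report "$auto_open" "$(id -Gn)"
fi
```

A report of `safari-auto-open:ON` or `admin-user:YES` means the corresponding precaution from comment 5 is not in place on that account.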
