Anatomy of a malware attack: the complete Mac Defender timeline – ZDNet (blog)
Over the past two months, I have written extensively about the sustained malware attack that OS X users had to deal with throughout the month of May, until the criminal gang behind it suddenly shut down on June 23.
Anyone who tries to argue that this was no big deal has simply not been paying attention. It was enough to thoroughly disrupt Apple’s normally smooth-running support operation, and Apple responded in unprecedented fashion by publicly adding significant new malware detection and removal features in an update to Snow Leopard that was also incorporated into the new Lion update. Making that sort of system-level change is neither easy nor cheap.
This is a confusing story, one that evolved significantly over time. If you’re trying to make sense of it all, this timeline should help. It includes a link to each post I published on the subject, with the date/time stamp and an excerpt. (I’ve also included a link to one excellent third-party post.)
Just scanning this chronology should give you a better understanding of how this attack evolved. Click any link to dig a little deeper.
Coming soon to a Mac near you: serious malware
May 2, 2011, 9:42am PDT
[N]ow that Macs have achieved a critical mass of success in the marketplace, they’ve attracted the attention of malware authors. According to a report from a Danish IT security company, an underground group has completed work on a fully operational kit specifically designed to build malware aimed at the Mac OS platform.
Why malware for Macs is on its way
May 5, 2011, 12:02pm PDT
The guys who run these operations are not master hackers—they are thugs who use point-and-click malware construction kits that they buy from rogue programmers. It’s a thriving business. And so far that software category, like so many legitimate software businesses, has been built on Windows. Its overwhelming market share meant that’s where the money was.
[…]
A gain of a few percentage points in the Mac market might not seem like a lot, but in a universe with a billion Internet-connected devices, each percentage point equals a potential 10 million victims. A market with 60 million, 80 million, or even a hundred million Mac users is big enough for the bad guys.
[…]
My prediction is that the bad guys are still “testing market conditions,” and waiting for the right time for their grand opening. I think we’ll see a few more of these tentative probes—beta tests, if you will—before anyone unleashes a truly widespread attack. The trouble is, in this market, Mac users aren’t the customers—they’re the product.
Photo gallery: Mac malware in the wild
May 6, 2011, 12:39pm PDT
What a Mac malware attack looks like
May 6, 2011, 1:09pm PDT
It is easy to dismiss this as a crude attempt, and indeed, I don’t think many people are likely to fall for this attack. But dismissing this sample because it’s not particularly well done is like dismissing an entire computing platform because of a single poorly written app.
[…]
And note that the bad guys get better over time. This attack might be crude, but that doesn’t mean the next one will be. I have seen some remarkably effective phishing attempts. In the hands of a skilled gang of thieves, this approach could cull out the weaker members of the Mac herd and create some genuine headaches for the friends or co-workers who have to provide emergency technical support.
An AppleCare support rep talks: Mac malware is “getting worse”
May 18, 2011, 5:21am PDT
Over the weekend, I got an e-mail from an AppleCare support rep, who was responding to my recent reports of Mac malware being found in the wild. At least one prominent voice in the Mac community dismisses these reports as “crying wolf.” The view from inside an Apple call center says it’s for real: “I can tell you for a fact, many, many people are falling for this attack.”
A May 19 post by Jacqui Cheng at Ars Technica, Malware on the Mac: is there cause for concern? confirms many details of the scale of this problem:
A support specialist who we’ll call Carl works at an Apple Authorized Campus Store and threw in his two cents as well. “I have never had to remove a virus or malware from a Mac until this month,” Carl told Ars. “Now we have had a handful of people come in with MAC Defender on their computer.”
[…]
It gets worse as the stores scale up. We spoke to another Apple Store Genius, who we’ll refer to as Andy, whose store services a couple thousand Macs per week. “There’s been a very real uptick in the number of malware instances we’ve seen,” Andy said, adding that in the past, 0.2 percent of the Macs brought into Andy’s store might have a malware problem—“most always DNS trojans.”
That has changed in the last three weeks. Nowadays, something like 5.8 percent of machines Andy’s store sees have a malware-related issue, almost entirely made up of MAC Defender or some variant.
Crying wolf? Apple support forums confirm malware explosion
May 18, 2011, 11:00am PDT
Yesterday I spent several hours going through discussions.apple.com and collecting requests for help from Mac users who have been affected by this issue. I found more than 200 separate discussion threads, many of them from people who have been tricked into installing this software and are desperately trying to remove it. It started with four posts on April 30; this past weekend there were 42 unique, new discussion threads on this subject.
I am not unfamiliar with Apple’s forums. I’ve done similar searches in the past, especially after reading some of those same posts that Gruber called out from 2008. I have never found more than one or two in-the-wild reports. This time, the volume is truly exceptional.
Apple to support reps: “Do not attempt to remove malware”
May 19, 2011, 5:00am PDT
Apple is actively conducting an internal investigation into the Mac Defender malware attack I wrote about yesterday … An internal document with a Last Modified date of Monday, May 16, 2011 notes that this is an “Issue/Investigation In Progress.”
The document (shown below) provides specific instructions for support personnel to follow when dealing with a customer who has called AppleCare to request help with this specific attack.
[…]
- Do not confirm or deny that any such software has been installed.
- Do not attempt to remove or uninstall any malware software.
- Do not send any escalations or contact Tier 2 for support about removing the software, or provide impact data.
- Do not refer customers to the Apple Retail Store. The ARS does not provide any additional support for malware.
Ed Bott is an award-winning technology writer with more than two decades' experience writing for mainstream media outlets and online publications.
