Mac Virus that sends e-mails from you?
I'm about to do a Google Search - but is anyone (*coughAlanTcough*) aware of a virus on the Mac that will send e-mails from you to your entire contact list? I know back in the day when I worked at a University we ran into this on the PC in various forms. I have little-to-no Mac experience, but this appears to have happened to my wife. It's either that or her gmail account was hacked, but I don't think that is it since there is nothing in her sent items. She uses the Mac web client to check her gmail.
Any help would be much appreciated. The messages go out with a blank subject line and then some semi-legit web domain but with a bogus page on that domain. |
Dola:
One of my first searches got this: Quote:
Based on the specific combination of e-mail addresses that this e-mail appears to be sent to, I do not believe this is what happened. It was sent to my work e-mail address, some specific common friends, and members of a club my wife is in that has no relation to the other two groups. So - I'm pretty sure this is specific to my wife's computer. |
Well, first of all, the second post where you had the quote that macs do not get viruses is completely false. There are known viruses for macs, unix, smart phones, etc. It is less common that macs get viruses primarily because fewer are written for macs. There still are some that exist, and it is possible there could be more in the future.
That said, I do not know all of the mac viruses that are out there, I don't really take much interest in mac viruses because I don't really use them regularly (Only use them when looking at mac specific network enhancements for my company). I do know the majority of mac viruses require some user intervention though (The traditional pop up message saying your whatever software is out of date, please download and install this one instead --- where you then install a virus unknowingly onto your mac). The most recent mac virus I remember off the top of my head is a dns changer. I do recall the type of virus you refer to for PC many times, but not sure if Mac has had one like it. It is possible someone did hack her gmail account password and then use some other program to send mail from her gmail account and the sent messages would not show up. You could probably learn something if you look at the message header of the sent emails. It should tell you how the mail was sent most likely and help you narrow down where the problem occurred. |
The bogus email isn't from LiveHealthClub.com is it?
Someone in my family recently accidentally spammed their entire contacts list when they received an email from a relative that appeared as an invitation to join that site. When you click "not interested," it runs a script that spams everyone in your address book. Since it just happened to someone I know I thought that might be what happened here. |
I can't figure out how to see the full message header in either gmail (my personal account that she sent to) or Outlook on my work side (it may be stripped, dunno).
The gmail does have this at the bottom:
Ok - found it in Outlook (I removed all e-mail addresses and replaced with something else so it would make sense but not give out addresses):
Microsoft Mail Internet Headers Version 2.0
Received: from naeanrfkeb01v.nadsusea.nads. Thu, 22 Apr 2010 04:40:39 -0400
Received: from naeanrfkeb10v.nadsusea.nads. Thu, 22 Apr 2010 04:40:39 -0400
Received: from naeanrfkeg06v.nadsusea.nads. Thu, 22 Apr 2010 04:40:39 -0400
Received: from NAEANRFKAX08.NADSUSEA.NADS. Thu, 22 Apr 2010 04:40:38 -0400
X-AuditID: 8aa20595-a98d4bb000000d36-8c-
Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.157]) by NAEANRFKAX08.NADSUSEA.NADS. for <[email protected]>; Thu, 22 Apr 2010 08:45:03 +0000 (GMT)
Received: by fg-out-1718.google.com with SMTP id e21so197760fga.16 for <[email protected]>; Thu, 22 Apr 2010 01:40:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime- :subject:from:to:content-type; bh= b=Yk0JDn7gC1Zx+ wmJQ3sVoTiwxApWt5Lr0E6MwlneOOo pA4EDxGCzeeJW1CfN3CDeRFNBp7QRf
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message- b= 1bpGNQKBLPPL9OQSOzyqLEobLckd/ aLqxB/
MIME-Version: 1.0
Received: by 10.223.112.13 with HTTP; Thu, 22 Apr 2010 01:40:30 -0700 (PDT)
Date: Thu, 22 Apr 2010 03:40:30 -0500
Received: by 10.223.92.136 with SMTP id r8mr379933fam.40. 22 Apr 2010 01:40:31 -0700 (PDT)
Message-ID: <z2rae0de4ae1004220140t74fe590
Subject:
From: Mrs.Moore <mrs.moore@gmail.com>
To: bunch of e-mail addresses
Content-Type: text/plain; charset=ISO-8859-1
X-Brightmail-Tracker: AAAAAhPYxLgT2ZbG
Return-Path: mrs.moore@gmail.com
X-OriginalArrivalTime: 22 Apr 2010 08:40:38.0815 (UTC) FILETIME=[7C1122F0:01CAE1F7] |
Quote:
Nope - it appears to have grouped into groups of 5-10 e-mail addresses and uses different domains for the link in each spam message. |
For better or worse (worse it appears) there is NO virus protection on her Mac.
I knew there were viruses, but also rare - so I just didn't bother with it. |
Hm.
I have to stand corrected. This IS in her gmail sent items (just didn't synch to the Mac E-mail Program). This may be a simple gmail hacking. |
Tri-Dola - I already changed her PW this morning fwiw.
|
To anyone reading this:
Regardless, I'm installing an anti-virus app on her Mac. Any recommendations? |
Looking at those headers, it does appear to have been sent through gmail.
I would definitely assume password hack here, but the question is how did they hack the password? Usually that is through some other program or hack (not necessarily her mac if she logs in from other places too). I don't think there is enough information here to say the mac is clean, but it is not uncommon for people to have keyloggers that intercept gmail passwords. |
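Added example, not part of any post in this thread: a small Python script that does the header reading discussed above, ordering the Received hops by timestamp, reporting how the message first entered the mail system, and comparing the DKIM signing domain with the From domain. The sample headers are constructed (modelled on the ones posted, with placeholder addresses), and reading a first hop marked `with HTTP` as submission through Gmail's web interface is an assumption about how Gmail stamps its hops.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample modelled on the headers in the thread; addresses are placeholders.
SAMPLE = """\
Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.157])
 by mx.example.org for <user@example.org>; Thu, 22 Apr 2010 08:45:03 +0000 (GMT)
Received: by fg-out-1718.google.com with SMTP id e21so197760fga.16
 for <user@example.org>; Thu, 22 Apr 2010 01:40:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
 h=mime-version:date:subject:from:to; bh=PLACEHOLDER; b=PLACEHOLDER
MIME-Version: 1.0
Received: by 10.223.112.13 with HTTP; Thu, 22 Apr 2010 01:40:30 -0700 (PDT)
Date: Thu, 22 Apr 2010 03:40:30 -0500
Received: by 10.223.92.136 with SMTP id r8mr379933fam.40;
 Thu, 22 Apr 2010 01:40:31 -0700 (PDT)
Subject:
From: Sender <sender@gmail.com>
To: user@example.org
"""

def received_hops(msg):
    """Return (timestamp, host, protocol) per Received header, oldest first."""
    hops = []
    for raw in msg.get_all("Received", []):
        line = re.sub(r"\s+", " ", raw)            # unfold continuation lines
        info, _, stamp = line.rpartition(";")      # the date follows the last ';'
        host = re.search(r"\bby (\S+)", info)
        proto = re.search(r"\bwith (\S+)", info)
        hops.append((parsedate_to_datetime(stamp.strip()),
                     host.group(1) if host else None,
                     proto.group(1).upper() if proto else None))
    return sorted(hops, key=lambda h: h[0])        # header order is not chronological

def dkim_domain(msg):
    # Reads the d= tag only; the signature itself is not verified here.
    sig = re.sub(r"\s+", " ", msg.get("DKIM-Signature", ""))
    tags = dict(t.strip().partition("=")[::2] for t in sig.split(";"))
    return tags.get("d", "").lower() or None

def summarize(raw_headers):
    msg = message_from_string(raw_headers)
    first = received_hops(msg)[0]                  # hop where the mail was submitted
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signer = dkim_domain(msg)
    return {"first_hop": first[1], "submitted_via": first[2],
            "dkim_domain": signer, "from_matches_dkim": sender == signer}
```

A result of `submitted_via: HTTP` with a matching Gmail signing domain is consistent with the message having been sent from inside the account rather than forged elsewhere; it says nothing about how the password or session was obtained.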
Quote:
99% of her access to gmail is through the Mac. The only other access is when I access the account for her through my computer or my work computer, which has not happened in quite awhile (at least a month). So far none of my accounts have seen a problem, but I guess I should change passwords just in case. This work machine has Symantec on it, but it's rather old. My home machine has AVG on it. |
Quote:
I know some of the major AV vendors also have mac versions too. I don't honestly know which ones are good or not though. The only free mac AV that I have heard of is ClamAV, but I don't know if that is any good either. I know common belief in the past was you really only needed mac antivirus to protect other PC users from infected files that you might send on which wouldn't really hurt your system. That for the most part is likely still the case, so I don't want to panic you to think that the mac is the likely case here. If I had to guess I'm betting it more likely to be a password hack than a mac exploit, I just can't say for sure. |
Quote:
I'm not panicking by any stretch - so that's good. I'm just realizing I've been complacent. While the IT support I do now is application specific, in the past I have done broader IT support so I've dealt with this stuff in the past. It just opens my eyes that I need to not be lazy and assume it's a Mac so it will be fine. |
My wife had a similar thing happen (as I told you :)) and it was when she hadn't opened her home computer for like a month. And her work machine is locked down. So... who knows. I think sometimes there can be a keylogger that holds on to the information for a while and then at a later date makes use of the information.
|
This happened to my wife (old aol address) and my wife's grandfather (at&t I believe) recently.
Exact same thing...blank subject line, some spam link in the message (different in each message). I assumed it was just a password intercept so I changed her password. Haven't had anything happen since. |
dola
Meant to add...neither of them have a Mac. |