hoakley February 14, 2018 Macs, Technology

Apple updates its malware removal tool, MRT

Apple is in the process of pushing an update to its malware removal tool, MRT, bringing it to version 1.29.

Although Apple neither announces such updates nor reveals their changes, this new version of MRT adds code to deal with two malware products, named by Apple as OSX.Mudminer.A and OSX.Nwm0zjrk.A. Security experts consider that OSX.Mudminer.A is Apple’s in-house name for OSX.CreativeUpdate, which was inadvertently spread by malicious links posted to MacUpdate between 1 and 2 February 2018. OSX.Nwm0zjrk.A remains unidentified.

This new version of MRT has a build date of 9 February 2018. Assuming that OSX.Mudminer.A and OSX.CreativeUpdate are one and the same, this gives an unusually precise timeline for this:

1 Feb – release via MacUpdate
2 Feb – removal of download links from MacUpdate
2 Feb – Malwarebytes detects and removes, other products following rapidly
9 Feb – MRT new version built for release
14 Feb – Apple pushes MRT update.

Distribution of the malware appears to have ceased once MacUpdate (and secondary aggregators) removed links on 1-2 February.

Not new, but worth noting, is MRT’s coverage of several unwanted or malicious Safari extensions. These currently include:

Omnibar.safariextz, part of Genieo
GoldenBoy.safariextz
Nariabox.safariextz
Perfetnight.safariextz
Smokycap.safariextz
Smokycap-2.safariextz
SearchConnect.safariextz
SafariProxy, part of Dok.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by LockRattler and SystHist for El Capitan, Sierra and High Sierra, available from Downloads above. If your Mac has not yet updated MRT itself, you can force an update using LockRattler, or at the command line.

I maintain lists of the current versions of security data files for Sierra on this page, for High Sierra on this page, and for El Capitan on this page.

I also maintain a detailed listing of the individual malware which the current versions of XProtect and MRT detect and remove in this article.

8Comments

Add yours

1

Larry Rosenblum on February 14, 2018 at 8:19 am

I realize Apple’s malware tools are shrouded in secrecy, but it’s hard to know whether additional anti-malware tools are advisable when we don’t know exactly what we already have on our Macs. Do you know, and if so would you let us know, when and how MRT is run by MacOS? If it removes malware, does it send a message to the user, or does it only write an entry in a log, or perhaps neither? Is it possible to run MRT manually, and if so would there be any benefit to doing so?

LikeLiked by 1 person
- 2
  
  hoakley on February 14, 2018 at 9:07 am
  
  Thank you – very difficult questions!
  No, I don’t know when or how MRT is run by macOS. Apple doesn’t document it, and it doesn’t appear to make its activities known in the log. My presumption has been that, whenever files are downloaded or installed, XProtect and MRT are called, possibly by Gatekeeper during its checking. It certainly does run sometimes – some users have reported issues with it, which are manifest in Activity Monitor.
  My understanding is that MRT does inform the user in alerts if it finds and/or deals with any issues. I haven’t seen it do so, though, which may be a good thing!
  I don’t think manually running MRT from /System/Library/CoreServices does anything useful, although it is an app rather than a command tool.
  Apple just wants us to leave it all to them to address for us. That’s not the way that modern security works, though.
  Howard.
  
  LikeLike
  - 3
    
    Unique Design on March 24, 2019 at 2:07 am
    
    MRT ran when i moved 90gb of data from the root drive into the users home folder after issue with APFS on a Samsung SSD drive where it was not showing correct free space after deleting large files and also not correctly counting the size of files on external drives as noted by Lloyd Chambers from digilloyd and noted on macperformaceguide website. This amongst 2 other complete drops of the ball, iCloud Drive turned on automatically and photoanalysis scanning process, its killing older machines and slowing everything else down. Where is the off switch? No this is an automated car manual is not allowed!!
    
    LikeLiked by 1 person
    - 4
      
      hoakley on March 24, 2019 at 9:56 am
      
      I’m baffled that you say that MRT ran. Did you see it in Activity Monitor? It is very rarely observed in action, and that could suggest that there was malware to be removed, which should have brought a prominent warning.
      Yes, there are complex issues over file sizing still with APFS volumes.
      I’m also not sure how iCloud Drive could have overridden settings in the iCloud pane. Are you sure that you didn’t get trapped into putting Desktop and Documents into iCloud by mistake? It’s happened to me!
      Howard.
      
      LikeLike
5

Yara(1) | ERAvila on September 29, 2018 at 5:58 pm

[…] hoakley,”Apple updates its malware removal tool, MRT“, The Eclectic Light Company, web. Published: 2018.02.14; Visited: 2018.09.27. URL: https://eclecticlight.co/2018/02/14/apple-updates-its-malware-removal-tool-mrt/ […]

LikeLike
6

Unique Design on March 24, 2019 at 11:24 am

It was Yarascanservice that was running as a new part of MRT in Activity Monitor and I knew this the minute it ran, as for 20+ years I have install Menumeters on every Mac I have serviced and continue to service, hell you wouldn’t drive a car without a dashboard. Yarascanservice will also run if you install pirate copies of software as this is where allot of trojans on the PC get installed. All of this energy and email is still like spotting a suspicious package in a shopping centre, where is the end to end ISP stamp. Lookup Yara on wiki and also go to yararules dot com and be careful not to fall into the habit hole.

APFS is one big experiment and currently Apple have not released any documentation so that utility companies like Alsoft Disk Warrior can make a APFS version. Problem is they still have to add Hidden File Damage auto repair (like ZFS) so that their Car Autonomous Driving Software can’t be corrupted. Currently we have to clone off, format, then put back or even start again from scratch and some disks just can’t be fixed.

I have rescued at least 15 people/companies from the iCloud Drive debacle, that is no longer present in 10.14. Customers with earlier versions 10.11 10,12 that ticked iCloud Drive previously get a screen saying yes you want all iCloud and Find my Mac ticked when installing 10.13, no disclosure that your files are now going to be put in the Cloud. So I am surprised there is not a US class action over this rude prosumption and push to sell more iCloud.

There is however a class action on another rude police style action, Turning On 2 Part Authentication and NOT being able to turn it OFF by the same guy that got Apple to reveal they were deliberately slowing all older mobile phones down because they where too cheapskate to replace the faulty batteries. Now know as Batterygate.

We the greater mac community are sick of authoritarian style rulers (nanny state controllers). We want the options to turn of Scanning, copying of our data, turn off reminders to update, over security and a dialogue box, to TURN OFF, if your scanning our files (Yarascanservices) or pictures (photoanalysisd). Hell I have had a ATM card with only 4 pin number for 34 years with no issues and never had a virus is OSX or a trojan as I use different browsers for different purposes.

LikeLiked by 1 person
- 7
  
  hoakley on March 24, 2019 at 12:29 pm
  
  OK, I think that there are some misunderstandings here.
  As far as I have seen, in Mojave at least, Yara scans are XProtect (whose data files including Yara files) rather than MRT. I’ve just checked through recent MRT executables, and there’s no sign of ‘yara’ anywhere in their strings, whereas they are well-known in XProtect.
  Normally, XProtect will be called to briefly scan executable bundles and some files (such as JPEG images) when they are being opened, and most commonly scans in full when the quarantine flag has been set. I’m not sure how that might have happened with your files, but if they all had the flag set and were all being opened (not just copied), then that may explain sustained XProtect scanning activity.
  I see that there are some reports of Yara scan XPC service linked to MRT in High Sierra, but I’m not sure whether those popular explanations make sense, and they don’t seem to hold good in Mojave, for sure.
  Apple released documentation for APFS last September, and has since updated it twice. Although it isn’t as explicit as many had hoped for, the document is well over 100 pages, and Alsoft are currently testing an APFS version of Disk Warrior. I wouldn’t hold your breath waiting for it, though, as APFS is very different from HFS+ and requires a complete rethink. APFS version 1 in High Sierra also differs considerably from version 2 in Mojave, which is of full release quality now, and running on millions of Macs and hundreds of millions of iOS devices with remarkably few problems. It is now no more of an experiment than any other file system.
  APFS does include a mature implementation of fsck_apfs, and as far as anyone knows isn’t waiting for any other repair tools from Apple.
  Enabling iCloud Drive doesn’t automatically push any of your documents onto iCloud: I think that you’re confusing that with the ‘Desktop and Documents in iCloud’ option, which remains an option, although some installers etc. have tried to trick users into agreeing to it. This iMac Pro uses iCloud Drive, but not the Desktop and Documents option – I did once accidentally get tricked into agreeing to that but turned it back off immediately. It’s simple to do.
  Finally, many of these features are built into macOS, and the choice is simple: if you don’t want what is engineered into it, then switch to a different operating system. Actually my concern with XProtect, MRT and Gatekeeper is that they aren’t protective enough, and that Apple should be making them more effective, not providing any option to disable them. The same for Mojave’s privacy protection with TCC.
  Howard.
  
  LikeLike
8

cwinte on August 28, 2019 at 12:33 pm

mmm, nice measured reply there HO…

LikeLike

·Comments are closed.

Share this:

Like this:

Related