
Does Malwarebytes stop "Silver Sparrow"?



I'm reading about the new bit of malware called "Silver Sparrow":

  • https://redcanary.com/blog/clipping-silver-sparrows-wings/
  • https://appleinsider.com/articles/21/02/20/more-malware-found-to-target-apple-silicon-macs
  • https://www.macrumors.com/2021/02/20/m1-macs-silver-sparrow-malware/

I'm reading that Malwarebytes is aware of the malware and that they are involved with detection.

Question: Does Malwarebytes protect me?

 


Probably, for now, but the media is making way too much of it. At this point in time, it doesn't appear to even be harmful to Mac users, but that could quickly change. Any malware that is compiled today using the latest Xcode will produce the code necessary for it to work on the new M1 Macs, and most Intel x86-only code will run on an M1 Mac thanks to Rosetta 2, so I don't understand what the big deal is that we are finding M1 malware now.


alvarnell,

Thanks for your comment, but could you please clarify. "...for it to work on the new M1 Macs, and most Intel x86-only code will run on an M1 Mac thanks to Rosetta 2..." left me in the dark because I'm not that tech savvy. Could it affect a 2020 MacBook Pro running Catalina if it becomes malicious via a payload? I know it's supposedly not doing anything at the moment, but as I understand it, it could in the future cause harm, so I'd like to remove it if possible.

Thanks for your time,

winm


2 hours ago, winm said:

"...for it to work on the new M1 Macs, and most Intel x86-only code will run on an M1 Mac thanks to Rosetta 2..." left me in the dark because I'm not that tech savvy.

You left off the beginning of that statement, which was really about two different scenarios. 

Any malware developer that compiles their code using the current version of Xcode will automatically get Apple Silicon code that runs natively on M1 Macs. So the fact that there are at least two such malware samples out there today shouldn't really surprise us.

Also, anybody with an M1 Mac that tries to run an app or process that was compiled for use on an Intel Mac only will be offered the opportunity to download an Apple process known as Rosetta 2. That process will add Apple Silicon code to the Intel-only app so that it should run on the M1 Mac from then on. In the case of old Intel-only malware that is downloaded to an M1 Mac that has Rosetta 2 on it, that malware will attempt to run after first launch. Some of them will crash, but most will be able to do whatever they were designed to do (mostly adware).

But neither of those comments was meant to specifically address Silver Sparrow, which could, of course, affect a 2020 MacBook Pro running Catalina if it becomes malicious via a payload. Malwarebytes is capable of disabling Silver Sparrow today by quarantining key components of it. If something changes in the future to somehow re-enable it, I feel confident that the signature writer will quickly update the database to account for that.

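The post above describes two situations: an Xcode build that already carries a native Apple Silicon slice, and an Intel-only binary that only runs on an M1 Mac through Rosetta 2. The check a practitioner wants when triaging a suspicious Mac binary is therefore "which architectures does this Mach-O image actually contain?" The following is an added example, not code from this thread, from Malwarebytes or from Red Canary: a small Mach-O header parser that reads the universal ("fat") header or the thin header and reports the slices present. The function names, the verdict strings and the two sample binaries are my own; the samples are constructed in-line (minimal headers only, no real code) so the script runs offline and contains no malware.

```python
import struct

# Mach-O magic numbers (values from <mach-o/loader.h> and <mach-o/fat.h>)
FAT_MAGIC = 0xCAFEBABE       # universal ("fat") binary; the fat header is always big-endian
FAT_MAGIC_64 = 0xCAFEBABF    # fat header with 64-bit slice offsets (rare)
MH_MAGIC = 0xFEEDFACE        # 32-bit thin Mach-O, stored in the target's byte order
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit thin Mach-O, stored in the target's byte order

# cputype values from <mach/machine.h>; 0x01000000 is CPU_ARCH_ABI64
CPU_TYPE_NAMES = {
    0x00000007: "i386",
    0x01000007: "x86_64",
    0x0000000C: "arm",
    0x0100000C: "arm64",
}


def mach_o_archs(data: bytes) -> list:
    """Return the architecture names carried by a thin or fat Mach-O image."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O image")
    magic_be, second_be = struct.unpack(">II", data[:8])
    if magic_be in (FAT_MAGIC, FAT_MAGIC_64):
        nfat = second_be
        entry = ">IIQQII" if magic_be == FAT_MAGIC_64 else ">IIIII"   # fat_arch_64 / fat_arch
        entry_size = struct.calcsize(entry)
        # A Java .class file also starts with 0xCAFEBABE; its next word is a version
        # number, so reject implausible slice counts instead of parsing garbage.
        if nfat == 0 or nfat > 32 or 8 + nfat * entry_size > len(data):
            raise ValueError("fat header with implausible nfat_arch")
        archs = []
        for i in range(nfat):
            off = 8 + i * entry_size
            cputype = struct.unpack(entry, data[off:off + entry_size])[0]
            archs.append(CPU_TYPE_NAMES.get(cputype, "unknown(0x%08x)" % cputype))
        return archs
    # Thin image: the header is in the target's byte order, so try both.
    for endian in ("<", ">"):
        magic, cputype = struct.unpack(endian + "II", data[:8])
        if magic in (MH_MAGIC, MH_MAGIC_64):
            return [CPU_TYPE_NAMES.get(cputype, "unknown(0x%08x)" % cputype)]
    raise ValueError("not a Mach-O image")


def apple_silicon_verdict(data: bytes) -> str:
    """Summarise how the image would run on an M1 Mac (wording is my own)."""
    archs = mach_o_archs(data)
    if "arm64" in archs:
        return "native on Apple Silicon (arm64 slice present)"
    if "x86_64" in archs:
        return "Intel-only: runs on Apple Silicon only through Rosetta 2"
    return "no arm64 or x86_64 slice: will not run on a modern Mac (%s)" % ", ".join(archs)


# --- constructed samples (header-only, not real binaries) -----------------------
def _thin_header(cputype: int) -> bytes:
    # Minimal little-endian mach_header_64: magic, cputype, cpusubtype,
    # filetype (MH_EXECUTE = 2), ncmds, sizeofcmds, flags, reserved.
    return struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 3, 2, 0, 0, 0, 0)


def _build_fat(slices) -> bytes:
    # slices: list of (cputype, cpusubtype, bytes); each slice is page aligned
    # (2^12), as lipo/ld would do for a real universal binary.
    align = 12
    page = 1 << align
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    table_end = 8 + 20 * len(slices)
    offset = table_end
    table, body = b"", b""
    for cputype, cpusubtype, blob in slices:
        offset = (offset + page - 1) // page * page
        table += struct.pack(">IIIII", cputype, cpusubtype, offset, len(blob), align)
        body += b"\0" * (offset - table_end - len(body)) + blob
        offset += len(blob)
    return header + table + body


SAMPLE_INTEL_ONLY = _thin_header(0x01000007)
SAMPLE_UNIVERSAL = _build_fat([
    (0x01000007, 3, _thin_header(0x01000007)),   # x86_64, CPU_SUBTYPE_X86_64_ALL
    (0x0100000C, 0, _thin_header(0x0100000C)),   # arm64,  CPU_SUBTYPE_ARM64_ALL
])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real use: python3 machoarch.py /path/to/suspicious/binary
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
        print(sys.argv[1], mach_o_archs(blob), apple_silicon_verdict(blob))
    else:
        for name, blob in (("intel-only sample", SAMPLE_INTEL_ONLY),
                           ("universal sample", SAMPLE_UNIVERSAL)):
            print(name, mach_o_archs(blob), apple_silicon_verdict(blob))
```

On a Mac the same answer comes from `lipo -archs <file>` or `file <file>`; the script is useful when the sample is being looked at on a Linux analysis box, and it makes the point of the post concrete: an arm64 slice means the binary needs no Rosetta 2 at all, and an x86_64-only image is still runnable on an M1 once Rosetta 2 has been installed.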

I'd like to know whether Malwarebytes has updated its signature yet to include Silver Sparrow.  Simple question.   I know the media is making too much of a big deal.  I know it's not doing anything malicious, etc etc.  Still, I'd like to know if my Mac is protected.  Simple yes or no, and if no, then when.


Sorry, I thought I had made that clear above. Those signatures were updated a few days ago, while it was still being examined by several individuals, including those in Malwarebytes Lab. As stated earlier, I have verified the presence of at least two signatures and I would guess there are more that I can't verify yet without a sample.


Malwarebytes will no doubt communicate their response via their usual messaging methods.  (enewsletter, bulletins and website resources) If there were something serious to worry about; they would have told their users with expediency and urgency.  If you are following recommended Mac security protocols - you should not be concerned.  If you are following recommended Mac security protocols AND running M-Bytes - your machine should be free of Silver Birdie (removed/quarantined) and you should not be concerned.    I'd chill and move on.  This is not a big deal ---really.


TREED is the authoritative source from Malwarebytes, but for some metrics....

"According to data provided by Malwarebytes, Silver Sparrow had infected 29,139 macOS endpoints across 153 countries as of February 17, including high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany," Red Canary's Tony Lambert wrote in a report published last week.

https://www.zdnet.com/article/30000-macs-infected-with-new-silver-sparrow-malware/
 


I'm not quite sure why you posted to this topic, as the scan results you posted are not related to Silver Sparrow.

In any case, it does appear that Malwarebytes has located the active process files associated with two infection types, so as long as you next hit the "Quarantine" button to remove those files to Quarantine, nothing else should be required.


5 hours ago, alvarnell said:

I'm not quite sure why you posted to this topic, as the scan results you posted are not related to Silver Sparrow.

In any case, it does appear that Malwarebytes has located the active process files associated with two infection types, so as long as you next hit the "Quarantine" button to remove those files to Quarantine, nothing else should be required.

Thank you, I do believe it is the same Silver Sparrow malware. I accidentally downloaded/installed the "Flash Player", which I thought was necessary to install because I was trying to install another program.

After that, Malwarebytes showed this malware.


54 minutes ago, spenksponk said:

Thank you, I do believe it is the same Silver Sparrow malware. I accidentally downloaded/installed the "Flash Player", which I thought was necessary to install because I was trying to install another program.

After that, Malwarebytes showed this malware.

LMAO! How do you "accidentally" download AND then install Flash? OMG......


  • Staff

Hello @spenksponk,

The detected threat is a different variant from OSX.SilverSparrow. We recommend quarantining the detected threats, then resetting the browser settings with the help of the article https://forums.malwarebytes.com/topic/236261-how-to-remove-the-after-effects-of-adware/?ct=1573744078 and restarting the computer.

We have published a blog post on the Silver Sparrow malware:

https://blog.malwarebytes.com/mac/2021/02/the-mystery-of-the-silver-sparrow-mac-malware/

 


7 hours ago, spenksponk said:

I do believe it is the same silver sparrow malware.. I accidentally download/installed the "Flash Player" which I thought was necessary to install because I was trying to install another program

As others have said, it very much is not Silver Sparrow. And Flash is no longer a thing as it is no longer supported by Adobe and Flash Player has been disabled on all computers that still have it installed, so you should never ever react to a message telling you to download/install it going forward.

