Be aware of MAC Defender malware!

Posted: Mon May 02, 2011 8:33 am
by bluesky
Be aware of this malware targeted at Mac OSX users.

Please pass this info on to other Mac users you know. ... llibility/

Re: Be aware of MAC Defender malware!

Posted: Mon May 02, 2011 9:19 am
by Stephen Hart
Note that it's fairly common (or at least used to be) to see such scams on web sites. And there are a number of other related ways advertisers try to get you to download software.

Most of this is Windows software, and won't harm a Mac. Apparently MacDefender does work on a Mac. I'll be interested to see if it really bypasses the usual OS X warnings about downloaded software. Those are so general that I bet the software does not bypass that.

Bottom line: never download any software unless you specifically went searching for that software. Never run software that you didn't deliberately download. Never answer yes if your Mac unexpectedly asks if you want to run a downloaded application.

And if you're wondering about antivirus or antimalware software, ask here first.

Re: Be aware of MAC Defender malware!

Posted: Mon May 02, 2011 2:22 pm
by bluesky
Also read more about it on the MacWorld web site here.. ... ws_h_crawl

Re: Be aware of MAC Defender malware!

Posted: Mon May 02, 2011 2:47 pm
by Stephen Hart
That is a good article David.

And, just as I thought, Macworld says it does not break OS X's security. It relies on the user to enter an admin password.
As nefarious as MAC Defender might be, the level of concern over infection remains low: Users must be tricked into downloading and installing the program, as well as entering their administrator password.
Remember that any application can include code that qualifies as malware. This one seems relatively crude.

Re: Be aware of MAC Defender malware!

Posted: Fri May 06, 2011 9:42 am
by bluesky
MACDefender malware evolves into new forms
updated 03:20 pm EDT, Thu May 5, 2011

Name, contents may vary

The MACDefender malware made public on Monday has already mutated into different versions, says security company Intego. A given example is "Mac Security," a fake antivirus program. As with MACDefender an attack begins when a person clicks on a malicious web link. This pops up a fake Windows Explorer window, claiming that a computer is infected with a prompt to remove offending code.
Clicking on Cancel actually begins downloading a ZIP file with an installer inside. Should a person click Install, and then enter their account password, Mac Security can then launch and pretend to find non-existent threats. The app's real purpose is to push people to "register" their copy of Mac Security by paying the malware's creator.

Several versions of the malware are said to be in the wild. Intego adds that these may have different names and/or payloads. They may be relatively easy to protect against though, as if they copy MACDefender and Mac Security they require a victim's permission to install.

Read more: ... z1Laxpdnvq

Re: Be aware of MAC Defender malware!

Posted: Tue May 10, 2011 9:15 am
by Stephen Hart
MACDefender updated yet again.
As usual, I add the admonition to never, ever download software unless you specifically went searching for that software.
If you're concerned about viruses or other malware on the Mac platform, ask here before you do anything.

Also note that this thread describes my attempt to help someone with the MACDefender trojan exploit.

Re: Be aware of MAC Defender malware!

Posted: Wed May 18, 2011 5:05 pm
by Stephen Hart
from Macintouch:

K. M. Peterson
All I can say about this is, "wow".
Anonymous AppleCare Rep, quoted by Ed Bott, on the "Mac Defender" malware:
Over the weekend, I got an e-mail from an AppleCare support rep, who was responding to my recent reports of Mac malware being found in the wild. At least one prominent voice in the Mac community dismisses these reports as "crying wolf." The view from inside an Apple call center says it's for real:
I can tell you for a fact, many, many people are falling for this attack. Our call volume here at AppleCare is 4-5x higher than normal and [the overwhelming majority] of our calls are about this Mac Defender and its aliases. Many frustrated Mac users think their Mac is impervious to viruses and think this is a real warning from Apple. I really wish I could say not many people will fall for this, but in this last week, we have had nothing but Mac Defender and similar calls.
I contacted this person and arranged an interview. I've edited our conversation to remove any details that might identify this individual or the call center location, but otherwise this is a verbatim transcript.
Full interview at: An AppleCare support rep talks: Mac malware is "getting worse".
[See also: What a Mac malware attack looks like. -MacInTouch]
I'll just reiterate. This is not a virus. For any harm to ensue, a user must
1. decide to download an application, then
2. decide to run that application, then
3. decide to override OSX's warning, then
4. decide to fill in a form with personal information

Let's make sure SMUG members don't get taken in by this scam. If any SMUG member sees a warning about virus protection, ask here first!

By the way, this is the usual way scammers get personal information. They ask, sometimes politely. No legitimate bank, software manufacturer, anti-virus campaigner, etc., etc. will ever ask for personal information in an unsolicited web popup or e-mail or phone call. Anything that even remotely looks like that should be ignored.

Here's my credit union's statement:

Re: Be aware of MAC Defender malware!

Posted: Fri May 20, 2011 7:39 am
by Stephen Hart
More reports of this malware on Macintouch today.
One person claims to have found the downloaded file in her Downloads folder without having downloaded anything deliberately. As that's the only report of that type I've heard of I doubt that story highly.
There's no need to buy anti-malware software for this threat. Just pay close attention to anything you download. And pay close attention to OS X warnings about downloaded applications and about applications being run for the first time. There's no excuse for not heeding these warnings.

Re: Be aware of MAC Defender malware!

Posted: Mon May 23, 2011 9:26 am
by bluesky
The Sourcefire Vulnerability Research Team (VRT) has a great blog on MacDefender, the rogue antimalware trojan currently spreading on Mac systems. ... iants.html
This malware is known by a variety of names, including "Mac Defender", "MacProtector", "Mac Security", "Apple Security", and "Apple Security Center". The blog is filled with excellent technical details and images, and it also has clear and easy procedures for removing it, which I will repeat here:

1. In Safari under "Preferences", at the bottom of the "General" tab (the first tab), uncheck "Open safe files". This will prevent Safari from starting threats like MacDefender automatically after downloading them.
2. Open up "Activity Monitor" (this is in your Utilities folder within Applications).
3. Find "MacDefender" (or whatever the malware is being called, MacProtector, Mac Security, etc.).
4. Highlight it then click "Quit Process" which looks like a big red stop sign at the top right of the Activity Monitor screen.
5. Next, open System Preferences, and go to "Accounts". When it appears click on the "Login Items" button, select the program, and then click the "minus" button to remove it from Login Items.
6. Next, navigate to your Applications folder, find the program, drag it to the trashcan, and then empty the trashcan.

Yes. It's really that simple to remove.

Re: Be aware of MAC Defender malware!

Posted: Mon May 23, 2011 4:04 pm
by Stephen Hart
Great post David.

I'd only add that in Activity Monitor, there's a "Filter" field at the upper right corner. You can type in there a key word from every version of this trojan horse that you know about.
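
As an added example (not part of the original posts, and not code from Sourcefire or Intego), the following shell script covers the detection side of the removal steps and the Activity Monitor filter tip above: it reports app bundles and running processes whose names match the ones listed in the thread. The function names and the exact-match rule are assumptions made here, and variants using other names will not be matched.

```shell
#!/bin/sh
# Added example: report apps and processes named like the MacDefender family.
# The names come from the thread; the exact-match rule is an assumption.
KNOWN_NAMES="macdefender macprotector macsecurity applesecurity applesecuritycenter"

# Lowercase and keep only letters and digits, so "Mac Defender",
# "MACDefender" and "MacDefender" all compare equal.
md_normalize() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -cd 'a-z0-9'
}

# Return 0 if the name (no path, no .app suffix) is on the list.
md_is_known_name() {
    n=$(md_normalize "$1")
    for k in $KNOWN_NAMES; do
        [ "$n" = "$k" ] && return 0
    done
    return 1
}

# Print each *.app bundle directly inside directory $1 whose name matches.
md_scan_dir() {
    for app in "$1"/*.app; do
        [ -d "$app" ] || continue
        base=${app##*/}
        if md_is_known_name "${base%.app}"; then printf '%s\n' "$app"; fi
    done
}

# Read executable paths on stdin, one per line; print the matching ones.
md_match_processes() {
    while IFS= read -r line; do
        if md_is_known_name "${line##*/}"; then printf '%s\n' "$line"; fi
    done
}

# Report only: quitting the process, removing the Login Item and trashing
# the app stay manual, as in the steps above.
md_report() {
    md_scan_dir /Applications
    md_scan_dir "$HOME/Applications"
    ps -axo comm= | md_match_processes
}

if [ "${1:-}" = "--report" ]; then md_report; fi
```

Run it with `--report` on the Mac being checked; no output means none of the listed names were found in the Applications folders or among running processes.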