
Thread: Defending against MACDefender - By Glenn Brensinger

  1. #1
    Joined
    Oct 2001
    Location
    Frederick, Maryland, United States
    Posts
    5,171

    Defending against MACDefender - By Glenn Brensinger

    The following came to me by Small Dog Electronics out of Vermont. I subscribe to their Small Dogs Tech Tails Newsletter which is a wonderful resource and has taught me much about Macs and OS-X over the years. Visit their site at http://www.smalldog.com

    Defending against MACDefender
    By Glenn Brensinger


    Recently, a new form of malware has been making the rounds and causing distress among Mac users. While surfing the web—typically Google Images—a message may pop up claiming your Mac is infected with a virus and recommending that you install a security program to clean it off. The program will then automatically prompt you for your system password to allow itself to install. After entering your administrator password, the next time you start your Mac, you will receive a message stating your machine is infected with a virus, and that the only way to get rid of it is to pay to register the software. Your system might also start randomly showing adult websites and Viagra ads to further “prove” it is infected. While some of these symptoms may seem convincing, the good news is, they are all fake—there is no virus on your Mac.

    The idea of “scareware” is not new. In the case of MACDefender, all of the warnings shown are fake; registering the program will do nothing more than remove them. Not only does MACDefender not clean anything, there was nothing to clean in the first place. This malware exists solely to dupe users into giving their credit card numbers to a scammer. For a long time, these scare tactics were limited to Windows systems, since a “virus scanner” could install itself in the background without user intervention. A window appearing to be a legitimate Windows error screen would pop up and ask if you wanted to install a program to clean your system. Unfortunately, in this instance, regardless of what you selected, your PC would already be infected. Thankfully, Macs are immune to this kind of browser exploit.

    MACDefender appears to be a different animal as it isn’t a web page made to look like an application warning, it’s actually a Mac application. Many fake warnings use very poor grammar, so they are typically easy to spot as scams. While MACDefender is better than most, it still has its share of grammatical mistakes. For example, the “About” information contains the phrase: “The largest worldwide companies trust MAC Defender their nets and security.” However professional it may look, any malware appearing on OS X is bound by its built-in security model: An application cannot be installed and modify system settings without an administrator password. In order to trick you into entering your password, the application makes it sound like the only smart choice is to install it. This is the critical step. If you do not enter your password, the application cannot install and no harm is done. If you did register the program and entered credit card information, you should call your bank immediately to alert them to watch your account activity.

    Though any financial information given to the app unfortunately cannot be rescinded, it is at least relatively easy to remove MACDefender from your machine:

    1. Open System Preferences and go to the Accounts pane.
    2. Look at the login items for your account and find the listing for MACDefender. (It may also be called Mac Defender, Mac Security, Apple Security, or Mac Protector.) Select the entry and click the “-” sign to delete it. Do not delete any other entries unless there is more than one listing for MACDefender.
    3. Restart your system. The fake “warnings” should not come up.
    4. Go to Applications and look for a program named one of the aforementioned titles. Drag this application to the Trash, and empty the trash.

    To help prevent an attack like this from happening again, we recommend visiting Safari preferences and unchecking “Open safe files after downloading.” This will prevent applications from automatically launching. We also suggest visiting Sophos and downloading its free Mac scanner, which will warn you the next time something like MACDefender tries to infiltrate your computer.

    To clarify a few points: Google Images is not the source of the problem. Whoever is trying to spread garbage like MACDefender is setting up web pages to spread it, and manipulating Google’s search engine to rank their sites higher. No matter what you search for, their site will appear—an attack such as this is called SEO poisoning. Second, MACDefender and its ilk are not technically viruses. A virus spreads itself without user intervention. Due to the security model built into OS X, a virus would not be able to install itself. MACDefender is considered to be malware, which can be as bad as a virus but cannot spread on its own from computer to computer. The best way to prevent malware is to pay attention to what you’re clicking on. If you go to a web page and are prompted for your system’s administrator password, you should navigate away from that page immediately.
    Bernie (Bernard Lopez)

    Owner/publisher of DiscoMusic.com - on the web since 1996.

    DiscoMusic.com on Facebook and MySpace
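
The login-item and Applications checks from the removal steps in post #1, as an added read-only example (not part of the newsletter article or of the original post). The function names are hypothetical, matching that ignores case and spaces is an assumption, and the live audit assumes the `osascript` login-item query and Safari's `AutoOpenSafeDownloads` preference key are readable on the Mac in question.

```shell
#!/bin/bash
# Added example: read-only check for the names listed in the article.
# Nothing is deleted; matches are only printed for manual review.

# Names from the article, written without spaces (matching ignores spaces and case).
NAMES="MACDefender MacSecurity AppleSecurity MacProtector"

# Lowercase, drop spaces and a trailing ".app" so "Mac Defender.app" == "MACDefender".
normalize() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d ' ' | sed 's/\.app$//'
}

# Return 0 if the given name is one of the article's names.
is_suspect_name() {
  local n k
  n=$(normalize "$1")
  for k in $NAMES; do
    [ "$n" = "$(normalize "$k")" ] && return 0
  done
  return 1
}

# Print every .app bundle directly under the given folder whose name matches.
scan_apps() {
  local app
  for app in "$1"/*.app; do
    [ -e "$app" ] || continue
    if is_suspect_name "$(basename "$app")"; then printf '%s\n' "$app"; fi
  done
}

# Read login item names, one per line, from stdin and print the matching ones.
scan_login_items() {
  local item
  while IFS= read -r item; do
    if is_suspect_name "$item"; then printf '%s\n' "$item"; fi
  done
}

# Live audit: only on a Mac, and only when asked for with --audit.
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--audit" ]; then
  echo "Applications:"; scan_apps /Applications
  echo "Login items:"
  osascript -e 'tell application "System Events" to get the name of every login item' \
    | tr ',' '\n' | sed 's/^ *//' | scan_login_items
  echo "Safari auto-open (want 0):"
  defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo "unreadable or unset"
fi
```

A match is only a prompt to look at the entry by hand, since a legitimate item could share one of the more generic names.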

  2. #2
    Joined
    Jun 2004
    Location
    Germany
    Posts
    7,830

    Re: Defending against MACDefender - By Glenn Brensinger

    I think this could be interesting 2!

    http://blog.intego.com/2011/05/02/ma...seo-poisoning/

  3. #3
    Joined
    Jan 2005
    Location
    Central Coast California
    Posts
    5,370

    Re: Defending against MACDefender - By Glenn Brensinger

    *****
    this is interesting.
    I'm using Windows, not Mac, but ---

    a couple of weeks ago, while downloading an image from googles images (Donna Summer CAT WITHOUT CLAWS lp cover specifically) suddenly a wild pop up came on warning I was being attacked by a virus and then an appearance that my files were being rapidly searched.

    I immediately turned off my computer but when I restarted using firefox the same thing continued. So I shut down again and re-began using Bing.... no problem.

    then after a couple of days, I erased all my history before I returned to firefox & it was OK.


    but ya..... now I hesitate to use GOOGLES images.
    Baby, take me
    high upon a hillside

    high up where the stallion
    meets the sun



  4. #4
    Joined
    Jun 2004
    Location
    Germany
    Posts
    7,830

    Re: Defending against MACDefender - By Glenn Brensinger

    Quote Originally Written by remicks:
    a couple of weeks ago, while downloading an image from googles images (Donna Summer CAT WITHOUT CLAWS lp cover specifically) suddenly a wild pop up came on warning I was being attacked by a virus and then an appearance that my files were being rapidly searched
    Remmy, this is becoming a pain in da butt. Even when I'm looking for car pics, fake virus scanners pop up.

    http://community.websense.com/blogs/...-poisoned.aspx

    http://blog.trendmicro.com/blackhat-...ch/#more-33877

    http://blog.unmaskparasites.com/2011...earch-results/

  5. #5
    Joined
    Jun 2004
    Location
    Germany
    Posts
    7,830

    Re: Defending against MACDefender - By Glenn Brensinger

    Calling Steve...or not calling Steve http://www.zdnet.com/blog/bott/apple...c-malware/3375

  6. #6
    Joined
    Jun 2004
    Location
    Germany
    Posts
    7,830

    Re: Defending against MACDefender - By Glenn Brensinger

    In a few days Apple will provide a solution for this malware: http://support.apple.com/kb/HT4650
