Don't download MACDefender (hint: MACs are not Macs)


kuwisdelu
05-03-2011, 01:17 AM
http://arstechnica.com/apple/news/2011/05/fake-mac-defender-antivirus-app-scams-users-for-money-cc-numbers.ars

Security firm Intego announced Monday that a fake antivirus program for Mac OS X has been discovered in the wild. While the threat potential remains low, inexperienced users could be fooled into paying to remove fake viruses "detected" by the software, and in the process, could end up giving credit card information to scammers.

The fake antivirus software calls itself "MAC Defender," perhaps the first hint that it should not be trusted (Apple makes "Macs," not "MACs"). Those behind the malware used SEO poisoning to make links to the software show up at the top of search results in Google and other search engines. Clicking the links that show up in search results brings up a fake Windows screen that tells the user a virus has been "detected," another clue that something is fishy. JavaScript code then automatically downloads a zipped installer for MAC Defender.

If the "Open 'safe' files after downloading" option is turned on in Safari, the installer will be unzipped and run. Since the installer requires a user password, it won't install without user interaction. However, inexperienced users may be fooled into thinking the software is legitimate.

I'll give them credit, the fake antivirus app looks pretty professional (except for the "MAC" mistake). But as usual with recent malware, particularly for OS X, even if you manage to accidentally download it with the "open safe files" option checked, you'll have to input your password for the installer, and eventually your credit card information, manually. So bottom line, don't be fooled and be smart and aware.

Also, if you aren't already running a separate non-admin account for day-to-day computing, this is a good time to start. And make sure your passwords are different, and the admin's is particularly strong.

Matera the Mad
05-03-2011, 04:39 AM
Do what he says.

MeretSeger
05-03-2011, 06:22 AM
Seriously. It took me a while to hunt it down and make sure it hadn't made a happy home in the dark recesses of my computer.

Don't be me.

Margarita Skies
05-03-2011, 05:40 PM
It sounds a lot like the Win7 Internet Security that I caught last Saturday night. It messed up my account and pissed me off. Luckily I had another Windows user account to come here and ask for help...

Snowstorm
05-03-2011, 06:44 PM
Thank you kuwisdelu! I've had pop-ups with that and had wondered about it. I would NEVER respond to a pop-up, but it's nice to be forewarned.

Margarita Skies
05-04-2011, 07:17 PM
You're a lifesaver, Kuwisdelu. Thank you so much. I don't have a Mac, but this information will be useful to me when I get one myself or if I meet and befriend a Mac user. So far, as far as I know, everyone I know personally has Windows.

kuwisdelu
05-23-2011, 05:00 AM
Sounds like this is mostly propagating through Google image searches. You go to an image and you get a url redirect to the page with fake virus warnings and an automatic download begins.

I was lucky enough to run across it while searching for wallpaper. Alas, I forgot to screenshot it before stopping the download. But avoiding it is as simple as stopping the download and deleting the .zip file.

For everyone else's sake, I hunted down a link for an infected page again so I could get a screenshot for you all:

http://dl.dropbox.com/u/143553/Apple/malware-macdefender-screenshot.png

(Note that the pop-up "window" is a fake. It's just part of the webpage. Don't click it. This is a common tactic on Windows, too. Just close the webpage like usual. I like cmd + w, since there's no chance of the keyboard shortcut accidentally hitting any fake buttons.)

Just don't give in to scareware, and anything like this is easy to avoid. The more you know. ;)

If you come across anything like this, just cancel the download and delete the file. If it completes, just delete the .zip file without opening it. If you still have "Open 'safe' files..." checked, go uncheck that now, but otherwise just cancel out of the installer and delete the files in your Downloads folder.

Margarita Skies
05-23-2011, 03:23 PM
Thank you for taking the time to do this. You're awesome.

alleycat
05-23-2011, 03:34 PM
(Note that the pop-up "window" is a fake. It's just part of the webpage. Don't click it. This is a common tactic on Windows, too. Just close the webpage like usual. I like cmd + w, since there's no chance of the keyboard shortcut accidentally hitting any fake buttons.)
Bolding mine.

This is good advice for everyone.

Don't click something that seems suspicious. If you're using Windows and can't close the webpage normally, bring up Task Manager and kill the process. Better safe than sorry.

kuwisdelu
06-03-2011, 12:40 AM
For anyone with a Mac worried they might fall for this trick, Security Update 2011-003 was pushed out this Tuesday and addresses the issue. The MacDefender malware is detected upon download and when it is detected, you will be warned that the software will harm your computer and be prompted to move it to Trash. The update also includes support for automatic daily updates to malware signatures. (link (http://www.macrumors.com/2011/05/31/apple-addresses-mac-defender-threat-with-security-update-2011-003-for-snow-leopard/))

The malware authors released a new variant of MacDefender only 8 hours after this software update was pushed that isn't recognized by the initial security update's dictionary of signatures. (link (http://www.macrumors.com/2011/06/01/new-variant-of-mac-defender-quickly-evades-apples-security-update-as-cat-and-mouse-game-begins/)) However, Apple seems to intend to fight malware aggressively, and has since already issued an automatic update to the list of malware signatures that identifies and protects against the newest variants. (link (http://www.macrumors.com/2011/06/02/apple-responds-quickly-to-evolving-mac-defender-threat-with-updated-malware-definitions/))

Everyone — and particularly those who are less tech-savvy — is encouraged to install the security update as soon as possible, just to be safe. Further analysis here (http://arstechnica.com/apple/news/2011/06/apple-malware-cat-and-mouse.ars).

Fulk
06-03-2011, 02:53 AM
Had this thing try to trick me (back before the update). Fortunately it requires that you actually install it yourself, and I knew better than that. Still it was a bit of a shock having my first run-in with any sort of Mac malware. I just wanted an Aperture Science wallpaper!