Don't download MACDefender (hint: MACs are not Macs)

kuwisdelu

Revolutionize the World
Super Member
Registered
Joined
Sep 18, 2007
Messages
38,197
Reaction score
4,544
Location
The End of the World
http://arstechnica.com/apple/news/2011/05/fake-mac-defender-antivirus-app-scams-users-for-money-cc-numbers.ars

Security firm Intego announced Monday that a fake antivirus program for Mac OS X has been discovered in the wild. While the threat potential remains low, inexperienced users could be fooled into paying to remove fake viruses "detected" by the software, and in the process, could end up giving credit card information to scammers.

The fake antivirus software calls itself "MAC Defender," perhaps the first hint that it should not be trusted (Apple makes "Macs," not "MACs"). Those behind the malware used SEO poisoning to make links to the software show up at the top of search results in Google and other search engines. Clicking the links that show up in search results brings up a fake Windows screen that tells the user a virus has been "detected," another clue that something is fishy. JavaScript code then automatically downloads a zipped installer for MAC Defender.

If the "Open 'safe' files after downloading" option is turned on in Safari, the installer will be unzipped and run. Since the installer requires a user password, it won't install without user interaction. However, inexperienced users may be fooled into thinking the software is legitimate.

I'll give them credit, the fake antivirus app looks pretty professional (except for the "MAC" mistake). But as usual with recent malware, particularly for OS X, even if you manage to accidentally download it with the "open safe files" option checked, you'll have to input your password for the installer, and eventually your credit card information, manually. So bottom line, don't be fooled and be smart and aware.

Also, if you aren't already running a separate non-admin account for day-to-day computing, this is a good time to start. And make sure your passwords are different, and the admin's is particularly strong.
 

MeretSeger

The Alydar of Writers
Super Member
Registered
Joined
Feb 26, 2011
Messages
387
Reaction score
44
Location
sunny*snork*California
Seriously. It took me a while to hunt it down and make sure it hadn't made a happy home in the dark recesses of my computer.

Don't be me.
 

Snowstorm

Baby plot bunneh sniffs out a clue
Super Member
Registered
Joined
Feb 26, 2008
Messages
13,724
Reaction score
1,122
Location
Wyoming mountain cabin
Thank you kuwisdelu! I've had pop-ups with that and had wondered about it. I would NEVER respond to a pop-up, but it's nice to be forewarned.
 

kuwisdelu

Revolutionize the World
Super Member
Registered
Joined
Sep 18, 2007
Messages
38,197
Reaction score
4,544
Location
The End of the World
Sounds like this is mostly propagating through Google image searches. You go to an image and you get a URL redirect to the page with fake virus warnings and an automatic download begins.

I was lucky enough to run across it while searching for wallpaper. Alas, I forgot to screenshot it before stopping the download. But avoiding it is as simple as stopping the download and deleting the .zip file.

For everyone else's sake, I hunted down a link for an infected page again so I could get a screenshot for you all:

[Screenshot: malware-macdefender-screenshot.png]


(Note that the pop-up "window" is a fake. It's just part of the webpage. Don't click it. This is a common tactic on Windows, too. Just close the webpage like usual. I like cmd + w, since there's no chance of the keyboard shortcut accidentally hitting any fake buttons.)

Just don't give in to scareware, and anything like this is easy to avoid. The more you know. ;)

If you come across anything like this, just cancel the download and delete the file. If it completes, just delete the .zip file without opening it. If you still have "Open 'safe' files..." checked, go uncheck that now, but otherwise just cancel out of the installer and delete the files in your Downloads folder.
 
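The two things this post and the quoted article tell you to check are the Safari "Open 'safe' files after downloading" option and any zipped installer sitting in your Downloads folder. The script below is an added example (not code from the thread or from Apple) that does both checks offline: it reads a Safari preferences plist for the real `AutoOpenSafeDownloads` key of the `com.apple.Safari` domain, and lists every .zip in a downloads directory whose contents include a .pkg, .mpkg or .app, so you can review and delete them without opening anything. The 2011-era file locations under `~/Library/Preferences` and `~/Downloads` are assumptions; the sample preference files and archives that `build_sample()` creates are constructed for the demonstration and contain no real MAC Defender files.

```python
"""Defender-side checks for the two risk factors described in the thread:
Safari's auto-open option and zipped installers waiting in Downloads.
Added example; file locations are assumptions, sample data is constructed."""
import os
import plistlib
import tempfile
import zipfile

# Real Safari preference key (domain com.apple.Safari) behind the
# "Open 'safe' files after downloading" checkbox. Safari shipped with it on.
SAFARI_AUTO_OPEN_KEY = "AutoOpenSafeDownloads"
# Archive members with these suffixes are installers or app bundles.
INSTALLER_MARKERS = (".pkg", ".mpkg", ".app")


def safari_auto_open_enabled(plist_path):
    """True/False for the auto-open option in the plist at plist_path.
    Returns None when the plist does not exist; an existing plist that lacks
    the key reports True because that was Safari's shipped default."""
    if not os.path.exists(plist_path):
        return None
    with open(plist_path, "rb") as fh:
        prefs = plistlib.load(fh)  # handles both XML and binary plists
    return bool(prefs.get(SAFARI_AUTO_OPEN_KEY, True))


def installer_entries(zip_path):
    """Archive members whose path contains a .pkg/.mpkg/.app component."""
    hits = []
    with zipfile.ZipFile(zip_path) as zf:
        for name in zf.namelist():
            components = name.rstrip("/").split("/")
            if any(c.lower().endswith(INSTALLER_MARKERS) for c in components):
                hits.append(name)
    return hits


def suspicious_archives(downloads_dir):
    """Map zip filename -> installer members, for every zip in downloads_dir
    that carries an installer. Archives are only listed, never extracted."""
    found = {}
    for entry in sorted(os.listdir(downloads_dir)):
        path = os.path.join(downloads_dir, entry)
        if not entry.lower().endswith(".zip") or not zipfile.is_zipfile(path):
            continue
        members = installer_entries(path)
        if members:
            found[entry] = members
    return found


def build_sample():
    """Create a throwaway directory with constructed sample data: one archive
    that looks like a zipped installer, one harmless wallpaper archive, and
    Safari plists with the option on and off."""
    base = tempfile.mkdtemp(prefix="macdefender-demo-")
    downloads = os.path.join(base, "Downloads")
    os.mkdir(downloads)
    with zipfile.ZipFile(os.path.join(downloads, "fake-defender.zip"), "w") as zf:
        zf.writestr("MAC Defender.mpkg/Contents/Info.plist", "<plist/>")
        zf.writestr("README.txt", "constructed sample, not real malware")
    with zipfile.ZipFile(os.path.join(downloads, "wallpaper.zip"), "w") as zf:
        zf.writestr("wallpaper/aperture.jpg", "constructed sample, not a jpeg")
    enabled = os.path.join(base, "safari-enabled.plist")
    with open(enabled, "wb") as fh:
        plistlib.dump({SAFARI_AUTO_OPEN_KEY: True}, fh)
    disabled = os.path.join(base, "safari-disabled.plist")
    with open(disabled, "wb") as fh:
        plistlib.dump({SAFARI_AUTO_OPEN_KEY: False}, fh)
    return {"downloads": downloads, "plist_enabled": enabled,
            "plist_disabled": disabled,
            "plist_missing": os.path.join(base, "absent.plist")}


if __name__ == "__main__":
    # Assumed 2011-era locations; newer macOS keeps Safari prefs in a container.
    home = os.path.expanduser("~")
    prefs = os.path.join(home, "Library", "Preferences", "com.apple.Safari.plist")
    downloads = os.path.join(home, "Downloads")
    state = safari_auto_open_enabled(prefs)
    print("Safari auto-open:", "no Safari prefs found" if state is None else state)
    if os.path.isdir(downloads):
        for name, members in suspicious_archives(downloads).items():
            print("review before opening:", name, "->", members)
```

The same setting can be read from a Terminal with `defaults read com.apple.Safari AutoOpenSafeDownloads`; the script only inspects archive listings and never extracts or runs anything, which is the point: a zipped installer is harmless until someone opens it and types an admin password.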

alleycat

Still around
Kind Benefactor
Super Member
Registered
Joined
Apr 18, 2005
Messages
72,919
Reaction score
12,277
Location
Tennessee
> (Note that the pop-up "window" is a fake. It's just part of the webpage. Don't click it. This is a common tactic on Windows, too. Just close the webpage like usual. I like cmd + w, since there's no chance of the keyboard shortcut accidentally hitting any fake buttons.)
Bolding mine.

This is good advice for everyone.

Don't click something that seems suspicious. If you're using Windows and can't close the webpage normally, bring up Task Manager and kill the process. Better safe than sorry.
 

kuwisdelu

Revolutionize the World
Super Member
Registered
Joined
Sep 18, 2007
Messages
38,197
Reaction score
4,544
Location
The End of the World
For anyone with a Mac worried they might fall for this trick, Security Update 2011-003 was pushed out this Tuesday and addresses the issue. The MacDefender malware is detected upon download, and when it is detected you will be warned that the software will harm your computer and be prompted to move it to Trash. The update also includes support for automatic daily updates to malware signatures. (link)

The malware authors released a new variant of MacDefender only 8 hours after this software update was pushed that isn't recognized by the initial security update's dictionary of signatures. (link) However, Apple seems to intend to fight malware aggressively, and has since already issued an automatic update to the list of malware signatures that identifies and protects against the newest variants. (link)

Everyone — and particularly those who are less tech-savvy — is encouraged to install the security update as soon as possible, just to be safe. Further analysis here.
 
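The post above describes a signature list that catches the original installer on download, misses a variant released eight hours later, and then catches it once the signature list is updated. The following is an added example (not code from the thread or Apple's actual XProtect implementation or file format) that models that sequence with a simplified signature database: exact-hash signatures, which any change to the installer defeats, alongside byte-pattern signatures, which survive small edits. The threat names, the installer byte strings and the "daily update" step are all constructed for illustration.

```python
"""Toy model of download-time signature scanning with updatable definitions.
Added example; simplified stand-in for a real scanner, not Apple's format.
All installer bytes below are constructed samples, not real malware."""
import hashlib
import re

ORIGINAL_INSTALLER = b"PKG\x00MAC Defender 1.0 installer (constructed sample)\x00payload"
VARIANT_INSTALLER = b"PKG\x00MAC Defender 1.1 installer (constructed sample)\x00payload2"
CLEAN_FILE = b"JPEG wallpaper bytes (constructed sample)"


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


class SignatureDB:
    """Versioned definitions: exact SHA-1 matches plus byte-pattern regexes."""

    def __init__(self, version):
        self.version = version
        self.hashes = {}    # sha1 hex digest -> threat name
        self.patterns = []  # (compiled bytes regex, threat name)

    def add_hash(self, sample, name):
        """Register the hash of a known-bad sample (as a definitions update would)."""
        self.hashes[sha1_hex(sample)] = name

    def add_pattern(self, regex, name):
        """Register a byte pattern shared by a malware family."""
        self.patterns.append((re.compile(regex), name))

    def scan(self, data):
        """Return the threat name for data, or None if nothing matches."""
        name = self.hashes.get(sha1_hex(data))
        if name:
            return name
        for rx, pattern_name in self.patterns:
            if rx.search(data):
                return pattern_name
        return None


def download_decision(db, data):
    """What the download-time check does: warn and offer the Trash, or allow."""
    name = db.scan(data)
    return ("warn: move to Trash", name) if name else ("allow", None)


def timeline():
    """Replay the sequence from the thread and return what each scan reported."""
    results = {}
    # Day 0: the security update ships definitions for the known installer.
    db = SignatureDB(version=1)
    db.add_hash(ORIGINAL_INSTALLER, "OSX.MacDefender.A")  # illustrative name
    results["v1_original"] = db.scan(ORIGINAL_INSTALLER)
    results["v1_variant"] = db.scan(VARIANT_INSTALLER)  # new bytes, new hash: missed
    results["v1_clean"] = db.scan(CLEAN_FILE)
    # Hours later: the automatic definitions update adds the variant's hash and
    # a family-wide pattern so the next minor rebuild is caught as well.
    db.version = 2
    db.add_hash(VARIANT_INSTALLER, "OSX.MacDefender.B")  # illustrative name
    db.add_pattern(rb"MAC Defender \d+\.\d+ installer", "OSX.MacDefender")
    results["v2_variant"] = db.scan(VARIANT_INSTALLER)
    results["v2_future"] = db.scan(b"PKG\x00MAC Defender 1.2 installer\x00x")
    results["v2_clean"] = db.scan(CLEAN_FILE)
    return results


if __name__ == "__main__":
    for step, outcome in timeline().items():
        print(f"{step:12s} -> {outcome}")
```

The hash entry is precise but brittle: one changed byte in the installer, and the day-zero definitions report nothing, which is exactly the window the post describes. The pattern entry trades some precision for coverage of the family, and the daily definitions update is what closes the gap either way; the user-side lesson from the thread still stands, since the scanner only helps if the security update and its definitions are actually installed.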

Fulk

Occasional Contributer
Super Member
Registered
Joined
Jun 2, 2008
Messages
571
Reaction score
40
Location
Illinois
Had this thing try to trick me (back before the update). Fortunately it requires that you actually install it yourself, and I knew better than that. Still, it was a bit of a shock having my first run-in with any sort of Mac malware. I just wanted an Aperture Science wallpaper!