Wednesday, 4 May 2011

Fake Antivirus program warning for Mac users


Mac security specialist Intego issued a memo on Monday warning users of Apple's desktop and laptop computers to keep an eye out for a crafty new antivirus program called MAC Defender. As fate would have it, the app is nothing more than a nasty virus in sheep's clothing, and a few accidental clicks on search engines such as Google might mess up your day rather badly.

The MAC Defender software uses commonly searched terms to get prominent placement in search engine results. So, users looking for legitimate protection against viruses on their Macs might be duped into downloading and installing MAC Defender instead. Clicking the links that show up in search results brings up a fake Windows screen that tells the user a virus has been "detected," another clue that something is fishy. JavaScript code then automatically downloads a zipped installer for MAC Defender. If the "Open 'safe' files after downloading" option is turned on in Safari, the installer will be unzipped and run. Since the installer requires a user password, it won't install without user interaction. However, inexperienced users may be fooled into thinking the software is legitimate.

Once installed, the program apparently pretends to detect viruses and opens Web browser windows with pornographic sites, to help sell the charade that the computer is infected. It also configures itself to launch at startup and is difficult to quit, as it only appears as a menu bar icon and not in OS X's Dock. If users try to clean the "viruses", they first have to register MAC Defender; clicking on the link to do so via the program's About screen takes them to an insecure website that offers a 1-year, 2-year, or lifetime license to the program for $60, $70, or $80 respectively. Registering halts the virus warnings, thus "confirming" that the program is working.

As with the rare Mac malware threats that have arisen in the past, the best defense against a Trojan horse like MAC Defender is education and common sense. There's no need to panic, as long as you're taking the usual proper precautions while browsing the Web. You should uncheck Safari's 'Open "safe" files after downloading' option in the General pane of its Preferences. This will prevent files like ZIP archives from automatically being opened. And, of course, you should always be wary of installing any application from an unknown source.

Action to take: In Safari, go to the Safari menu and choose Preferences. In the first tab, General, ensure that the 'Open "safe" files after downloading' option is not enabled.
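For anyone looking after several accounts or Macs, the same check can be scripted. The following is an added example, not part of the original post: it reads each account's Safari preferences file and reports whether the auto-open option is on. The key name `AutoOpenSafeDownloads`, the two plist locations and the "missing key means enabled" default are assumptions about Safari, and the three accounts are constructed sample data.

```python
import plistlib
import tempfile
from pathlib import Path

# Safari preference behind 'Open "safe" files after downloading' (assumed key name).
PREF_KEY = "AutoOpenSafeDownloads"
# Assumed locations relative to a home directory: sandboxed Safari first,
# then the legacy path used by older releases.
CANDIDATES = (
    "Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari.plist",
    "Library/Preferences/com.apple.Safari.plist",
)

def auto_open_enabled(plist_bytes):
    """True if Safari would auto-open downloads; XML and binary plists both parse."""
    prefs = plistlib.loads(plist_bytes)
    # A missing key is treated as enabled (assumption: the option defaults to on).
    return bool(prefs.get(PREF_KEY, True))

def audit_homes(users_root):
    """Map each account under users_root to 'ENABLED', 'disabled' or 'unreadable'."""
    results = {}
    for home in sorted(Path(users_root).iterdir()):
        for rel in CANDIDATES:
            path = home / rel
            try:
                if not path.is_file():
                    continue  # try the next candidate location
                enabled = auto_open_enabled(path.read_bytes())
                results[home.name] = "ENABLED" if enabled else "disabled"
            except Exception:  # permission denied or corrupt plist
                results[home.name] = "unreadable"
            break
    return results

def demo():
    """Constructed sample data: three fake accounts in a temporary directory."""
    samples = {"alice": {PREF_KEY: False}, "bob": {}, "carol": {PREF_KEY: True}}
    with tempfile.TemporaryDirectory() as root:
        for i, (user, prefs) in enumerate(samples.items()):
            path = Path(root, user, CANDIDATES[i % 2])
            path.parent.mkdir(parents=True)
            fmt = plistlib.FMT_BINARY if i % 2 else plistlib.FMT_XML
            path.write_bytes(plistlib.dumps(prefs, fmt=fmt))
        return audit_homes(root)

if __name__ == "__main__":
    for user, state in demo().items():
        print(f"{user}: {state}")
```

On a real Mac, point `audit_homes` at `/Users`; reading another account's sandboxed Safari preferences may need elevated access, in which case that account is reported as unreadable.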

Arstechnica.com comments:
While MAC Defender wouldn't likely fool an experienced user, Intego notes that its appearance in the wild is yet another opportunity to detail some useful security precautions. Don't let your browser automatically open downloads. If your browser asks if you want to run an installer even though you didn't try to download one, click "cancel." And never give your password to run installers you aren't 100 percent sure about.

Also see Macworld.com: New Mac Trojan Horse masquerades as virus scanner


UPDATE 10th May:
If you have been caught out by this 'scareware', simple removal instructions can be found here:
http://www.fixkb.com/2011/05/uninstall-mac-defender.html




1 comment:

  1. It also appears under the names of MacSecurity and MacProtector.

    Remove MacSecurity: http://www.fixkb.com/2011/05/remove-mac-security.html

    Remove MacProtector: http://www.fixkb.com/2011/05/remove-mac-protector.html
