Mac users around the world are being targeted with malware. This kind of malware isn’t new and is mostly harmless to the machine itself (it is trying to rip off your credit card number, not hurt your Mac), but this is the first time it has targeted the much smaller Mac market.



What is the malware, how does it work, and more after the break.


Facts about MacDefender malware:

  • The MacDefender malware is also known as Mac Security and Mac Protector.
  • It is a fake antivirus program designed with one aim: to scare people into thinking that their computers are infected with malware, so that they pay with a credit card to have the machine cleaned up.
  • MacDefender attacks your Mac from any site on which a hacker has installed a custom JavaScript. Visiting a web page that you believe is benign runs a JavaScript that redirects you to a malicious website. These sites are changing from day to day, so it’s virtually impossible to block them.

What to do?

1- Once your browser has been directed to the malevolent site, you’ll see a page very similar to the next, claiming that your Mac is infected with viruses.

Just visiting the bad website downloads a file to your hard drive. That file is generally named something like BestMacAntivirus2011.mpkg.zip or anti-malware.zip, but the name may be different. 


It has an extension of .mpkg and a name of MacDefender, MacSecurity, or MacProtector. If you see this file in your downloads folder:

  1. Put it into the Trash
  2. Empty the Trash

2- If your Mac is set up to automatically open “safe” files, the file is unzipped and the installer package (a file with an .mpkg extension) launches.
– You’ll see a standard installer window that looks something like this (note: this is the MacSecurity variant pictured):



– Do not click the Continue button
– Quit the installer
– Throw away the .mpkg file in your Downloads folder.


3- If you click the Continue button:
– You’ll be asked to provide your administrative password to install the application. The app is then added to your Applications folder and launched, and it adds files to your login items so that the malware launches every time you log into your Mac. The icon looks like:


4- If the malware is running on your Mac:
– It displays a scan window that says your Mac is infected with viruses.
– The following photo (courtesy of BleepingComputer.com) is typical of what you’ll see:



Looks pretty official, doesn’t it? Here’s where things get really dicey. If you want to remove the nonexistent “viruses,” you have to register MacDefender. To do that, you’re asked for your credit card number.
– DO NOT REGISTER THIS PROGRAM!


5 – If you have already done so:
– Call your credit card company immediately
– Cancel the card.
– When you’ve taken care of the credit card issues.


Removing MacDefender
6- If MacDefender is running on your Mac, it displays the scan window shown just above:
– If you try to drag the app to the Trash, you are notified that the app is in use. That means that you need to kill any running processes on your Mac that are related to the malware before you can start deleting the files.
– Close the Scan window, which is designed to float above all other windows for maximum annoyance. (Remember, your Mac is not infected with viruses; these guys are just trying to get your credit card number.)
– Launch Activity Monitor. You’ll find it in the Utilities folder inside your Applications folder (/Applications/Utilities).
– Look for a process with the name of MacDefender, MacSecurity, MacProtector, or whatever other variant shows up.
– Click on it to highlight it.
– Click the Quit Process button as seen.

– After clicking the Quit Process button, another dialog appears:



– Click Quit to stop the process from running
Now you can remove the malware from your Mac:
– Get rid of the application itself.
– Look in your Applications folder for the MacDefender icon shown previously or look for a file with a name of one of the malware variants.
– Drag that icon to the Trash.
– Empty Trash.


7- Note: The application is gone, but it will try to launch itself at login and probably display an error message on your Mac screen as a result.


To fix that:
–  Open System Preferences (under the Apple menu or in your Dock)
– Click the Accounts icon. You’ll see something similar to this photo:



8- The list includes the MacDefender item, which is set to open automatically when you log into your Mac. To remove the malware from the Login Items list:
– Click on the malware in the list to highlight it
– Click the minus button (“-”) that’s below the text in this window.


At this point, you’ve moved towards a safer Mac — the malware is gone and so is the login item. You can go further than this if you’d like by doing a search for MacDefender (or whatever the malware was called on your Mac) in Spotlight, and then removing any files that have the malware name in them.
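The name-based checks from the removal steps above (the Downloads and Applications folders, and the running process list) can also be done from Terminal. This is an added example, not part of the original article: the function names are hypothetical, the patterns are built only from the names this article mentions, and the script only reports matches and deletes nothing.

```shell
#!/bin/sh
# Added example: report files and processes whose names match the MacDefender
# variants named in this article. Name matching is a heuristic (assumption):
# the article notes that the downloaded file's name may be different.

# Keep only input lines naming a variant (case-insensitive, optional space),
# e.g. "MacDefender", "Mac Security", "MacProtector".
match_variant_names() {
    grep -iE 'mac ?(defender|security|protector)' || true
}

# Print every entry directly inside the given folders that is named after a
# variant, is an .mpkg installer package, or is a zipped download of one.
find_macdefender_artifacts() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue          # skip folders that do not exist
        find "$dir" -mindepth 1 -maxdepth 1 \( \
            -iname '*mac*defender*' -o \
            -iname '*mac*security*' -o \
            -iname '*mac*protector*' -o \
            -iname '*.mpkg' -o \
            -iname '*.mpkg.zip' -o \
            -iname 'anti-malware.zip' \) -print
    done
}

# Report suspicious entries in the two folders the article tells you to check.
echo "Files to review:"
find_macdefender_artifacts "$HOME/Downloads" /Applications

# Report running processes that would block dragging the app to the Trash.
echo "Processes to quit in Activity Monitor:"
ps -A -o comm 2>/dev/null | match_variant_names
```

A legitimate .mpkg installer in your Downloads folder will also be listed, so review each result before trashing it.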


Moving ahead in the age of Mac malware
MacDefender is the first major malware attack in many years to specifically target Macs, and it’s probably not going to be the last. In addition to our recommendation on changing Safari preferences to not open downloaded “safe” files immediately, there are some common-sense things you can do to protect yourself from future malware attacks:


1 – Never install any apps unless you are absolutely sure of where they’re coming from and what they are.


2 – If an installer appears on your screen and you’re not sure how it got there, don’t let it install the software.


3 – Consider installing free anti-virus / anti-malware software. Both Sophos Anti-Virus for Mac Home Edition and ClamXav 2 are free and relatively unobtrusive.


4 – Never give your credit card number to anyone through an app. Most reputable software vendors provide other ways to purchase their products (Mac App Store or payment by PayPal) that do not compromise your credit card.


5 – Be cautious when entering admin credentials for strange applications (thanks to @jtjdt for the tip). The only time you should ever be prompted for your administrative password is when you are deliberately installing an application or plug-in.


6 – If your primary account on your Mac has administrative rights, consider changing that so that you have a separate admin account and your day-to-day account is a ‘standard’ account. This can protect against some privilege escalation approaches, and helps guard against issues in one account affecting the entire Mac.


To protect yours:
Don’t visit untrusted Web sites
The malware targets Safari, so follow these steps to protect your Mac:
1 – Launch Safari.


2 – Select Preferences > General from the Safari menu.


3 – Uncheck the “Open ‘safe’ files after downloading” box found in the area I’ve outlined in red below:


The steps above keep MacDefender malware from automatically launching.
If it’s downloaded to your Mac and if you find the downloaded app in your Applications folder:
1 – drag it to the Trash
2 – Empty Trash to remove it.
Thanks: tuaw and Elinor Mills
