May 29, 2011 - 11:04 pm
We still seem to be having trouble with the so-called “Mac Defender” malware. We aren’t sure how it’s being delivered — I think, but am not certain, it’s being delivered through a trojan-horse advertisement — but the effect is that it redirects your browser to a site hosted on various machines in the Former Soviet Union, so instead of PJ Media content you get a page like the one below.
Like almost all of the (rare) Mac malware out there, this one needs at least a little cooperation from you before it can do anything dastardly to your machine. Apple promises a security update for it soon. In the meantime, here’s what to do, drawn from the Apple article I linked:
Right now, if you use Safari as your browser, then open Preferences (Cmd-, or Safari/Preferences) and make sure that Open “safe” files after downloading is not checked, as shown below.
That stops Safari from automatically unpacking the download and launching the installer inside it. The file still lands in your Downloads folder, but nothing runs unless you open it yourself.
If you get the malicious page:
- Don’t click the okay button. No, your Mac doesn’t have a virus (yet), and it isn’t scanning anything. Instead, close the window and quit the browser with Cmd-Q. If it won’t let you, force-quit the browser:
- Click the Apple in the top left corner of the screen to get the System menu and pick “Force Quit”, or type Option-Cmd-Escape if you’d rather.
- In the Force Quit window, click Safari (or whichever browser you are using). It will be highlighted like the next picture:
- Click “Force Quit”, which kills the Safari session.
The good news is that the malicious page seems to try this only rarely, and apparently only once per machine.
Now, what if you didn’t do this? If you click “Okay”, the web site downloads a file called “anti-malware.zip”, and if you had the Open “safe” files box checked, Safari goes ahead and runs the installer for you.
Don’t do it. Go to your Downloads folder, find the file and drop it in the Trash, then empty the Trash.
If you did let it install, don’t for God’s sake give it your credit card information.
Here’s what Apple recommends if you have somehow installed this malware:
How to remove this malware
If the malware has been installed, we recommend the following actions:
- Do not provide your credit card information under any circumstances.
- Use the Removal Steps below.
- Move or close the Scan Window
- Go to the Utilities folder in the Applications folder and launch Activity Monitor
- Choose All Processes from the pop up menu in the upper right corner of the window
- Under the Process Name column, look for the name of the app and click to select it; common app names include: MacDefender, MacSecurity or MacProtector
- Click the Quit Process button in the upper left corner of the window and select Quit
- Quit Activity Monitor application
- Open the Applications folder
- Locate the app ex. MacDefender, MacSecurity, MacProtector or other name
- Drag to Trash, and empty Trash
Malware also installs a login item in your account in System Preferences. Removal of the login item is not necessary, but you can remove it by following the steps below.
- Open System Preferences, select Accounts, then Login Items
- Select the name of the app you removed in the steps above ex. MacDefender, MacSecurity, MacProtector
- Click the minus button
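If you would rather do the whole thing from Terminal, here is the same procedure as a script: the Safari preference from the top of this post, quitting the rogue process, removing the app, removing its login item, and trashing the download. This is an added example, not code from this post or from Apple’s article. It assumes a Mac of this period running Safari; the three app names are the ones Apple lists, the AutoOpenSafeDownloads preference key and the System Events “login item” AppleScript are Safari’s and macOS’s own, and every function name and the --clean flag are mine. The process and app lookups take their input as arguments, so you can try them on a sample listing or a scratch folder before pointing them at /Applications.

```shell
#!/bin/sh
# Constructed example, not from the original post or Apple's article:
# the prevention and removal steps above, done from Terminal. Assumes
# macOS with Safari. The app names are the three Apple lists; the
# Safari key AutoOpenSafeDownloads and the System Events login-item
# AppleScript are macOS facilities; all function names are my own.

ROGUE_NAMES="MacDefender MacSecurity MacProtector"

# Prevention: the "Open safe files after downloading" checkbox is the
# AutoOpenSafeDownloads key in Safari's preferences. Turn it off and
# read the value back (0 means unchecked).
harden_safari() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not found; not on macOS?" >&2
        return 1
    fi
    defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
    defaults read com.apple.Safari AutoOpenSafeDownloads
}

# Removal step 1: find the rogue processes. Reads a "pid command"
# listing on stdin (what `ps -axo pid=,comm=` prints) so it can be
# checked against a constructed listing; prints "pid name" per match.
find_rogue_processes() {
    while read -r pid comm; do
        base=${comm##*/}   # drop the bundle path, keep the executable name
        for n in $ROGUE_NAMES; do
            if [ "$base" = "$n" ]; then
                echo "$pid $base"
            fi
        done
    done
    return 0
}

# Quit them (the Activity Monitor -> Quit Process step). Polite TERM
# first, then KILL, which is what Force Quit does.
kill_rogue_processes() {
    ps -axo pid=,comm= | find_rogue_processes | while read -r pid name; do
        echo "quitting $name (pid $pid)"
        kill "$pid" 2>/dev/null || kill -9 "$pid" 2>/dev/null
    done
}

# Removal step 2: locate the app bundles. The directory argument exists
# so the function can be exercised on a scratch folder; it defaults to
# /Applications, where the installer puts them.
find_rogue_apps() {
    dir=${1:-/Applications}
    for n in $ROGUE_NAMES; do
        if [ -d "$dir/$n.app" ]; then
            echo "$dir/$n.app"
        fi
    done
}

# "Drag to Trash, and empty Trash", minus the Trash.
remove_rogue_apps() {
    find_rogue_apps "${1:-/Applications}" | while read -r app; do
        echo "removing $app"
        rm -rf "$app"
    done
}

# Removal step 3: the login item under Accounts -> Login Items. Apple
# says this is optional; deleting a login item that is not there is a
# harmless AppleScript error, which is why stderr is silenced.
remove_login_items() {
    if ! command -v osascript >/dev/null 2>&1; then
        echo "osascript not found; skipping login items" >&2
        return 1
    fi
    for n in $ROGUE_NAMES; do
        osascript -e "tell application \"System Events\" to delete login item \"$n\"" 2>/dev/null
    done
    return 0
}

# And the downloaded archive itself, so nobody double-clicks it later.
remove_download() {
    f=${1:-$HOME/Downloads/anti-malware.zip}
    if [ -e "$f" ]; then
        rm -f "$f" && echo "removed $f"
    fi
}

# Only act when asked; running or sourcing the file without --clean
# just defines the functions.
if [ "${1:-}" = "--clean" ]; then
    harden_safari
    kill_rogue_processes
    remove_rogue_apps
    remove_login_items
    remove_download
fi
```

Save it as, say, mac-defender-cleanup.sh and run `sh mac-defender-cleanup.sh --clean` from the account that installed the thing; `rm -rf` on /Applications/*.app may need `sudo` if the bundle was installed by an admin user. The matching is deliberately exact on the three names Apple gives, so a renamed variant will slip past it, which is the same limitation the Activity Monitor instructions have.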