We still seem to be having troubles with the so-called “Mac Defender” malware. We aren’t sure how it’s being delivered — I think, but am not certain, it’s being delivered through a trojan-horse advertisement — but the effect is that it redirects your browser to a site hosted by various machines in the Former Soviet Union, so instead of PJ Media content you get a page like the one below.
Like almost all examples of the rare Mac malware, this requires at least a little cooperation from your end before it will do anything dastardly to your machine. Apple will have a security update out for this soon, they promise. In the meantime, here’s what to do, drawn from the Apple article I linked:
Right now, if you use Safari as your browser, then open Preferences (Cmd-, or Safari/Preferences) and make sure that Open “safe” files after downloading is not checked, as shown below.
That will prevent the malicious page from actually installing anything on your machine.
If you get the malicious page:
- Don’t click the okay button. No, your Mac doesn’t have a virus (yet) and it’s not scanning anything. Instead, close the window and quit the browser with Cmd-Q. If it won’t let you, then force-quit the browser:
  - Click the Apple in the top left corner of the screen to get the System menu, and pick “Force Quit” — or type Option-Cmd-Escape if you’d rather.
  - Find the browser in the Force Quit window and click Safari (or whichever browser you are using). It will be highlighted like the next picture:
  - Click “Force Quit” and that will kill the Safari session.
The good news is that mostly the malicious page will only try this rarely, and apparently only once on a machine.
Now, what to do if you didn’t do this? If you were to click “Okay”, then the web site will download a file called “anti-malware.zip”, and if you had the Open “safe” files box checked, then it tries to go ahead and run an installer.
Don’t do it. Go to your Downloads folder, find the file and drop it in the Trash, then empty the Trash.
If you did let it install, don’t for God’s sake give it your credit card information.
Here’s what Apple recommends if you have somehow installed this malware:
How to remove this malware
If the malware has been installed, we recommend the following actions:
- Do not provide your credit card information under any circumstances.
- Use the Removal Steps below.
Removal steps
- Move or close the Scan Window
- Go to the Utilities folder in the Applications folder and launch Activity Monitor
- Choose All Processes from the pop up menu in the upper right corner of the window
- Under the Process Name column, look for the name of the app and click to select it; common app names include: MacDefender, MacSecurity or MacProtector
- Click the Quit Process button in the upper left corner of the window and select Quit
- Quit Activity Monitor application
- Open the Applications folder
- Locate the app ex. MacDefender, MacSecurity, MacProtector or other name
- Drag to Trash, and empty Trash
Malware also installs a login item in your account in System Preferences. Removal of the login item is not necessary, but you can remove it by following the steps below.
- Open System Preferences, select Accounts, then Login Items
- Select the name of the app you removed in the steps above ex. MacDefender, MacSecurity, MacProtector
- Click the minus button
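As an added, read-only check for the traces the removal steps above tell you to look for (this script is not part of this post or of Apple’s article): it looks through the running processes and the Applications folders for anything named MacDefender, MacSecurity or MacProtector, checks whether the downloaded anti-malware.zip is still sitting in Downloads or on the Desktop, and, on a Mac, asks System Events for a matching login item. The login-item query and the folders it searches are my own assumptions; it only reports and deletes nothing, so the actual removal stays the manual steps described above.

```shell
#!/bin/sh
# Added example, not code from the post or from Apple: a read-only check for the
# app/process names, the downloaded archive and the login item the removal steps
# mention. It prints what it finds and removes nothing.
# Assumptions: the names below are the ones the post lists; the login-item query
# via osascript is my own choice and only runs where osascript exists (macOS).

# Case-insensitive pattern for the scareware app names named in the post.
SCAREWARE_RE='MacDefender|MacSecurity|MacProtector'

# Read one process (or file) name per line on stdin and print the ones that match.
# Always exits 0 so an empty result simply means "nothing found".
scan_names() {
    grep -iE "$SCAREWARE_RE" || :
}

# Print matching entries of a directory as full paths, e.g. /Applications/MacDefender.app.
scan_dir() {
    dir=$1
    [ -d "$dir" ] || return 0
    ls -1 "$dir" | scan_names | sed "s|^|$dir/|"
}

# Print the path of the downloaded installer archive if it is still in the directory.
find_installer_zip() {
    dir=$1
    [ -f "$dir/anti-malware.zip" ] && printf '%s\n' "$dir/anti-malware.zip"
    return 0
}

# Live scan of this machine; every section is empty when nothing was found.
run_live_scan() {
    echo "== running processes =="
    if command -v ps >/dev/null 2>&1; then
        ps -axo comm= 2>/dev/null | scan_names
    fi
    echo "== applications =="
    scan_dir /Applications
    scan_dir "$HOME/Applications"
    echo "== downloaded installer =="
    find_installer_zip "$HOME/Downloads"
    find_installer_zip "$HOME/Desktop"
    echo "== login items (macOS only) =="
    if command -v osascript >/dev/null 2>&1; then
        # System Events returns a comma-separated list of login item names.
        osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null \
            | tr ',' '\n' | scan_names
    fi
}

run_live_scan
```

Save it as a file and run it with `sh macdefender-check.sh`; anything it prints under a heading is a name you then deal with by hand using the steps above.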
I found it, on the main page, when I clicked the PJ Store link. Did not click OK when it told me I had a virus and it wanted to scan my computer; force quit Safari.
Tried again, on the same link, but it worked normally.
Yeah. As I say, I’ve actually dug a good bit into the code. Something — and I’m pretty certain it’s not on PJ servers, so it has to be delivered through an ad or widget content — is redirecting the page to one of these servers (I’ve seen Byelorussia, Ukraine, and Moldova). It then downloads a page with a mildly encrypted page content and a JavaScript goodie that translates it into the page you see. One of the aspects of that is it deposits a cookie on your system so it apparently doesn’t try more than once — unless, of course, you get routed to a different server, or you purposefully remove the cookie as I’ve been doing.
But it’s also random — it doesn’t show up every time you hit the page, even with a clean browser session.
Thank you for posting the information on how to look for the installer, Charlie.
I’ve been hit twice. The first time was before I’d heard of the virus and it was a close call. I think the popup gives you an option to close or cancel it, but when I clicked that (dumb, I know) it seemed to initiate a download. I force quit Safari right away. I looked for the installer file that you mentioned and didn’t see it, so I think I’m safe.
I was hit a second time just a few minutes ago and force quit right away. Persistent little bugger, isn’t it?
It did give me an opportunity to clean up all the crap in my downloads file, though!
I keep a LOTTA windows open (using FireFox), including PajamasMedia, and, among others, The Drudge Report. When I first saw this pop-up, I knew exactly what it was. I force quit FireFox, then restarted it. Before I restored the session, I individually deactivated the link (in the drop-down menu) for this pop-up page.
This happened a couple different times, and the pages deleted (the ones I had to re-open afterward) were this one and Drudge. Coincidence, or something directed at particular news media sites? =0[.]o=
Me too. I thought it was either Drudge or Pajamas. I am glad Charlie M. has looked into this for us.
I’ve seen popups of this kind for maybe a year or more, “this kind” being defined as one that won’t let me close the window, but have to force quit the browser to get rid of it. Because I’m a Mac user, I don’t like the Windows paradigm wherein you let things load that you didn’t ask for, so I’ve always been wary and I’m not about to let anyone control my machine even for a minute. I’ve even gone so far as to power off my internet for a bit so that whatever was scanning for me would lose interest. I don’t know if it helps, as they seem to try, try again.
Call me stupid. I downloaded the app; but did not enter any info (DUH). I tried to trash it but couldn’t until I followed your directions with regard to the activity monitor. (It did affect whatever browser I used: Safari or Firefox). Now it’s out of my toolbar and hopefully out of my life. Thanks for the help.
You’re not stupid, these things are intended to fool you.
Charlie Martin, this is an excellent post and is fairly comprehensive and accurate.
For those of you on Macs, be aware that this kind of thing will only increase in the future, the days of relying on “security through obscurity” are over.
If you haven’t heard yet, there is a very good virus scanning freeware tool available from the company Sophos. I’d provide the link here but really, you shouldn’t be so trusting as to click on any old link in a blog post, now should you?
So, if interested, Google the company name and find their website. The freeware tool is called “Sophos Anti-Virus for Mac Home Edition”, and is not featured on the front page. To find it, click on Free Tools at the bottom of the page. The tool is easy to set up and use, and it works.
One more security tip—a prudent user would also use Google to make sure my advice isn’t a scam before downloading anything.
Happy computing everyone!
I downloaded the Sophos anti-virus program from Kim Komando’s web site. I do trust Kim. Ya about gotta trust SOMEONE, SOMETIME.
I’ve also gotten a lot of help from a guy who does videos to help his mom with her Mac. His site is called machelpformom.com. He helped me force the quit to get out of the MacProtector mess and sent me info on how to clean it from all parts of my Mac. He’s great!!! And working with his mom, he figures out how to explain things so that even a semi-computer-illiterate like me can understand it.
Wouldn’t you know it, soon after I buy my first Mac, the malware people attack Macs. I suppose I and thousands (millions?) of others like me are responsible for the death of the security-through-obscurity virus-protection rule.
Apple is preparing to release a 10.6.8 update to their operating system, which includes a feature to automatically remove all known versions of MacDefender.
http://www.macrumors.com/2011/05/29/mac-os-x-10-6-8-to-remove-macdefender-get-mac-app-store-ready-for-lion/
Yesterday, I received several Norton warnings about blocking a “Blackhole Rootkit” while I was on PajamasMedia. I had InstaPundit and PajamasMedia open at the time.
Drudge greeted me with MacDefender this morning.
It’s actually easiest to download the package and then send it to the trash. Otherwise – if you have several open tabs – you’ll force quit yourself out of all of them. As long as you don’t open the package and install it – which will give you the majordomo password request – you’re ok. I have all downloads go to my desktop for just this reason.
Had this happen Sunday when I was on the site — the page that popped up attempted to block you from closing the window directly, and instead tried to get you to click on a “cancel” box inside the browser window (which no doubt would have started the download just as if you clicked “OK”). The bottom of the page was marked as “Apple Security Center,” but other than the obvious concerns, the mistake they made was that while telling you your computer was infected, they wanted you to click on the button to repair your PC.
So it seems like this is part of a copycat effort to infect Mac computers, with some of the scammers simply taking their Windows scams and making a few tweaks to try and get Apple users to fall for the same thing. It will be interesting to see if they keep trying after Apple releases its latest update, since the Mac Defender folks went to a lot of trouble to place a lot of seemingly legitimate ads targeting people using Apple’s operating system. I would guess that there have been a few calls/emails between Mr. Jobs’ people and the folks at Google over what kind of oversight the “Do No Evil” company has for accepting ads from malware peddlers (though if Apple’s only going to put in a fix for Snow Leopard and above, that is going to pretty much leave a lot of Mac users with non-Intel chip computers to fend for themselves or junk their old Motorola-chip computers for new ones).
John, I’m not happy with Google myself, they’re shutting down my beloved Translate API, but this one isn’t their fault — right now it doesn’t even look like it’s their ads that are serving up the initial malicious Javascript vector. Right now it looks like it’s tied to ChronoPay, which is sort of the bearded-Spock Russian version of PayPal.
Thanks for the clarification. Any idea on how they’re getting those ads into the rotation on so many websites as easily as they have? I would think if you were a legitimate advertiser, but not a well-known name, you’d have your own concerns that large-scale phishing via fraudulent ads would make victims less likely to click on ads in the future, unless they’re from a company they’re already familiar with.
(The ads also seem to be platform specific — I can open a PJM page or some other website on a Windows computer and see nothing, while until the past couple of days doing the same thing in Safari or Firefox on a Mac would pop up multiple Mac Defender ads, either in the sidebar locations or in the spots interspersed with the blog content. So the malware seems to not just target Mac users, but IDs what platform the browser is operating on, and then places the fraudulent ads only where the target users are located.)
I’m pretty sure there’s a difference between MacDefender and MacProtector, which are malware (specifically, a Mac version of the ‘scareware’ scams that have been fairly common on Windows for some time), and MacKeeper, which I’m pretty sure is legit software.
John, there are several ways it can be done. The easiest is just set up a cut-out web site and buy the ads. What the boards are saying is this is a search engine optimization hack, which I don’t understand the details of yet. It is indeed platform specific, and needs to be — the code tries to run a Mac installer. But finding that out is trivial — here’s a bit of code that will do it and put the results into a web page.
On my machine, the “Platform:” line is filled in with “Platform: MacIntel”
Thanks for tracking down these goombahs from Russia.
By protecting us innocent bystanders, your days in Area 51 have finally paid off.
Thanks for the update. I figured it was a scam due to the lack of options, and ditched Safari right away. It did not save or store the application.
BTW, Apple has a security update out that removes this thing: Security Update 2011-003
Apple Menu -> Software Update -> Check Now
http://support.apple.com/kb/HT4657
THANK you so much for this info…. I was tearing my hair out, being new to Apple. So glad I knew enough to ForceQuit but am relieved to know where it came from and how to remove the offender.
Whoever took the screen shot, next time you might want to consider closing your tabs to boulder escort services and “Brandy” from Perfect Sensations!
Research.