If you are one of the people who hasn't seen this type of scam before, here is some technical information about how it works, what it does, and how to protect against it:
- "How did it find its way onto my machine?" The people behind MacDefender used a lot of SEO poisoning to get their links to the top of various search engines' results. When you browse to one of these malicious sites, a feature of Safari (the default browser on OSX) is used to automatically download the malware package containing this "MacDefender" software. This is possible because Safari's default configuration has "Open "safe" files after downloading" checked. The setting is under "Preferences" in Safari, at the bottom of the "General" tab (the first tab). We recommend you uncheck it:
- "Once it's downloaded": Like other pieces of "OSX malware" in the past, you have to open it (which the checkbox above will do for you) and then install it. It uses a normal-looking OSX package installer, during which you will have to type in your admin credentials. Once you have done that, it installs itself and starts a fake antivirus scan of the running processes and files on your system. It then informs you that something is infected and needs to be cleaned up. So the basic scenario looks like this:
- You use a search term in a web search engine (like Google or Bing)
- You get your results and click on one of the links to read the information you are looking for
- The webpage you landed on, unbeknownst to you, contains a link that downloads some malware, and you are presented with the installer interface for a strange piece of software you did not intend to download, which asks for your admin credentials to continue the installation
- To remove it, first uncheck "Open safe files" (see the first point above).
- Open up "Activity Monitor" (this is in your Utilities folder within Applications)
- Find "MacDefender" (or whatever the malware is being called, MacProtector, Mac Security, etc)
- Highlight it, then click "Quit Process", which looks like a big red stop sign at the top right of the Activity Monitor window.
- Next, open System Preferences and go to "Accounts". When it appears, click on the "Login Items" button, select the program, and then click the "minus" button to remove it from Login Items.
- Next, navigate to your Applications folder, find the program, drag it to the trash, and then empty the trash. Yes, it's really that simple to remove.
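The removal steps above as a small shell helper. This is an added example, not code from the original post: the variant names are the ones the post lists, while the process names, Login Item names and the /Applications/<name>.app paths are assumptions, so check the scan output before passing --remove.

```shell
#!/bin/sh
# Added example (not from the original post). Known fake AV names from the post,
# one per line. Process/login item names and bundle paths are assumptions.
KNOWN_NAMES='MacDefender
MacProtector
Mac Security'

# Print each known name that appears in the text on stdin (a ps listing, a Login
# Items listing, or an ls of /Applications), ignoring case and spaces.
match_fake_av() {
    listing=$(tr -d ' ' | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$KNOWN_NAMES" | while IFS= read -r name; do
        key=$(printf '%s' "$name" | tr -d ' ' | tr '[:upper:]' '[:lower:]')
        case "$listing" in
            *"$key"*) printf '%s\n' "$name" ;;
        esac
    done
}

# Constructed sample of what `ps -axo comm=` might show on an infected Mac.
SAMPLE_PS='/Applications/MacProtector.app/Contents/MacOS/MacProtector
/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
/Applications/Mac Security.app/Contents/MacOS/Mac Security'

# Live check on a Mac: running processes (Activity Monitor), Login Items, Applications.
live_scan() {
    {
        ps -axo comm=
        osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null | tr ',' '\n'
        ls /Applications
    } | match_fake_av | sort -u
}

# Removal for one reported name: Quit Process, remove Login Item, trash the app.
remove_fake_av() {
    name=$1
    pkill -f "$name" 2>/dev/null || true
    osascript -e "tell application \"System Events\" to delete login item \"$name\"" 2>/dev/null || true
    rm -rf "/Applications/$name.app"    # assumed bundle path; confirm with --scan first
}

case "${1:-}" in
    --scan)   live_scan ;;
    --remove) shift; for n in "$@"; do remove_fake_av "$n"; done ;;
    *)        printf '%s\n' "$SAMPLE_PS" | match_fake_av ;;   # demo on the constructed sample
esac
```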
Also included in today's release is GID 1, SID 18944, which will generate events for network traffic that displays the characteristic signs of numerous known fake AV variants for both Windows and OSX. Let us know how that one works; we built that particular rule by analyzing more than 1000 samples of fake AV malware in our repository. The rule may generate some false positive events, so make sure to investigate your results carefully and send us the information. Use the form on snort.org here: https://www.snort.org/uploads to do so (this requires you to log in with your snort.org account first).
We issued ClamAV signatures for MacDefender several days ago, and we will continue to update them as new variants are discovered. They are named:
Update: Apple have now released information on how to remove this malware.
Instructions are available here: KB Article HT4650