thomas_r.

Q: Removing MacDefender variants

For anyone who has been affected by MacDefender, MacSecurity or MacProtector, I've got a full run-down on how to remove it, complete with screenshots, on my blog:

 

Identifying and removing MacDefender trojans

 

* Disclaimer: links to my pages may give me compensation.

Posted on May 7, 2011 11:48 AM


  • by Kurt Lang, Level 8 (37,958 points), Mac OS X, May 7, 2011 12:01 PM in response to thomas_r.

    As usual, very thorough and helpful information, Thomas. Thanks!

  • by WZZZ, Level 6 (13,112 points), Mac OS X, May 7, 2011 12:16 PM in response to thomas_r.

    Thomas, have you seen something about the latest incarnations phoning home along with doing a scan of some kind -- but appears to be fake -- of the drive? That sounds potentially very troubling if the "scanning" may now really be looking for, or able to scan for, data to steal.

  • by thomas_r., Level 7 (30,929 points), Mac OS X, May 7, 2011 12:13 PM in response to WZZZ

    I have not heard of anything like that. It might be interesting for someone to use LittleSnitch to check and see what is being sent back. I may or may not have time to test that in the next few days... I think my wife might get a little annoyed if I'm jacked in to the computer too much tomorrow, it being Mother's Day and all! To this point, I've only run these trojans long enough to see what they look like and get screenshots, and then I've deleted the entire account I ran them on. (And I haven't actually run the installer...)

    Perhaps if I have some time next week I might create a SL system on an external drive and do some detailed testing. If anyone wants to beat me to it, feel free.

  • by WZZZ, Level 6 (13,112 points), Mac OS X, May 7, 2011 1:44 PM in response to thomas_r.

    I know your opinion of MacScan, but don't see why they'd be making this stuff up. This was where I found that bit about phoning home. No information on what, exactly, it may be sending back.

    From UPDATE - MAY 4TH, 2011:

    The new version did not change the main functionality of the code, but rather cleaned up the existing code and added small updates including the capability to send information about the infected system back to the authors of the malware.

    http://www.securemac.com/MAC-Defender-Rouge(sic)-Anti-Virus-Analysis-Removal.php

    Also, latest is people getting infected from hotmail (scummail):

    https://discussions.apple.com/thread/3042885?start=15&tstart=0

  • by thomas_r., Level 7 (30,929 points), Mac OS X, May 7, 2011 3:36 PM in response to WZZZ

    "I know your opinion of MacScan, but don't see why they'd be making this stuff up."

    Yes, I agree that it's unlikely they'd just make stuff up. It would be too easy for someone to prove them wrong. However, before I jump at that possibility, I'll want to find out what's actually going on. After all, people freaked out about iPhone location data that turned out not to even be exactly what everyone assumed it was.

  • by buddyjewell, Level 1 (0 points), May 14, 2011 1:43 PM in response to thomas_r.

    THANK YOU SO SO MUCH! What a relief! You saved me.

    Joyce

  • by babowa, Level 7 (32,175 points), iPad, May 14, 2011 7:33 PM in response to thomas_r.

    Thomas,

    could you please take a look at this:

    https://discussions.apple.com/thread/3056874?tstart=0

    Not sure if this is a new wrinkle, but it may be?

    Thanks.

  • by thomas_r., Level 7 (30,929 points), Mac OS X, May 15, 2011 5:35 AM in response to babowa

    That is not related. Sounds to me like some guy has been illegally distributing software he purchased through the App Store and other folks are downloading it, with or without the realization that they are engaging in software piracy, and don't understand why it won't work for them without logging on to the account it was purchased on. It takes a real dope to distribute App Store software, since it's linked to your Apple ID.

  • by WZZZ, Level 6 (13,112 points), Mac OS X, May 15, 2011 7:23 AM in response to thomas_r.

    People should stop using hotmail or Windows hotmail.

    [attached screenshot: Screen shot 2011-05-14 at 11.39.56 PM.png]

  • by ds store, Level 7 (30,400 points), May 15, 2011 8:19 AM in response to thomas_r.

    In addition to Thomas's excellent advice on removing the current incarnation of the MacDefender Trojan, one should also take into careful consideration that malware evolves and is altered and delivered by other parties.

    Whatever steps you take following Thomas's may work and appear to be enough, but it's impossible to be 100% sure, as you can't compare his version of the malware with the version you have.

    My advice is to take Thomas's advice as a first step, then take additional measures: back up your files and reinstall the operating system from the (hold C to boot) OS X installer disks after using Disk Utility to Zero erase (under the menu) your boot drive (all data will be destroyed; format HFS+ Journaled), and then reinstall OS X. Re-install programs from fresh sources.

    Yes, it's a lot of work, unfortunately; if you don't know how to do this, take it to a computer professional who can.

    If you didn't give this Trojan (or any malware) your administrative password (or it didn't gain root access some other way), then my steps above are not necessary.

     

     

    To prevent this MacDefender Trojan from happening again:

    It preys upon a JavaScript vulnerability on web pages, among other things.

    Since turning Safari's JavaScript preference on and off constantly is a chore, I advise using the Firefox web browser with the NoScript add-on; in Firefox's toolbar customization you can drag a NoScript button to the toolbar for easy on/off of all scripts and plug-ins.

    NoScript also offers other "web cop" features. It takes some getting used to, as you're surfing the web without anything running, then turning it on on a per-site basis once you trust the site.

    Firefox also has a download opt-out window before it downloads, giving you a chance to stop this thing in its tracks.

  • by puva, Level 1 (0 points), May 24, 2011 7:08 PM in response to thomas_r.

  • by Awasthi Sachin, Level 1 (0 points), Jun 8, 2013 2:47 AM in response to thomas_r.

    Exactly same here!!

    It's a bug!!

  • by thomas_r., Level 7 (30,929 points), Mac OS X, Jun 8, 2013 3:10 AM in response to Awasthi Sachin

    "Exactly same here!! It's a bug!!"

    Can you be a little clearer? This topic is more than 2 years old, and is a discussion of the MacDefender malware, not a bug.