Mac Defender

If she didn't install it, then, yes, she should just delete the download.

The malware "MacDefender" is a "driveby download" utilizing Javascript.

It's rather simple to defeat this from occuring:

1: Download Firefox 4.0

2: Install the NoScript Add-on

3: Install the Public Fox Add-on.

4: Hit the Toolbar Customize and drag the "Temp Allow All This page" NoScript button to the Toolbar

5: Setup Public Fox to require a password before a download occurs.

As you surf the web with NoScript, all "scripts" including JavaScript, will be turned off by default.

If you trust the site and need scripts to run, click the Temp Allow button.

If your Public Fox pops up with asking for your password, you know you got a driveby download, cancel it and notify the website owner.

"Public Fox" is searchable at Mozilla as "Public Fox"

I hope no one takes this personally but I am curious WHY you would purposely run the installer when YOU didn't purposely download it. The daemon can't run unless the installer installs it. HOW DOES ANYONE LET THIS HAPPEN? I realize that we don't have to be AS cautious about malware as the PC world but come on folks, what happened to common sense? Unless you purposely download something from a trusted site, i.e. apple, adobe or other site YOU'VE visited and REQUESTED a download from a link, why wouldn't you be suspicious of your machine installing software you didn't request? I'm just really confused how ANYONE could get this malware installed. I can understand people not knowing how to kill processes as it's not a common occurrence to have to do this, but not how they get the rogue processes installed in the first place. Does anyone have a reasonable explanation for this behavior?

Here is my suggestion

1. Use Activity monitor in your > Applications > Utilities folder.

2. Locate and Kill the offending process.

3. Locate application, use App Delete or similar program and nuke it.

Alternate method.

1. Use Activity Monitor in > Applications > Utilities folder

2. Kill offending process

3. Locate program file and nuke it

4. Open /Library/Startup Items as well as /Users/Library/Application Support

and /Users/Library/Preferences and nuke anything relating to the program there.

This should kill it.

Hope this helps someone who doesn't want to spend money on extra programs like App Delete.

Intego claims that it is a Trojan.

http://www.macworld.com/article/159595/2011/05/macdefender_trojan_horse.html

Trojan, malware, virus, is a matter of semantics, they are all a pain. However, from your link

"As nefarious as MAC Defender might be, the level of concern over infection remains low: Users must be TRICKED into downloading and installing the program, as well as entering their administrator password."

I'm not fond of Intego for their fear mongering techniques of selling their software in any case. So far a little common sense and a vigilant eye on ones computer is enough to keep most out of trouble. I have read many forums where the people were rightly suspicious and DIDN'T let this hit them. They get kudos!

Users are of course reminded that day-to-day system usage with standard accounts rather than administrator ones, as well as unchecking the Safari option for automatically opening "safe" files, are two of the simplest ways users can enhance their online security, adding extra layers of confirmation and passwords in the way of anything being installed on their systems.

:-)

Does anyone have a reasonable explanation for this behavior?

Yes. The Installer screen looks just like the one the user sees when installing a system update. An unsophisticated user wouldn't know the difference.

Open /Library/Startup Items as well as /Users/Library/Application Support and /Users/Library/Preferences and nuke anything relating to the program there.

This should kill it.

The users who would install the trojan wouldn't even know those folders exist, much less would they be able to tell which items there are related to it. And that list is far from complete. I don't think it helps to be complacent about how easy it is to uninstall something when you don't actually have any idea of what it installs. That's why I started this topic. I want to know what files the trojan installs so I can give people some competent advice about how to get rid of it.

I disagree, it DOES NOT LOOK LIKE A SOFTWARE UPDATE SCREEN even to an "unsophisticated" user.

Notice the "Welcome to the MacDefender Setup Screen".

The related items should be tagged with macdefender in the filename. Or can be sorted by date to determine when they got there, if they have some wonkie name.

I gave the "unsophisticated user a list of folders to check in hopes it would help them locate the offending files.

:-)

George - I'll tell you why I installed the MacDefender;

I'm a recent convert from PC to Mac with one reason being I heard Mac's aren't susceptible viruses.

I'm not exactly an "unsofisticated user" but I'm far from being an expert user.

When I tried to download a pdf from google images, warnings started flashing everywhere; it said my computer was infected and a scan started running - I'm used to scans from my PC.

Then it said I had to install MacDefender in order to clean up the computer; I never saw it as an update but because of the name "MAC"and because I did not think I could be infected (virus, Malware, Spyware...have no idea what the differences are) I did allow the program to download, including typing in my password required to install programs.

It was only when I tried to do the "CLEANUP" and was told I had to "activate" the program - and pay with a credit card - that I became suspicious.

Actually at first I thought it was pretty crappy of Apple to insist I purchase software to clean up a problem I never thought I'd have, but then it occurred to me that maybe it wasn't Apple at all, which is when I came to the support forum to find out more.

As far as I'm concerned it was a very cleverly planted way to get money from anyone other than expert users.

That's what is called "social engineering." It's what Trojans and con artists do all the time.

Thank you so much! This worked perfectly for me too!

I too contracted this **** mac defender about and hour ago and with all your help ( and the other bloggers) I have managed to remove it!!! Fingers crossed!!! and thanks sooo much. 🙂

WZZZ wrote:

https://discussions.apple.com/thread/3032201?tstart=0

Safari's 'open safe files after downloading' option will indeed unzip archives; however, it will not automatically install an installer package contained in the archive. It may open Installer.app, which in turn will offer to install it, but only if the user clicks the install button.

And either at that point or the first time the newly installed app runs, the quarantine manager should display a warning that the app was downloaded from the Internet & ask if the user is sure they want to install or run it. The only downloaded items that bypass the arantine manager warning are those downloaded from sites with certificate authority (CA) the OS recognizes as valid.

It is highly unlikely that the rogue sites users are directed to (because of a SEO poisoning attack on Google or other search sites) that host the MacDefender malware could manage to get CA.

IOW, this is a social engineering exploit that relies on tricking the user into installing the malware before it can do anything malicious. It is an insidious form of attack, but it is nothing new, nor does the OS not warn users that a trick may be involved.

LT, please take this as intended ... I'm not trying to single you out or make you look foolish, but you do make some points that need addressing.

First, the concept that just because something has the term "MAC" in it people would think it is something from Apple or OS X. People need to use their head. If you are running Windows, does that mean you trust anything that tries to download or install on your computer just because it has the term "WIN" in it ? If a stranger outside a bank walked up to you and said " Hi, I work at the bank. Give me your money and I'll make your deposit" would you do so just because that person had a pin on their shirt with the name of the bank on it ? How could any bank ever protect you from someone doing that ? That's why you need to be careful.

Second, there is a huge difference between being "infected" by malware and allowing it to install on your system by entering your admin password when asked ? If someone called you on the phone and asked you for your SSN would you give it to him ? Would that not raise a red flag ? Again, let's be careful out there.

Dolphbucs,

Very well put, THANK YOU!

RC-R wrote: Safari's 'open safe files after downloading' option will indeed unzip archives; however, it will not automatically install an installer package contained in the archive. It may open Installer.app, which in turn will offer to install it, but only if the user clicks the install button.

etresoft wrote: I just created my own MyTrojan.pkg.zip package. With the default Safari settings, just downloading this file will unzip it and start the installer. I could fill the installer with animated GIFs showing virus scans if I wanted. I could add the application to my Login Items (no authentication needed for that). I could add pre and post install scripts to do just about anything I want. It is quite easy. No password needed. No quarantine. It just works

https://discussions.apple.com/thread/3032201?start=0&tstart=0