anne e

Q: Mac Defender

Mac Defender has appeared in my iMac (OS X 10.6.7)

I tried to remove it by dragging the program to the trash from the applications folder, but I can't because the program is open.

The program is pretending to be an antivirus program send $$, obviously a scam.

I re-started but I can't stop it from loading.

 

There is very little info on this program out there (MacDefender.app)

 

Any ideas?

iMac, Mac OS X (10.6.7)

Posted on Apr 30, 2011 8:41 AM

  • by WZZZ,

    WZZZ May 2, 2011 9:18 PM in response to R C-R
    Level 6 (13,112 points)
    Mac OS X

    RC-R wrote: Safari's 'open safe files after downloading' option will indeed unzip archives; however, it will not automatically install an installer package contained in the archive. It may open Installer.app, which in turn will offer to install it, but only if the user clicks the install button.

     

     

     

    etresoft wrote: I just created my own MyTrojan.pkg.zip package. With the default Safari settings, just downloading this file will unzip it and start the installer. I could fill the installer with animated GIFs showing virus scans if I wanted. I could add the application to my Login Items (no authentication needed for that). I could add pre and post install scripts to do just about anything I want. It is quite easy. No password needed. No quarantine. It just works

     

    https://discussions.apple.com/thread/3032201?start=0&tstart=0
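
An added example (not part of any post in this thread): a Python check for the two things the quoted etresoft test relies on, Safari's 'Open "safe" files after downloading' option and an unexpected Login Item. The preference key `AutoOpenSafeDownloads` and the `SessionItems`/`CustomListItems` layout of `com.apple.loginitems.plist` are assumptions not stated on the page, and the sample plists are constructed.

```python
import plistlib

# Login item names to flag; "MacDefender" is the app named in this thread.
SUSPECT_NAMES = {"macdefender"}

def safari_auto_opens(prefs_bytes):
    """True if Safari's 'Open "safe" files after downloading' option is on.
    Assumption: the option is stored as AutoOpenSafeDownloads in
    com.apple.Safari.plist and counts as on when the key is absent."""
    prefs = plistlib.loads(prefs_bytes)
    return bool(prefs.get("AutoOpenSafeDownloads", True))

def login_item_names(loginitems_bytes):
    """Names of all entries in a per-user com.apple.loginitems.plist.
    Assumption: Snow Leopard-era layout,
    SessionItems -> CustomListItems -> [{"Name": ...}, ...]."""
    data = plistlib.loads(loginitems_bytes)
    items = data.get("SessionItems", {}).get("CustomListItems", [])
    return [item.get("Name", "") for item in items]

def audit(prefs_bytes, loginitems_bytes):
    """Return one finding string per problem; an empty list means clean."""
    findings = []
    if safari_auto_opens(prefs_bytes):
        findings.append("Safari auto-opens 'safe' downloads")
    for name in login_item_names(loginitems_bytes):
        base = name.lower()
        if base.endswith(".app"):
            base = base[:-4]
        if base.replace(" ", "") in SUSPECT_NAMES:
            findings.append("Suspect login item: " + name)
    return findings

# Constructed sample data (not taken from a real machine).
SAMPLE_PREFS = plistlib.dumps({"AutoOpenSafeDownloads": True})
SAMPLE_LOGIN = plistlib.dumps({"SessionItems": {"CustomListItems": [
    {"Name": "iTunesHelper"}, {"Name": "MacDefender"}]}})
CLEAN_PREFS = plistlib.dumps({"AutoOpenSafeDownloads": False})
CLEAN_LOGIN = plistlib.dumps({"SessionItems": {"CustomListItems": [
    {"Name": "iTunesHelper"}]}})

if __name__ == "__main__":
    for finding in audit(SAMPLE_PREFS, SAMPLE_LOGIN):
        print(finding)
```

To run it against a real account, pass `audit()` the raw bytes of the two preference files instead of the constructed samples.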

  • by R C-R,

    R C-R May 2, 2011 11:00 PM in response to WZZZ
    Level 6 (17,700 points)

    WZZZ wrote:

    etresoft wrote: I just created my own MyTrojan.pkg.zip package. With the default Safari settings, just downloading this file will unzip it and start the installer.

    Yes, the installer (Apple's Installer.app in the case of the MacDefender malware) will start (launch). But it will not install anything until & unless the user initiates that action by pressing the "Install" button.

     

    I'm not sure it is actually possible to "fill the installer with animated GIFs" -- Installer.app generates the user interface & just reads content from the .pkg or .mkpkg files that launch it -- but even if it did, this is no different from what the rogue website did to simulate a scan. The install process is still controlled by Installer.app & nothing will be installed unless the user presses the "Install" button.

     

    Sure, someone could attempt to use a preinstall script to do something malicious before anything is actually installed but, as explained in the "Component Package Scripts pane" section of this developer doc, that triggers a user warning before it will do so. The user has to dismiss & ignore that for anything to happen.

     

    This malware is a social engineering exploit, not some new vector of attack that bypasses the security features built into OS X.

     

    BTW, you might want to check out this Sophos article, which explains the attack in detail, including the fact that its free 'home edition' AV software for Macs already detects multiple versions of this 'fakeAV' exploit.

  • by RadiomomDW,

    RadiomomDW May 3, 2011 6:02 AM in response to anne e
    Level 1 (0 points)

    I got hit with this this morning...I also installed it (have spent the last month planning a trip to Europe and a couple days ago I had a problem opening a .doc contract from a rental company). I thought perhaps there may have been a reason for that...or that that particular .doc may have been infected and my Microsoft Word app was somehow invaded.  Yes, I should have known better but the MacDefender script makes it appear there really are "infected" files, etc.  It all "happened" too quickly. As soon as I did it, I logged on here to check out my suspicions.   I deleted the program using "Clean My Mac" and following the instructions in this thread, it appears to have cleaned out all the junk that came with the nasty little program. 

     

    Now I want my morning coffee.

  • by meganfromlincoln,

    meganfromlincoln May 3, 2011 4:10 PM in response to tylerfrompeterborough
    Level 1 (0 points)

    Thank you so much!  I did this and it took care of it.  I just got off the phone with Apple Care because I wanted to double check that I got all of it, and they said these steps were just what they recommended.  Thanks again!

  • by dxironman,

    dxironman May 3, 2011 6:02 PM in response to meganfromlincoln
    Level 1 (55 points)

    just like the people using Windows 7, most users will just click on anything. "it's asking for my password....ok"

  • by EmmeLynn10,

    EmmeLynn10 May 4, 2011 2:41 AM in response to MacJoseph
    Level 1 (0 points)

    I was one of the people who got caught up in all this! It was horrible- the pop ups. It happened when I was looking for pictures through Google for a project! Thanks!!

  • by jonfromoslo,

    jonfromoslo May 5, 2011 3:33 AM in response to anne e
    Level 1 (0 points)

    I had the same problem. The solution was to safe boot: 1) Shut down computer 2) Press start and when the startup tone begins press the SMALL shift button (sound must be on). Do not release it until you see the Apple logo. You can now scan for the file from the Finder and delete it.

  • by R C-R,

    R C-R May 5, 2011 4:18 AM in response to jonfromoslo
    Level 6 (17,700 points)

    jonfromoslo wrote:

    I had the same problem. The solution was to safe boot: 1) Shut down computer 2) Press start and when the startup tone begins press the SMALL shift button (sound must be on).

    I'm not exactly sure what you mean by "the SMALL shift button" but Apple's instructions for starting up in Safe Mode can be found in this KnowledgeBase article.

  • by Silly rabbit,

    Silly rabbit May 5, 2011 5:51 AM in response to RadiomomDW
    Level 4 (2,980 points)

    Gees! When will people learn that Macs are not infected by viruses and installing any antivirus software is the same as installing malware and/or spyware on your Mac? Just be careful what you download. I've used Macs for over a decade, both for business and pleasure and never run any anti-virus junk software nor have I ever had any issues. All this virus malarky is just left over paranoia from Windoze users. If your machine or browser is running bad it is because of a corrupt cache and/or preference file. That is all it can be.

  • by MacJoseph,

    MacJoseph May 5, 2011 6:35 AM in response to Silly rabbit
    Level 3 (595 points)

    SR

     

    How is installing ClamXav or Sophos the same as installing malware, or spyware? Can you explain how that is?

     

    Joseph

  • by R C-R,

    R C-R May 5, 2011 6:40 AM in response to Silly rabbit
    Level 6 (17,700 points)

    Silly rabbit wrote:

    Gees! When will people learn that Macs are not infected by viruses and installing any antivirus software is the same as installing malware and/or spyware on your Mac?

    That is a very simple view of a very complex topic. All AV software is not alike, & like every other kind of software -- including malware -- it evolves over time.

     

    And just being careful is not necessarily enough: Apple takes trojans seriously enough that it has quietly added a modest amount of AV software into Snow Leopard itself, & although it works much like commercial AV software, it is currently limited to three specific types of trojans & is rarely updated.

     

    The people easiest to fool are those that believe they can't be fooled. Whatever you decide to do about malware threats, don't think that just because you use a Mac you are immune. You may not always be able to tell a rogue web site from a legitimate one, or what looks like an Apple interface item from a bogus one. Pay careful attention not just to what you download or where it comes from, but also what happens after you download it.

     

    If you are not an expert Mac OS user or for any other reason are not confident about your ability to tell trojans from legitimate software, you might want to consider AV software. Some users may need to configure their Macs for more security than the default, & Apple makes available guides for this as well.

     

    It isn't all just malarky or paranoia. There are devious & clever people out there trying their best to compromise your Mac, & their attacks are getting increasingly more sophisticated & polished.

  • by MacJoseph,

    MacJoseph May 5, 2011 6:42 AM in response to R C-R
    Level 3 (595 points)

    Kudos RC. +1

  • by dxironman,

    dxironman May 5, 2011 7:10 AM in response to Silly rabbit
    Level 1 (55 points)

    "Gees! When will people learn that Macs are not infected by viruses and installing any antivirus software is the same as installing malware and/or spyware on your Mac? Just be careful what you download. I've used Macs for over a decade, both for business and pleasure and never run any anti-virus junk software nor have I ever had any issues. All this virus malarky is just left over paranoia from Windoze users. If your machine or browser is running bad it is because of a corrupt cache and/or preference file. That is all it can be."

     

    i've had the same load of Windows XP on a machine for 9 years and never had an infection and have never run A/V software. and i ran several P2P file-sharing apps over that time. like i said before, it comes down to the user. you can pack your Windows system with all kinds of "defenses" but if you're not smart you WILL get infected.

    as Mac becomes more popular you'll see malware written specifically for Mac OS. where there's a will there's a way. obviously Mac users need to smarten-up as well when i see all these threads about Mac Defender.

  • by iGary,

    iGary May 6, 2011 8:25 AM in response to anne e
    Level 4 (1,577 points)
    Servers Enterprise

    I did some testing of this on a crash test dummy Mac I have. I wanted to see how the installer behaved in a Standard User account.

     

    So I did a Google Images search using a keyword that I had heard would find the trojan for me. It took like 20 seconds to find.

     

    So under a Standard User account and Safari's Open "safe" files option checked on, the download unzipped and presented an installer.

     

    However, the installer failed after entering the admin credentials.

  • by Linc Davis,

    Linc Davis May 6, 2011 8:56 AM in response to iGary
    Level 10 (208,037 points)
    Applications

    However, the installer failed after entering the admin credentials.

     

    Did you enter the credentials of the standard user account, or of an admin account on that Mac? If the latter, how did it fail?
