Heads Up/Warning Mac Defender

Thank you for your help, Joseph! It's good to know this wasn't a virus, exactly. I have a couple more questions. ClamXav recommends before running it that one backs up one's files. If I run a time machine back up, then any pieces of MacDefender which may remain will be backed up. If I don't back up, I could lose hundreds of photos and maybe other things. If spotlight and other searches do not show anything for MacDefender, is it completely gone and now safe to run a back up of all files? What is the risk to my files if I don't back up before using ClamXav?

Thankfully I thought to google this MacDefender, as I too followed the trail but didn't purchase it. Glad to see this discussion. It's helping a lot already. However, one thing I haven't seen in the posts is that randomly my internet is launching awful **** site home pages, I've had four pop up in the last hour. I just downloaded the ClamXav, hoping to follow rabbit trail in these posts to make sure I do the right thing to Uninstall the Mac Defender. Couldn't find it to Force Quit; system isn't allowing me to trash the app, even when I hold down Option key.

Just to chime in here, I too was surfing around Google Images earlier when I was redirected to the following page when in Chrome:

http://dl.dropbox.com/u/1882511/fake_antivirus.png

You will notice the URL is the same URL from this post:

Joseph,

My wife was also just attacked by the MacDefender virus. She was on Safari and was downloading a picture from http://bethelipa.com/hello/animal-mask-templates-for-kids. The down load was interrupted with a popup from http://awasthi-antivirus.cz.cc. that was from Windows Security 2011.

Unfortunately, I downloaded the program but became concerned when it required the program to be registered.

I then went to FireFox and googled MacDefender and found your comments. MacDefender is set up to automatically start on startup and I could not delete the program because it was in use.

I was able to trash the MacDefender program but only after I went to setup in MacDefender and changed the settings. I did not find any other files connected to the program, but what a pain!

Should I still check my MacBook Pro with ClamXav? I currently do not have this software.

.

However, the page was clearly rendered for a Windows user. Could this have been because I was using Chrome and not Safari, and the website was not sophisticated enough to identify user agent strings for the OS X version of Chrome? Everyone here with issues has been using Safari it seems.

Also, something is clearly amiss with Google Images, which appears to be the vector of this malware.

not sure if this helps any, but my mother got it while on Google News (news.google.com) and she clicked on a link to an article about the royal wedding. She was also using Firefox 3.6.

Hi Carol,

This is a SCAM - Cancel that credit card Immediately!!! You will not get any refund. Here is a link to the real MacDefneder

The reason they have someone answering the phone is so that you think it is a legitmate product and you don't cancel your credit card.

This way they can get a lot more $$ for your good credit card!!!

You're right. This is definitely malware/scareware. Not a real virus as you still have to run the installer and supply your password but also not a working product. If you paid for it try to get the money back as fast as possible. Call the anti fraud hotline of your bank or cc company. Please check this page for further information (I can recommend the Intego AV solution too):

http://blog.intego.com/2011/05/02/intego-security-memo-macdefender-fake-antiviru s/

As the owner of macdefender.org I just hope that this malware will go away. Someone even registered the nickname MacDefender here (and at Yahoo) as I can't use this nick (hence the mac_defender) :-(

If this will go one I'm sure that I have to change my nickname/webpage as every person will thing 'go away' if MacDefender is in the name 😢 This is really sad as I used this name for over 10 years now 😟

arkling wrote:

not sure if this helps any, but my mother got it while on Google News (news.google.com) and she clicked on a link to an article about the royal wedding. She was also using Firefox 3.6.

Well Firefox got a update long ago to 4.0, and likely Flash and other plug-ins haven't been updated.

Run this checker, you'll see RED. Fix everything.

I suspect this is a old Flash exploit catching Windows and Mac users who haven't updated their browsers or plug-ins.

https://www.mozilla.com/en-US/plugincheck/

Last week I was using the latest Safari, searching Google Images for "Child Labor." Safari popped up a dialog window, saying it had "discovered" three Trojans. It offered to "scan" my drive for more. I DIDN'T want to hit either the YES or the NO button - not knowing what commands they actually would send. I wanted to close the dialog window with the small red button in the upper left corner red-yellow-green trio, and then close the offending page. However, the dialog window close button was disabled.

Safari doesn't "scan" and Safari doesn't look for trojans, so this dialog window was bogus. The prudent thing would have been to "Force Quit" the entire Safari application. I wasn't ready to force quit Safari just then because I had something like 20 tabs in 3 windows open. I just wanted to dump the offending page and get on with my work. I am adventurous, I have time machine backups, and I am not giving up my administrator password. So I clicked "NO" I don't want to scan my drive.

Just as I had anticipated Safari (actually the web page) disregarded my "choice" and started "scanning my drive" and in the space of 2 seconds had discovered 17 more trojans and viruses on both my "C" and my "D" drive.

Well, I have a mid range late 2008 MacBook Pro and run 10.6.7. It's a sturdy machine and quick enough for what I use it for - but in no way can it even begin to scan the 250 gig hard drive in a couple of seconds. And, uh, I ain't got no stinkin "C" or "D" drive (and my drive isn't named "Macintosh HD" either.). It was a "movie" that was being played to scare me into purchasing some software. (I say "movie" for lack of a better term - it was probably Java since I don't allow Flash to run on its own without adult supervision.)

The "Movie" was captivating. Lots of flashing words and red text, and I wasn't able to close the page. If it had a soundtrack to accompany it I would have been a goner and seized up in a little ball. I decided I had enough of this and forced quit Safari.

Playing fast and loose I decided to relaunch Safari immediately, and it behaved properly on my home page. I then went into history and told it to "reopen all windows from last session." It started loading all 20+ windows and I navigated over to the offending window and killed it before it could download enough code to re-hijack Safari again. I then went about my work.

Lesson: 1. Observe what is being thrown up in front of you; is it logical ? Would Safari be scanning for viruses? Are windows behaving like they should ? 2. Is it obeying your commands to quit or close windows ? 3. Are its "results" making sense? Why does it say I have "C" drive? How can it scan in 2 seconds ? and 4. If it has flashing lights and lots of red words and lots of movement and lots of offers to "help" you with this terrible problem then it is BOGUS ! Force Quit and shut down your machine and don't give up any passwords until you log in from a cold start. ( anything beyond the Force Quit is probably not necessary - but it's better being safe than sorry, especially if you just got vertigo from the previous lightshow.)

My big takeaway complaint from all of this is why isn't Safari written to ALWAYS allow you to close dialog windows ?

MacJoseph wrote:

Alias

My understanding is Chrome for Mac is built from the same webkit as Safari. I can hopefully find the thread that states that, when I do I will post it here. And it seems people were searching for images when this malicious attack hit.

Joseph

Says it right here

WebKit is a layout engine designed to allow web browsers to render web pages. WebKit powers Google Chrome and Safari, which in January 2011 had around 14% and 6% of browser market share respectively.^[2] It is also used as the basis for the experimental browser included with the Amazon Kindle ebook reader. The WebKit engine provides a set of classes to display web content in windows, and implements browser features such as following links when clicked by the user, managing a back-forward list, and managing a history of pages recently visited.

https://secure.wikimedia.org/wikipedia/en/wiki/WebKit

Again, since Firefox 3.6 is involved, I think it's a Flash based exploit, not a webkit exploit.

Firefox doesn't use the webkit foundation that got hacked at the last Pwn2Own in 5 seconds. 😟

Not that Firefox 3.6 is secure which it isn't since Firefox 4 is now out.

Check your plug-ins here:

https://www.mozilla.com/en-US/plugincheck/

I do not believe it is a Flash based exploit. I have Flash disabled by default in Chrome, and I have to manually activate any Flash plugins that try to load.

From reading around it appears to be a JavaScript exploit. More details here: http://www.macrumors.com/2011/05/02/new-macdefender-malware-threat-for-mac-os-x/

Skip P wrote:

My big takeaway complaint from all of this is why isn't Safari written to ALWAYS allow you to close dialog windows ?

Because the window isn't a Safari or OS X window, it's likely a Flash base clickable image that looks like a window, why clicking the "close box" installs the malware.

Remember, NoScript for Firefox or Click2Flash for Safari stops Flash elements from running automatically.