
Heads Up/Warning Mac Defender

Just as a heads up and warning, there have been two incidents in the last hour or so where users are being redirected and Mac Defender seems to have downloaded itself claiming a virus has been detected. This is a trojan and should be deleted immediately. If you feel you need protection perhaps installing ClamXav would be an option. Be careful where you're surfing in the Interwebs. Any information you can provide if you encounter this problem would be greatly appreciated, info such as the browser you're using and the website that is redirecting you.


Regards,


Joseph

MacBook Pro, Mac OS X (10.6.7), 2011 MBP 15" 2.0Ghz 4GB RAM

Posted on Apr 30, 2011 10:24 AM


Posted on Apr 30, 2011 11:37 AM

This just happened to us too. What is ClamXav?


May 6, 2011 9:38 PM in response to MacJoseph

Hi

I am having trouble with this program that downloaded from Google. Mine is not called MacDefender, but MacProtector. I tried downloading ClamXav and it asks for updates which it can't get because they are supposedly being interrupted. Since this program downloaded, my other internet browser, Google Chrome, is starting on its own and is taking me to web pages which I didn't want to visit. I don't know what to do, I am worried. I hope you can help me.

May 6, 2011 10:34 PM in response to crm92

If it's like MacDefender there is nothing to worry about until you give those people your credit card number.


For help with ClamXav come over to the forum and somebody will help you with that. There's a link to it in my reply at the top of this page.


Again, if this program is the same as MacDefender then to disable it reboot with the shift key held down into safe mode. Find MacProtector (probably in your Applications folder), drag it to the trash, empty the trash and reboot in the regular manner.


So yesterday they started using MacSecurity and you are telling me that today it's called MacProtector?! I don't see how we can possibly keep up if they change it every day. At any rate, my guess is that none of the AV software folks will be able to find this new variety of MacDefender, so we need your help to get it to the folks that can take care of that. We need to find the file that initially downloaded to your computer. It's probably in your download folder and may still be called "BestMacAntivirus2011.mpkg.zip" or something similar. I need you to upload it to VirusTotal and check to see if it is identified by "clamav". If it's not then please upload it to clamav and we can get started on updating the database.

May 7, 2011 4:04 AM in response to ds store

ds store wrote:

Eric Brian wrote:

Sophos also offers their antivirus for free for Mac home users:

http://www.sophos.com/en-us/products/free-tools.aspx


Always on anti-virus is still unnecessary on a Mac and often conflicts with OS X changes.


Just some common sense is needed and a little more attention by Apple in preventing drive by downloads.


Whether or not always-on AV scanning software is necessary or desirable is something every user should decide for themselves, based on their expertise & familiarity with the OS. There are no known viruses in the wild that affect OS X, but there are many other kinds of malware that can affect OS X users.


This is especially true of trojans like MacDefender (& a new variant called MacProtector) because they trick users into installing their payloads by pretending to be something they are not. Apple can't prevent this, short of building the same kind of definition-based AV detection into the OS that stand-alone AV apps provide.


Apple has in fact done exactly that in recent updates to Snow Leopard; however, because OS updates are released infrequently & so far Apple has included just a few older trojan variant definitions, this offers no protection for emerging ones.


That is the primary benefit of third party AV apps: their catalogs of malware definitions are usually much more extensive & updated far more frequently, for some products within hours of the discovery of a new threat. For example, the Sophos definitions were updated to detect MacProtector less than 24 hours after it appeared. By default, the free Sophos home edition software is set to check for updates every hour, so its users would be exposed to so-called zero day attacks for less than a day.


FWIW, I have been using the free Sophos product since last November. It has not interfered with any OS update in any way.


Also note that common sense alone won't prevent these newer attacks from being downloaded. The MacProtector variant downloads before the web page is rendered. Users still have to be tricked into installing it, but just visiting the bogus site that hosts it will place a copy of its deceptively named zip archive in the downloads folder.

May 7, 2011 6:21 AM in response to R C-R

R C-R wrote:


The MacProtector variant downloads before the web page is rendered. Users still have to be tricked into installing it, but just visiting the bogus site that hosts it will place a copy of its deceptively named zip archive in the downloads folder.


In this instance I found this to be true for Safari, but not for Firefox.


As a test yesterday I created a new standard user account and from there tried using plain-vanilla browser environments to access a website I knew was infected with MacSecurity malware. For Safari v5.05 my only change from the initial default preferences was to first uncheck the box for "Open 'safe' files after downloading." For Firefox 3.6.17 I made no changes to the default preferences at all, and I didn't install any extra add-ons.


On visiting the infected website, I got the same phony flashing display with both browsers. Safari proceeded to download the malware Zip file automatically, with no further input from me. Firefox did not download anything and instead asked me if I wanted to save the zip file.


User uploaded file

I haven't tested other browsers.

May 8, 2011 1:17 AM in response to MacJoseph

Definitely got hit by Google Images too. Ended up downloading the anti-malware.zip. Of course I had the open "safe" files checked in Safari prefs and the file was nice enough to open itself and open the installer. I was of course very unhappy at this point as my computer houses a lot of sensitive information. I closed the installer out and then ran my security software on the zip file, which houses MacProtector.mkpg. It immediately picked up on the MacDefender trojan and cleaned it.


Definitely take the steps above posts. Personally, I tried Clam but it was a little too basic and went with VirusBarrier X6 Dual Protection (provides Panda Antivirus if you're running a virtualized Windows machine) from Intego software- wasn't a big fan of Norton either- total bloatware. So far I haven't experienced any slowdowns and it does its job. It may be overkill for some people but I'm happy as it warns me if there's anyone sniffing for open ports etc- and I can schedule full scans so they happen in the middle of the night.


I also went through and ritualistically cleaned out all my cookies. Bleh- and am also scanning the computers on my network. Ugh.


Biggest thing I learned- un-click the "open safe files" check box.


Other lessons for folks:


1. Unless you requested something to download and something downloads- don't trust it. EVER.

2. Mac viruses/trojans are on the rise. Get used to it and forget the "I'm ok cuz I have a Mac."

I've been a Mac user since 91 and it's only been in the last year or two that I've taken to buying anti-virus software.

3. Don't open e-mail attachments/links in e-mails- A. from strangers B. from people you know if it seems out of the ordinary. Even then if it's from your friends check and hover (in some e-mail clients) over the link and see if it goes where it says it goes.

4. Use a service like Google Mail- they're pretty good about weeding out trojan/virus e-mails- but even then some still get through. Default to lesson 3.

5. Don't ever click on e-mail links from your "bank" or the "IRS". Go to the website directly by typing it in your browser.

6. You have not won the lottery in the UK or have a rich uncle who passed away in some far off land.

7. Just be careful with your Google/Yahoo/Bing searches.

8. Update your software on a regular basis- OS X, Microsoft, Adobe. (they have updaters included with their software).


Best of luck out there - and don't be scammed.

May 8, 2011 1:14 PM in response to OBRA3

OBRA3 wrote:

Biggest thing I learned- un-click the "open safe files" check box.

It doesn't matter much if that option is checked in Safari or not. Either way, the malware still ends up in the designated Downloads folder, & until it is installed with an intentional click of Installer.app's "Install" button, it can't do anything more insidious than taking up a tiny amount of HD space.


Personally, I think I might rather have the Installer app launch to let me know right then & there that something I didn't ask for had just been downloaded instead of discovering it later in the Downloads folder & wondering where it came from or maybe confusing it with something I did intentionally download.


Regardless, the most important thing to learn from this is not to install anything that you are not completely sure of. A quick search of the web should give you a good idea about the app's legitimacy -- if it doesn't, or anything looks fishy about what you do find then don't install it.
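The thread makes two points a defender can act on: the drive-by download drops a deceptively named zip in the Downloads folder whether or not Safari's "open safe files" option is on, and the zip is inert until Installer.app's "Install" button is clicked. The script below is an added example (not from the thread or from any vendor) that inspects zip archives for installer bundles (.mpkg/.pkg) wrapped in security-software names; the keyword list and the sample archives are constructed for illustration.

```python
import io
import re
import zipfile
from pathlib import Path, PurePosixPath

# Bundles Installer.app opens; a zip that expands straight into one is the thread's pattern.
INSTALLER_SUFFIXES = (".mpkg", ".pkg")
# Words the lure names lean on (constructed heuristic, not a vendor signature).
AV_LURE = re.compile(r"anti.?virus|anti.?malware|defender|protector|security", re.I)

def installer_bundles(zip_bytes: bytes) -> list:
    """Top-level installer bundle names found inside a zip archive."""
    bundles = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            for part in PurePosixPath(member).parts:
                if part.lower().endswith(INSTALLER_SUFFIXES):
                    bundles.add(part)
                    break
    return sorted(bundles)

def assess_archive(filename: str, zip_bytes: bytes) -> dict:
    """Flag an archive that carries an installer AND is named like security software."""
    bundles = installer_bundles(zip_bytes)
    lure = bool(AV_LURE.search(filename)) or any(AV_LURE.search(b) for b in bundles)
    return {"file": filename, "bundles": bundles, "lure": lure,
            "suspicious": bool(bundles) and lure}

def scan_downloads(folder: Path) -> list:
    """Assess every zip in a folder such as ~/Downloads; returns the suspicious verdicts."""
    hits = []
    for path in folder.glob("*.zip"):
        try:
            verdict = assess_archive(path.name, path.read_bytes())
        except zipfile.BadZipFile:
            continue  # not a real zip, so nothing Installer.app would open
        if verdict["suspicious"]:
            hits.append(verdict)
    return hits

def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {member path: text}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples mirroring the thread: the lure archive and a benign one.
LURE_ZIP = build_zip({"MacProtector.mpkg/Contents/Info.plist": "<plist/>",
                      "MacProtector.mpkg/Contents/Packages/core.pkg/Payload": "x"})
BENIGN_ZIP = build_zip({"holiday/beach.jpg": "jpeg bytes", "holiday/notes.txt": "hi"})
```

Run `scan_downloads(Path.home() / "Downloads")` to list archives that would hand Installer.app a package the moment someone double-clicks them; the verdict only reports, it never opens or runs anything.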

May 8, 2011 3:21 PM in response to MadMacs0

It is pretty much the nature of the rogue web pages that pop into existence via SEO (search engine optimization) poisoning attacks to disappear again not long after they are identified as such. The few I've seen don't even have DNS names, just numeric IP addresses -- another indication that they are not a part of a legitimate web site.

May 9, 2011 12:28 AM in response to R C-R

R C-R wrote:


OBRA3 wrote:

Biggest thing I learned- un-click the "open safe files" check box.

It doesn't matter much if that option is checked in Safari or not. Either way, the malware still ends up in the designated Downloads folder, & until it is installed with an intentional click of Installer.app's "Install" button, it can't do anything more insidious than taking up a tiny amount of HD space.


Personally, I think I might rather have the Installer app launch to let me know right then & there that something I didn't ask for had just been downloaded instead of discovering it later in the Downloads folder & wondering where it came from or maybe confusing it with something I did intentionally download.

You make a good point as regards this threat, but perhaps the next malware outbreak will involve automatically running something far more harmful under the radar. Today I agree with your approach, but I may well change my mind when I find out what's behind the next door that opens.
