13 Replies Latest reply: Jun 8, 2013 3:10 AM by thomas_r.
thomas_r. Level 7 Level 7 (30,545 points)

For anyone who has been affected by MacDefender, MacSecurity or MacProtector, I've got a full run-down on how to remove it, complete with screenshots, on my blog:

 

Identifying and removing MacDefender trojans

 

* Disclaimer: links to my pages may give me compensation.

  • Kurt Lang Level 8 Level 8 (35,715 points)

    As usual, very thorough and helpful information, Thomas. Thanks!

  • WZZZ Level 6 Level 6 (12,775 points)

    Thomas, have you seen something about the latest incarnations phoning home along with doing a scan of some kind -- but appears to be fake -- of the drive? That sounds potentially very troubling if the "scanning" may now really be looking for, or able to scan for, data to steal.

  • thomas_r. Level 7 Level 7 (30,545 points)

    I have not heard of anything like that.  It might be interesting for someone to use LittleSnitch to check and see what is being sent back.  I may or may not have time to test that in the next few days...  I think my wife might get a little annoyed if I'm jacked in to the computer too much tomorrow, it being Mother's Day and all!    To this point, I've only run these trojans long enough to see what they look like and get screenshots, and then I've deleted the entire account I ran them on.  (And I haven't actually run the installer...)

     

    Perhaps if I have some time next week I might create a SL system on an external drive and do some detailed testing.  If anyone wants to beat me to it, feel free. 

  • WZZZ Level 6 Level 6 (12,775 points)

    I know your opinion of MacScan, but don't see why they'd be making this stuff up. This was where I found that bit about phoning home. No information on what, exactly, it may be sending back.

     

    From UPDATE - MAY 4TH, 2011

     

    The new version did not change the main functionality of the code, but rather cleaned up the existing code and added small updates including the capability to send information about the infected system back to the authors of the malware.

    http://www.securemac.com/MAC-Defender-Rouge(sic)-Anti-Virus-Analysis-Removal.php

     

    Also, the latest is people getting infected from hotmail (scummail).

     

    https://discussions.apple.com/thread/3042885?start=15&tstart=0

  • thomas_r. Level 7 Level 7 (30,545 points)

    I know your opinion of MacScan, but don't see why they'd be making this stuff up.

     

    Yes, I agree that it's unlikely they'd just make stuff up.  It would be too easy for someone to prove them wrong. However, before I jump at that possibility, I'll want to find out what's actually going on.  After all, people freaked out about iPhone location data that turned out not to even be exactly what everyone assumed it was.

  • buddyjewell Level 1 Level 1 (0 points)

    THANK YOU SO SO MUCH!  What a relief!  You saved me.

    Joyce

  • babowa Level 7 Level 7 (27,960 points)

    Thomas,

     

    could you please take a look at this:

     

    https://discussions.apple.com/thread/3056874?tstart=0

     

    Not sure if this is a new wrinkle, but it may be?

     

    Thanks.

  • thomas_r. Level 7 Level 7 (30,545 points)

    That is not related. Sounds to me like some guy has been illegally distributing software he purchased through the App Store and other folks are downloading it, with or without the realization that they are engaging in software piracy, and don't understand why it won't work for them without logging on to the account it was purchased on. It takes a real dope to distribute App Store software, since it's linked to your Apple ID.

  • WZZZ Level 6 Level 6 (12,775 points)

    People should stop using hotmail or Windows hotmail.

     

    Screen shot 2011-05-14 at 11.39.56 PM.png

  • ds store Level 7 Level 7 (30,320 points)

    In addition to Thomas's excellent advice in removing the current incarnation of the MacDefender Trojan, one should also take into careful consideration that malware evolves and is altered and delivered by other parties.

     

    The steps you are taking following Thomas's advice may work and appear to be enough, but it's impossible to be 100% sure, as you can't compare his version of the malware with the version you have.

     

    My advice is to take Thomas's advice as a first step, then take additional measures: back up your files and reinstall the operating system from the (hold C, bootable) OS X installer disks after using Disk Utility to Zero erase (under the menu) your boot drive (all data will be destroyed; format HFS+ Journaled), and then reinstall OS X. Re-install programs from fresh sources.

     

    Yes, it's a lot of work, unfortunately; if you don't know how to do this, take it to a computer professional who can.

     

    If you didn't give this Trojan (or any malware) your administrative password (or it didn't gain root access some other way), then my steps above are not necessary.

     

     

    To prevent this MacDefender Trojan from happening again:

     

    It preys upon a JavaScript vulnerability on web pages among other things.

     

    Since turning Safari's JavaScript preference on/off constantly is a chore, I advise using the Firefox web browser and the NoScript add-on; in Firefox's toolbar customization you drag a NoScript button to the toolbar for easy on/off of all scripts and plug-ins.

     

    NoScript also offers other "web cop" features. It takes some getting used to, as you're surfing the web without anything running, then turning it on on a per-site basis once you trust the site.

     

    Firefox also has a download opt-out window before it downloads, giving you a chance to stop this thing in its tracks.

  • Awasthi Sachin Level 1 Level 1 (0 points)

    Exactly the same here!!

    It's a bug!!

  • thomas_r. Level 7 Level 7 (30,545 points)

    Exactly the same here!!

    It's a bug!!

     

    Can you be a little clearer? This topic is more than 2 years old, and is a discussion of the MacDefender malware, not a bug.