MacDefender malware targeting Mac users, instructions for removal

Mac owners usually have little to worry about in terms of computer viruses and spyware, but a new malware attack seems to be causing issues for some users.
According to a report on The Next Web, a specialized malware attack targeting Mac users is making the rounds. Users seem to be targeted while browsing Google Images: one victim reported that he suddenly received a message stating that his machine had been infected with viruses that only a "MacDefender" application could remove. An unrelated MacDefender website, which highlights a few shareware apps written by a dedicated geocacher, is now warning visitors not to download the malware app.
The malware appears to be targeting Safari. The browser can be configured to automatically open files it considers "safe" after download, and that setting appears to be the route of attack being used. While MacDefender isn't infecting Macs with a virus or running a keylogger in the background, the author's goal appears to be scaring users into handing over credit card information to "buy" the software.
The Next Web provided some useful hints on how to protect yourself from the malware and to remove the pesky app if it is downloaded onto your Mac. If you aren't seeing MacDefender in your Applications folder, you can protect yourself from possible infiltration by unchecking the "Open 'safe' files after downloading" box at the bottom of Safari > Preferences > General (see the area outlined in red in the image above).
If MacDefender is already on your Mac, check out the next page for tips on how to remove it.
If you find the application in your Applications folder, deleting it by dragging it to the trash may fail because you'll be told that the app is in use. The app can be killed by launching Activity Monitor (found in Applications > Utilities) and quitting any processes whose name includes MacDefender. The Next Web also recommends looking in /Library/StartupItems, /Library/LaunchAgents, and /Library/LaunchDaemons (all on your boot drive) for files that reference MacDefender.
Once the malware app has been stopped, you should be able to drag the MacDefender file to the trash. Empty trash, and follow up with a Spotlight search for MacDefender. Any other MacDefender files should be deleted as well.
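The following POSIX shell script is an added example, not code from the original article or from The Next Web, that automates the checks described above: it searches the startup and launchd directories the article names for files mentioning a given name, lists running processes that mention it (what the Activity Monitor search shows), and reports the Safari "Open 'safe' files after downloading" preference. The NAME variable and its MacDefender default, the function names, the extra check of ~/Library/LaunchAgents, and the treatment of a missing AutoOpenSafeDownloads key as "enabled" are all assumptions of this example. It only reports; it deletes nothing, so the removal steps in the article are still done by hand.

```shell
#!/bin/sh
# Added example, not code from the original article or from The Next Web.
# Audits a Mac for a scareware app by name, automating the manual checks
# described in the article. It only reports; it deletes nothing.
#
# Assumptions (not stated on the page): NAME is taken from the environment
# and defaults to MacDefender; ~/Library/LaunchAgents is checked in addition
# to the three system directories the article names; a missing
# AutoOpenSafeDownloads key is treated as "enabled", Safari's default.

NAME="${NAME:-MacDefender}"

# find_persistence DIR... : print each file directly under the given
# directories (one level of subdirectories included, for StartupItems bundles)
# whose name or contents mention $NAME, case-insensitively. Directories that
# do not exist are skipped. Returns 0 if anything was found, 1 otherwise.
find_persistence() {
    found=1
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/* "$dir"/*/*; do
            [ -f "$f" ] || continue
            if printf '%s' "$f" | grep -qi -- "$NAME" ||
               grep -qi -- "$NAME" "$f" 2>/dev/null; then
                printf 'persistence: %s\n' "$f"
                found=0
            fi
        done
    done
    return "$found"
}

# find_processes : print "PID command" for running processes whose command
# line mentions $NAME. Returns 1 when none match.
find_processes() {
    # ps -A / -o are POSIX; the trailing "=" suppresses the header line.
    # The final grep drops our own grep from the listing.
    ps -Ao pid=,args= 2>/dev/null | grep -i -- "$NAME" | grep -v 'grep -i'
}

# check_safari_autoopen : report the "Open 'safe' files after downloading"
# preference via defaults(1). On systems without defaults(1) it says so.
check_safari_autoopen() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "safari-autoopen: unknown (defaults(1) not available)"
        return 0
    fi
    # Assumption: a missing key means the default, which is enabled.
    val=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo 1)
    case "$val" in
        0|false|NO) echo "safari-autoopen: disabled (good)" ;;
        *) echo "safari-autoopen: ENABLED - uncheck it in Safari > Preferences > General" ;;
    esac
}

# audit_all : run every check against the locations the article names.
audit_all() {
    echo "== startup/launchd items referencing $NAME =="
    find_persistence /Library/StartupItems /Library/LaunchAgents \
        /Library/LaunchDaemons "$HOME/Library/LaunchAgents" || echo "(none)"
    echo "== running processes referencing $NAME =="
    find_processes || echo "(none)"
    echo "== Safari download setting =="
    check_safari_autoopen
}

# Run the full audit only when invoked as: sh audit.sh --run
case "${1:-}" in
    --run) audit_all ;;
esac
```

Run it as `sh audit.sh --run` (or `NAME=SomeOtherApp sh audit.sh --run`) before and after the manual removal: an empty "(none)" under both headings after the trash has been emptied is the confirmation that nothing referencing the app is left behind in the startup directories or still running.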
This particular bit of Mac malware isn't that complicated to remove, but that's mostly because the developers didn't build it to be particularly sophisticated in its approach -- in theory, future iterations could be much trickier to get rid of. For those of you who haven't been hit by the MacDefender app, take care while downloading images for the next few weeks.
If you do feel the need to take extra precautions, both the open-source ClamXAV and the commercial-grade Sophos AntiVirus for Mac Home Edition packages are completely free of charge.
I have this virus and don't know how to get rid of it :( I have not downloaded any pictures or anything from the web but I do use Safari :( Please help me
May 12 2011 at 6:39 PM
Well said ^^^^
May 02 2011 at 8:19 PM
Like the rest of the EXTREMELY few Mac OS X, Unix, or Linux viruses, they have to be installed in some way and it requires your admin password to take effect. Aka, you have to be completely unaware or be (for lack of better terms) stupid to get infected by a virus on a Mac. Rule of thumb is: Only install software you KNEW you downloaded and software you know and trust, and if a random installer comes up like that, DON'T continue...
May 02 2011 at 4:36 PM
@DA623 - It is NOT true that all UNIX, Linux and Mac Malware require Admin privileges (by asking for your Admin password) before they can be installed and run with admin privileges.
Due to Security Flaws in UNIX, Linux and Mac, some malware can be installed and run with administrative privileges WITHOUT asking for your admin password. These security flaws are typically called "root escalation exploits". And yes, Mac OS X and iOS have had MANY of them over the years. (These exploits are often used to jailbreak iPhones). Apple tries to quickly patch them when they are discovered.
To protect yourself, it is best to follow these rules:
1) Promptly Install all mac OS X Updates from Apple;
2) Promptly install all updates to browser plugins (like Flash);
3) Never install software from sources you do not trust;
4) Never click on links in EMAILS;
5) Surf the internet in a NON-ADMIN user account (but this is NOT fool-proof as mentioned above); and,
6) Do NOT use Safari. Use Firefox or Chrome. Safari has had the WORST record for security flaws lately. And is often used in the Pwn to own contests.
And it may make sense these days to regularly run AV scans with apps like ClamXav etc.
I get various pop-ups for MacKeeper which render Safari useless. The only options are to click on it and install it (which I do not do) or Force Quit Safari and relaunch it.
May 02 2011 at 4:30 PM
Why do I need to waste clock cycles on software like this?
And people still use Safari? Why?
I use Nod32 AV for the Mac and Firefox, but there will be more threats, this is just the tip of the iceberg.
May 02 2011 at 2:27 PM
Ha, if the iceberg is just made of annoying apps that don't really do anything, I'm fine with that.
May 02 2011 at 6:49 PM
Simple solution (for now)... don't use Google.
Or... you could take this opportunity to tone down your vicious porn addiction.
May 02 2011 at 2:08 PM
I recommend using Intego's VirusBarrier Plus or Express (on the App Store), and creating an Automator Workflow that makes VirusBarrier scan your downloads folder each time you download something.
To do so, make a Folder workflow, and add a shell prompt. The command is:
"/Applications/VirusBarrier Plus.app/Contents/MacOS/escanner" -r ~/Downloads/
for the Plus version and
"/Applications/VirusBarrier Express.app/Contents/MacOS/escanner" -r ~/Downloads/
for the Express version.
It's fast, and it ensures that all downloads get scanned.