
MacDefender malware protection and removal guide

macdefender splash screen

Screenshot thanks to @jaythenerd

The MacDefender malware has been causing trouble for Mac users all over the world; people are calling Apple Support in a panic, spending time visiting their local Apple Store Genius, and getting all stressed out about it. What's worse: the malware is mostly harmless to your computer. It's a scam trying to rip off your credit card number, not hurt your Mac (not that the theft of your credit info is a good thing).

The attack, which displays a message stating that your machine has been infected with viruses that only a "MacDefender" app can remove, has been spreading rapidly -- most of the folks encountering it are coming across it via Google image searches, where results have been 'poisoned' with the malware download. MacDefender doesn't infect Macs with a virus, nor does it run a keylogger as a background process on your machine. It's simply trying to scare users into providing credit card information by registering an unneeded piece of software. MacSecurity and MacProtector are the same scam software, differing in name only.

It's been reported by ZDNet's Ed Bott that Apple is telling support reps not to assist with removing this malware. You're on your own, but TUAW is here to help you. Read more to find out how to protect yourself from MacDefender, what a MacDefender attack looks like, and how to remove the app if it is installed on your Mac.

Protecting yourself from MacDefender

You can limit your exposure to these kinds of scams and malware. The malware targets Safari, so follow these steps to protect your Mac:

1 - Launch Safari.

2 - Select Preferences > General from the Safari menu.

3 - Uncheck the "Open 'safe' files after downloading" box found in the area I've outlined in red below:

This action keeps MacDefender malware from automatically launching, even if it's downloaded to your Mac. If you happen to find the downloaded app in your Applications folder, you can simply drag it to the Trash and then Empty Trash to remove it. A clean Downloads folder can help you identify new files that may have been downloaded without your approval.

How do you know when MacDefender or any of its variants are attacking your Mac? Read the next section for details.

What a MacDefender attack looks like

MacDefender attacks your Mac from any site on which a hacker has installed a custom JavaScript. Visiting a web page that you believe is benign runs a JavaScript that redirects you to a malicious website. These sites are changing from day to day, so it's virtually impossible to block them.

Once your browser has been directed to the malevolent site, you'll see a page very similar to the one seen at the top of this post. It's telling you that your Mac is infected with viruses. As mentioned earlier, hackers are already changing the look of the malicious websites, so don't expect the page to look exactly like this.

Usually, just visiting the bad website downloads a file to your hard drive. That file is generally named something like BestMacAntivirus2011.mpkg.zip or anti-malware.zip, but the name may be different. Keep your Downloads folder clean so that any new download, which makes the folder "bounce" in the Dock, catches your attention; that way you are likely to notice the malware file as soon as it arrives. Once unzipped, it has an .mpkg extension and a name of MacDefender, MacSecurity, or MacProtector. If you see this file in your Downloads folder, put it into the Trash, empty the Trash, and you've just saved your Mac from the malware.

If your Mac is set up to automatically open "safe" files, you still have a chance to keep MacDefender off your machine. In this case, the file is unzipped and the installer package (a file with an .mpkg extension) launches. You're going to see a standard installer window that looks something like this (note: this is the MacSecurity variant pictured):

Sure, this looks pretty official, but do not click the Continue button. You have a chance to save yourself from MacDefender at this point by just quitting the installer, and then throwing away the .mpkg file in your Downloads folder.

Let's say that you decide to click the Continue button. At this point, you've just opened the door to MacDefender and its variants. You'll be asked to provide your administrative password to install the application, at which time the app is added to your Applications folder, launched, and added to your login items so that the malware launches every time you log into your Mac.

Wondering what the malware icon looks like? Here's the icon that's used for all current variants:

The name may be different, but the icon is the same for each variant of MacDefender -- so far.

If you've gone this far and the malware is running on your Mac, it now displays a scan window that says your Mac is infected with viruses. The following screenshot (courtesy of BleepingComputer.com) is typical of what you'll see:

macdefender application malware screen

Looks pretty official, doesn't it? Of course, here's where things get really dicey. If you want to remove the nonexistent "viruses," you have to register MacDefender. To do that, you're asked for your credit card number.

-- DO NOT REGISTER THIS PROGRAM! --

If you have already done so, call your credit card company immediately and cancel the card. Once you've taken care of the credit card issues, come back to TUAW and read the following section so that you can remove the offending malware from your Mac.

Removing MacDefender

Once MacDefender is running on your Mac, it displays the scan window shown just above. If you try to drag the app to the Trash, you are notified that the app is in use. That means that you need to kill any running processes on your Mac that are related to the malware before you can start deleting the files.

To start, close the Scan window, which is designed to float above all other windows for maximum annoyance. Remember, your Mac is not infected with viruses -- these guys are just trying to get your credit card number.

Now launch Activity Monitor. You can find this in the Utilities folder that is located in your Applications folder (/Applications/Utilities). Look for a process with the name of MacDefender, MacSecurity, MacProtector, or whatever other variant shows up. When you've found that process, click on it to highlight it, and then click the Quit Process button as seen in the screenshot below (from Reed Corner Design):

After clicking the Quit Process button, another dialog appears:

Click Quit to stop the process from running. You can now remove the malware from your Mac. First, get rid of the application itself. Look in your Applications folder for the MacDefender icon shown previously or look for a file with a name of one of the malware variants. Drag that icon to the Trash, and then Empty Trash.

The application is gone, but it will try to launch itself at login and probably display an error message on your Mac screen as a result. Let's fix that -- open System Preferences (under the Apple menu or in your Dock) and click the Accounts icon. You'll see something similar to this mockup:

See the item that says MacDefender? It's set to automatically open when you log into your Mac. To remove the malware from the Login Items list, click on the malware in the list to highlight it, and then click the minus button ("-") that's below the text in this window.

At this point, you've moved towards a safer Mac -- the malware is gone and so is the login item. You can go further than this if you'd like by doing a search for MacDefender (or whatever the malware was called on your Mac) in Spotlight, and then removing any files that have the malware name in them.
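The whole removal procedure above, turned into a read-only triage script (an added example, not code from the TUAW article or from Apple): it reports running processes with a variant name, installer and app files in /Applications and ~/Downloads, login items, and whether Safari still has the "Open 'safe' files after downloading" box from the earlier section checked, so you can confirm each item yourself before quitting or deleting anything. The variant and file names are the ones the article gives, and the script assumes later variants keep one of those names, which the article itself says may not hold. The extra paths under the home folder are the ones solowalker27 reports in the comments below and are not verified here. The preference key AutoOpenSafeDownloads is Safari's stored name for that checkbox; the script file name is made up. The macOS-only commands (ps, osascript, defaults) are skipped on other systems, while the two matching functions read their input from stdin and work anywhere.

```shell
#!/bin/sh
# macdefender_triage.sh (constructed name): reports, but never deletes, the
# artifacts the removal steps above tell you to look for. Added example, not
# code from the TUAW article. Read-only; act on its output by hand.

# Variant names given in the article. Assumption: later variants keep one of
# these names (the article warns they may not).
VARIANT_NAMES='MacDefender|MacSecurity|MacProtector'

# triage_process_list: reads "pid command" lines on stdin and prints the PID of
# each line whose command matches a variant name (case-insensitive). Pure
# function, so it works on real ps output or on constructed input.
triage_process_list() {
    grep -Ei "$VARIANT_NAMES" | awk '{ print $1 }'
}

# triage_file_list: reads one path per line on stdin and prints the ones that
# look like the dropped installer (.zip/.mpkg, names from the article) or the
# installed .app. The match is on the last path component only.
triage_file_list() {
    grep -Ei "($VARIANT_NAMES|BestMacAntivirus2011|anti-malware)[^/]*\.(app|mpkg|zip)$"
}

# list_login_items: one login item name per line, via System Events (macOS only).
list_login_items() {
    osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null \
        | tr ',' '\n' | sed 's/^ *//'
}

# safari_autoopen_enabled: true when Safari still auto-opens "safe" downloads.
# AutoOpenSafeDownloads is the stored key for that checkbox; no key means the
# default, which is on.
safari_autoopen_enabled() {
    v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)
    [ -z "$v" ] || [ "$v" = "1" ]
}

main() {
    echo "== Running processes matching a variant name (quit them via Activity Monitor) =="
    ps -axo pid=,comm= | triage_process_list || true

    echo "== Installer and app files to review =="
    find "$HOME/Downloads" /Applications -maxdepth 2 2>/dev/null | triage_file_list || true

    echo "== Extra files reported by solowalker27 in the comments (unverified) =="
    for f in "$HOME/Library/Preferences/com.aple.sv.plist" \
             "$HOME/Library/Caches/com.aple.sv" \
             "$HOME/dmem.txt" "$HOME/hwuuid.txt" "$HOME/proc.txt"; do
        [ -e "$f" ] && echo "$f"
    done

    echo "== Login items matching a variant name (remove in System Preferences > Accounts) =="
    list_login_items | grep -Ei "$VARIANT_NAMES" || true

    if safari_autoopen_enabled; then
        echo "Safari still opens 'safe' files after downloading. Turn that off with:"
        echo "  defaults write com.apple.Safari AutoOpenSafeDownloads -bool false"
    fi
}

# Only run the report on macOS; the matching functions above can be used anywhere.
if [ "$(uname)" = "Darwin" ]; then
    main
fi
```

Run it as an ordinary user with sh macdefender_triage.sh; nothing it prints has been changed on disk, so a false match (say, a legitimately named file) costs you nothing but a second look.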

Moving ahead in the age of Mac malware

MacDefender is the first major malware attack in many years to specifically target Macs, and it's probably not going to be the last. In addition to our recommendation on changing Safari preferences to not open downloaded "safe" files immediately, there are some common-sense things you can do to protect yourself from future malware attacks:

1 - Never install any apps unless you are absolutely sure of where they're coming from and what they are.

2 - If an installer appears on your screen and you're not sure how it got there, don't let it install the software.

3 - Consider installing free anti-virus / anti-malware software. Both Sophos Anti-Virus for Mac Home Edition and ClamXav 2 are free and relatively unobtrusive.

4 - Never give your credit card number to anyone through an app. Most reputable software vendors provide other ways to purchase their products (Mac App Store or payment by PayPal) that do not compromise your credit card.

5 - Be cautious when entering admin credentials for strange applications (thanks to @jtjdt for the tip). The only time you should ever be prompted for your administrative password is when you are deliberately installing an application or plug-in.

6 - If your primary account on your Mac has administrative rights, consider changing that so that you have a separate admin account and your day-to-day account is a 'standard' account. This can protect against some privilege escalation approaches, and helps guard against issues in one account affecting the entire Mac.

TUAW doesn't believe in scaring its readers. MacDefender is a warning to those of us who use Macs that hackers are now starting to pay attention to our previously malware-free world. A little bit of paranoia goes a long way in a world that can be, sadly, malicious rather than embracing, but a few simple precautions and a bit of situational awareness can go a long way towards keeping us all safe on our Macs.

40 Comments

Peter

Actually, you cannot drag the file from your APPLICATIONS folder to the Trash. It does not permit you to remove it that way. You must use the procedure outlined above to get rid of it.

And Sophos is a royal pain in the butt - it dramatically increases your timeouts and hangs a lot of video playback if it is installed - and you cannot shut it off. It runs in the background and slows overall performance considerably. I use it once a month and then UNINSTALL it when not in use.

May 25 2011 at 7:04 PM
pkmills

I'm still back at, why would someone run an installation that was put onto their machine without their explicit permission? And I don't see myself moving past that point anytime soon.

May 24 2011 at 7:08 PM
solowalker27

A few more things to get rid of that NOBODY seems to have noticed exist yet (for whatever reason).

~/Library/Preferences/com.aple.sv.plist
~/Library/Caches/com.aple.sv/
~/dmem.txt
~/hwuuid.txt
~/proc.txt

May 21 2011 at 1:53 AM
John

Login items is just one place where Mac Defender or Mac Protector is found.
You also want to remove it from your Applications folder.
And your Preferences folder at user/library/preferences/aple.com preference file.
In the Downloads folder there could be up to six copies of the installer; remove them all to the Trash and don't forget to empty your Trash.
Another non-obtrusive anti-virus program is iAntiVirus at iantivirus.com.

May 20 2011 at 2:23 PM
Jenny

Just what kind of websites are you finding this MacDefender on? I had unchecked the "open safe files" a long time ago so I'm good so far. I also have the ClamAV installed because I have to deal with friends/family that have PCs.

Is it on normal sites, porn, what? If it's a recurring theme then that is easily solved, but random sites is a bit harder to deal with.

May 20 2011 at 11:47 AM
James

This post and the need for it just make me sad - end of an era?

May 20 2011 at 11:34 AM
Sohei

I read this article this morning. In the afternoon, my coworker came across MacDefender, while doing a Google Image search.
The image that she was looking for was linked to the MacDefender site. The UI looked just like a Mac app, but she was confused as to why it was showing up in English, as there are no English-only apps installed on her Mac.

It only took me a few seconds to understand the situation (thx to the article), and explain whatever was going on the screen.

If I skipped this article, I might've had to write up a security report, and why my coworker came across this site while she had Norton Antivirus installed. Thanks TUAW!

May 20 2011 at 5:32 AM
1 reply to Sohei's comment
Michael Rose

Glad we could help!

May 20 2011 at 11:34 AM
Sully

"If an installer appears on your screen and you're not sure how it got there, don't let it install the software." - that says it all!

May 19 2011 at 5:54 PM
Renzatic

Oooh. Mac malware. Is this finally the day that everyone learns OSX isn't nearly as solid as Apple claims? Not really. It does prove the old adage that a computer is only as secure as the person using it, though.

Right now, almost every bit of Windows malware you get is similar to this whole Mac Defender BS you're seeing here. Viruses and worms? Since the introduction of the UAC, and all the other very 'nix like bits and pieces MS has added to Vista/7, they're practically nonexistent these days. What you're getting instead are a bunch of moms and dads downloading Windows Defender because it popped up on the internet and said they're infected with 50 kajillion viruses.

Doesn't matter that the UAC popped up and warned them that it was gonna make changes to their computer. Doesn't matter that opening the download tells them that it's an unverified program from the internet. They want it on their computer. They initiated it. If you transplant these people to a Mac, they're gonna type in their admin password so it can make changes there, too.

There is no defense against this. You can have the most bulletproof OS in the world, and it still won't be able to protect itself against the person using it.

Right now, this Mac Defender thing isn't that big of a deal. OSX is still a relatively small percentage of the OS market, and most of the people who use it are savvy enough not to be tricked by it. But Apple's marketshare is growing, and those same moms and dads who downloaded Speed Up My PC are gonna move over to a Mac, because they hear it's a better place to be. Guess what they're gonna do there? Yup.

And there's nothing anyone can do about it. The Mac App Store will mitigate this somewhat. But as long as OSX still allows you to download and install applications outside of it, then social engineered malware will always be a potential problem, no matter what you're using.

May 19 2011 at 5:42 PM
2 replies to Renzatic's comment
Dan Woods

"If you transplant these people to a Mac, they're gonna type in their admin password so it can make changes there, too."

Unfortunately, that is still blaming the user.
Macs are supposed to be user friendly. It's up to Apple to dream up a security system that isn't intrusive (like UAC is in Vista), but effective.

They have to do this before AntiVirus 'Vendors' flood the market with Third-Party Bloatware, just like Symantec, Norton and McAfee do to Windows.

May 19 2011 at 7:24 PM
Michael Rose

"Right now, almost every bit of Windows malware you get is similar to this whole Mac Defender BS you're seeing here. Viruses and worms? Since the introduction of the UAC, and all the other very 'nix like bits and pieces MS has added to Vista/7, they're practically nonexistent these days. What you're getting instead are a bunch of moms and dads downloading Windows Defender because it popped up on the internet and said they're infected with 50 kajillion viruses."

That's fundamentally untrue for the most popular OS in the world: Microsoft Windows XP. Yes, Win7 has a much better security story, but there are bazillions of XP boxes out there that remain vulnerable to the old sort of malware.

May 20 2011 at 11:34 AM
LittleCookieCat

wow. so glad TUAW is here! i just went through this yesterday, and am still dealing with the aftermath of it today. i ended up calling "v tech squad" yesterday, and they told me if all 4 computers in my house share the same wireless system, they would all be infected with this "virus" and it needs to be taken care of asap or my computer could crash, and it costs $299.99 for *each* computer to be de-virused. turns out my ancient desk-top was uninfected, and my skeptical husband never even checked his laptop, so he never called v-tech-squad to have them "take care of it". but still, today, a pending charge of $1199.99 shows up on my debit card. so now i'm waiting to hear back from v-tech squad, the legitimacy of whom i am questioning. anybody know anything about them? am i getting ripped off?
signed,
a most UN-computer-savvy
LittleCookieCat

May 19 2011 at 4:06 PM
1 reply to LittleCookieCat's comment
Dan Woods

I Am Not A Lawyer, but it sounds like V-Tech-Squad are defrauding you with incorrect information. I would contact their complaints department and threaten legal action if the charge is not reversed. If they refused, I would call my Credit Card Company and explain that the service was not provided.

Once again, IANAL, so seek qualified advice in your area before you do it.

These Scum are worse than the original creators of the MalWare.

May 19 2011 at 5:18 PM

© 2012 AOL Inc. All Rights Reserved.