According to several discussion threads posted on Apple Support Communities, a new piece of malware called MacDefender.app is quickly spreading among Mac users using the Safari browser to visit certain websites, especially Google Images.

The application, disguised as a virus scanning tool and completely unrelated to the official MacDefender software, gets installed automatically without a user’s consent upon opening a webpage, although it’s not clear what kind of websites allow this kind of installation, and whether MacDefender “phones home” once running on a Mac to download additional pieces of code (like most malware on Windows does).


Some users are reporting they found the app installed on their Macs after visiting webpages linked on Google Images; some say it’s only happening with the Safari desktop browser; others claim the app can’t be removed with a simple drag & drop to the system’s Trash because, once installed, the process begins running automatically on OS X. Again, it’s not clear what kind of malware MacDefender.app is or how widely it has spread across Mac OS X machines, but the number of threads on Apple Support Communities seems to suggest at least hundreds of people have experienced the issue in these past few days.


A few reports from ASC:

Mac Defender has appeared in my iMac (OS X 10.6.7). I tried to remove it by dragging the program to the trash from the applications folder, but I can’t because the program is open. The program is pretending to be an antivirus program send $$, obviously a scam. I re-started but I can’t stop it from loading.

There is very little info on this program out there (MacDefender.app). Any ideas?

Same thing happened to my wife’s Macbook this morning. Definitely a scam; website to ‘register’ the software purports to be ‘secure’ but url is simple ip address without https.

A scam to steal credit card info. Will follow directions to clean up as posted here.

Hi. I’m a brand new Mac user and got caught with this today when I tried to download a pdf file from google images. Since I’m so new to Mac I barely understand how to do anything. I’ve tried to follow all the threads but they are pretty complicated for a novice.

I went into “Finder” and tried to trash the application, but can’t because it’s running.

Security company Intego reports the malware installation happens through SEO poisoning:

Intego has discovered a rogue anti-malware program called MACDefender, which attacks Macs via SEO poisoning attacks. When a user clicks on a link after performing a search on a search engine such as Google, this takes them to a web site whose page contains JavaScript that automatically downloads a file.

In this case, the file downloaded is a compressed ZIP archive, which, if a specific option in a web browser is checked (Open “safe” files after downloading in Safari, for example), will open.

The Next Web offers some good tips to remove the fake MacDefender application from a Mac: fire up Activity Monitor and force quit the process, then delete the app from your /Applications folder. You’d also want to clean up your login items in System Preferences > Accounts, and take a look inside /Library/StartupItems to remove related LaunchAgents and LaunchDaemons that might trigger MacDefender on login. Of course, applications like AppZapper and Hazel might be a good idea to find and delete all associated files when manually moving MacDefender to the trash. To prevent Safari from automatically opening “safe files” from the download queue in the future, make sure to uncheck the option in the browser’s settings.


Did you accidentally install MacDefender.app on your system or find it already installed? Let us know in the comments, or drop a line in one of Apple Support Communities’ threads.

How to remove the MacDefender malware from Mac OS X:

If you opened the downloaded file directly, which browsers such as Safari allow, we recommend that you look in your Applications folder and see whether there is an application called MacDefender. If so, follow these steps to remove it effectively:
  • Open Activity Monitor (in /Applications/Utilities), which shows a list of running processes.
  • Locate the MacDefender process and force it to quit. You may be asked for the administrator password at this step.
  • Once the process has stopped, remove the MacDefender application from your Applications folder. You can also do this more thoroughly with a program such as Trashman, which removes the application along with all of its directories and files.
  • In System Preferences, open the Accounts pane and click the Login Items (startup) tab for your own user. In the list of applications shown, remove the MacDefender entry.
  • Open the folder Macintosh HD/Library/StartupItems and remove any files you find there with MacDefender in the name. Take care with this step, and be sure not to delete anything that is part of another application.
Keep in mind that this malware is not related in any way to the company MacDefender, which develops completely safe software for Mac OS X. Do not confuse the two if you have any of its applications installed.
Finally, as always, we recommend never allowing the installation of applications that appear unexpectedly and for no reason. Disabling the automatic opening of downloaded files also helps prevent malicious code from running, and above all, check the web addresses of pages that ask for your credit card number, even ones you think you trust.
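The checks from the removal steps above, as a read-only shell script for the macOS Terminal that lists what it finds and deletes nothing. This is an added example, not part of the original article: the function names are made up here, the two launchd directories are standard macOS locations scanned in addition to the folders the article names, and `AutoOpenSafeDownloads` is taken to be the Safari preference behind the "Open 'safe' files after downloading" checkbox.

```shell
#!/bin/sh
# Added example: read-only check for MacDefender leftovers. Nothing is deleted.

# Print items whose name contains "MacDefender" (any case) under ROOT.
# /Applications and /Library/StartupItems come from the article; the two
# launchd directories are standard macOS locations added here as an assumption.
scan_artifacts() {
    root="${1:-}"
    for dir in Applications Library/StartupItems \
               Library/LaunchAgents Library/LaunchDaemons; do
        [ -d "$root/$dir" ] || continue
        find "$root/$dir" -maxdepth 1 -iname '*macdefender*' -print
    done
}

count_artifacts() {
    scan_artifacts "$1" | wc -l | tr -d ' '
}

# Running processes whose executable path mentions MacDefender.
running_processes() {
    ps -axo pid=,comm= | grep -i 'macdefender'
}

# Login items of the current user, as listed in System Preferences > Accounts.
login_items() {
    osascript -e 'tell application "System Events" to get the name of every login item'
}

# True when Safari's "Open safe files after downloading" option is on.
# An unset or unreadable key is treated as on so that it gets checked by hand.
safari_auto_open_enabled() {
    val=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null) || val=1
    [ "$val" = "1" ]
}

# Query the live system only on macOS; elsewhere the functions are just defined.
if [ "$(uname -s)" = "Darwin" ]; then
    echo "Matching files:";     scan_artifacts ""
    echo "Matching processes:"; running_processes || echo "  none"
    echo "Login items:";        login_items | tr ',' '\n' | grep -i 'macdefender' || echo "  no match"
    if safari_auto_open_enabled; then
        echo "Safari still opens 'safe' files automatically; uncheck the option."
    fi
fi
```

Review each listed path before removing it by hand, since a name match alone does not prove the file belongs to the fake application.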

Thanks: applesfera, MacStories and AppleInsider