Mac Defender Trojan

Update, August 1, 2011: Apple released a security update (2011-003) on June 1 that catches and removes this trojan for Snow Leopard users. New variants appeared, but Apple updated to counter those versions as well. Lion is not threatened by this malware. So this trojan is only a threat if you have a non-updated version of Snow Leopard or Leopard. However, it seems to have disappeared as a threat.
Check out MacMost Now, episode 555: Mac Defender Trojan for a video tutorial on this problem, how to avoid it, and how to clean your Mac if you have it.
The Mac Defender trojan, also know as the Mac Protector, Mac Security or Mac Guard trojan, is a clever deception that works like this:

  • The user searches for something on the web and clicks on a link. Sometimes the bad link is part of a comment left at a news site.
  • The page pops up various screens and graphics to make it appear as if the web page has detected a virus on your Mac. It is all fake.
  • If you click on anything on that page, including the cancel button, a you will download the malicious “Mac Defender” installer.
  • If you have “Open Safe Files After Downloading” then the installer will launch and run.
  • At this point the installer asks for the admin password, to get permission to install. The Mac Guard variant doesn’t ask for a password, but still asks for permission to install.
  • If the user gives the password, it installs and infects the Mac.
  • Fake virus scanning screens appear and declare that the Mac is infected with a virus, a credit card number is requested so that the Mac can be cleaned.

The malware can be easily thwarted at almost any step along the way. Here are ways to protect yourself.

  • If you come across a page on the web that says, in any way, that you are infected with a virus, just force-quit Safari. Control+option+click on Safari in the Dock and select “Force Quit,” then confirm the force quit. Do not click any buttons on the page, even if the buttons are labeled “cancel.” A web page cannot analyze your Mac for viruses and those graphics are simply fakes.
  • Make sure you set Safari to NOT “Open Safe Files After Downloading.” In Safari, go to Safari, Preferences, General and uncheck it there.
  • If you have downloaded the file, don’t run it. Delete it from your Downloads folder.
  • If the installer has been automatically launched, don’t give it permission to install by entering your admin password. Cancel the install and delete it from your Downloads folder.
  • If you have installed it, then you must remove it. Doing so involves a few simple steps:
    • Quit the application. Do this by running Activity Monitor. Show all processes in Activity Monitor and look for Mac Defender or Mac Protector. Select and force quit any you find.
    • Go to your Applications folder and find the program there. Drag it to the trash and empty trash.
    • Check in your System Preferences, Accounts, Login Items for your current account. See if there is any Mac Defender or Mac Protector process listed. If so, remove it.

Notes

  • The initial fake screen that comes up looks like a Finder window with other Mac-like graphics and elements. They are all fake. Like the coyote painting a tunnel entrance on the side of rock so the road runner will smash into it.
  • The sites that spread the trojan are not real sites, but ones that have found their way into Google search results, usually image searches. Many have been around for some time housing the Windows version of this same trojan.
  • Google has a system for removing these types of malicious sites from its results, and many of the pages that spread this trojan already appear to be gone from search results.
  • There are reports that once installed you will not only be pestered for your credit card information, but web site windows may appear at random to demonstrate that you have a virus in hope that you will be more likely to give your credit card number.
  • There are no reports of this trojan causing harm to the computer or data. It only seems to seek your credit card information.
  • There is a legitimate piece of software called MacDefender that was created by a German software company. This trojan has no relation to that.
  • Back to the Mac Virus and Malware Information Center.

    Comments: 5 Responses to “Mac Defender Trojan”

      Michael A.
      13 years ago

      Is there a list of exactly which files need to be removed? Obviously a new strain of this virus could appear at any time, but it'd be nice to know exactly what is installed by the current version. Other places I would suggest checking are /Library/LaunchAgents and /Library/LaunchDaemons (also /System/Library/… and ~/Library/…).

        13 years ago

        Nope, reports are that it doesn't put anything in there. Just the Application. So quit it, get rid of the Application, the installer in your Downloads folder, and the Login Item (if any) and you are set.

      Dawn H
      13 years ago

      Had 2 clients this week in sleepy little Hilo town on the big island. Applecare told one she had a SERIOUS threat and needed anti-virus software to deal with it?! Thanks for having such clear reporting and solution for this. It was simple to remove.

      jac mills
      13 years ago

      how do i check to see if i have it already and it is sitting waiting....?

        13 years ago

        Look for it in your Applications folder. If it isn't there, you don't have it. If you have it, you pretty much can't do anything else as it takes over everything with warnings and alerts, etc. It doesn't try to hide.

    Comments Closed.