Update, August 1, 2011: Apple released a security update (2011-003) on June 1 that catches and removes this trojan for Snow Leopard users. New variants appeared, but Apple updated to counter those versions as well. Lion is not threatened by this malware. So this trojan is only a threat if you have a non-updated version of Snow Leopard or Leopard. However, it seems to have disappeared as a threat.
Check out MacMost Now, episode 555: Mac Defender Trojan for a video tutorial on this problem, how to avoid it, and how to clean your Mac if you have it.
The Mac Defender trojan, also know as the Mac Protector, Mac Security or Mac Guard trojan, is a clever deception that works like this:
- The user searches for something on the web and clicks on a link. Sometimes the bad link is part of a comment left at a news site.
- The page pops up various screens and graphics to make it appear as if the web page has detected a virus on your Mac. It is all fake.
- If you click on anything on that page, including the cancel button, a you will download the malicious “Mac Defender” installer.
- If you have “Open Safe Files After Downloading” then the installer will launch and run.
- At this point the installer asks for the admin password, to get permission to install. The Mac Guard variant doesn’t ask for a password, but still asks for permission to install.
- If the user gives the password, it installs and infects the Mac.
- Fake virus scanning screens appear and declare that the Mac is infected with a virus, a credit card number is requested so that the Mac can be cleaned.
The malware can be easily thwarted at almost any step along the way. Here are ways to protect yourself.
- If you come across a page on the web that says, in any way, that you are infected with a virus, just force-quit Safari. Control+option+click on Safari in the Dock and select “Force Quit,” then confirm the force quit. Do not click any buttons on the page, even if the buttons are labeled “cancel.” A web page cannot analyze your Mac for viruses and those graphics are simply fakes.
- Make sure you set Safari to NOT “Open Safe Files After Downloading.” In Safari, go to Safari, Preferences, General and uncheck it there.
- If you have downloaded the file, don’t run it. Delete it from your Downloads folder.
- If the installer has been automatically launched, don’t give it permission to install by entering your admin password. Cancel the install and delete it from your Downloads folder.
- If you have installed it, then you must remove it. Doing so involves a few simple steps:
- Quit the application. Do this by running Activity Monitor. Show all processes in Activity Monitor and look for Mac Defender or Mac Protector. Select and force quit any you find.
- Go to your Applications folder and find the program there. Drag it to the trash and empty trash.
- Check in your System Preferences, Accounts, Login Items for your current account. See if there is any Mac Defender or Mac Protector process listed. If so, remove it.
Back to the Mac Virus and Malware Information Center.
Is there a list of exactly which files need to be removed? Obviously a new strain of this virus could appear at any time, but it'd be nice to know exactly what is installed by the current version. Other places I would suggest checking are /Library/LaunchAgents and /Library/LaunchDaemons (also /System/Library/… and ~/Library/…).