MacMost Now 555: Mac Defender Trojan

Learn about the Mac Defender/Mac Protector trojan horse malware attack. See how it works. Find out how to protect yourself from it. Watch step-by-step how to remove it. This piece of malware tricks you into download and installing it with frightening, but completely fake, virus warnings. What it really wants is your credit card number. Fortunately it is easy to avoid and easy to remove.

Video Transcript
Hi, this is Gary with MacMost Now. Today's episode, let me tell you about the Mac Defender Trojan and how to protect yourself against it. Now Mac Defender, also known as Mac Protector, is a piece of malware, malicious software, known as a trojan horse. You download this to your computer by being tricked and then, once installed, it does something bad, in this case trying to get your credit card number. Let me show you exactly how it works and how to protect yourself. So it all starts when you're browsing the web. Maybe you're looking at some search results. Maybe you're looking at a news story in the comments at the bottom and somehow on that page, its got a piece of malicious code that redirects you to another page, like this one, and this is what will happen. You can see it brings up all this stuff and it looks like a Finder window. If you look on the left here, you see a bunch of stuff here and you look at files here; it even looks like a Mac dialog box here. But if you take a closer look, you can see you're actually in Safari. Look at the top there and that's actually the Safari window and this is stuff in it. This is actually a fake page. Completely fake. So, the proper thing to do of course is to close this window or tab. Now, when you try to do that, you get a little pop-up there. It will ask you if you want to leave this page. But the trick is of course you click Cancel to stay on the page or OK to leave but if you actually click OK, it will leave the page and everything is fine. Now remember this is all fake so here you see this cancel button and you think that would be the safe thing to press. That's not a real cancel button, that's not a real Remove All button; this entire thing is just all faked here. So when you actually hit cancel you are basically hitting a yes please download this button. And you can see what happens here is it downloads "", throws it in my Downloads folder, you can see it right there. But I still haven't done anything wrong because all I did was put the zip file in the Downloads folder. What I've got going on now is if I look in Safari at Preferences, I've done the right thing and I have Open "safe" files after downloading turned off. So, a zip file is considered a safe file and it would normally be opened and the installer would start running if I had selected that. Let's do it and see what happens. Ok, so now I hit Cancel, and it's going to download and then when it's done downloading it's going to automatically open the file because I've checked that box again. And I get to an installer. Now, I'm still safe; it still hasn't done anything because it has to ask my permission to install. So, let's say I do that and I go continue. I say sure, let's do it. And at this point, it's going to ask for my password; so I have to go all the way this far to give it permission by actually entering my password. And now it's going to install this, and in this case it's called the Mac Protector program, on the machine. And now you can see it starts running right away. Now it loads this thing up and it brings up this screen and it brings up all these scary things here and it's doing all sorts of scary stuff. It's all fake. Looking through this, it's not looking through anything. It's just an animation. All this stuff is completely fake. Oh, it's detected a virus and its showing it up there. All completely fake. Now, if I click over here on the clean up button, it asks me to register. I hit register and it's going to take me to this fake looking site; this page here in Safari. And it's going to ask me for my credit card information and that's what it's really looking for. It wants to steal your credit card information. So, now I want to get rid of this; how do I clean it off? Well, I'm going to have to first quit it. Now notice it's not even running in the Dock; you can't see it. Up here at the top it's running but there's no way to quit it. So, I'm going to run Activity Monitor and you'll be able to see it here. Ah, MacProtector. And now that I've got it there in Activity Monitor, notice I'm showing All Processes so it will show up, I control click on it and quit it. Force quit. Now, I want to go into Applications and I want to find this thing and get rid of it. There it is, MacProtector and I'm going to delete it and empty the trash. Now, I'm also going to go look in System Preferences here and go into Accounts, go into Login Items. I can see it actually added itself to Login Items. I'm going to get rid of it too out of there. So, now I've thrown away the application, I've thrown away the login item. I'm going to go into my Downloads folder here and I'm going to get rid of the installer. And i'm further going to protect myself by going into Safari and turning off Open safe files after downloading. That's all I had to do, is quit the application using Activity Monitor, throw away the application, throw away the installer, take it away from Login Items, empty trash and I'm done. All cleaned up. And since I didn't fall for the scam of giving out my credit card number, I don't have to worry about a thing. It's all gone. So I hope this helps you out, in case you run into Mac Defender or Mac Protector. I've also created a new section at the MacMost website where I can put information about any Mac malware threats. So until next time, this is Gary with MacMost Now.

Be sure to check out MacMost’s Virus and Malware Information Center for up-to-date information about threats to your Mac.

Comments: 33 Responses to “MacMost Now 555: Mac Defender Trojan”

    Michelle McLeod
    5/17/11 @ 7:16 pm

    My 11-year-old son was downloading a game last week that he had permission to get. While doing so and not paying attention, he clicked on this virus. Luckily, I had already warned him of it and he immediately got me and we followed the directions for removal and have had no more trouble. As I was removing it, however, I was bombarded with links to gay porn sites and requests to “update” my “anti-virus” software.

      5/17/11 @ 7:19 pm

      I got lucky that the porn sites didn’t pop up when I was doing this. I couldn’t have used that footage if it happened, obviously. Perhaps that only happens after a few minutes?

    Marcia Braden
    5/18/11 @ 4:56 am

    I got it too!!! How annoying. Thank goodness realized it and didn’t give my credit card number.

      Bethany pedersen
      5/19/11 @ 6:46 pm

      I have this trojan,and followed what Gary said to do, but it will not go from the forced quit in my activity process. what shall i do now?

        5/19/11 @ 6:49 pm

        Try force quitting again. What happens when you do so? Exactly.

    5/18/11 @ 9:22 am

    Please, hide the redirection address…

    James McEwan
    5/18/11 @ 5:45 pm

    Good podcast Gary. I’ve Tweeted the link:

    5/18/11 @ 7:28 pm

    I just saw it: making an image search for “octavarium”, the first image in the google search leads you to it.

    5/19/11 @ 1:56 am

    Gary I had this pop up as well a couple of days ago. Not knowing what it was and being very suspicious of it since OS X currently has no known viruses, instead of clicking on anything on the page, I just quit Safari. Do you see anything wrong with that?

    5/19/11 @ 10:08 am

    What if I am using Firefox? Is Firefox a good browsers to use?

      5/19/11 @ 10:48 am

      Doesn’t really make a difference which browser you are using.

    Kelly Small
    5/19/11 @ 10:16 am

    With all the attention this MalWare is getting, has anyone been able to trace the fake website back to whomever is gathering this credit card information? Is that even possible?

      5/19/11 @ 10:49 am

      Probably not. This same type of scam has been around in the Windows PC world for a long time. It is only getting attention now because there is a Mac version.

    G Tyler
    5/19/11 @ 1:33 pm

    This can be seen as a good sign for Apple – the Mac has finally reached a point where these malware creators believe that it’s finally worth their time and effort to create such an elaborate hoax. As Gary points out, you still have to enter your password during the install process so you should not install it by accident. This can be good PR for the App Store too where everything is pre-screened.

    5/19/11 @ 4:31 pm

    Yikes – I didn’t realize I shouldn’t have the “Open ‘safe’ files after downloading” box checked in Safari Preferences (General). When do you WANT to have it checked – only when you know you want to download something?

      5/19/11 @ 6:07 pm

      Now that this thing exists, you NEVER want it checked. You can open the files yourself after downloading. It is just an extra step.

    5/20/11 @ 1:07 pm

    Thank you Gary! I thought it looked valid when I was working in Firefox but it wasn’t until I had entered my password that I realized I had been tricked.

    5/23/11 @ 8:54 pm

    hi gary, greetings from Littleton. Im a new Mac switchee after 26 years on PCs of all flavors, and other than the little things so far so good. MD reminds me of Windows Security Suite, ransomware that looks official, but once on the PC it sets up a false IE proxy that locks out the user out from running anything except the scam. I fell for it lock stock and barrel. anyway good videos, very informational. JB

    5/25/11 @ 6:56 pm

    mac defender is this the only name I can be traped in?
    I have an non ordered anti virus from Avira. This must be the horse?

      5/25/11 @ 7:11 pm

      It goes by the names Mac Defender, Mac Protector, Mac Security and Mac Protector.

    David Helms
    5/26/11 @ 2:34 pm

    About the same time this hit us, a similar problem hit Windows users. It disguised itself as a Windows malware scanner and requested you buy it to use it and was stealing credit card info. It even had the Microsoft Authentic Software logo.
    Told my sister to buy a Mac before she bought her Sony Vaio.

    5/28/11 @ 2:00 am

    HELP! Gary. Please advise! This (Mac Defender) just popped up as I was in my Yahoo email account via Firefox. It happened so fast that I couldn’t see where it came from. I recognized it from your video & article (previously seen). I did not click on anything, and just tried to quit Firefox, but couldn’t. I turned off my MacBook, and then rebooted, and went to Safari, which seems fine. How can I clear it from Firefox? What is safe and effective to do at this point? (By the way, when I go to the Yahoo email via Safari, it seems okay. I don’t see that image.) Please let me know. Can you send me an email? Thanks.

      5/28/11 @ 8:01 am

      No need to turn off your MacBook. Just force-quit Firefox using either Command+Option+Esc or the Activity Monitor.
      It isn’t “in” Firefox. It is just that on some web page you are viewing there is malicious code that just redirects you to a fake web page. It is just a fake animation you are seeing. Nothing to worry about as long as you don’t agree to install anything on your Mac.

        5/28/11 @ 4:54 pm

        Thanks for your reply. In fact, soon after posting, I did manage to force-quit Firefox. At first, I couldn’t. The next time I opened it, there was an obviously fake page asking if I wanted to “go back to a tab”. After closing that, it all seemed to be gone. I wonder where the thing came I think I was opening genuine emails (that I know), not a web page. Could it have infiltrated someone’s email?
        (I appreciate MacMost, all info, and the interactive opportunity.)

          5/28/11 @ 4:55 pm

          Could have come from any piece of content on that page. A message. An ad. A list of things. I know those Yahoo email pages are filled with content, so it is hard to say.

    Steve Lynch
    5/30/11 @ 6:41 am

    Good Job on this video Gary… I’ve been on an iMac for a couple of years now and this is the first time I’ve seen the Activity Monitor. Very Helpful vid.

    6/2/11 @ 11:43 am

    Is MacKeeper legitimate or malware?

      6/2/11 @ 1:15 pm

      MacKeeper is not malware. It is legitimate software. As to whether it is useful or worth the price, that’s another story.

    6/10/11 @ 1:14 am

    I don’t understand how noone’s traced the site to it’s owners? Of course it’s traceable. That’s very fishy. First of all, being all alarming about this ridiculous trojan perpetuates it. Second, it seems very difficult to even get this virus. You really have to be stupid.

    Diana Mckinu
    9/26/11 @ 10:33 am

    I use OS X Lion. And would my computer be safer from threats if I were to use the Standard user account vs the Administrator one on a regular basis?

      9/26/11 @ 11:27 am

      Use an administrator account if it is your Mac and that’s account that you use. Non-admin accounts are fine for other users (kids, friends, etc). Using a standard account won’t really make things any safer, but it will be an inconvenience at times.

Comments Closed.