MacMost Now 555: Mac Defender Trojan

Learn about the Mac Defender/Mac Protector trojan horse malware attack. See how it works. Find out how to protect yourself from it. Watch step-by-step how to remove it. This piece of malware tricks you into download and installing it with frightening, but completely fake, virus warnings. What it really wants is your credit card number. Fortunately it is easy to avoid and easy to remove.



Be sure to check out MacMost’s Virus and Malware Information Center for up-to-date information about threats to your Mac.

Comments: 33 Responses to “MacMost Now 555: Mac Defender Trojan”

    Michelle McLeod
    8 years ago

    My 11-year-old son was downloading a game last week that he had permission to get. While doing so and not paying attention, he clicked on this virus. Luckily, I had already warned him of it and he immediately got me and we followed the directions for removal and have had no more trouble. As I was removing it, however, I was bombarded with links to gay porn sites and requests to “update” my “anti-virus” software.

      8 years ago

      I got lucky that the porn sites didn’t pop up when I was doing this. I couldn’t have used that footage if it happened, obviously. Perhaps that only happens after a few minutes?

    Marcia Braden
    8 years ago

    I got it too!!! How annoying. Thank goodness realized it and didn’t give my credit card number.

      Bethany pedersen
      8 years ago

      I have this trojan,and followed what Gary said to do, but it will not go from the forced quit in my activity process. what shall i do now?

        8 years ago

        Try force quitting again. What happens when you do so? Exactly.

    Tchoua
    8 years ago

    Please, hide the redirection address…

    James McEwan
    8 years ago

    Good podcast Gary. I’ve Tweeted the link: http://bit.ly/iU0NXD

    pYranha
    8 years ago

    I just saw it: making an image search for “octavarium”, the first image in the google search leads you to it.

    Franco
    8 years ago

    Gary I had this pop up as well a couple of days ago. Not knowing what it was and being very suspicious of it since OS X currently has no known viruses, instead of clicking on anything on the page, I just quit Safari. Do you see anything wrong with that?

    Baba
    8 years ago

    What if I am using Firefox? Is Firefox a good browsers to use?

      8 years ago

      Doesn’t really make a difference which browser you are using.

    Kelly Small
    8 years ago

    With all the attention this MalWare is getting, has anyone been able to trace the fake website back to whomever is gathering this credit card information? Is that even possible?

      8 years ago

      Probably not. This same type of scam has been around in the Windows PC world for a long time. It is only getting attention now because there is a Mac version.

    G Tyler
    8 years ago

    This can be seen as a good sign for Apple – the Mac has finally reached a point where these malware creators believe that it’s finally worth their time and effort to create such an elaborate hoax. As Gary points out, you still have to enter your password during the install process so you should not install it by accident. This can be good PR for the App Store too where everything is pre-screened.

    Sharon
    8 years ago

    Yikes – I didn’t realize I shouldn’t have the “Open ‘safe’ files after downloading” box checked in Safari Preferences (General). When do you WANT to have it checked – only when you know you want to download something?

      8 years ago

      Now that this thing exists, you NEVER want it checked. You can open the files yourself after downloading. It is just an extra step.

    Corianne
    8 years ago

    Thank you Gary! I thought it looked valid when I was working in Firefox but it wasn’t until I had entered my password that I realized I had been tricked.

    Jimbo
    8 years ago

    hi gary, greetings from Littleton. Im a new Mac switchee after 26 years on PCs of all flavors, and other than the little things so far so good. MD reminds me of Windows Security Suite, ransomware that looks official, but once on the PC it sets up a false IE proxy that locks out the user out from running anything except the scam. I fell for it lock stock and barrel. anyway good videos, very informational. JB

    lucie
    8 years ago

    mac defender is this the only name I can be traped in?
    I have an non ordered anti virus from Avira. This must be the horse?

      8 years ago

      It goes by the names Mac Defender, Mac Protector, Mac Security and Mac Protector.

    David Helms
    8 years ago

    About the same time this hit us, a similar problem hit Windows users. It disguised itself as a Windows malware scanner and requested you buy it to use it and was stealing credit card info. It even had the Microsoft Authentic Software logo.
    Told my sister to buy a Mac before she bought her Sony Vaio.

    Barbara
    8 years ago

    HELP! Gary. Please advise! This (Mac Defender) just popped up as I was in my Yahoo email account via Firefox. It happened so fast that I couldn’t see where it came from. I recognized it from your video & article (previously seen). I did not click on anything, and just tried to quit Firefox, but couldn’t. I turned off my MacBook, and then rebooted, and went to Safari, which seems fine. How can I clear it from Firefox? What is safe and effective to do at this point? (By the way, when I go to the Yahoo email via Safari, it seems okay. I don’t see that image.) Please let me know. Can you send me an email? Thanks.

      8 years ago

      No need to turn off your MacBook. Just force-quit Firefox using either Command+Option+Esc or the Activity Monitor.
      It isn’t “in” Firefox. It is just that on some web page you are viewing there is malicious code that just redirects you to a fake web page. It is just a fake animation you are seeing. Nothing to worry about as long as you don’t agree to install anything on your Mac.

        Barbara
        8 years ago

        Thanks for your reply. In fact, soon after posting, I did manage to force-quit Firefox. At first, I couldn’t. The next time I opened it, there was an obviously fake page asking if I wanted to “go back to a tab”. After closing that, it all seemed to be gone. I wonder where the thing came from..as I think I was opening genuine emails (that I know), not a web page. Could it have infiltrated someone’s email?
        (I appreciate MacMost, all info, and the interactive opportunity.)

          8 years ago

          Could have come from any piece of content on that page. A message. An ad. A list of things. I know those Yahoo email pages are filled with content, so it is hard to say.

    Steve Lynch
    8 years ago

    Good Job on this video Gary… I’ve been on an iMac for a couple of years now and this is the first time I’ve seen the Activity Monitor. Very Helpful vid.

    Carole
    8 years ago

    Is MacKeeper legitimate or malware?

      8 years ago

      MacKeeper is not malware. It is legitimate software. As to whether it is useful or worth the price, that’s another story.

    George
    8 years ago

    I don’t understand how noone’s traced the site to it’s owners? Of course it’s traceable. That’s very fishy. First of all, being all alarming about this ridiculous trojan perpetuates it. Second, it seems very difficult to even get this virus. You really have to be stupid.

    Diana Mckinu
    8 years ago

    I use OS X Lion. And would my computer be safer from threats if I were to use the Standard user account vs the Administrator one on a regular basis?

      8 years ago

      Use an administrator account if it is your Mac and that’s account that you use. Non-admin accounts are fine for other users (kids, friends, etc). Using a standard account won’t really make things any safer, but it will be an inconvenience at times.

Comments Closed.