Learn about the Mac Defender/Mac Protector trojan horse malware attack. See how it works. Find out how to protect yourself from it. Watch step-by-step how to remove it. This piece of malware tricks you into downloading and installing it with frightening, but completely fake, virus warnings. What it really wants is your credit card number. Fortunately it is easy to avoid and easy to remove.
Hi, this is Gary with MacMost Now. Today's episode, let me tell you about the Mac Defender Trojan and how to protect yourself against it. Now Mac Defender, also known as Mac Protector, is a piece of malware, malicious software, known as a trojan horse. You download this to your computer by being tricked and then, once installed, it does something bad, in this case trying to get your credit card number. Let me show you exactly how it works and how to protect yourself.
So it all starts when you're browsing the web. Maybe you're looking at some search results. Maybe you're looking at a news story in the comments at the bottom and somehow on that page, it's got a piece of malicious code that redirects you to another page, like this one, and this is what will happen. You can see it brings up all this stuff and it looks like a Finder window. If you look on the left here, you see a bunch of stuff here and you look at files here; it even looks like a Mac dialog box here. But if you take a closer look, you can see you're actually in Safari. Look at the top there and that's actually the Safari window and this is stuff in it. This is actually a fake page. Completely fake.
So, the proper thing to do of course is to close this window or tab. Now, when you try to do that, you get a little pop-up there. It will ask you if you want to leave this page. But the trick is of course you click Cancel to stay on the page or OK to leave but if you actually click OK, it will leave the page and everything is fine. Now remember this is all fake so here you see this cancel button and you think that would be the safe thing to press. That's not a real cancel button, that's not a real Remove All button; this entire thing is just all faked here. So when you actually hit cancel you are basically hitting a yes please download this button. And you can see what happens here is it downloads "anti-malware.zip", throws it in my Downloads folder, you can see it right there.
But I still haven't done anything wrong because all I did was put the zip file in the Downloads folder. What I've got going on now is if I look in Safari at Preferences, I've done the right thing and I have Open "safe" files after downloading turned off. So, a zip file is considered a safe file and it would normally be opened and the installer would start running if I had selected that. Let's do it and see what happens.
OK, so now I hit Cancel, and it's going to download and then when it's done downloading it's going to automatically open the file because I've checked that box again. And I get to an installer. Now, I'm still safe; it still hasn't done anything because it has to ask my permission to install. So, let's say I do that and I go continue. I say sure, let's do it. And at this point, it's going to ask for my password; so I have to go all the way this far to give it permission by actually entering my password. And now it's going to install this, and in this case it's called the Mac Protector program, on the machine.
And now you can see it starts running right away. Now it loads this thing up and it brings up this screen and it brings up all these scary things here and it's doing all sorts of scary stuff. It's all fake. Looking through this, it's not looking through anything. It's just an animation. All this stuff is completely fake. Oh, it's detected a virus and it's showing it up there. All completely fake. Now, if I click over here on the clean up button, it asks me to register. I hit register and it's going to take me to this fake looking site; this page here in Safari. And it's going to ask me for my credit card information and that's what it's really looking for. It wants to steal your credit card information.
So, now I want to get rid of this; how do I clean it off? Well, I'm going to have to first quit it. Now notice it's not even running in the Dock; you can't see it. Up here at the top it's running but there's no way to quit it.
So, I'm going to run Activity Monitor and you'll be able to see it here. Ah, MacProtector. And now that I've got it there in Activity Monitor, notice I'm showing All Processes so it will show up, I control click on it and quit it. Force quit. Now, I want to go into Applications and I want to find this thing and get rid of it. There it is, MacProtector and I'm going to delete it and empty the trash. Now, I'm also going to go look in System Preferences here and go into Accounts, go into Login Items. I can see it actually added itself to Login Items. I'm going to get rid of it too out of there. So, now I've thrown away the application, I've thrown away the login item. I'm going to go into my Downloads folder here and I'm going to get rid of the installer. And I'm further going to protect myself by going into Safari and turning off Open safe files after downloading.
That's all I had to do, is quit the application using Activity Monitor, throw away the application, throw away the installer, take it away from Login Items, empty trash and I'm done. All cleaned up. And since I didn't fall for the scam of giving out my credit card number, I don't have to worry about a thing. It's all gone.
So I hope this helps you out, in case you run into Mac Defender or Mac Protector. I've also created a new section at the MacMost website where I can put information about any Mac malware threats. So until next time, this is Gary with MacMost Now.
Be sure to check out MacMost’s Virus and Malware Information Center for up-to-date information about threats to your Mac.
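
The removal steps in the video leave several things to verify afterwards: the running process, the application, the downloaded installer, the Login Items entry and the Safari setting. The read-only script below checks for each of them; it is an added example, not from the video or MacMost, and the `.app` suffix, the folder locations and the `AutoOpenSafeDownloads` preference key are assumptions not stated on the page.

```shell
#!/bin/sh
# Read-only check for what the removal steps above clean up. Names are taken
# from the video; the ".app" suffix and folder locations are assumptions.
APP_NAME="MacProtector"           # name shown in Activity Monitor
INSTALLER_ZIP="anti-malware.zip"  # file the fake page downloads

# Print "kind<TAB>path" for each leftover under root $1 and home directory $2.
find_leftovers() {
    root=${1%/}; home=${2%/}
    if [ -d "$root/Applications/$APP_NAME.app" ]; then
        printf 'application\t%s\n' "$root/Applications/$APP_NAME.app"
    fi
    if [ -e "$home/Downloads/$INSTALLER_ZIP" ]; then
        printf 'installer\t%s\n' "$home/Downloads/$INSTALLER_ZIP"
    fi
    if [ -e "$home/.Trash/$APP_NAME.app" ]; then
        printf 'trash\t%s\n' "$home/.Trash/$APP_NAME.app"
    fi
}

# True while a process with exactly this name is running.
process_running() { pgrep -x "$1" >/dev/null 2>&1; }

# True if a login item with this name exists (macOS only, via System Events).
login_item_present() {
    command -v osascript >/dev/null 2>&1 || return 1
    osascript -e 'tell application "System Events" to get the name of every login item' \
        2>/dev/null | grep -q "$1"
}

# True unless Safari's Open "safe" files after downloading reads as off.
safari_auto_open_on() {
    command -v defaults >/dev/null 2>&1 || return 1
    [ "$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)" != "0" ]
}

# Print every finding; prints nothing when the machine looks clean.
report() {
    find_leftovers / "$HOME"
    if process_running "$APP_NAME"; then printf 'process\t%s\n' "$APP_NAME"; fi
    if login_item_present "$APP_NAME"; then printf 'login-item\t%s\n' "$APP_NAME"; fi
    if safari_auto_open_on; then printf 'setting\tSafari opens "safe" files\n'; fi
}

# Run the check only when asked: sh check.sh scan
if [ "${1:-}" = "scan" ]; then report; fi
```

An unreadable or unset Safari preference is reported as on, so a `setting` line means the checkbox should be confirmed by hand in Safari's Preferences.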