While the news of the Weyland-Yutani crimekit (see “Macs Targeted by New “Crimekit”,” 2 May 2011) is more concerning for the Mac platform as a whole, security software firm Intego has identified a new piece of malware that masquerades as an antivirus program called MACDefender. (This MACDefender isn’t in any way associated with a German company that runs the MacDefender.org Web site and writes geocaching and other GPS-related software.)
A rather specific combination of actions needs to occur for MACDefender to be downloaded and installed: visiting a poisoned Web site, having the Web browser automatically open the file after it downloads itself, and then entering an admin password in the installer. But if all that happens, MACDefender adds itself to the login items, displays a menu bar icon, and looks like a real antivirus program. See the Intego security memo for screenshots of what it looks like.
MACDefender’s goal appears to be to scam users into paying for the program, and to that end, it claims to find viruses and also opens porn sites in the user’s browser every few minutes in an attempt to make the user think they’re infected. After paying, the warnings disappear. Of course, it’s entirely likely that the purchase process is designed as much to steal credit card numbers as to make money from purchases, given that the charges can be reversed if the user discovers the scam.
MACDefender is an example of “scareware,” an increasingly popular type of malware that attempts to trick users into thinking they are infected with viruses in order to extort money (and credit card numbers).
Intego’s VirusBarrier X5 and X6 with updated malware definitions do protect against MACDefender, but MACDefender isn’t sufficiently subtle for us to recommend that you run antivirus software (see “Should Mac Users Run Antivirus Software?,” 18 March 2008). Just avoid iffy Web sites, and for goodness’ sake, if you’re ever asked for your administrator password by a software installer that you didn’t explicitly download and run, don’t enter that password!
It’s also a good idea to uncheck Safari’s “Open ‘safe’ files after downloading” checkbox in its General preferences. I believe Google Chrome and Firefox always ask for permission when you first encounter a new type of download, and you can clear previously granted auto-opening permissions in Chrome’s Under the Hood preferences (choose Chrome > Preferences > Under the Hood > Downloads) and in Firefox’s Applications preferences (set the desired file type, such as Zip, to Always Ask).
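For anyone looking after more than one Mac, the two symptoms above (a new login item and Safari’s auto-open setting) are easy to check from a script rather than by clicking through preferences. The following is an added example, not code from this article, from Intego, or from Apple. It assumes the Safari preference key `com.apple.Safari AutoOpenSafeDownloads` (Safari treats a missing key as “enabled”) and the System Events scripting interface for login items; neither is named in the article. The allowlist of login items is a constructed sample that you would replace with what is normal on your own machines.

```shell
#!/bin/sh
# Added example (not from the TidBITS article): audit a Mac for the two
# conditions described above. Assumed, not stated in the article:
#   - Safari stores "Open 'safe' files after downloading" under the
#     preference key com.apple.Safari AutoOpenSafeDownloads, and an
#     absent key means the feature is on.
#   - osascript can list login items through System Events, returning
#     them as a comma-separated list.

# classify_auto_open RAW -> prints enabled | disabled | unset
# RAW is the stdout of `defaults read com.apple.Safari AutoOpenSafeDownloads`.
classify_auto_open() {
  case "$1" in
    0|false|NO|no)  echo disabled ;;
    1|true|YES|yes) echo enabled ;;
    *)              echo unset ;;   # key absent: Safari's default is on
  esac
}

# auto_open_is_risky STATE -> succeeds when downloads would still auto-open
auto_open_is_risky() {
  [ "$1" != disabled ]
}

# unexpected_login_items "A, B, C" "A B" -> prints, one per line, every
# login item not in the space-separated allowlist.
unexpected_login_items() {
  items=$1
  allow=$2
  echo "$items" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
  while IFS= read -r item; do
    if [ -n "$item" ]; then
      found=0
      for ok in $allow; do
        if [ "$item" = "$ok" ]; then found=1; fi
      done
      if [ "$found" -eq 0 ]; then echo "$item"; fi
    fi
  done
}

# run_audit ALLOWLIST -> runs both checks on this Mac, returns 1 if either
# looks wrong. Needs the macOS `defaults` and `osascript` tools.
run_audit() {
  rc=0
  raw=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true)
  state=$(classify_auto_open "$raw")
  if auto_open_is_risky "$state"; then
    echo "WARN: Safari auto-opens 'safe' downloads (state: $state)"
    echo "  fix: defaults write com.apple.Safari AutoOpenSafeDownloads -bool false"
    rc=1
  fi
  items=$(osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null || true)
  bad=$(unexpected_login_items "$items" "$1")
  if [ -n "$bad" ]; then
    echo "WARN: login items not on the allowlist:"
    echo "$bad" | sed 's/^/  /'
    rc=1
  fi
  return $rc
}

# Only attempt the live checks where the macOS tools exist.
# Constructed allowlist: replace with the login items you expect.
if command -v defaults >/dev/null 2>&1 && command -v osascript >/dev/null 2>&1; then
  run_audit "iTunesHelper Dropbox"
fi
```

The script only reports; the `defaults write` line it prints is the one-command equivalent of unchecking the Safari box, and quitting Safari before running it avoids the app writing the old value back. Login items listed by System Events are the same ones shown in the Accounts preference pane, so a name you do not recognise there is worth a look regardless of whether it is this particular scareware.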