Most Mac malware of recent years has been more smoke than fire, with security firms issuing dire warnings about some new malware only to have it fall off the radar within weeks. The recent appearance of the scareware MacDefender, also seen as MacProtector and MacSecurity, is breaking that mold, with the number of infections increasing rapidly (for details on MacDefender’s discovery, see “Beware Fake MacDefender Antivirus Software,” 2 May 2011). After talking with an AppleCare support rep, Ed Bott at ZDNet has done some back-of-envelope calculations to estimate that as many as 60,000 to 125,000 customers could be affected, with the number growing.
Bott’s conversation also elicited the interesting fact that Apple had told AppleCare reps not to help customers with removing MacDefender, instead pointing people at antivirus software. That was odd, since MacDefender doesn’t worm its way into a system particularly far, and is easily removed by hand.
Although we don’t know if AppleCare reps are now being allowed to help callers remove MacDefender, Apple is clearly taking the malware more seriously. The company has now posted a support document that outlines how to identify and remove MacDefender. Even more interesting is the fact that Apple last week released Security Update 2011-003 that specifically deals with this malware (see “Security Update 2011-003 Addresses MacDefender Malware,” 31 May 2011).
What’s fascinating about this move is that Apple almost never acknowledges specific pieces of malware. It’s not uncommon for Apple to add general protective features to Mac OS X and Safari, but Apple seldom adds code to Mac OS X to deal with a particular threat.
On the one hand, doing so makes good sense, since MacDefender’s deception is clearly sufficient to fool lots of users into entering an admin password, and a relatively small percentage of Mac users run antivirus software that would protect them. On the other hand, we’re left wondering if this is something Apple plans to do whenever a sufficiently serious threat appears, or if it’s a one-off. And we’re certain that antivirus firms like Intego, Symantec, and McAfee are wondering the same thing, since if Apple were to take on malware protection more seriously, it could make it all the harder to sell antivirus solutions to Mac users.
Beware MacGuard -- Increasing the level of concern is the fact that Intego has identified a new MacDefender variant called MacGuard. MacGuard works generally along the same lines as MacDefender, but uses a different installation technique that doesn’t require an admin password.
MacGuard accomplishes this trick by relying on a poisoned Web page that automatically downloads not an application, but an installer package called avSetup.pkg. If Safari’s “Open ‘safe’ files after downloading” option (or the equivalent in Firefox or Google Chrome; see the previous article for details) is checked, Apple’s installer automatically opens avSetup.pkg, which then installs an application called avRunner in the Applications folder and deletes itself to cover its tracks. Installing into the Applications folder doesn’t require a password if you’re logged in as an administrator. avRunner then launches automatically and downloads the MacGuard application from the Internet, hiding it within the avRunner package, and launching it as well.
Of course, if you have disabled the “Open ‘safe’ files after downloading” option, you’ll still have a Zip file containing avSetup.pkg in your Downloads folder, and you’ll have to avoid opening that manually. Just trash it.
Avoiding MacDefender -- It’s worth noting that MacDefender is just scareware, with the main threat of capturing your credit card number if you’re fooled into “buying” the software. As far as anyone has found so far, all MacDefender does is open Web pages to porn sites (which could be embarrassing, of course) and present spurious warnings about how your Mac is infected, all aimed at getting you to “buy” the software to eliminate the warnings. It’s essentially a protection racket, but MacDefender does not replicate itself or cause any other harm as far as anyone currently knows.
So, should you find yourself or someone you know attacked by MacDefender, you have a number of chances to thwart its evil plans. In order:
Avoid visiting poisoned Web sites. Unfortunately, there’s no way to know whether or not a site has been poisoned ahead of time, and the key to MacDefender’s success has been its capability to use search engine optimization techniques to push rogue sites up in search engine rankings, making the rogue site seem worth visiting. SophosLabs has a white paper that explains SEO poisoning (PDF).
Turn off options like Safari’s “Open ‘safe’ files after downloading” that open downloaded files immediately. That’s important because these rogue sites can, as soon as they’re visited, cause your Web browser to download a file. If it’s downloaded, but not opened, you have a chance to delete it from your Downloads folder before it does any harm.
If prompted for an administrator password when you haven’t intentionally downloaded an application you know and trust, do not enter the password. I know we’re prompted for our admin passwords all the time, but really, take a moment and make sure you’re entering it only when appropriate. If you don’t enter the password when prompted, the software can’t be installed.
Should you accidentally get this far — or have MacGuard worm its way onto your Mac — such that you’re faced with an application running that you didn’t intentionally download, immediately do a Web search on the name of the application, so you can learn more about it (at which point you’d discover that it’s not legitimate). If you’re flustered, shut your Mac off and contact someone who knows more about this sort of stuff before proceeding.
Lastly, if such an application ever pushes you to enter credit card information, just don’t do it. At the moment, this is the only damage MacDefender can do, but having your credit card number stolen is not fun and can require a non-trivial amount of work in terms of changing automatic payments, stored payment information, and so on.
I think many of us in the press rather pooh-poohed MacDefender, since it seemed like there were too many places to short-circuit its nefarious plans. But we may have overestimated the security sophistication of many Mac users; as Apple’s star has risen, so too has the number of Mac users who have minimal security awareness. It’s a bit like a lot of country folks moving to the city, where they become easy prey for all sorts of scams and criminal activities that city dwellers know to avoid from having grown up throwing deadbolts, setting car alarms, and holding onto their purses.
A friend’s 11-year-old son was infected by MacDefender (in its MacSecurity variant). It’s unclear what site downloaded the malware, but when it prompted for the admin password that he didn’t know, he asked his mother for help. She wasn’t paying much attention, since she hadn’t started the download, so she absentmindedly entered the admin password, and the deed was done. Luckily, my friend, who’s an IT director, learned of the situation before anyone got to the point of trying to “buy” the program, and we were able to delete all traces of the malware, but this shows just how clever MacDefender’s technique is.
So does this change our advice that Mac users shouldn’t run antivirus software (see “Should Mac Users Run Antivirus Software?,” 18 March 2008)? For TidBITS readers, I still say no, since I think anyone who reads TidBITS regularly probably has a sense of when something is unusual or wrong, and knows enough to shut it down. That said, I may be rethinking our recommendation for the sort of users who stand no chance of identifying unusual behavior. It may be just like offering advice to a graduating college student who’s moving from a small town to a large city — such a person probably needs a lot more coaching and help than a similar student who grew up with constant parental warnings about what to do and what not to do.