
Apple Responds to Increasingly Serious MacDefender Situation

Most Mac malware of recent years has been more smoke than fire, with security firms issuing dire warnings about some new malware only to have it fall off the radar within weeks. The recent appearance of the scareware MacDefender, also seen as MacProtector and MacSecurity, is breaking that mold, with the number of infections increasing rapidly (for details on MacDefender’s discovery, see “Beware Fake MacDefender Antivirus Software,” 2 May 2011). After talking with an AppleCare support rep, Ed Bott at ZDNet has done some back-of-envelope calculations to estimate that as many as 60,000 to 125,000 customers could be affected, with the number growing.

Bott’s conversation also elicited the interesting fact that Apple had told AppleCare reps not to help customers with removing MacDefender, instead pointing people at antivirus software. That was odd, since MacDefender doesn’t worm its way into a system particularly far, and is easily removed by hand.

Although we don’t know if AppleCare reps are now being allowed to help callers remove MacDefender, Apple is clearly taking the malware more seriously. The company has now posted a support document that outlines how to identify and remove MacDefender. Even more interesting is the fact that Apple last week released Security Update 2011-003 that specifically deals with this malware (see “Security Update 2011-003 Addresses MacDefender Malware,” 31 May 2011).

What’s fascinating about this move is that Apple almost never acknowledges specific pieces of malware. It’s not uncommon for Apple to add general protective features to Mac OS X and Safari, but Apple seldom adds code to Mac OS X to deal with a particular threat.

On the one hand, doing so makes good sense, since MacDefender’s deception is clearly sufficient to fool lots of users into entering an admin password, and a relatively small percentage of Mac users run antivirus software that would protect them. On the other hand, we’re left wondering if this is something Apple plans to do whenever a sufficiently serious threat appears, or if it’s a one-off. And we’re certain that antivirus firms like Intego, Symantec, and McAfee are wondering the same thing, since if Apple were to take on malware protection more seriously, it could make it all the harder to sell antivirus solutions to Mac users.

Beware MacGuard -- Increasing the level of concern is the fact that Intego has identified a new MacDefender variant called MacGuard. MacGuard works generally along the same lines as MacDefender, but uses a different installation technique that doesn’t require an admin password.

MacGuard accomplishes this trick by relying on a poisoned Web page that automatically downloads not an application, but an installer package called avSetup.pkg. If Safari’s “Open ‘safe’ files after downloading” option (or the equivalent in Firefox or Google Chrome; see the previous article for details) is checked, Apple’s installer automatically opens avSetup.pkg, which then installs an application called avRunner in the Applications folder and deletes itself to cover its tracks. Installing into the Applications folder doesn’t require a password if you’re logged in as an administrator. avRunner then launches automatically and downloads the MacGuard application from the Internet, hiding it within the avRunner package, and launching it as well.

Of course, if you have disabled the “Open ‘safe’ files after downloading” option, you’ll still have a Zip file containing avSetup.pkg in your Downloads folder, and you’ll have to avoid opening that manually. Just trash it.

Avoiding MacDefender -- It’s worth noting that MacDefender is just scareware, with the main threat of capturing your credit card number if you’re fooled into “buying” the software. As far as anyone has found so far, all MacDefender does is open Web pages to porn sites (which could be embarrassing, of course) and present spurious warnings about how your Mac is infected, all aimed at getting you to “buy” the software to eliminate the warnings. It’s essentially a protection racket, but MacDefender does not replicate itself or cause any other harm as far as anyone currently knows.

So, should you find yourself or someone you know attacked by MacDefender, you have a number of chances to thwart its evil plans. In order:

  • Avoid visiting poisoned Web sites. Unfortunately, there’s no way to know whether or not a site has been poisoned ahead of time, and the key to MacDefender’s success has been its capability to use search engine optimization techniques to push rogue sites up in search engine rankings, making the rogue site seem worth visiting. SophosLabs has a white paper that explains SEO poisoning (PDF).

  • Turn off options like Safari’s “Open ‘safe’ files after downloading” that open downloaded files immediately. That’s important because these rogue sites can, as soon as they’re visited, cause your Web browser to download a file. If it’s downloaded, but not opened, you have a chance to delete it from your Downloads folder before it does any harm.

  • If prompted for an administrator password when you haven’t intentionally downloaded an application you know and trust, do not enter the password. I know we’re prompted for our admin passwords all the time, but really, take a moment and make sure you’re entering it only when appropriate. If you don’t enter the password when prompted, the software can’t be installed.

  • Should you accidentally get this far — or have MacGuard worm its way onto your Mac — such that you’re faced with an application running that you didn’t intentionally download, immediately do a Web search on the name of the application, so you can learn more about it (at which point you’d discover that it’s not legitimate). If you’re flustered, shut your Mac off and contact someone who knows more about this sort of stuff before proceeding.

  • Lastly, if such an application ever pushes you to enter credit card information, just don’t do it. At the moment, this is the only damage MacDefender can do, but having your credit card number stolen is not fun and can require a non-trivial amount of work in terms of changing automatic payments, stored payment information, and so on.
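The file names mentioned above lend themselves to a quick check from Terminal. The script below is an added example, not part of the original article or of Apple's support document: it looks for the application and installer names this article mentions and reports whether Safari's auto-open option is on. The `.app` suffix, the `avSetup*` match for the Zip file, and Safari's `AutoOpenSafeDownloads` preference key are assumptions not stated in the article.

```shell
#!/bin/sh
# Added example: check a Mac for the MacDefender-family file names
# mentioned in this article. Run with:  sh check.sh --scan

# Names come from the article; the ".app" suffix is an assumption.
SCAREWARE_APPS="MacDefender MacProtector MacSecurity MacGuard avRunner"

# scan_for_scareware APPS_DIR DOWNLOADS_DIR
# Prints one line per finding. Returns 0 if clean, 1 if anything was found.
scan_for_scareware() {
    apps_dir=$1
    downloads_dir=$2
    found=0
    for name in $SCAREWARE_APPS; do
        if [ -e "$apps_dir/$name.app" ]; then
            echo "FOUND application: $apps_dir/$name.app"
            found=1
        fi
    done
    # avSetup.pkg, or the Zip file that carries it (archive name assumed
    # to start with "avSetup"), left behind in the Downloads folder.
    for f in "$downloads_dir"/avSetup*; do
        [ -e "$f" ] || continue   # glob matched nothing
        echo "FOUND installer: $f"
        found=1
    done
    return $found
}

# safari_auto_open_state
# Prints "enabled", "disabled", or "unknown" (key unset, preferences not
# readable, or the defaults tool is missing because this is not a Mac).
safari_auto_open_state() {
    command -v defaults >/dev/null 2>&1 || { echo unknown; return; }
    case $(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null) in
        0) echo disabled ;;
        1) echo enabled ;;
        *) echo unknown ;;
    esac
}

if [ "${1:-}" = "--scan" ]; then
    echo "Safari auto-open of 'safe' files: $(safari_auto_open_state)"
    scan_for_scareware /Applications "$HOME/Downloads" \
        || echo "Review the items listed above before opening anything."
fi
```

A clean result only means none of these exact names are present; variants may use other names.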

I think many of us in the press rather pooh-poohed MacDefender, since it seemed like there were too many places to short-circuit its nefarious plans. But we may have overestimated the security sophistication of many Mac users; as Apple’s star has risen, so too has the number of Mac users who have minimal security awareness. It’s a bit like a lot of country folks moving to the city, where they become easy prey for all sorts of scams and criminal activities that city dwellers know to avoid from having grown up throwing deadbolts, setting car alarms, and holding onto their purses.

A friend’s 11-year-old son was infected by MacDefender (in its MacSecurity variant). It’s unclear what site downloaded the malware, but when it prompted for the admin password that he didn’t know, he asked his mother for help. She wasn’t paying much attention, since she hadn’t started the download, so she absentmindedly entered the admin password, and the deed was done. Luckily, my friend, who’s an IT director, learned of the situation before anyone got to the point of trying to “buy” the program, and we were able to delete all traces of the malware, but this shows just how clever MacDefender’s technique is.

So does this change our advice that Mac users shouldn’t run antivirus software (see “Should Mac Users Run Antivirus Software?,” 18 March 2008)? For TidBITS readers, I still say no, since I think anyone who reads TidBITS regularly probably has a sense of when something is unusual or wrong, and knows enough to shut it down. That said, I may be rethinking our recommendation for the sort of users who stand no chance of identifying unusual behavior. It may be just like offering advice to a graduating college student who’s moving from a small town to a large city — such a person probably needs a lot more coaching and help than a similar student who grew up with constant parental warnings about what to do and what not to do.



Comments about Apple Responds to Increasingly Serious MacDefender Situation

uhuznaa  2011-05-25 15:40
I haven't looked at this thing myself, but doesn't the installer package launch the installer which you have to click through by clicking "Next" a few times?

I don't see any bug or security hole in OS X exploited here. It's just scamware, not worse or better than all the webpages that try to trick you into paying money for something you don't want (and don't get even if you pay).
Glenn Fleishman (TidBITS Staffer)  2011-05-25 16:18
It's not an OS X security hole. It's a social-engineering problem with a payload. It's malware in that if you are a naive user (which is a sizable number of Mac users with the expanded newer user base) and you install this, it performs malicious activities. The latest version doesn't require an admin password, and thus has a lower threshold to fool people.

I know, you'd never install this, and neither would I. But you are not [insert family member's name here], who already downloaded and installed it, and is confused why they are having system problems.
It reminds me of the T-shirt I occasionally see our system administrators wear on campus -
hmcnally  2011-05-25 16:14
It is interesting that I haven't read any comment by journalist, blogger, or other commenter, that the reason people are so eager to install a "MacDefender" type product is the paranoia that has been instilled by insecure computing on the Windows platform for the past 10 years.

It's insane _not_ to run an antiviral/antimalware package under Windows, and both unsophisticated Mac users (so many of them) and switchers from Windows are eager--even searching--for a solution to a problem that by and large doesn't (yet) exist.

So many people equate any problem on a computer--even a Mac--to "having a virus." It's understandable to want to not have problems. These people are the targets of this crap.

On a related note: all malware makers--that is, criminals--should rot in friggin' hell.
Walt French  2011-05-25 16:48
Where's the UpVote button?
Adam Engst (TidBITS Staffer)  2011-05-26 05:56
In fact, things started to get better in Windows 10 years ago; what we're really paying for is the lack of security in Windows before that and the fact that even after Microsoft started to do a much better job with security, it was difficult or impossible to backpatch all those horribly insecure Windows boxes.

It's easy to criticize Microsoft for this, and we certainly did at the time, but I don't think anyone quite realized where it was all going. Malware in the distant past was essentially digital graffiti or psychos bent on erasing your hard drive. Now it's all about crime, which is much scarier.

Perhaps the real moral of the story is that you need to consider the long-term consequences of platform problems. Or ensure that old platforms go away quickly. :-)

Rich Mogull wrote about some of this in "Apple's Security Past Defines Its Future."
Walt French  2011-05-25 16:52
Q “So does this change our advice that Mac users shouldn’t run antivirus software?”

A Is there a single one that would have protected you, or would it have only further helped instill a false sense of security against phishing? And does that package cost you hours of maintenance and download speedbumps, just to save 5 minutes of uninstalling fraudulent stuff like this?
Adam Engst (TidBITS Staffer)  2011-05-26 06:00
Obviously, I don't run any antivirus software, but Intego claims that VirusBarrier will protect against these pieces of malware with updated virus definitions. So while it is incumbent on users having current software, I think it's safe to say that such antivirus software would prevent many infections.

As I said, I personally don't think any TidBITS reader needs antivirus software, given the constant performance hit, but people who wouldn't think twice about allowing something like MACDefender onto their Macs probably also won't notice the inconvenience of the antivirus software. :-)
John G Fallon (TidBITS Supporter)  2011-05-26 09:31
I'd agree in general. In specific, my Mac Pro locked up for the first time in a year after I installed a trial of the Intego software. Uninstalling it cured things. ClamXav and Sophos caused no problems.
Some people are idiots. They click on a download link and then complain! Sheesh! Do they have no brains???
Adam Engst (TidBITS Staffer)  2011-05-28 11:54
You don't have to click on a download link for MACDefender to work - you just have to visit a poisoned page. And when you're talking about kids or others who are inexperienced, the whole thing is pretty easy to see.
Glenn Fleishman (TidBITS Staffer)  2011-05-28 12:25
...with Safari and Safari set to open safe files (the default). And you do have to click to proceed at that point, just without a password. On Firefox, I was just redirected to an infected page and nothing happened (no download, etc).
werkingman  2011-05-27 05:54
Would it be better for a new Mac user, after setting up their administrative account, to create and run their Mac under a standard account?
Does using administrator give rights to MacDefender variants to install directly into Applications that using a standard account might not?
Adam Engst (TidBITS Staffer)  2011-05-28 11:55
In general, yes, this is safer, but it can also be more annoying when you want admin access for something.

I don't think MacGuard would be able to install without a password if it were running on a standard account.
Johannes  2011-05-31 03:35
No it wouldn't. Mac OS X needs elevated rights for most things even if you run as 'administrator'. This means that you need an administrator password when you need access to the keychain or when you install software.
Gary Gibson (TidBITS Supporter)  2011-06-05 14:29
Perhaps it's time for Apple to change some of those "convenience" defaults, like the aforementioned "Open 'safe' files after downloading" option in Safari. That one does more harm than good, especially in a lab setting.
Roger Adams (TidBITS Contributor)  2011-06-06 19:35
I use Sophos AntiVirus together with Macscan to try to identify any rogue applications that may have inadvertently arrived courtesy of my Windows-using friends. However, I am not sure whether this is sufficient to identify any of the MacDefender variations, although I believe that Sophos has included some of these in their black list. In any event, I have now decided to examine my downloads folder much more regularly to see what apps, if any, have been downloaded without my being aware of it.

Thanks for the update on this problem. Advice such as this makes my subscription to TidBITS well worthwhile.
James Kay  2011-06-07 01:37
(or the equivalent in Firefox or Google Chrome; see the previous article for details) - Which previous article? Would it be possible to include a link to that article in this article (please)?
Adam Engst (TidBITS Staffer)  2011-06-07 06:26
Sorry, I meant the previous article about MacDefender, which I had already linked to above. I've added the link now...