SecureMac, Inc.

MAC Defender (aka Mac Security, Mac Protector, Mac Guard, Mac Shield) Rogue Anti-Virus Analysis and Removal

June 3, 2011

Trojan Horse Alert: SecureMac has identified a new version of the previously identified MAC Defender malware. The new variant, just like the previously identified “Mac Security,” “Mac Protector,” and “Mac Guard” versions, is an updated version of the original malware, rebranded as “Mac Shield.”


SecureMac Security Bulletin

Due to the easy removal of the currently identified variant of this malware, SecureMac rates this threat as low. This Security Bulletin will be updated if the threat changes.

Updated: June 3rd, 2011
Updated: May 26th, 2011
Updated: May 9th, 2011
Updated: May 4th, 2011
Posted: May 2nd, 2011

Security Risk: Low

UPDATE, June 3rd, 2011:

SecureMac has identified a new version of the previously identified MAC Defender malware. The new variant, just like the previously identified “Mac Security,” “Mac Protector,” and “Mac Guard” versions, is an updated version of the original malware, rebranded as “Mac Shield.”

UPDATE, May 26th, 2011:

SecureMac has identified a new version of the previously identified MAC Defender malware. The new variant, just like the previously identified “Mac Security” and “Mac Protector” versions, is an updated version of the original malware, rebranded as “Mac Guard.”

UPDATE, May 9th, 2011:

SecureMac has discovered a new version of the previously identified MAC Defender malware. The new variant, just like the previously identified “Mac Security” version, is an updated version of the original malware, rebranded as “Mac Protector.”

UPDATE, May 4th, 2011:

SecureMac has discovered a new version of the previously identified MAC Defender malware. The new variant is an updated version of the original malware, rebranded as “Mac Security.”

RELATED: MAC Defender Technical Analysis

A new privacy and security threat is targeting computers running Apple’s Mac OS X disguised as an anti-virus program called MAC Defender. The fake anti-virus program will “detect” nonexistent threats as being present on the user’s system in an effort to persuade them to hand over their credit card information and purchase a “subscription” to the program. If that doesn’t do enough to convince the user to buy the fake anti-virus program, it will start popping up pornographic websites to create an actual problem on the system.

The malware, first reported on various discussion boards last week, initially appears in the web browser as a fake anti-virus scan (with graphics from Microsoft Windows) when the user clicks a web link.

[Screenshot: MAC Defender fake web scan]

At the time of our initial analysis, the fake scan sites were appearing after the user clicked an infected link in Google image searches. Initial user reports indicate that a wide variety of keywords will show search results containing infected links. If the user clicks on various links or buttons on the fake scan webpage rather than closing it immediately, the actual malware will be downloaded to the user’s system. The fake scan site checks the web browser settings to determine if the user is running Mac OS X or Microsoft Windows, and then downloads the appropriate installer for the user’s operating system.

If the user has set their web browser to automatically open ‘safe’ files such as zip archives, the installer for the malware will appear without further user interaction.

[Screenshot: MAC Defender installer]

Once the user runs the installer (and enters their admin password when prompted), the malware is installed to the Applications folder, sets itself as a login item, and starts to run.

[Screenshot: MAC Defender control center window]

The malware appears as a menu bar item in OS X, but without a Dock icon or any way to exit the program. The program immediately starts to “scan” the infected system, alerts the user they are infected with various malware, and prompts them to purchase the program in order to remove the threats.

[Screenshot: MAC Defender “virus found” alert]

If the user decides not to purchase a subscription, the malware will start displaying pornographic websites at random on the infected system.

MAC Defender uses JavaScript to display the fake scan webpage and download the installer file, unlike the Boonana malware detected by SecureMac in October 2010, which uses Java as the technology behind infections. While disabling Java in the web browser was an easy solution to avoid Boonana infections, JavaScript is used on a large number of websites, and disabling JavaScript will result in a significantly degraded web browsing experience. Instead, SecureMac offers the following simple tips to avoid infection by MAC Defender:

Safe Browsing Tips

1) Watch where you surf. By sticking with safe, well-known websites, you will be less likely to visit a site that will attempt to infect you with this malware. When clicking on results from a search engine, be extra vigilant for websites that seem fishy.

2) Watch what you download. Download files only from trusted sources and safe sites. If a file automatically downloads or an installer randomly appears, be sure to determine if it is legitimate instead of blindly installing it. If you are unsure, err on the side of caution and don’t install the program without further research.

3) Use the security features in OS X. Disable web browsers from automatically opening “safe” files. In Safari, you can disable this feature by clicking the “Safari” menu, then clicking “Preferences,” then uncheck the “Open “safe” files after downloading” checkbox. Turn on the built-in Firewall, and consider legitimate security software, especially when a computer is shared by multiple users.

If you find yourself infected with this new malware, there are a number of alternatives for removal:

Removal Instructions

MacScan users can identify the new malware by running a spyware scan with the latest spyware definitions update, which was released on May 2nd, 2011. A 30-day demo of MacScan can be downloaded from SecureMac at http://macscan.securemac.com. To update spyware definitions from within the program, click the “MacScan” menu and then click “Check for updates.” Once the malware has been detected and isolated, users should drag the “MacScan Isolated Spyware” folder from their Desktop to the Trash in order to remove MAC Defender from their system.

For manual removal users should follow either of these two methods:

Method One

1) Open Activity Monitor from the Utilities folder. Make sure the drop-down menu is set to “all processes.”
2) Use the search field in Activity Monitor to search for MacDefender.

[Screenshot: MacDefender process in Activity Monitor]

3) Click on the MacDefender process. Click the “Quit Process” button. Click “Force Quit.”

[Screenshot: Force Quit dialog for MacDefender]

4) Drag the MacDefender program (installed in the Applications folder by default) to the Trash. Empty the Trash.

[Screenshot: MacDefender in the Applications folder]

5) Remove MacDefender from the Login Items for your Account in the OS X System Preferences (if it exists).

Method Two (Advanced)

1) Open the Terminal application from the Utilities folder.
2) Type the following command in the terminal (without quotes) and hit the return key: ‘ps -ax | grep -i MacDefender’
3) Note the process ID associated with the MacDefender program (the first digits listed in the result).
4) Type the following command in the terminal (without quotes, and substituting the process ID noted above for XXXX) and hit the return key: ‘kill XXXX’

At this time the MAC Defender program will no longer be running. Continue with steps 4 and 5 from Method One for removal.

UPDATE – MAY 4TH, 2011

SecureMac has discovered a new version of the previously identified MAC Defender malware. The new variant is an updated version of the original malware, rebranded as “Mac Security.”

[Screenshot: Mac Security installer]

The new version did not change the main functionality of the code, but rather cleaned up the existing code and added small updates including the capability to send information about the infected system back to the authors of the malware, along with an updated user interface to reflect the name change.

[Screenshot: Mac Security “About” window]

This new version of MAC Defender exhibits the same behavior as the original variant detected by SecureMac, and should be removed as soon as possible.
This new version is detected by MacScan with the spyware definitions update from May 4th, 2011.

The new version is detected as MAC Defender 2.0.

Removal Instructions

MacScan users can identify the new malware by running a spyware scan with the latest spyware definitions update, which was released on May 4th, 2011. A 30-day demo of MacScan can be downloaded from SecureMac at http://macscan.securemac.com. To update spyware definitions from within the program, click the “MacScan” menu and then click “Check for updates.” Once the malware has been detected and isolated, users should drag the “MacScan Isolated Spyware” folder from their Desktop to the Trash in order to remove the MacSecurity variant of the MAC Defender malware from their system.

For manual removal users should follow either of these two methods:

Method One

1) Open Activity Monitor from the Utilities folder. Make sure the drop-down menu is set to “all processes.”
2) Use the search field in Activity Monitor to search for MacSecurity.
3) Click on the MacSecurity process. Click the “Quit Process” button. Click “Force Quit.”
4) Drag the MacSecurity program (installed in the Applications folder by default) to the Trash. Empty the Trash.
5) Remove MacSecurity from the Login Items for your Account in the OS X System Preferences (if it exists).

Method Two (Advanced)

1) Open the Terminal application from the Utilities folder.
2) Type the following command in the terminal (without quotes) and hit the return key: ‘ps -ax | grep -i MacSecurity’
3) Note the process ID associated with the MacSecurity program (the first digits listed in the result).
4) Type the following command in the terminal (without quotes, and substituting the process ID noted above for XXXX) and hit the return key: ‘kill XXXX’

At this time the MacSecurity program will no longer be running. Continue with steps 4 and 5 from Method One for removal.

UPDATE – MAY 9TH, 2011

SecureMac has discovered a new version of the previously identified MAC Defender malware. The new variant, just like the previously identified “Mac Security” version, is an updated version of the original malware, rebranded as “Mac Protector.”

[Screenshot: Mac Protector fake web scan]

[Screenshot: Mac Protector control center window]

This new version of MAC Defender exhibits the same behavior as the earlier variants detected by SecureMac, and should be removed as soon as possible.
This new version is detected by MacScan with the spyware definitions update from May 9th, 2011. The new version is detected as MAC Defender 3.0.

Removal Instructions

MacScan users can identify the new malware by running a spyware scan with the latest spyware definitions update, which was released on May 9th, 2011. A 30-day demo of MacScan can be downloaded from SecureMac at http://macscan.securemac.com. To update spyware definitions from within the program, click the “MacScan” menu and then click “Check for updates.” Once the malware has been detected and isolated, users should drag the “MacScan Isolated Spyware” folder from their Desktop to the Trash in order to remove the MacProtector variant of the MAC Defender malware from their system.

For manual removal users should follow either of these two methods:

Method One

1) Open Activity Monitor from the Utilities folder. Make sure the drop-down menu is set to “all processes.”
2) Use the search field in Activity Monitor to search for MacProtector.
3) Click on the MacProtector process. Click the “Quit Process” button. Click “Force Quit.”
4) Drag the MacProtector program (installed in the Applications folder by default) to the Trash. Empty the Trash.
5) Remove MacProtector from the Login Items for your Account in the OS X System Preferences (if it exists).

Method Two (Advanced)

1) Open the Terminal application from the Utilities folder.
2) Type the following command in the terminal (without quotes) and hit the return key: ‘ps -ax | grep -i MacProtector’
3) Note the process ID associated with the MacProtector program (the first digits listed in the result).
4) Type the following command in the terminal (without quotes, and substituting the process ID noted above for XXXX) and hit the return key: ‘kill XXXX’

At this time the MacProtector program will no longer be running. Continue with steps 4 and 5 from Method One for removal.

UPDATE – MAY 26TH, 2011

SecureMac has identified a new version of the previously identified MAC Defender malware. The new variant, just like the previously identified “Mac Security” and “Mac Protector” versions, is an updated version of the original malware, rebranded as “Mac Guard.”

[Screenshot: Mac Guard installer]

This new version of MAC Defender should not be confused with the “MacGuard” fake antivirus program that was circulating in 2008, which was also known as “MacSweeper” and “iMunizator.”

The initial installer for Mac Guard comes disguised as “avSetup.pkg,” which installs a program called “avRunner.” This installer does not prompt the user for an administrator password, which is different from previous versions of the malware.

[Screenshot: Mac Guard installer running without an administrator password prompt]

Once avRunner is installed, it starts running and downloads the actual Mac Guard payload.

[Screenshot: avRunner downloading the Mac Guard payload]

Once downloaded, Mac Guard starts running, and removes the avRunner program and installer.

[Screenshot: Mac Guard loading]

Once installed and running, this new version of MAC Defender exhibits the same behavior as the earlier variants detected by SecureMac, and should be removed as soon as possible.

[Screenshot: Mac Guard main window]

This new version is detected by MacScan with the spyware definitions update from May 25th, 2011. The new version is detected as MAC Defender 4.0.

Removal Instructions

MacScan users can identify the new malware by running a spyware scan with the latest spyware definitions update, which was released on May 25th, 2011. A 30-day demo of MacScan can be downloaded from SecureMac at http://macscan.securemac.com. To update spyware definitions from within the program, click the “MacScan” menu and then click “Check for updates.” Once the malware has been detected and isolated, users should drag the “MacScan Isolated Spyware” folder from their Desktop to the Trash in order to remove the MacGuard variant of the MAC Defender malware from their system.

For manual removal users should follow either of these two methods:

Method One

1) Open Activity Monitor from the Utilities folder. Make sure the drop-down menu is set to “all processes.”
2) Use the search field in Activity Monitor to search for MacGuard.

[Screenshot: MacGuard process in Activity Monitor]

3) Click on the MacGuard process. Click the “Quit Process” button. Click “Quit.”

[Screenshot: Quit dialog for MacGuard]

4) Drag the MacGuard program (installed in the Applications folder by default) to the Trash. Empty the Trash.
5) Remove MacGuard from the Login Items for your Account in the OS X System Preferences (if it exists).

Method Two (Advanced)

1) Open the Terminal application from the Utilities folder.
2) Type the following command in the terminal (without quotes) and hit the return key: ‘ps -ax | grep -i MacGuard’
3) Note the process ID associated with the MacGuard program (the first digits listed in the result).
4) Type the following command in the terminal (without quotes, and substituting the process ID noted above for XXXX) and hit the return key: ‘kill XXXX’

At this time the MacGuard program will no longer be running. Continue with steps 4 and 5 from Method One for removal.

UPDATE – JUNE 3RD, 2011

SecureMac has identified a new version of the previously identified MAC Defender malware. The new variant, just like the previously identified “Mac Security,” “Mac Protector,” and “Mac Guard” versions, is an updated version of the original malware, rebranded as “Mac Shield.”

The initial installer for Mac Shield comes disguised as “mshSetup.pkg,” which installs a program called “mdDownloader.” This installer does not prompt the user for an administrator password, which is different from previous versions of the malware.

Once mdDownloader is installed, it starts running and downloads the actual Mac Shield payload. Once downloaded, Mac Shield starts running, and removes the mdDownloader program and installer.

Once installed and running, this new version of MAC Defender exhibits the same behavior as the earlier variants detected by SecureMac, and should be removed as soon as possible. This new version is detected by MacScan with the spyware definitions update from June 2nd, 2011. The new version is detected as MAC Defender 5.0.

Removal Instructions

MacScan users can identify the new malware by running a spyware scan with the latest spyware definitions update, which was released on June 2nd, 2011. A 30-day demo of MacScan can be downloaded from SecureMac at http://macscan.securemac.com. To update spyware definitions from within the program, click the “MacScan” menu and then click “Check for updates.” Once the malware has been detected and isolated, users should drag the “MacScan Isolated Spyware” folder from their Desktop to the Trash in order to remove the Mac Shield variant of the MAC Defender malware from their system.

For manual removal users should follow either of these two methods:

Method One

1) Open Activity Monitor from the Utilities folder. Make sure the drop-down menu is set to “all processes.”
2) Use the search field in Activity Monitor to search for MacShield.
3) Click on the MacShield process. Click the “Quit Process” button. Click “Quit.”
4) Drag the MacShield program (installed in the Applications folder by default) to the Trash. Empty the Trash.
5) Remove MacShield from the Login Items for your Account in the OS X System Preferences (if it exists).

Method Two (Advanced)

1) Open the Terminal application from the Utilities folder.
2) Type the following command in the terminal (without quotes) and hit the return key: ‘ps -ax | grep -i MacShield’
3) Note the process ID associated with the MacShield program (the first digits listed in the result).
4) Type the following command in the terminal (without quotes, and substituting the process ID noted above for XXXX) and hit the return key: ‘kill XXXX’

At this time the MacShield program will no longer be running. Continue with steps 4 and 5 from Method One for removal.
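The manual removal procedures repeated above for each variant (Method One and Method Two) and Safe Browsing tip 3 can be consolidated into a single audit script. The following is an added example, not SecureMac's code: the process, bundle and login item names are the ones this bulletin reports (MacDefender, MacSecurity, MacProtector, MacGuard, MacShield, plus the avRunner and mdDownloader droppers), while the Safari preference key com.apple.Safari AutoOpenSafeDownloads (treated as enabled when absent), the use of System Events to list login items, and the --audit flag are assumptions. It runs the name matching over a constructed sample of ps -ax output so it can be exercised without an infected system, and unlike ‘ps -ax | grep -i MacDefender’ it skips the grep process itself, which otherwise appears as a second line in the result.

```sh
#!/bin/sh
# Added example, not SecureMac's code: audit a Mac for the MAC Defender family
# using the names this bulletin lists, and report the Safari setting that lets
# the installer open itself. Run with --audit to inspect the live system.

# Process / bundle / login item names reported in the bulletin.
ROGUE_NAMES="MacDefender MacSecurity MacProtector MacGuard MacShield avRunner mdDownloader"

# Constructed sample of `ps -ax` output (not captured from a real system),
# including the grep line a user sees when following Method Two.
SAMPLE_PS='  PID TTY           TIME CMD
  132 ??         0:01.23 /System/Library/CoreServices/Dock.app/Contents/MacOS/Dock
  455 ??         0:08.91 /Applications/MacDefender.app/Contents/MacOS/MacDefender
  601 ttys000    0:00.00 grep -i MacDefender'

# find_rogue_pids PS_TEXT: prints "PID NAME" for each process whose command
# contains a rogue name, ignoring the header row and any grep process.
find_rogue_pids() {
    printf '%s\n' "$1" | awk -v names="$ROGUE_NAMES" '
        BEGIN { n = split(names, list, " ") }
        NR == 1 && $1 == "PID" { next }       # header row
        index($0, " grep ") > 0 { next }      # the grep that searched for it
        {
            line = tolower($0)
            for (i = 1; i <= n; i++)
                if (index(line, tolower(list[i])) > 0) { print $1, list[i]; break }
        }'
}

# terminate_rogue: kill every live rogue process, escalating to SIGKILL if it
# ignores SIGTERM (the "Force Quit" of Method One).
terminate_rogue() {
    find_rogue_pids "$(ps -ax)" | while read -r pid name; do
        echo "Terminating $name (PID $pid)"
        kill "$pid" 2>/dev/null || true
        sleep 1
        if kill -0 "$pid" 2>/dev/null; then kill -9 "$pid"; fi
    done
}

# list_rogue_apps [DIR]: prints any rogue .app bundle present in DIR
# (default /Applications), i.e. what Method One step 4 tells you to trash.
list_rogue_apps() {
    dir="${1:-/Applications}"
    for n in $ROGUE_NAMES; do
        if [ -e "$dir/$n.app" ]; then echo "$dir/$n.app"; fi
    done
}

# rogue_login_items LIST: given the comma-separated login item list that
# System Events returns, prints the entries matching a rogue name (Method One
# step 5).
rogue_login_items() {
    printf '%s\n' "$1" | tr ',' '\n' | while read -r item; do
        for n in $ROGUE_NAMES; do
            if [ "$item" = "$n" ]; then echo "$item"; fi
        done
    done
}

# safari_autoopen_status: "enabled" if Safari still auto-opens "safe" files
# after downloading (Safe Browsing tip 3), "disabled" otherwise. Assumes the
# AutoOpenSafeDownloads key and treats a missing key as enabled.
safari_autoopen_status() {
    v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo 1)
    case "$v" in
        0|false|NO) echo disabled ;;
        *)          echo enabled ;;
    esac
}

# audit: report only; removal stays a deliberate, separate step.
audit() {
    echo "== Rogue processes (PID NAME) =="
    find_rogue_pids "$(ps -ax)"
    echo "== Rogue bundles in /Applications =="
    list_rogue_apps /Applications
    echo "== Rogue login items =="
    rogue_login_items "$(osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null)"
    echo "== Safari auto-opens 'safe' downloads: $(safari_autoopen_status) =="
}

if [ "${1:-}" = "--audit" ]; then audit; fi
```

Run it as ‘sh macdefender-audit.sh --audit’ on the suspect Mac. The audit only reports; terminate_rogue is not called automatically, and dragging the bundle to the Trash and removing the login item remain the manual steps from Method One, so nothing is deleted until you have confirmed what was found.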

If you are infected with MacDefender, MacSecurity, MacProtector, Mac Shield or MacGuard and MacScan is not detecting the threats during a scan, make sure you are running the latest spyware definitions update. If MacScan is running with the latest spyware definitions update and the malware is still not detected, please e-mail us at macsec@securemac.com for further support.

About MacScan

MacScan quickly detects, isolates and removes malware from Macintosh computers using both real-time spyware definition updating and unique detection methods. The software also manages internet-related clutter on your computer. It is designed for Mac OS X version 10.2.4 and later.

Since 1999, SecureMac has been at the forefront of Macintosh system security. The site not only features complete Macintosh Anti-Spyware and Antivirus solutions, but also operates as a clearinghouse for news, reviews and discussion of Apple computer security issues. Users from novice to the most advanced will find useful information at SecureMac that is designed to make their computer experience trouble free.
