This article was published on May 2, 2011

Bogus MacDefender malware campaign targets Mac users using Google Images



Apple computer owners are being subjected to a number of specialised malware attacks that insist Mac users download a malware version of the popular MacDefender antivirus application, infecting their computers as a result.

News of the malware campaign surfaced as scores of Mac computer owners flooded the Apple Discussion Forums, asking members for advice on how to delete the MacDefender application from their systems.

One member writes:

Hi I am new to this, but something called Mac Defender has downloaded itself and now I cannot get it off my computer. Can someone shed some light on this bizarre program that I did not ask for?

Early reports show that users have been targeted as they search Google Images, with one user stating that the bogus MacDefender application was automatically downloaded as he browsed images of piranhas. Further searching through the Apple Discussion boards suggests that the malware campaign is targeting users of Apple’s Safari browser, displaying warnings that the user’s computer has been infected with viruses that only the unofficial MacDefender application can remove.

Safari users can set their browser to automatically open software they trust, and it is thought that many have been infected without their knowledge by this route of attack. Upon downloading, the app asks users to pay for protection, possibly giving attackers credit card details as a result.

To reassure users of the official MacDefender software, its creator has taken to the official website to warn users of the malware campaign:

IMPORTANT NOTE: As it seems someone wrote a virus/malware application named mac defender (MacDefender.app) for OS X. If you see an application named like this DO NOT DOWNLOAD/INSTALL it. I would never release an application named like this.

It is not thought that the malware application is able to infect Mac computers with a virus. Instead it is posing as scareware, which undermines the confidence of Mac users and also tries to get them to hand over their credit card details.

Luckily, disabling and removing the bogus MacDefender application is easy. If you have been infected and want to make sure it no longer resides on your system, follow the steps below:

  1. To ensure you do not automatically download the app, uncheck the following: Safari > Preferences > General > uncheck “Open “safe” files after downloading”.
  2. Searching for the application and deleting it directly may fail, saying the app is in use. To stop it running, check Activity Monitor (in Applications > Utilities) and disable anything that relates to MacDefender.
  3. Look in /Library/StartupItems and, in the same /Library folder, LaunchAgents and LaunchDaemons for references to the malware app.
  4. Once it has quit, head to the Applications folder and drag the MacDefender app to the Trash, then empty the Trash.
  5. To ensure all references to the app are cleared, run a search using Spotlight and delete all MacDefender references you find.
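
The checks in steps 1, 3 and 4 can be scripted as a read-only audit that reports what to review before anything is deleted. This is an added example, not part of the original article: the function names, the `ROOT` argument and the name pattern are assumptions, and `AutoOpenSafeDownloads` is the Safari preference key behind the "safe files" checkbox.

```shell
#!/bin/bash
# Read-only audit for steps 1, 3 and 4: reports MacDefender references, deletes nothing.
# ROOT (hypothetical parameter) lets the scan target a mounted volume or a test tree.

PATTERN='mac[ _-]?defender'   # assumption: covers "MacDefender" and "Mac Defender"

# Step 1: report Safari's "Open safe files after downloading" setting.
safari_auto_open_state() {
  command -v defaults >/dev/null 2>&1 || { echo "unknown"; return 0; }
  case "$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)" in
    0) echo "disabled" ;;
    1) echo "enabled" ;;
    *) echo "unset" ;;        # key absent, Safari's built-in default applies
  esac
}

# Steps 3-4: list entries whose name or content references the app.
find_macdefender_refs() {
  local root="${1:-/}" sub dir entry
  root="${root%/}"
  for sub in Library/StartupItems Library/LaunchAgents Library/LaunchDaemons Applications; do
    dir="$root/$sub"
    [ -d "$dir" ] || continue
    # Match on the entry name only, so the ROOT path cannot cause a false hit.
    for entry in "$dir"/*; do
      [ -e "$entry" ] || continue
      if basename "$entry" | grep -qiE "$PATTERN"; then echo "$entry"; fi
    done
    # Search file contents in the persistence folders, not in every app bundle.
    [ "$sub" = "Applications" ] || grep -rliE "$PATTERN" "$dir" 2>/dev/null || true
  done | sort -u
}

# Constructed sample tree (not real malware artefacts) for trying the scan offline.
make_sample_tree() {
  local t; t="$(mktemp -d)"
  mkdir -p "$t/Applications/MacDefender.app" "$t/Library/LaunchAgents" "$t/Library/LaunchDaemons"
  printf '<string>/Applications/MacDefender.app/Contents/MacOS/MacDefender</string>\n' \
    > "$t/Library/LaunchAgents/com.example.helper.plist"
  printf '<string>/usr/local/bin/backup</string>\n' \
    > "$t/Library/LaunchDaemons/com.example.backup.plist"
  echo "$t"
}

if [ "$#" -gt 0 ]; then
  echo "Safari auto-open: $(safari_auto_open_state)"
  find_macdefender_refs "$1"
fi
```

Run it with `/` as the argument to audit the live system; a launch item that appears in the output still needs a manual look before removal, since the match is on the name string alone.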

The removal of the app is somewhat easier than on Windows, mainly thanks to the security of the Mac OS X operating system. The malware looks to be proliferating off the back of attacks on websites that are serving images on Google Images. It is recommended that you browse safely, utilising other image searches for the time being.
