Apple Releases MacDefender Removal & Prevention Tools

Although it took longer than most Mac users would like, Apple finally released a security update designed to remove (and thwart installation of) MacDefender and its similarly named brethren.

Getting the update is a cinch, even if you're unfamiliar with OSX. Here's how:

  1. Click the Apple logo and choose "Software Update"

    You'll then see a window pop up identical to this one:

  2. Click "Show Details" (alternately, you can skip ahead and just choose "Install" as shown here)

  3. If you choose "Show Details", you'll want to look for "Security Update 2011-003" as shown here:

    After which you'll want to click "Install [number] item(s)"
    Once you have, you'll see:

    Followed by a confirmation that the update was installed...

    Followed by one last check to ensure there aren't any more updates...
    And finally, you'll get a confirmation that your software is up-to-date.

Now what?

OK, so you've installed the MacDefender Removal & Prevention tool.

How do you know if you've got the malware? And, how do you know if it was removed?

Here are some more screenshots to help you see what OSX is supposed to do now that the MacDefender Removal/Prevention tool is installed.

First of all, let's talk about what you'll see if your Mac has been infected with MacDefender.

Let's be honest, if you see that error message appear, there shouldn't be any confusion, right?

You'll notice the only option here is to hit "OK." There's no other option to get tricked into clicking, and you'll also note that the OS detected and removed the malware on its own.

In other words, there was nothing to buy and nothing to run. It just worked. Great.

MacDefender Prevention

Whether or not you've been infected, the next thing to know is what to look for so that you don't get hit with this thing.

If you do accidentally download the file, you should expect to see this warning:

Interestingly, Apple chose to leave "Open" as one of the possible options. This is great for those of us in the antivirus field, and as crazy as it may seem, some people will click "Open" instead of "Move to Trash."

Sometimes it's accidental. Sometimes it's intimidation about doing the wrong thing. Sometimes it's just clicking away at things hoping to make boxes like this go away. And, sometimes it's outright stupidity.

It happens. We're only human.

So, the last tidbit of insight I can shed on things here is this: Make sure your "Automatically update safe downloads list" is checked as shown here.

You can find it under "Apple > System Preferences > Security > General."

[Editor's Note: Alternately, you can also download the update that removes MacDefender and install it manually.]


Mac Defender 2.0... Malware Creator Responds to Apple Update

Apple may've taken a lot longer than anyone would have liked to respond to the Mac Defender fake antivirus malware, but its creator (he, she, or they) hasn't taken long to respond to Apple.

In fact, on the heels of Apple's announcement, the Mac Defender creator has already fired another salvo back across Apple's bow.

The latest?

According to Intego, a Mac-centric antivirus firm, the latest version, dubbed "Mac Guard," has upped the ante and made stopping it all the harder.

For starters, Intego says in their blog post on Mac Defender,

"Intego today discovered a new variant of this malware that functions slightly differently. It comes in two parts.

"The first part is a downloader, a tool that, after installation, downloads a payload from a web server.

"As with the Mac Defender malware variants, this installation package, called avSetup.pkg, is downloaded automatically when a user visits a specially crafted web site."


Yikes. Auto-download? That sounds a lot like Windows malware to me.

And, here's where it gets really ugly.

Apple, in their infinite wisdom, has Safari, the default browser on the Mac, in its default configuration, automatically open so-called "safe" files after downloading.

Translation: it downloads on its own and even opens itself for you... all on its own! Yay! Before you know it, and without your asking for it, the standard, friendly-looking Mac installer is in front of you. All on its own.

What next? All you have to do is click 'Continue' and so on as you normally would, and poof! Your machine is infected.

The thing is, a lot of people won't know any different. All they see is the friendly-looking installer (that can't be harmful, right??), and a 'Continue' button.

What do they do? Click 'Continue,' of course!

What's more, according to Intego, "Unlike the previous variants of this fake antivirus, no administrator's password is required to install this program." [Editor's note: emphasis theirs.]
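The two settings this post keeps coming back to, Safari's "Open 'safe' files after downloading" and the "Automatically update safe downloads list" checkbox, can be audited from a shell. This is an added example, not code from the original post or from Apple; it assumes Safari keeps the first setting under the com.apple.Safari key AutoOpenSafeDownloads and that the second corresponds to the com.apple.xprotectupdater launchd daemon being loaded, both of which you should verify on your own Mac.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumptions (verify locally):
#   - Safari's "Open 'safe' files after downloading" is stored in the
#     com.apple.Safari preference key AutoOpenSafeDownloads (1 = on, Safari's default)
#   - the "Automatically update safe downloads list" checkbox corresponds to the
#     com.apple.xprotectupdater launchd daemon being loaded

# Given the raw value from `defaults read com.apple.Safari AutoOpenSafeDownloads`,
# return 0 (safe) only when auto-open is explicitly off. An empty value means the
# key is unset, so Safari's built-in default (auto-open ON) applies: not safe.
safari_autoopen_is_safe() {
    case "$1" in
        0|false|FALSE|no|NO) return 0 ;;
        *) return 1 ;;
    esac
}

# Given the output of `launchctl list` (run with sudo to see system daemons),
# return 0 when the XProtect updater job is among the loaded jobs.
xprotect_updater_loaded() {
    printf '%s\n' "$1" | grep -q 'com\.apple\.xprotectupdater$'
}

# Run the audit on a live Mac. On other systems the `defaults` tool does not
# exist, so the function says so and returns 2. Returns 0 only when both
# settings are in the safe state, 1 when either needs attention.
audit_mac_download_settings() {
    command -v defaults >/dev/null 2>&1 || { echo "not macOS: nothing to audit"; return 2; }
    rc=0
    if safari_autoopen_is_safe "$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)"; then
        echo "OK   Safari does not auto-open 'safe' downloads"
    else
        echo "WARN Safari auto-opens 'safe' downloads; uncheck it in Safari > Preferences > General"
        rc=1
    fi
    if xprotect_updater_loaded "$(launchctl list 2>/dev/null)"; then
        echo "OK   safe downloads list (XProtect) updater is loaded"
    else
        echo "WARN XProtect updater not loaded; check System Preferences > Security > General"
        rc=1
    fi
    return $rc
}
```

Call `audit_mac_download_settings` from a Terminal on the Mac in question; the two helper functions only interpret text, so they can be exercised anywhere.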

This whole Mac Defender/Protector/Security/Guard trojan malware is causing more than a little buzz, including a piece on Mac Guard on ZDNet.

In the article, author Ed Bott [Editor's Note: Bott... an apropos name for someone in Internet security] says,

"Apple appears to be treating this outbreak as if it were a single incident that won’t be repeated. They seriously underestimate the bad guys, who are not idiots.

"Peter James, an Intego spokesperson, told me his company’s analysts were 'impressed by the quality of the original version.'

"The quick response to Apple’s move suggests they are capable of churning out new releases at Internet speeds, adapting their software and their tactics as their target—Apple—tries to put up new roadblocks."


That about sums up our take on things here, too. Seriously, Apple, these were a couple of real missteps on your part. First the long delay.

Then the craptastic response. C'mon. How 'bout disabling the inane "Automatically open 'safe' files" setting? That's not really a default, is it?

That's the best the company that makes innovative products like the iMacs, iPhones, iTunes, iPods, and iPads can do?

Maybe this is going to be a long road after all.

[N.B. The original Apple announcement on Removing Mac Defender, which we discussed in an earlier blog about Mac Defender, mentioned two steps Apple was taking to combat Mac Defender. They were going to be:

  1. releasing a Mac Defender remover as part of their next update and
  2. having OSX do some sort of real-time intervention if you tried to install the malware.]


Mac Malware Removal: No Help from Apple Support

Even though our focus (at least for now) is on Windows antivirus software and malware removal, we've had a few people contact us asking about the malware known as Mac Defender [1] (previously discussed in our blog on Mac antivirus software).

Here's the short version: it does not automatically install itself onto your Mac. It does require you to manually install it to be infected. And, the main way it's getting installed is when people are tricked into installing it.

How do you get rid of it?

Well, apparently, even though it's not that hard, you can't turn to Apple Support for help; according to ZDNet, there's no help from Apple Support reps in removing Mac Defender, although there is now an official Apple help article on removing Mac Defender.

Although we've not tested the removal steps ourselves, given that the removal instructions come from Apple itself, you can be sure they work and are legit.

And, yes, all the top Mac antivirus software is already detecting and removing the malware.

[1] MacDefender is known alternately as MacSecurity or MacProtector.


What about Mac Antivirus Software?

Oooh, what a debate there is around this topic.

I'm of the opinion that the time has come for those of us who run Macs--or those of us that run both Mac and Windows--to pull our collective head out of the sand and start looking at Mac antivirus software.

In case you've not heard about it, the latest Mac malware (this one is a trojan) is known already by three different names:

  1. Mac Defender
  2. Mac Protector
  3. Mac Security 

No matter its moniker, it's 100% bull.

Adrian Kingsley-Hughes, writing for ZDNet, talks about both the Mac Defender trojan and the state of denial that most Mac users are in about Mac antivirus software, viruses, and malware in his great piece.

Sure, there's the problem of actual viruses that sneak their way uninvited onto your system. This has long been one of the problems Windows users have suffered and those in the Mac camp have been largely unaffected by.

He hits it out of the park in describing exactly what the other problem is. (And this is why Mac antivirus software is a good idea.)

"The threats posed by the bad guys are also different. Very different.

"Rather than rely on viruses which spread by using system vulnerabilities, the bad guys have turned to the Trojan.

"This is malware disguised as something desirable - a game, a software utility, a porn video - and it relies on the user choosing to install it onto their system.

"It’s hard to protect against this kind of stuff because the user chooses to override the operating system’s desire to be cautious when it comes to installing stuff.

"Getting people to install their own malware has been a popular trick used against Windows users for some time now, and there’s no reason to think that the same trick wouldn’t work against the modern Mac users, especially given how many of them were Windows users not long ago."

What it boils down to is social engineering more than software engineering. Why bother to try to trick the computer into doing something it shouldn't when it's much easier to trick the person into doing something he or she shouldn't?

Think no one is that naive? How come so many folks fall for the Nigeria 419 scams and wire their hard-earned money off to Nigeria and other lands far and wide?

What are we doing about it? We've begun taking our expertise in testing antivirus software for Windows and putting it to work on the Mac.

So, if you're a Mac owner (or have family members, friends, etc who are), keep an eye on our blog, follow us on Twitter (@pcantivirus), or Like us on Facebook. We've got a lot in store right around the corner.