Malware authors now targeting OS X: what you need to know to stay safe from MacDefender
By Tim Hanlon
June 2, 2011
Until recently, the massive market share of Microsoft's Windows operating system meant that authors of viruses, malware and other nefarious software all but ignored the small kid, Apple's OS X operating system.
This allowed the myth that Macs were completely immune to viruses to widely propagate amongst the technologically unsavvy. Of course, Apple is far from innocent here - their own OS X security page reads "Mac OS X doesn't get PC viruses", which means "Mac OS X doesn't get viruses that are written for operating systems that aren't OS X" carefully reworded to not sound ridiculous.
A short history and description of MacDefender
In early May, the first variant of MacDefender appeared online. It follows a pattern that many Windows users will have seen, or fallen victim to.
The malware authors created webpages that pretend to be an anti-virus program alerting users to viruses found on their machine, and used black-hat SEO techniques to make these pages appear on the front page of Google Image Search.
If the user clicks OK, rather than quitting their browser, the malware installer will be downloaded. Safari's 'Open "safe" files after downloading' feature, which is enabled by default, takes care of launching the installer. The original variant of MacDefender, the user had to enter their administrator password to complete the installation. By May 25th, anti-virus vendor Intego announced its discovery of a new variant that did not require the user to enter their password.
Once installed, the malware prompts the user to hand over their credit card details to register the software. (You didn't think they were doing all this for fun, did you?)
Typically, Apple did not rush its response. It wasn't until the 24th of May that this MacDefender article hit its support knowledge base, promising a software update to deal with the issue. On the 31st of May, Security Update 2011-003 was rolled out via Software Update, which removes known variants of MacDefender, and updates its list of known variants daily. According to Ed Bott at CNET, it took the MacDefender authors less than eight hours to cook up a new variant that bypassed the security update.
The only thing that is sure is that this cat-and-mouse game will continue for a long time, if not forever. As the famous quote goes, there's a sucker born every minute. The good news is that it's quite simple to stay safe from this and other similar threats.
How to avoid MacDefender
To start off, let's take a look at what the most current variant of MacDefender looks like when it takes over your Safari window.
If you see this, don't worry, you're still safe - all you need to do is quit or force quit your browser.
Hopefully, the first thing you will notice is the fact that you weren't attempting to install any software. You should never install any software that you haven't manually asked to install.
The dialog box displays Safari's compass icon and an IP address (http://220.127.116.11) which tells you the dialog was launched by a webpage running in a web browser (which is inherently untrustworthy), not OS X.
A foolproof way to check this is to look at the name of the program that is running, which is displayed to the right of the Apple icon in the top left corner of your screen - if this reads Safari, Firefox, Chrome or Opera (or the name of another web browser you use) you should not accept any offer to scan for viruses or install software.
Here's a comparison between the OS X Software Update window (which any official Apple anti-virus or malware removal tools will be installed with) and MacDefender's initial installation prompt:
Never install any Apple update that doesn't come via the Software Update feature found in the Apple menu, the Mac App Store, or Apple's Downloads page.
Have you been stung by MacDefender? Let us know in the comments.