Malware authors now targeting OS X: what you need to know to stay safe from MacDefender


June 2, 2011

MacDefender's initial prompt

MacDefender's initial prompt

Image Gallery (3 images)

Until recently, the massive market share of Microsoft's Windows operating system meant that authors of viruses, malware and other nefarious software all but ignored the small kid, Apple's OS X operating system.

This allowed the myth that Macs were completely immune to viruses to widely propagate amongst the technologically unsavvy. Of course, Apple is far from innocent here - their own OS X security page reads "Mac OS X doesn't get PC viruses", which means "Mac OS X doesn't get viruses that are written for operating systems that aren't OS X" carefully reworded to not sound ridiculous.

A short history and description of MacDefender

In early May, the first variant of MacDefender appeared online. It follows a pattern that many Windows users will have seen, or fallen victim to.

The malware authors created webpages that pretend to be an anti-virus program alerting users to viruses found on their machine, and used black-hat SEO techniques to make these pages appear on the front page of Google Image Search.

A Javascript prompt appears, reading "Caution! Your computer contains a variety of suspicious programs.Your System requires immediate checking! The system will perform a fast and free check your PC for malicious programs." There is no cancel button, only an OK button.

If the user clicks OK, rather than quitting their browser, the malware installer will be downloaded. Safari's 'Open "safe" files after downloading' feature, which is enabled by default, takes care of launching the installer. The original variant of MacDefender, the user had to enter their administrator password to complete the installation. By May 25th, anti-virus vendor Intego announced its discovery of a new variant that did not require the user to enter their password.

Once installed, the malware prompts the user to hand over their credit card details to register the software. (You didn't think they were doing all this for fun, did you?)

Typically, Apple did not rush its response. It wasn't until the 24th of May that this MacDefender article hit its support knowledge base, promising a software update to deal with the issue. On the 31st of May, Security Update 2011-003 was rolled out via Software Update, which removes known variants of MacDefender, and updates its list of known variants daily. According to Ed Bott at CNET, it took the MacDefender authors less than eight hours to cook up a new variant that bypassed the security update.

The only thing that is sure is that this cat-and-mouse game will continue for a long time, if not forever. As the famous quote goes, there's a sucker born every minute. The good news is that it's quite simple to stay safe from this and other similar threats.

How to avoid MacDefender

To start off, let's take a look at what the most current variant of MacDefender looks like when it takes over your Safari window.

If you see this, don't worry, you're still safe - all you need to do is quit or force quit your browser.

Hopefully, the first thing you will notice is the fact that you weren't attempting to install any software. You should never install any software that you haven't manually asked to install.

The dialog box displays Safari's compass icon and an IP address ( which tells you the dialog was launched by a webpage running in a web browser (which is inherently untrustworthy), not OS X.

A foolproof way to check this is to look at the name of the program that is running, which is displayed to the right of the Apple icon in the top left corner of your screen - if this reads Safari, Firefox, Chrome or Opera (or the name of another web browser you use) you should not accept any offer to scan for viruses or install software.

Here's a comparison between the OS X Software Update window (which any official Apple anti-virus or malware removal tools will be installed with) and MacDefender's initial installation prompt:

Never install any Apple update that doesn't come via the Software Update feature found in the Apple menu, the Mac App Store, or Apple's Downloads page.

Have you been stung by MacDefender? Let us know in the comments.

About the Author
Tim Hanlon Tim originally came to Gizmag as a developer, much to the dismay of anyone who had to maintain, build on, or rewrite his code. After wearing every other hat that didn't have a head for it, he became CEO in 2010. Outside Gizmag, he trains Muay Thai and plays too much Destiny. All articles by Tim Hanlon

I\'ve been stung by that crap software, and removed same from an explanation given from someone on a forum over the internet...It\'s really a piece of junk.


Um why on earth would someone waste the time to write software that only applies to 5% of the computers?

Michael Mantion

I was stung by this 5/30 and 5/31. I made no contact with this particular email (my home base) for 8 days prior to someone on my (home) contact list letting me know that I (my email name) had sent out some disturbing links to Canadian drug sites to everyone who was unlucky enough to be trapped on my contact list. I contacted ATT and they suggested that I change my password (done). I haven\'t seen any activity in the last two days other than receiving LOL messages from the folks on the list that I know well. Many contacts were there purely due to the fact that some people neglect omitting forwarded email names. Please... when forwarding emails, delete those that are listed from all the other forwards. I now refuse to open most forwarded email. Only if I really know the sender. If anyone has more info, let me know. Thanks.


Whenever I see the appearance on stage of the latest malware or virus, call it what you will, I immediately conjure up thoughts along the lines of is it:-

1) something an individual produces as purely a form of malfeasance from which he/she enjoys no monetary gain ?


2) something an enterprise would conjure up in order to promote an increase in their sales of software that combats malware or a virus ?

When one considers that, especially in this day and age, such software program companies could not possibly survive if malware and viruses were completely eradicated.

Or could these malware and viruses possibly emanate from the belligerent minds of al Qaida ?

Old Xaverian

Hacking competitions have shown, time and time again, that OS X is not very secure. And although Windows is a much bigger target for viruses and malware, it is more secure \"out of the box\" than OS X. That\'s mainly because Apple has put little emphasis on improving security. To Microsoft\'s credit, they are very quick at responding to and fixing security issues in Windows.

Eric Burr

They do it for only 5% of the computers because it bolsters their egos since anything having to do with attacking a Mac instantly gets worldwide media coverage. This isn\'t a virus, just malware which has to be downloaded. Easy to avoid.


There is no patch for stupidity.


When the Mac was new and different with it\'s post card size screen, it was hit more often in this college town than any of the boring PC\'s on the floor of the store where I worked.

At least once a week some student would come in to look at one, slip a disk in the machine and take it down completely.

But 10% of 95% is almost twice more than 100% of 5% so why bother with the Mac.


TheRogue1000 is correct. This is not a virus and there\'s still no virus for Macs, despite what Tim Hanlon erroneously claims. This is malware, or a Trojan to be precise. Unlike actual biological and computer viruses, this will not replicate and spread itself to other systems. It needs to be downloaded by the user and assuming it gets installed, then needs the user to voluntarily hand over credit card information. There will never be complete protection for Trojans, phishing or other social engineering schemes because you can\'t download anti-malware packages into people\'s minds, where the weak link in the chain will always be. You can\'t protect people from themselves.

Also, despite what MikeFromHC believes from ancient computer history, OS X is a completely different animal from the original Mac OS because of its UNIX (not Linux, not UNIX-like, but actual UNIX) underpinnings. That\'s why there\'s still no OS X virus in the wild. Nevertheless, as noted, no operating system in the world will ever be immune to social engineering, Unix included.


Where I figured the virus authors missed a big opportunity was using a Mac with the PC/DOS disk support installed to spread PC boot sector viruses.

Infect the DOS disk drivers and have them infect all PC format 1.44M floppies inserted in the Mac\'s drive. It could be done completely stealthy, all Macs (even with OS X) will write to any writable media they come in contact with, to provide for desktop data, trash, resource forks etc.

But with non-Mac format media you can see those files and folders when the media is accessed with its native OS.

Hmmm, still an opportunity there to do something like using a Mac as a \"typhoid mary\" to spread Windows rootkits to USB sticks and memory cards, no user confirmation needed because the Mac writes to the media without asking the user\'s permission.

Gregg Eshelman

@Gadgeteer: There has definitely been real (self-replicating) viruses for OS X found in the wild - but you\'re spot on about the fact that no anti-malware software will be able to protect a naive user from every threat.

Tim Hanlon

Wow......!!!.... Now Mac almost definetly same with windows world......


Most of this is ridiculous garbage. The Mac still has ZERO viruses and PC users are using this as an opportunity to make them feel better by saying Macs have viruses.

This is NOT a virus it is a software application that uses the gullibility gof people to get them downloading and installing it. It is the lies and propaganda spread by the Windoze users that makes people believe they need this crap in the first place.

No operating system can protect people from downloading and installing malicious software if they are stupid enough to do it.

I have very little respect for this site as it takes every opportunity to exaggerate and try to convince people that Mac is not as good as it is. For a site that is supposed to be about high technology it is ridiculous that you support Windows trash and put down Macs that are years ahead of Windoze.

Frank Woolf

@Frank Woolf: I refer to MacDefender as malware several times in the article, not a virus.

I also think that trying to make this a semantic argument is totally counterproductive to keeping people safe, which was the point of this article. The average Mac user does not know the difference between a virus and a trojan horse, and might even use "virus" as a catch-all term for malicious software.

There may be no OS X viruses in the wild right now, but there have been, and telling Mac users they're 100% safe from viruses only gives them a false sense of security which in turn makes life easier for trojan horse authors.

And on your final point, all full-time employees (including myself) and many part-time employees of Gizmag use Macs. If you think there's an anti-Apple sentiment here, you're mistaken.

Tim Hanlon

\"No operating system can protect people from downloading and installing malicious software if they are stupid enough to do it.\"

We should not just accept this as fact. Rather, we should find a way to protect stupid people from downloading malicious software. Just because we are smart enough to avoid the malware doesn\'t mean the stupid people deserve to get the malware. I mean, you don\'t say people who get robbed deserved to get robbed because they can\'t fight off the robber.


Ok, so what if I clicked \"OK\" instead of force quit the application?

Jesse Davis

We can all be rather tired sometimes, and can fall for traps. I don\'t believe anybody can say they\'ve never done something stupid.

btw does MS provide updates of Windows to protect users from semi-consciously installing known malware apps?

Post a Comment

Login with your Gizmag account:

Related Articles
Looking for something? Search our articles