
Every Apple fanboy will tell you that Macs are safe from malware, but it’s just not true. Recently a fake AV program has been targeting and infecting OS X computers in the wild. Here’s a quick look at how it works, how to remove it, and how to prevent it in the first place.

The virus in question is actually a fake antivirus and trojan that goes by a few different names. It may present itself as Apple Security Center, Apple Web Security, Mac Defender, Mac Protector, and possibly many other names.

Note: we encountered this malware on a handful of user workstations at my day job, and then spent some time analyzing how it works. This is a real piece of malware that is really infecting people.

Screenshot Tour of a Mac Protector Malware Infection

The infection starts with a webpage redirect that presents the user with a page made to look like a real Mac OS X popup dialog.

If the user clicks Remove All, the browser immediately begins downloading a package that installs the virus.

Once the package is downloaded, your computer will probably begin installation automatically. Luckily, for now, you still have to manually walk through the installation process. As more vulnerabilities are found this will probably change in the future, just as it has for Windows users in the past. Note: This was installed on a fully patched fresh install of OS X 10.6.7 with Symantec Endpoint Protection 11.0.6 fully up to date.

The installer will start and you will need to walk through the normal OS X process. Users will also be prompted for a username and password with administrative rights during the installation.

You may notice the new shield-like icon in the menu bar.

The program will automatically run and pretend to be loading some sort of database for what we can assume is virus definitions.

You will then be barraged with notifications and popups letting you know about your fake infection.

Just like fake antivirus programs on Windows, if you click on the cleanup button or on one of the notifications you will be told that your software is not registered and needs to be paid for.

If you click on the register button you will be asked for your credit card information. Note: Do not fill out, submit, or even type your credit card info in this window.

If you close out of this window you will be asked to put in your serial number to continue.

Mac Protector/Defender Removal

To remove the virus, close all of its windows, either with the Command+Q keyboard shortcut or by clicking the red orb in the top left corner.

Now browse to your hard drive -> Applications -> Utilities and open the Activity Monitor. Locate the MacProtector process and click Quit Process.

Confirm the pop-up asking if you are sure you want to quit the process.

Open your Apple menu and select System Preferences.

Select Accounts from the new window.

If you are not able to edit your account settings click on the lock in the lower left corner of the window and put in your admin password.

Select your user from the left and then click the Login Items tab. Select the MacProtector entry and then click the minus (-) button at the bottom of the window.

Close System Preferences and go back to your Applications folder. Find the MacProtector application that was installed and either drag it to the trash, right click and move it to the trash, or drag it to your favorite app zapper program.
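
If you have more than a handful of Macs to check, the three places the removal steps touch (running process, login item, Applications folder) can be checked from a terminal. The script below is an added example, not part of the original walkthrough; it assumes the MacProtector name described above, and the `check_host` and `has_match` function names and the sample data are made up for illustration.

```sh
#!/bin/sh
# Added example: looks in the three places the removal steps cover.
# PATTERN is the name this article reports for the process, login item and
# app; other variants may use different names (assumption: adjust as needed).
PATTERN='MacProtector'

# Succeeds if the text on stdin contains PATTERN (case-insensitive).
has_match() { grep -qi -- "$PATTERN"; }

# check_host PROCESS_LIST LOGIN_ITEMS APPS_DIR
# Prints one line per location where the name turns up and returns the
# number of findings as its exit status (0 means nothing was found).
check_host() {
    findings=0
    if printf '%s\n' "$1" | has_match; then
        echo "FOUND: running process matching $PATTERN"
        findings=$((findings + 1))
    fi
    if printf '%s\n' "$2" | has_match; then
        echo "FOUND: login item matching $PATTERN"
        findings=$((findings + 1))
    fi
    if ls -1 "$3" 2>/dev/null | has_match; then
        echo "FOUND: application in $3 matching $PATTERN"
        findings=$((findings + 1))
    fi
    return "$findings"
}

if [ "$(uname)" = "Darwin" ]; then
    # Live check on a Mac: process names, the current user's login items,
    # and the Applications folder.
    procs=$(ps -axo comm)
    items=$(osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null)
    check_host "$procs" "$items" /Applications
else
    # Constructed sample data (not captured from a real machine) so the
    # logic can be exercised on a non-Mac system.
    check_host "/Applications/MacProtector.app/Contents/MacOS/MacProtector" \
               "iTunesHelper, MacProtector" /nonexistent || true
fi
```

A non-zero exit status on a Mac means at least one of the three locations still needs the manual cleanup described above.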

How to Prevent Getting the Virus

There are some precautions you can take to avoid getting this virus. First of all, use common sense when browsing the internet. If the website looks suspicious or the warnings look fishy, don't click on them. There will also probably be other warnings that something may contain a virus. For instance, the virus I managed to download was later flagged by Google as being harmful to my computer.

If you are using Safari you should also disable the setting to automatically open "safe" files after downloading. Go to your Safari preferences and uncheck the box to disable this setting.

You should also scan your downloads with an antivirus program. When the installer package is scanned with Symantec Endpoint it detects the virus immediately.

If you don't have Symantec on your Mac, the Windows scanner also has definitions to detect this virus.

Have you encountered a Mac OS X malware infection in the wild? Be sure to share with your fellow readers in the comments.