
How-To Geek

Mac OS X Viruses: How to Remove and Prevent the Mac Protector Malware


Every Apple fanboy will tell you that Macs are safe from malware, but it’s just not true. Recently a fake AV program has been targeting and infecting OS X computers in the wild. Here’s a quick look at how it works, how to remove it, and also how to prevent it in the first place.

The virus in question is actually a fake antivirus and trojan which goes by a few different names. It may present itself as Apple Security Center, Apple Web Security, Mac Defender, Mac Protector, and possibly many other names.

Note: We encountered this malware on a handful of user workstations at my day job, and then spent some time doing analysis of how it works. This is a real piece of malware that’s really infecting people.

Screenshot Tour of a Mac Protector Malware Infection

The infection starts with a webpage redirect that presents the user with the following page, which is made to look like a real Mac OS X popup dialog.


If the user clicks “remove all”, they will immediately begin downloading a package which will install the virus.

Once the package is downloaded, your computer will probably begin installation automatically. Luckily, for now, you still have to manually walk through the installation process. As more vulnerabilities are found, this will probably change in the future, just as it has for Windows users in the past.

Note: This was installed on a fully patched fresh install of OS X 10.6.7 with Symantec Endpoint Protection 11.0.6 fully up to date.

The installer will start and you will need to walk through the normal OS X process. Users will also be prompted for a username and password with administrative rights during the installation.

You may notice the new shield-like icon in the menu bar.

The program will automatically run and pretend to be loading some sort of database of what we can assume are virus definitions.

You will then be barraged with notifications and popups letting you know about your fake infection.

Just like fake antivirus programs on Windows, if you click on the cleanup button or on one of the notifications you will be told that your software is not registered and needs to be paid for.

If you click on the register button you will be asked for your credit card information.

Note: Do not fill out, submit, or even type your credit card info in this window.

If you close out of this window you will be asked to put in your serial number to continue.

Mac Protector/Defender Removal

To remove the virus, close all of the windows, either with the Command+Q keyboard shortcut or by clicking the red orb in the top left corner.

Now browse to your hard drive -> Applications -> Utilities and open Activity Monitor. Locate the MacProtector process and click Quit Process.

Confirm the pop-up asking if you are sure you want to quit the process.

Open your Apple menu and select System Preferences.

Select Accounts from the new window.

If you are not able to edit your account settings, click on the lock in the lower left corner of the window and enter your admin password.

Select your user on the left and then click the Login Items tab. Select the MacProtector entry and then click the minus (-) button at the bottom of the window.

Close System Preferences and go back to your Applications folder. Find the MacProtector application that was installed and either drag it to the Trash, right-click it and move it to the Trash, or drag it to your favorite app zapper program.
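
Once the steps above are done, a short script can confirm that nothing was left behind. This is an added example, not part of the original article: it looks in the given folders and in a process listing for the names the article lists (Mac Protector, Mac Defender, Apple Security Center, Apple Web Security). The exact on-disk file names, the `~/Downloads` location and the `--scan` switch are assumptions.

```shell
#!/bin/sh
# Added example: post-removal check for leftovers of the fake antivirus.
# The names below come from the article; how they appear on disk
# (spacing, case, extension) is an assumption, so matching is loose.
SUSPECT_NAMES="macprotector macdefender applesecuritycenter applewebsecurity"

# Lowercase and drop everything except letters and digits, so that
# "Mac Defender.app", "MacDefender.pkg" and "mac_defender.zip" compare equal.
normalize_name() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -cd 'a-z0-9'
}

# Return 0 if the given string contains any of the suspect names.
is_suspect_name() {
    _n=$(normalize_name "$1")
    for _s in $SUSPECT_NAMES; do
        case "$_n" in
            *"$_s"*) return 0 ;;
        esac
    done
    return 1
}

# Print every visible entry directly inside the given directories whose
# name matches. Directories that do not exist are skipped.
find_suspect_items() {
    for _dir in "$@"; do
        [ -d "$_dir" ] || continue
        for _path in "$_dir"/*; do
            [ -e "$_path" ] || continue
            if is_suspect_name "$(basename "$_path")"; then
                printf '%s\n' "$_path"
            fi
        done
    done
    return 0
}

# Read "PID COMMAND" lines on stdin (for example from `ps -axo pid=,comm=`)
# and print the ones whose command path contains a suspect name.
find_suspect_processes() {
    while read -r _pid _cmd; do
        [ -n "$_cmd" ] || continue
        if is_suspect_name "$_cmd"; then
            printf '%s %s\n' "$_pid" "$_cmd"
        fi
    done
    return 0
}

# Run as `sh check.sh --scan` to check the usual places on a live system.
# No output means no leftovers were found by name.
if [ "${1:-}" = "--scan" ]; then
    find_suspect_items /Applications "$HOME/Downloads"
    ps -axo pid=,comm= | find_suspect_processes
fi
```

A clean result only means nothing matched by name; login items still need to be checked in System Preferences as described above.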

How to Prevent Getting the Virus

There are some precautions you can take to avoid getting this virus. First of all, use common sense when browsing the internet. If the website looks suspicious or the warnings look fishy, don’t click on them.

There will also probably be other warnings that something may contain a virus. For instance, the virus I managed to download was later flagged by Google as being harmful to my computer.

If you are using Safari you should also disable the setting to automatically open “safe” files after downloading. Go to your Safari preferences and uncheck the box to disable this setting.

You should also scan your downloads with an antivirus program. When the installer package is scanned with Symantec Endpoint it detects the virus immediately.

If you don’t have Symantec on your Mac, the Windows scanner also has definitions to detect this virus.

Have you encountered a Mac OS X malware infection in the wild? Be sure to share with your fellow readers in the comments.

Justin is a Linux and HTPC enthusiast who loves to try new projects. He isn't scared of bricking a cell phone in the name of freedom.

  • Published 05/18/11

Comments (74)

  1. whiplash55

    At least it’s easy to get rid of, I have seen Windows malware that could be removed in “Program and Features” but not too often.

  2. david

    Thanks for another great tutorial HTG! I’m with you whiplash, it does seem like it isn’t too bad to remove. Which is good for me because I’m proficient with Windows and not at all with Mac!

  3. durr

    Protip: Install Gentoo

  4. Santo

    Even with the updated Symantec Endpoint Protection, if malware can infect a MAC then only human common sense can be considered the best and first defense against any kind of infection. This applies to all operating systems.
    I had already come across many Windows PCs with updated OS and updated Symantec Endpoint Protection getting infected by these types of infections. Hope all users take precautions and stay alert.

  5. Drod

    Also make sure you open the Download folder to delete any application copies of Mac Defender. I recently removed this virus and found many copies in this folder.

  6. trm96

    The only thing you really have to do to remove it is either delete the program itself (after killing it of course) and then delete all the files associated with it in both your user library folder as well as the system’s library folder. Or better yet you could just use a program like AppZapper and it will find all files and delete them.

    And for the love of God stop using Safari, use Chrome or Firefox!

  7. durr

    trm96
    lawl Chrome. Two words: WebGL exploit

  8. silversuperman

    very awesome I have some family members w/ Macs. I just forwarded this article. HTG is def 1 of my top 5 sites I visit. Keep up the great work. :-D thank you again HTG!

  9. ize

    Does this fake antivirus (malware) also collect my login information, my email username and password, or other private information?

    Or does it just collect our information from the fake pop-up credit card form?

  10. Knightwing

    Welcome to our world Macs! I guess this makes them even more useless than they already are.

  11. daddysu

    No system or av program will ever stop 100% of new threats. They have to see the virus before they can prevent it. OS makers and AV companies try to be as proactive as they can be but are usually stuck being reactive

  12. xs

    Further proof that you shouldn’t install antivirus or anti malware software on MAC.

  13. izzy

    for comcast customers, you get a full version of norton antivirus for mac, just saying LOL

  14. mwg817

    I am not a MAC owner, yet. However, if MAC is anything like Windows, I learned long ago anything from Symantec is useless. I use McAfee Security Suite on my Win 7 machine and never have any trouble. I am planning on purchasing a MacBook Pro and hopefully I can use something other than Norton (Symantec) for protection.

  15. Ed

    This is an excellent, well written and composed article. Thank you very much.

  16. Meh

    @XS

    Further proof you shouldn’t install Mac OSX period!!

    Want rock hard security get BSD >:)

  17. durr

    Meh
    OSX == BSD
    FreeBSD based

  18. abz

    thanks a lot man helped me out (y)

  19. Tommy

    This is bs!! Not a virus. You have to install it yourself!!! I’m unfollowing you as we speak.

  20. aoi_sora9x

    For windows, best anti virus right now IMO is windows security essential

    Yeah, it’s free, it’s light, and it’s good.

  21. tommy

    if anything, this is evidence of Mac’s security.
    anybody can make a website
    anybody can make a program
    you have to go to that website
    you have to run the downloaded program
    you have to enter your admin password!?!?

  22. dave

    I’d really like to see more Mac articles. I’m new to the Mac but have used PCs long enough that my paranoia is always on high while on the Internet. But I had no idea about the Activity Monitor utility.
    It’s the little things.

  23. ichido ['}

    Give a Linux Distro a try.
    They are FREE, as in No Cost, and they are Virus-Proof!
    You can Multi-Boot Linux Distro with your MAC or Windows PC.
    I have been running 5 PCs for more than 5 years without any Anti Virus Program and I have never had any infection!
    Try it and see if you like Free Software and No Virus!
    I prefer Ubuntu or Mint Linux.

    Look here for more info on Linux Distros:
    http://distrowatch.com/

  24. Kirk

    Felt like an idiot getting this on my MAC …. Thanks for the clear instructions on how to get it off!

  25. StvMrx

    Haha, there are more steps listed for installing this ‘virus’ than there are for getting rid of it! Further evidence that there is NO need for antivirus on a mac. You’re an idiot. And if you really encountered this on several macs in your workplace, then you must work with idiots.

  26. Michael

    @StvMrx
    They said a handful of Macs, and if the company is of any decent size then that is feasible.

    These occurrences will become more frequent as a growing number of users switch to Macs. Unfortunately, they are switching because the computers are easy for non-tech savvy users to turn on and GO! Thus making the likelihood that they will install this software higher. Thankfully I do not have to support Macs on my network, and all my Windows machines are extremely locked down.

  27. Hatryst

    Now that a virus has hit Macs, we are reading its reviews all over the web, but no one provided the solution. Thank you HTG for explaining the removal procedure !

  28. Shaun

    I think this is a further tribute to the security of OSX. With windows, all you need to do is visit a website. With Mac, you have to make several stupid errors including providing an admin password to get a virus. It’s still the most functional and secure operating system you can get (that also has a beautiful interface).

  29. JRC

    Wow you’re really reaching here windowtards. I count about 5 steps that a user has to go through in order to actually get this thing on their Mac including having to input their admin password. While on a windows machine it only requires opening the wrong file on a website and BAM! Sorry, this barely rises to the level of threat for a Mac user.

  30. aoi_sora9x

    Wah, at first the mac users are like “MAC HAS NO VIRUS, WINDOWS SUCKS”
    now they are like “MAC HAS VIRUS BUT IT TAKES LESS STEPS TO REMOVE THAN WINDOWS. WINDOWS SUCKS”

    really guys? You like that apple kool-aid you are drinking so much? And uncle Jobs?

  31. Graham

    I got the fake screen and the download, then a popup that said Symantec Endpoint Protection Alert; The contents of anti-malware.zip is infected. Do you want to repair it? I clicked no, suspecting a Trojan. The MacProtector thing isn’t showing up on my Activity Monitor. What do I do?

  32. Kari

    One thing that always stands out with any kind of malware is the poor English, just read through some of the screenshots above. This alone should alert you to the fact you’re dealing with the product of some .ru script kiddie.

  33. Jenny

    This should NOT be described at all as a virus. You should be educating people on the difference not misleading/confusing them via this article. It does not replicate hence is not a virus – simple! You should fix the article ASAP to maintain self respect as a tech authority!

    It is “malware” (bad software) and specifically a “trojan” (disguised as something else). Malware will exist by definition on any operating system. Just write a program to delete files, disguise it as something else and you have malware. The paranoia/sensationalism is not required just simple logic.

  34. AC

    No mention of using Google Chrome, WOT, and Sophos? Shame on you, HTG.

  35. AF

    Or just stop visiting the dodgy porn sites.

  36. Ruben.cc

    I’m not entirely sure what your definition of a “virus” is, but for me it’s certainly not something that a user has to willingly download, execute and then provide his admin password to install. This is a lot of fuss over nothing. If you have users that just blindly follow links, download and install anything they’re given then you should probably just take away their computer and give them a pencil and paper to work with and make sure they don’t hurt themselves with the pencil. Your panic story sounds like a user typing “sudo rm -rf / ” at a terminal, providing an admin password and then shouting “Oh my God, it’s a virus!”.

  37. Bejaysus

    Firstly the definition of a computer virus varies from person to person, so if you have some criticism it might be an idea to point it out in a constructive manner as opposed to some of the horrendous comments coming out of people above. I’d personally consider this to be malware due to the fact it requires so much user interaction to install.

    In my definition a computer virus is a piece of software that exploits a vulnerability in an operating system (i.e. a piece of code or a misconfiguration of an operating system) which allows the virus to execute its own code. I’m saying all this as I have yet to see a certified industry wide definition for Malware, Viruses, etc.

    Frankly I think that while the definitions do not match what my definitions are there is still some very useful information in this article, i.e. where some people were duped into installing this software and needed the removal techniques.

    On another note just because someone lacks the computing knowledge to realise that it’s malware does not make them “idiots”. Bear in mind not everyone’s world revolves around computers and technology, otherwise sites like this where information is freely exchanged would not contain such a wealth of content. “Knowledge is Power” as Francis Bacon said.

    And seriously people who cannot see the benefits of all OSs (Windows, Mac, and Linux) and decide to berate others by calling them Fan boys for Mac or Fan boys for Windows really need to grow up. I’ve been using Windows for 15+ years along with Linux for 5+ years, and have recently switched to a Macbook Pro. It’s a fantastically designed device and the OS is certainly a lot more stable (out of the box than any Windows system I have used to date), that being said I have a lot of Windows knowledge and I will continue to expand on that and have no intention of dropping any Windows product line from my skill sets.

  38. Bejaysus

    Oh and….

    @Graham – I think you are fine based on the information you have presented, it looks like you don’t have any problems as your anti-virus software seems to have picked it up but maybe someone who is more proficient in OS X can confirm this.

  39. John

    At least it’s easy to kill. It’s rarely that simple with Windows. Sometimes a simple system restore can fix it, but sometimes it takes a complete reformatting of the HDD.

  40. Christian K.

    You have to go no further than Apple’s support site, & search for “arbitrary code execution” (i.e. install programs without needing user interaction).

    http://support.apple.com/kb/index?page=search&src=support_site.kbase.search&locale=en_US&q=arbitrary%20code%20execution

    Apple makes wonderful products, so it’s not a surprise that this day is coming. I agree with the opinion that you are far, far more likely to encounter malware on a windows platform, but I don’t expect it to stay that way.

  41. bugmenot

    To all the Apple users ( and “new” ex-windows users who just bought a MAC ), who thought the MAC couldn’t get a virus……You were wrong. :-(

    And to those same users……if you think that this is the ONLY virus out there for the MAC…..you’ll be sadly mistaken again. The network security tools I use to scan for viruses / network intrusions have shown several MAC viruses and holes PER MONTH for the LAST 3 YEARS !!!!! Soon your pretty MACBOOKS will be just as virus ridden as the windows machines are now, only when your Macbook breaks it can only be serviced by Apple……who will charge you 3-5 times what the “windows” computer guy charged you…….oh well, I guess that’s the price you pay for being stylish.

  42. Ivydapple

    Mac needs an antivirus as much as Windows does. It’s important for Mac users to know they’re vulnerable to malware, too. Apple should stop saying Macs can’t get viruses–it’s false advertising and gives users a false sense of security.

  43. Revenent

    At the end of the day, it is the user who is foolish enough to click on the link, key in an administrator password and actually allow the software/malware to be installed. Just use a bit of common sense and this simple malware will never reach you regardless of the platform you are working on.

  44. Earl Jones

    Mac users are usually less intelligent and computer savvy than standard computer users. Therefore the average Mac user will likely jump through the hoops required to install this malware. Simple solution is to go Gentoo, but no OS is virus/malware-proof of course. Naturally most Mac users are obsessive fans of the company and would never betray big brother by looking at superior products.

  45. Earl Jones

    And one more small note- If Apple OS ever gets large enough to matter in the world you can expect tons of viruses, adware, and trojans to start coming out on a regular basis. The tiny world community that it currently exists in allows for a relatively low level of malware infection, though it does exist often.

  46. Sorin

    In conclusion linux is the best, it can be fedora, ubuntu, debian, centos, gentoo, dsl, slax or any other distro, linux is the best in security, stability and customization.

  47. EarthRat

    This proves that MAC is not invincible and to the moron that says LINUX is invincible, you are fooling yourself, ever run a LINUX server before? Before you go spewing your ignorance about things you don’t understand get educated!

    Thanks for the tip HTG, this is what keeps me coming back…

  48. Anosike

    Am happy to be part of this class, it has really impacted knowledge in me and i wish to get updates in subsistent time. Cheers

  49. K Smith

    Wow, thanks this was very user friendly and quick. The local Mac store told me about this. I went to the Geek Squad at Best Buy and they knew about “MAC PROTECTOR”. BB/GS told me it would cost at least $70 and it would take them 6 hours to remove it and they would need my notebook for 5 -7 Days. What BS thanks for being out there. Oh, they also told me I could get rid of it by backing up my system and then reload the original Mac OS X system with the supplied system CDs. Don’t think I will be asking BB/GS anymore questions. Wow; what a rip they are!!!!!!!!!!!!!!!!!!

  50. sharon

    I am a new user of mac after getting fed up with pc’s. I have had my computer for a week and tonight I was reading an email when this virus warning came up. My grown kids were yelling at me (they both have mac computers) saying only I could get a virus on a mac. I thought this warning was true but I am smart enough not to pay for anything unless I know what it is so I did a search and came up with this page and I followed your instructions and removed it. I kept getting all different porn sites coming up.
    Does this mean the virus is gone? If I need to do something more what is it?

    Thanks

  51. andy

    Thanks for your help! I just bought this Macbook Pro a week ago and was browsing this morning when suddenly Mac Protector popped up and started downloading all these packages. I freaked out and started to panic… this is a very pricey machine. Immediately I typed in Mac Protector and found your website. Thank you, Thank you!

  52. Sunsmasher

    This grammatical mess in the popup:
    “Apple Web Security have detected trojans and ready to remove them” should be immediate warning to any reasonable sophisticated user.
    95% of the time: grammatical errors/misspellings = fishy.

  53. Sunsmasher

    That’s “reasonably” that is….

  54. fertgirl76

    I just encountered this “fake” virus last night and had porn sites pop up all over the place! Even when I quit all internet applications, they would pop up. Gross!
    Thank you for the advice. Since I don’t have much information stored (other than applications) I was thinking about just trashing my hard drive, but I’ll try this first. I’ll pass on the info to other Mac users, too!

  55. POOOOOOOOOOOO

    MACS suck donkey ballz

  56. ck house

    It worked!! Thank you for the honesty.
    CK

  57. rd

    Thanks alot!

  58. ale

    ok, so what if you are one of the idiots who failed for this and purchased the mac protector and gave away your credit card info…what should I do now?

  59. ale

    fell

  60. AL

    I’m so glad I found this article! This nasty thing just happened to my mac today and I was like “super frightened”. So now I’ve removed it! (I even went to apple store, the Genius Bar guy didn’t really know how to deal w it. Cuz they are not trained to deal w virus problems…)

    THANKSSSSSS!!!!

  61. Max

    Thanks a gazillion…this site saved me a ton of stress…clear directions and bam! I was virus free!

  62. Svend

    I’ve cleaned up at least a dozen Windows PCs with this kind of thing on it, all of them were running reputable AV packages such as Symantec, McAfee, Trend, AVG… you name it, none of them stop it. Their forums are full of discussions arguing about why they should/should not have blocked this kind of thing.
    With Mac use enjoying an increase it was only a matter of time before they started to get targeted by this kind of confidence trick.
    The best prevention we found on Windows was to stop users having admin level access. Then switch on User Access Control (UAC – Vista and win7).

  63. MacLaren Scott

    Thank you a million times! Your instructions were easy and quick. Wish I had found your site first. :)

  64. jim

    Yes, it’s malware. The reason it’s so serious is because it requires user interaction. People are downplaying this saying oh it’s not serious because it requires user interaction.

    They are MAC users that bought MAC hardware which leads a person to believe that they …. will click on and install without hesitation.

  65. LV

    Wow thanks! I’ve come across this pop-up for like 20 times. Thank God it never unzipped automatically. Finally I know what it is!

  66. Nut

    All of you morons saying that Macs can’t get infected…just forget it…Macs can get viruses…if Macs can’t, then why would AVG Linkscanner for Mac and ClamXav exist? They exist because Macs can get viruses like Windows.
    For those Apple fans that don’t know how an infected computer behaves, try installing Windows 7 on Bootcamp and try to use the computer with IE8, no Windows Update, no SP1, and no antivirus, your comp will behave like nuts within hours. Fake popups, BSOD, and etc…
    Guys, get educated. Information is there for a reason.
    Anyway, good article though, even though I’m not a Mac user.

  67. Nut

    Also for those that are switching to a Mac from Windows…think twice…you will lose your applications since most of them are Windows only…although you can use Bootcamp but that’s beyond the scope of average users.
    So what I can only say is…get educated.

  68. chrisj

    funny, i use windows and haven’t had a virus in years and don’t even use a virus protection. here’s how I do it: I don’t go to offbeat websites that I don’t know like gambling or coupon sites, I don’t try and download free stuff from torrents, I don’t open email from people I don’t know, if i look at porn I do it veryyyy carefully, and my browsers are set to not re-open the last page visited (in case I have to bust out a control-alt-delete on the browser cuz I got spoofed to a bad site). With a little knowledge and prevention, you don’t have to pay for an overpriced mac. And if you engage in the stuff I just mentioned because you believe your mac or your ‘best malware protection program in the world’ are going to save you, you don’t know as much about computers as you think you do anyway.
    Good article btw…I work in IT and have seen this with some clients, which is why I read it.

  69. $3@Kr@!t

    It’s harder to remove this from a Win computer because you get anywhere from 2 to 30 other pieces of malware, one being the TDSS RK/BK. I think I saw someone say that Linux doesn’t get malware; please!
    Why do you think rootkits are called rootkits; Do research.
    As with Mac defender and Mac malware the Black Hats are just getting warmed up, the Mac community needs to wake up and realize their OS is not a god OS.
    $3@Kr@!t
    Security Consultant

  70. jojon

    Oh my, this is so tiresome, I hope everyone hlajsjsjsjjs

  71. Cinnymutt

    Thanks for explaining this. When I cool off from my meltdown I will read the entire article. This fake alert prevented my computer from shutting down or closing Safari. I was suspicious after the “remove all” didn’t remove anything so I did a forced shutdown. Hope I didn’t screw anything up. Hopefully the Genius Bar people will fix this tomorrow. Thanks again.

  72. JD

    Guys I was literally using a mac for like 5 mins and came across this very virus!
    The worst part is All I was doing is browsing google.
    I was just googling a mac question and immediately it opened up and started downloading a zip!
    This is bad and safari is dumb for automatically downloading stuff.

    I’m amazed how fast that happened. Fortunately I didn’t launch the app.

    P.S. Good to see another great article Justin. Miss hearing ya on mintCast buddy!

  73. Aram Fingal

    To answer your question, MWG817, At the moment, it looks like Sophos is head and shoulders above the rest on the Mac.

  74. Aram Fingal

    I understand that there are a few vocal Mac fanboys out there who have been saying that the Mac is immune to malware but these are a small minority. Many of us have been watching the situation on Windows and taking what lessons we can to prevent the same thing on the Mac. My experience is that most Mac users don’t even know how little malware OS X has had so far. I have often had Mac users say something like “My machine is slow. I must have viruses.” By the way, isn’t the fact that this malware is getting anywhere proof, in itself, that Mac users don’t believe they are immune to malware. Otherwise they wouldn’t believe it when it says they have viruses.
