MAC Defender Rogue Anti-Virus for Mac OS X analysis and removal

Macworld Australia Staff
4 May, 2011
Press Release

May 2, 2011 – Las Vegas, Nevada. SecureMac reports that a new privacy and security threat is targeting computers running Apple’s Mac OS X, disguised as an anti-virus program called MAC Defender. The rogue anti-virus program will “detect” nonexistent threats as being present on the user’s system in an effort to persuade them to hand over their credit card information and purchase a “subscription” to the program. If that doesn’t do enough to convince the user to buy the fake anti-virus program, it will start popping up pornographic websites to create an actual problem on the system.

The malware, first reported on various discussion boards last week, initially appears in the web browser as a fake anti-virus scan (with graphics from Microsoft Windows) when the user clicks a web link. At the time of our initial analysis, the fake scan sites were appearing after the user clicked an infected link in Google image searches. Initial user reports indicate that a wide variety of keywords will show search results containing infected links. If the user clicks on various links or buttons on the fake scan webpage rather than closing it immediately, the actual malware will be downloaded to the user’s system. The fake scan site checks the web browser settings to determine if the user is running Mac OS X or Microsoft Windows, and then downloads the appropriate installer for the user’s operating system.

If the user has set their web browser to automatically open ‘safe’ files such as zip archives, the installer for the malware will appear without further user interaction. Once the user runs the installer (and enters their admin password when prompted), the malware is installed to the Applications folder, sets itself as a login item, and starts to run. The malware appears as a menu bar item in OS X, but without a Dock icon or any way to exit the program. The program immediately starts to “scan” the infected system, alerts the user that they are infected with various malware, and prompts them to purchase the program in order to remove the threats. If the user decides not to purchase a subscription, the malware will start displaying pornographic websites at random on the infected system.

MAC Defender uses JavaScript to display the fake scan webpage and download the installer file, unlike the Boonana malware detected by SecureMac in October 2010, which uses Java as the technology behind infections. While disabling Java in the web browser was an easy solution to avoid Boonana infections, JavaScript is used on a large number of websites, and disabling JavaScript will result in a significantly degraded web browsing experience. Instead, SecureMac offers the following simple tips to avoid infection by MAC Defender:

Safe Browsing Tips

1. Watch where you surf. By sticking with safe, well-known websites, you will be less likely to visit a site that will attempt to infect you with this malware. When clicking on results from a search engine, be extra vigilant for websites that seem fishy.

2. Watch what you download. Download files only from trusted sources and safe sites. If a file automatically downloads or an installer randomly appears, be sure to determine if it is legitimate instead of blindly installing it. If you are unsure, err on the side of caution and don’t install the program without further research.

3. Use the security features in OS X. Disable web browsers from automatically opening “safe” files. In Safari, you can disable this feature by clicking the “Safari” menu, then clicking “Preferences,” then unchecking the “Open “safe” files after downloading” checkbox. Turn on the built-in Firewall, and consider legitimate security software, especially when a computer is shared by multiple users.

If you find yourself infected with this new malware, there are a number of alternatives for removal:

Removal Instructions

MacScan users can identify the new malware by running a spyware scan with the latest spyware definitions update, which was released May 2, 2011. A 30-day demo of MacScan can be downloaded from SecureMac at To update spyware definitions from within the program, click the “MacScan” menu and then click “Check for updates.” Once the malware has been detected and isolated, users should drag the “MacScan Isolated Spyware” folder from their Desktop to the Trash in order to remove MAC Defender from their system.

For manual removal users should follow either of these two methods:

Method One

1. Open Activity Monitor from the Utilities folder. Make sure the drop-down menu is set to “all processes.”

2. Use the search field in Activity Monitor to search for MacDefender.

3. Click on the MacDefender process. Click the “Quit Process” button. Click “Force Quit.”

4. Drag the MacDefender program (installed in the Applications folder by default) to the Trash. Empty the Trash.

5. Remove MacDefender from the Login Items for your Account in the OS X System Preferences (if it exists).

Method Two (Advanced)

1. Open the Terminal application from the Utilities folder.

2. Type the following command in the terminal (without quotes) and hit the return key: ‘ps -ax | grep -i MacDefender’

3. Note the process ID associated with the MacDefender program (the first digits listed in the result).

4. Type the following command in the terminal (without quotes, and substituting the process ID noted above for XXXX) and hit the return key: ‘kill XXXX’

At this time the MAC Defender program will no longer be running. Continue with steps 4 and 5 from Method One for removal.
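The following script is an added example and is not part of the SecureMac press release. It scripts Method Two (find the process in a `ps -ax` listing and kill it) together with steps 4 and 5 of Method One (remove the application bundle and the login item), and finishes with the Safari setting from Safe Browsing Tip 3. The process name `MacDefender`, the bundle path `/Applications/MacDefender.app`, and the Safari preference key `AutoOpenSafeDownloads` are assumptions, not values taken from the release; the `ps` listing used for the offline check is constructed.

```shell
#!/bin/sh
# Added example, not code from the press release. Scripted removal of a rogue
# anti-virus process following the page's Method Two, then Method One steps 4-5.
# Assumptions: the process and bundle are literally named "MacDefender" and the
# bundle is installed at /Applications/MacDefender.app.

TARGET="${1:-MacDefender}"

# Parse a `ps -ax` listing (passed in as text) and print the PIDs whose command
# line matches the target, case-insensitively. The page's one-liner
# `ps -ax | grep -i MacDefender` also matches the grep process itself, so lines
# containing "grep" are skipped. Taking the listing as an argument (rather than
# running ps inside) is what makes this function checkable offline.
extract_pids() {
    listing="$1"
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$listing" | awk -v pat="$name" '
        NR == 1 { next }                    # skip the "PID TTY TIME CMD" header
        tolower($0) ~ /grep/ { next }       # skip the grep from the one-liner
        index(tolower($0), pat) > 0 { print $1 }
    '
}

# Terminate each PID: SIGTERM first (the page's plain `kill XXXX`), then
# SIGKILL if the process is still alive a second later.
kill_pids() {
    for pid in "$@"; do
        kill "$pid" 2>/dev/null || true
        sleep 1
        if kill -0 "$pid" 2>/dev/null; then
            kill -9 "$pid" 2>/dev/null || true
        fi
    done
}

# Constructed sample listing in `ps -ax` layout, used only for the offline check.
PS_SAMPLE='  PID TTY           TIME CMD
    1 ??         0:30.12 /sbin/launchd
  412 ??         0:02.11 /Applications/MacDefender.app/Contents/MacOS/MacDefender
  500 ttys000    0:00.00 grep -i MacDefender
  601 ??         0:01.02 /Applications/Safari.app/Contents/MacOS/Safari'

remove_rogue() {
    pids=$(extract_pids "$(ps -ax)" "$TARGET")
    if [ -n "$pids" ]; then
        echo "Stopping process(es): $pids"
        # Unquoted on purpose: one PID per word.
        kill_pids $pids
    else
        echo "No running process matching $TARGET"
    fi

    # Method One, step 4: remove the application bundle.
    if [ -d "/Applications/$TARGET.app" ]; then
        rm -rf "/Applications/$TARGET.app"
    fi

    # Method One, step 5: drop the login item (macOS only, via System Events).
    if command -v osascript >/dev/null 2>&1; then
        osascript -e "tell application \"System Events\" to delete login item \"$TARGET\"" 2>/dev/null || true
    fi

    # Safe Browsing Tip 3: turn off Safari's "Open safe files after downloading".
    # Assumed to correspond to the AutoOpenSafeDownloads preference key.
    if command -v defaults >/dev/null 2>&1; then
        defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
    fi
}

# The destructive steps only run when explicitly requested:
#   RUN_REMOVAL=1 sh remove_macdefender.sh
if [ "${RUN_REMOVAL:-0}" = "1" ]; then
    remove_rogue
fi
```

Against the constructed listing, `extract_pids "$PS_SAMPLE" MacDefender` prints only `412`: the `grep` line that the page's one-liner would have returned as a second hit is filtered out, so the PID handed to `kill` is the malware's and not the shell's own search.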

MacScan quickly detects, isolates and removes malware from Macintosh computers using both real-time spyware definition updating and unique detection methods. The software also manages internet-related clutter on your computer. It is designed for Mac OS X version 10.2.4 and later. Since 1999, SecureMac has been at the forefront of Macintosh system security. The site not only features complete Macintosh Anti-Spyware and Antivirus solutions, but also operates as a clearinghouse for news, reviews and discussion of Apple computer security issues. Users from novice to the most advanced will find useful information at SecureMac that is designed to make their computer experience trouble free.

