Attackers are distributing a fake antivirus specifically designed to look like a real Mac OS X application using poisoned search results.
Relying on the supposed
"invulnerability" of Apple's operating system got even riskier as malware
developers have launched a rogue antivirus specifically targeting Mac OS X
users, according to a security firm.
The bogus antivirus program,
called MAC Defender downloads itself onto the user's computer and automatically
launches a scanner to "find" several viruses on the system, security firm
Intego said May 2. The rogue software is taking the name of the legitimate
MacDefender program in order to trick users into thinking it's a real security
"In the past," the company
wrote, "these types of sites-very common vectors of Windows malware-only
delivered Windows .exe applications. The fact that such a site is providing a
Mac rogue antivirus is new, and extremely rare. While the site itself still
shows a fake Windows screen, the rogue antivirus itself is a well-designed Mac
Intego claimed the makers of
this scareware have used black hat search engine optimization tactics to boost
malware Websites to the top of Google and other search
for some keywords. Neither Sophos nor Intego identified the
affected keywords, although some users told The
they were infected while looking at images of piranhas.
software has been seen on both Google
and on regular search results pages. When users click on the
code that displays a fake scan with a results window claiming the system has
been infected. The code also analyzes whether the user is running Windows or
Mac OS X and downloads a compressed ZIP file customized for the operating
If the user has the "open
safe files" option checked in Safari, or a comparable option in other browsers,
then the rogue file opens on its own, according to Intego. Intego recommended
turning off the option that allows files to open automatically.
If a user gets this far,
they can still stop the infection, as the installer will cause the system to
prompt the user for a system password before installing the "MACDefender Setup"
"This latest attack can be
very convincing, as the malware pretends to be a legitimate Mac anti-virus
program called MacDefender and claims to find some very important applications
and functions that may have been compromised," Chester
, Sophos senior security advisor, wrote on the NakedSecurity
MACDefender tries to
convince users to enter credit card information to buy a one-year license for
$59.95, a two-year license for $69.95 or a "lifetime" software license for
$79.95 to remove the supposed infection.
"What is really at risk is
your credit card information if you succumb to the attack and provide your
information," Wisniewski said.
The application attaches
itself to the computer's launch menu and has no dock icon, making it difficult
to quit. MAC Defender also opens Web pages for adult content Websites in the
user's Web browser every few minutes; this tricks users into thinking their
machines are infected by a virus, according to Intego.
It's not clear whether MAC
Defender was acting as a virus or as a form of scareware designed to steal Mac
users' credit card details, but for the moment, it seems pretty low-risk
because it still requires user interaction to actually install the malware.
Just downloading the file won't infect the computer, according to Intego.
To remove the MACDefender
application, users should go to Activity Monitor in Applications/Utilities and
disable anything that relates to the file. Users should look for any references
to the scareware in Startup Items, Launch Agents and LaunchDaemons and quit
running processes. Finally, users should drag the MAC Defender application to
the trash and trash any other MACDefender reference found under Spotlight.