Fake AV Targets Mac OS X Through Poisoned Search Links

Attackers are distributing a fake antivirus specifically designed to look like a real Mac OS X application using poisoned search results.

Relying on the supposed "invulnerability" of Apple's operating system got even riskier as malware developers have launched a rogue antivirus specifically targeting Mac OS X users, according to a security firm.

The bogus antivirus program, called MAC Defender downloads itself onto the user's computer and automatically launches a scanner to "find" several viruses on the system, security firm Intego said May 2. The rogue software is taking the name of the legitimate MacDefender program in order to trick users into thinking it's a real security software.

"In the past," the company wrote, "these types of sites-very common vectors of Windows malware-only delivered Windows .exe applications. The fact that such a site is providing a Mac rogue antivirus is new, and extremely rare. While the site itself still shows a fake Windows screen, the rogue antivirus itself is a well-designed Mac application."

Intego claimed the makers of this scareware have used black hat search engine optimization tactics to boost malware Websites to the top of Google and other search engine results for some keywords. Neither Sophos nor Intego identified the affected keywords, although some users told The Next Web they were infected while looking at images of piranhas.

The professional-looking software has been seen on both Google image search and on regular search results pages. When users click on the rogue link, they are redirected to a Website containing malicious JavaScript code that displays a fake scan with a results window claiming the system has been infected. The code also analyzes whether the user is running Windows or Mac OS X and downloads a compressed ZIP file customized for the operating system.

If the user has the "open safe files" option checked in Safari, or a comparable option in other browsers, then the rogue file opens on its own, according to Intego. Intego recommended turning off the option that allows files to open automatically.

If a user gets this far, they can still stop the infection, as the installer will cause the system to prompt the user for a system password before installing the "MACDefender Setup" program.

"This latest attack can be very convincing, as the malware pretends to be a legitimate Mac anti-virus program called MacDefender and claims to find some very important applications and functions that may have been compromised," Chester Wisniewski, Sophos senior security advisor, wrote on the NakedSecurity blog.

MACDefender tries to convince users to enter credit card information to buy a one-year license for $59.95, a two-year license for $69.95 or a "lifetime" software license for $79.95 to remove the supposed infection.

"What is really at risk is your credit card information if you succumb to the attack and provide your information," Wisniewski said.

The application attaches itself to the computer's launch menu and has no dock icon, making it difficult to quit. MAC Defender also opens Web pages for adult content Websites in the user's Web browser every few minutes; this tricks users into thinking their machines are infected by a virus, according to Intego.

It's not clear whether MAC Defender was acting as a virus or as a form of scareware designed to steal Mac users' credit card details, but for the moment, it seems pretty low-risk because it still requires user interaction to actually install the malware. Just downloading the file won't infect the computer, according to Intego.

To remove the MACDefender application, users should go to Activity Monitor in Applications/Utilities and disable anything that relates to the file. Users should look for any references to the scareware in Startup Items, Launch Agents and LaunchDaemons and quit running processes. Finally, users should drag the MAC Defender application to the trash and trash any other MACDefender reference found under Spotlight.