The rouge anti-virus program will "detect" nonexistent threats as being present on the user's system in an effort to persuade them to hand over their credit card information and purchase a "subscription" to the program. If that doesn't do enough to convince the user to buy the fake anti-virus program, it will start popping up pornographic websites to create an actual problem on the system
The malware, first reported on various discussion boards last week, initially appears in the web browser as a fake anti-virus scan (with graphics from Microsoft Windows) when the user clicks a web link.
At the time of our initial analysis, the fake scan sites were appearing after the user clicked an infected link in Google image searches. Initial user reports indicate that a wide variety of keywords will show search results containing infected links.
If the user clicks on various links or buttons on the fake scan webpage rather than closing it immediately, the actual malware will be downloaded to the user's system. The fake scan site checks the web browser settings to determine if the user is running Mac OS X or Microsoft Windows, and then downloads the appropriate installer for the user's operating system.
If the user has their web browser to automatically open 'safe' files such as zip archives, the installer for the malware will appear without further user interaction. Once the user runs the installer (and enters their admin password when prompted), the malware is installed to the Applications folder, sets itself as a login item, and starts to run.
The malware appears as a menu bar item in OS X, but without a Dock icon or any way to exit the program. The program immediately starts to "scan" the infected system, alerts the user they are infected with various malware, and prompts them to purchase the program in order to remove the threats. If the user decides not to purchase a subscription, the malware will start displaying pornographic websites at random on the infected system.
Safe browsing tips
1. Watch where you surf. By sticking with safe, well-known websites, you will be less likely to visit a site that will attempt to infect you with this malware. When clicking on results from a search engine, be extra vigilant for websites that seem fishy.
2. Watch what you download. Download files only from trusted sources and safe sites. If a file automatically downloads or an installer randomly appears, be sure to determine if it is legitimate instead of blindly installing it. If you are unsure, err on the side of caution and don't install the program without further research.
3. Use the security features in OS X. Disable web browsers from automatically opening "safe" files. In Safari, you can disable this feature by clicking the "Safari" menu, then clicking "Preferences," then uncheck the "Open "safe" files after downloading" checkbox. Turn on the built-in Firewall, and consider legitimate security software, especially when a computer is shared by multiple users.
For manual removal users should follow either of these two methods:
1. Open Activity Monitor from the Utilities folder. Make sure the drop-down menu is set to "all processes."
2. Use the search field in Activity Monitor to search for MacDefender.
3. Click on the MacDefender process. Click the "Quit Process" button. Click "Force Quit."
4. Drag the MacDefender program (installed in the Applications folder by default) to the Trash. Empty the Trash.
5. Remove MacDefender from the Login Items for your Account in the OS X System Preferences (if it exists).
Method two (advanced)
1. Open the Terminal application from the Utilities folder.
2. Type the following command in the terminal (without quotes) and hit the return key: 'ps -ax | grep -i MacDefender'
3. Note the process ID associated with the MacDefender program (the first digits listed in the result).
4. Type the following command in the terminal (without quotes, and substituting the process ID noted above for XXXX) and hit the return key: 'kill XXXX'
At this time the MAC Defender program will no longer be running. Continue with steps 4 and 5 from Method One for removal.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.