Apple investigating ‘MACDefender’ trojan

“Apple is actively conducting an internal investigation into the Mac Defender malware attack,” Ed Bott reports for ZDNet. “An internal document with a Last Modified date of Monday, May 16, 2011 notes that this is an ‘Issue/Investigation In Progress.’ The document [see full article] provides specific instructions for support personnel to follow when dealing with a customer who has called AppleCare to request help with this specific attack.”

“There are two different resolution paths, depending on whether the customer says Mac Defender / Mac Security has or has not been installed. According to this document, if the caller says he or she has not installed the software, the support rep should ‘suggest they quit the installer and delete the software immediately,’” Bott reports. “That is followed by this disclaimer: ‘AppleCare does not provide support for removal of the malware. You should not confirm or deny whether the customer’s Mac is infected or not.’”

Bott reports, “If the software is already installed, support personnel are instructed to make sure all security updates have been installed using Software Update. They are then to direct the customer to the ‘What is Malware?’ Help document using Finder. The final step is clear: ‘Explain that Apple does not make recommendations for specific software to assist in removing malware. The customer can be directed to the Apple Online Store and the Mac App Store for antivirus software options.'”

Full article here.

MacDailyNews Take: If Microsoft apologist Bott devoted his entire life to spending as much time detailing each individual Windows trojan as he has this one, he’d die of old age before he finished covering 1% of them.

Let’s give Apple a chance to investigate and, as always, here’s our usual reminder for Mac users and anyone who’s trying to use any other platform: Do not download and authorize the installation of applications (Trojans) from untrusted sources. No OS can protect users from themselves (or we wouldn’t be able to install any software). Those who grant attackers access to their Macs should not be surprised to find their Macs are compromised.

Related articles:
Is Mac under a virus attack? No. – May 4, 2011
Intego: MACDefender rogue anti-malware program attacks Macs via SEO poisoning – May 2, 2011


  1. This POS popped up on my MacPro and I looked at it for a few seconds. It was well-done!

    Then I deleted it, and shut down my system as if to kill any malingering taint.

    1. Popped up on my twice so far- once from an ad on, and again from a Google image search. If you have JavaScript on and open ‘safe’ files on, it will unzip and start an installer. Yes, this happens all the time to windoze users. But, seriously, why believe it at all? A Finder window in a browser? Bad grammar? I suppose since Macs don’t get these things historically, the usual Mac user might be interested in a novelty sense. Anyway, yes, there will be more such versions of this phish down the road. Forewarned is forearmed.

  2. On the windows side at work we see these ‘jewels’ every day.

    Really it’s a sign that software security has been greatly improved over the last 10 years. I do not remember the last time we had an actual virus outbreak.

    It is always some application that tricks the user into installing it. Seems like malware developers figured out it was easier to social engineer the user than find genuine holes in the operating system to exploit.

    You also cannot just patch human beings or human nature.

  3. Views on MDN’s take:
    – Spock: Yes, that’s logical.
    – Apple user: Yes, but I thought it was an app.
    – Windows user: I might as well carry on. What’s another Trojan on top of the 100 that’s already swimming round my PC.

    Conclusion: We can’t all be Spock.

  4. Apple store employee was shocked to find that by default, Snow Leopard has the Firewall off and open files after downloading on. This was the other night @ the store. Showed him on a display computer.
    Not so smart, especially since many end users run as an Admin & do not set up a user account.

      1. Spelling error due to iPhone auto correct-FYI typed on the fly.
        As to technical knowledge, go to an Apple Store open sys prefs and check the Firewall ( it will be off ). Then open Safari & Prefs you will see “open safe files after downloading”- it will be checked. This is the same if you do a basic install from a retail OS DVD.
        That’s not opinion- that’s fact.
        Item next:
        I have been using personal computers since the late 1970s and have set up and used just about every OS at one time or another. Wrote my first SW in college in 1979 back when storage meant a cassette tape drive.
        I was admining UNIX systems as part of my job for the DoD when Reagan was in the White House and many who are reading this were riding a tricycle in the driveway.
        Yes, I know Apple Stores have a server in between display units and the net, but my point is that the default configuration is wide open to millions of users who set up an admin account & don’t change the defaults.

      2. he IS correct on the settings.
        my new iMac came EXACTLY how he described.

        First thing I did since I got it right after the trojan crap was just starting.
        I run Firefox and NoScript, so far (knock on wood) I haven’t even seen the popup yet.

        but it just makes me ask… just how many people fall for this crap?
        wait… my Uncle is calling, another Virus on his PC…..
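The two settings this exchange is about (Safari’s “Open ‘safe’ files after downloading” checkbox and the application firewall) can be audited from Terminal rather than by clicking through System Preferences on a display Mac. The script below is an added example, not code from MacDailyNews or any commenter. It assumes Safari stores that checkbox as the boolean key `AutoOpenSafeDownloads` in the `com.apple.Safari` domain and that the firewall state lives in `/Library/Preferences/com.apple.alf` under `globalstate` (0 = off, 1 = on, 2 = block all incoming); verify the key names on your own system before relying on them. The classification functions work on any value you pass them, so the script is usable on a non-Mac for review; the live read only runs where `defaults` exists.

```shell
#!/bin/sh
# Added example (not from the article or its commenters): audit the two
# Snow Leopard defaults discussed in the thread.
# Assumptions: Safari keeps "Open 'safe' files after downloading" as the
# boolean key AutoOpenSafeDownloads in com.apple.Safari, and the application
# firewall keeps its state as globalstate in /Library/Preferences/com.apple.alf
# (0 = off, 1 = on, 2 = block all incoming). Check both on your own machine.

# Classify the AutoOpenSafeDownloads value. An absent key means Safari uses
# its shipped default, which the commenters report is "on": a zipped
# installer fetched by a drive-by page is unpacked and launched with no click.
classify_auto_open() {
    case "$1" in
        0|false|NO)  echo "ok: downloads are not auto-opened" ;;
        1|true|YES)  echo "weak: Safari auto-opens 'safe' files" ;;
        unset)       echo "weak: key not set, shipped default auto-opens 'safe' files" ;;
        *)           echo "unknown: value '$1'" ;;
    esac
}

# Classify the firewall globalstate value. An absent key is treated as the
# shipped default, which the commenters report is "off".
classify_firewall() {
    case "$1" in
        0)      echo "weak: application firewall is off" ;;
        1)      echo "ok: application firewall is on" ;;
        2)      echo "ok: application firewall blocks all incoming" ;;
        unset)  echo "weak: key not set, shipped default is off" ;;
        *)      echo "unknown: value '$1'" ;;
    esac
}

# Read one default; print "unset" if the domain or key does not exist.
read_default() {
    defaults read "$1" "$2" 2>/dev/null || echo "unset"
}

# Live audit, only where the macOS `defaults` tool is present.
if command -v defaults >/dev/null 2>&1; then
    auto_open=$(read_default com.apple.Safari AutoOpenSafeDownloads)
    firewall=$(read_default /Library/Preferences/com.apple.alf globalstate)
    classify_auto_open "$auto_open"
    classify_firewall "$firewall"
    # To close both holes (the firewall write needs root; log out/in or
    # reboot afterwards on 10.6 so the daemon picks it up):
    #   defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
    #   sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 1
fi
```

Turning `AutoOpenSafeDownloads` off does not stop the scamware page from downloading its archive; it only stops Safari from unpacking it and starting the installer unattended, which is the step that makes the drive-by convincing.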

  5. I have an article up on my Mac-Security blog providing a generic method for removing Scamware/Rogueware Trojan horses such as ‘MAC Defender’ (the proper spelling), ‘Mac Security’ and ‘MacProtector/Apple Security Center/Apple Security Alert’:

    Removing Scamware: Generic Instructions

    So far, this series of Trojans is not dangerous except if you are fooled, aka socially engineered, into forking over money for the bogus software.

    Lest anyone start buying into the ongoing FUD Fest regarding Mac OS X security: There continue to be NO viruses and NO worms for Mac OS X. All Mac OS X malware (currently 34 according to my count) are either Trojan horses or hacker tools (which technically are not malware). There is no ‘flood’ of Mac malware. Windows continues to have over 150x more malware on a per user basis, a fact that destroys ye olde ‘security through obscurity’ troll FUD BS. Mac OS X is fundamentally safer than Windows. (So sorry trolls!) But keep in mind that Mac OS X is NOT perfect and regularly has critical security updates.

    The Rules Of Computing:

    1) Make a backup. Make them regularly, both locally and off site (such as via ‘the cloud’). This is your very best defense against malware infections.

    2) Verify all software before installing it. Verify the source is reliable and that the software app is reliable. Use Google to look it up. Download from reliable sources such as VersionTracker, MacUpdate, Major Geeks, etc. Don’t ever blindly install emailed software.

    3) Verify that websites you visit are legitimate. This third rule is difficult. Use web browser tools to help you check where you visit against a blacklist of known bad websites. Don’t ever blindly click on emailed links.

    4) Keep your computer up-to-date with security updates.

    I hope that helps!

      1. Firesheep was intended as a cattle prod applied to the entire web community, pointing out that SSL should be always active on every website at all times. Sadly the response has been rather drowsy.

        In the meantime the best defense comes from the Electronic Frontier Foundation in the form of the Firefox add-on HTTPS Everywhere.

        Its purpose is to FORCE the use of SSL (aka HTTPS) on most websites affected by the Firesheep hacker tool. EFF has been regularly updating it as further sites affected by Firesheep add SSL capability.

        The general thing Mac users can do is to avoid using the Internet via wide open Wi-Fi connections. If you like to hang out at a café etc. that does not provide you with any protection, any password or prerequisite web page before you can use their Wi-Fi service, then ASK the location to turn on some kind of login procedure on their router.

        Ideally all routers should provide WPA2 encryption protection. (WEP encryption is considered worthless at this point as any hacker can crack into it within 1 minute flat).

  6. I never could figure out user accounts.

    I never could figure out how to have two iPhones, two MobileMe, and one computer.

    I have no idea what malware is.


  7. BTW: Mark Allen and friends, who write and support ClamXav, have dutifully made certain that the ClamAV malware definitions for Mac OS X are up-to-date. ClamXav is FREE. Thanks to their efforts, I highly recommend installing and using ClamXav if you are ever concerned about Malware infection on your Mac. You will also find that ClamAV can be installed and run through the Snow Leopard Cache Cleaner utility application, well worth buying @ $15.

    1. And before anyone goes installing ClamXav they really should take a look at the troubleshooting (support) pages. At that point they may soon come to the conclusion that the AV software causes 1000 times more issues, data losses, and interruptions than any (non-existent) viruses. It is also noteworthy that no AV software can protect you from the first wave of malware or users who willingly install Trojans.

      Using Macs with impunity since OS8. No AV software, no problems. Ever.

        1. I disagree with you both. ClamX consumes very few CPU cycles and very little RAM. I am running ClamX Sentry and Activity Monitor will bear witness to my statement.

          I run Maya and ZBrush and Photoshop at the same time and I don’t notice any detrimental activity while ClamX Sentry is running. In fact, Little Snitch is a bigger pain in the ass than ClamX.

          Anyone who is part of a larger network, and a mixed one at that, like my home system has to weigh the pros and cons of installing AV software…

          Mark my words, all Mac users will eventually install AV software on their computers. It’s inevitable.

          1. Run AV SW as it is required for access to my employer’s systems- no exceptions.
            Good AV SW does not drag on any decent HW & having a Mac mini server (LR TV with Plex & EyeTV) & a MacPro tower on my desk makes me confident in that statement.

      1. In my Mac experiences since 1992 I have only been affected by one piece of malware, a worm for Mac OS 8.x which was designed to mess up fonts on graphic artist machines. It sadly shipped on a series of CDs at the time.

        If one runs an anti-malware (“AV” or anti-virus) program with real-time scanning, it can indeed slow down the computer. I’ve tried a bunch of them over the years. The only one I like at the moment is Intego’s VirusBarrier X6. It has had occasional bugs where one of its processes will go into a ‘race condition’ where it eats the CPU alive. But I’ve been doing testing with Intego to root out the cause. I have not run into it with the most recent update. Otherwise I don’t notice VirusBarrier running until it occasionally warns me about a bad web link or image file I’ve clicked. I never use the real-time scanning as I see no point.

        Essentially ALL the current Mac OS X malware use ‘social engineering’ to fool you into installing the thing. If one is careful about what one installs and what links one clicks, there isn’t really much danger.

        Where I warn people to be careful is when they are newbies or when they are working with newbies or outright technophobes. In these cases the “LUSER Factor” can be quite high whereby the user has no idea that installing WAREZ may result in their computer getting botted, or they take the current MAC Defender series of scamware/rogueware seriously and pay for the crap.

        As for the problem of susceptibility to first-run malware, it’s inevitable unless you’re running a heuristic analysis system as part of your anti-malware installation. I find heuristic analysis to be wrong more often than it’s right and hate the stuff. The best approach is to use a quality anti-malware app that repeatedly checks every day for new malware signature files and nags you to install them. This is the case with VirusBarrier X6, which nagged me twice today to install the new update, which no doubt includes the signature for the new version of the Black Hole RAT hacker tool just released on the net.

        Going totally sellout over Intego, I have a great contact over at their offices and very much respect their work. They consistently find new malware before just about anyone but Sophos, whom I generally respect as well. Therefore, Intego tend to be the first to release new malware signature files. (I don’t get paid for any of my anti-malware blogging or rants BTW).

  8. ClamX scanned my downloads folder and found MacProtector contained an infected file and moved it to the quarantine folder.

    I’ve encountered this malware twice today. Both times I clicked on images in Google search.

    My computer was scanned and I was told I had 52 viruses on my Mac. It then launched the OS X installer in preparation for installing MacProtector. I just quit the installer but the malware was still in my downloads folder.

    I have my first malware quarantined! It’s time to dissect this sucker and see what makes it tick.

  9. I should note that, ClamX Sentry missed the malware once it downloaded. I checked the logs and saw it scanned the MacProtector payload and found nothing suspicious.

    Once I launched the ClamX application, it updated the definitions, as planned. I then instructed the app to scan the downloads folder and Bingo! it found the malware.

    Brau’s right. You can’t defend yourself against malicious software. Because just like combat, you never hear the bullet that rips your head off.

    Time Machine should be in everyone’s arsenal.

    1. Your post had me attempt to update my ClamX (ClamXav_2.1.1). However, the Sha1 checksums didn’t match. I have checked it a few times now, but the numbers aren’t even close.
      Supposed to be:

    2. Your post had me attempt an update to my ClamX, but once downloaded the sha1 checksums didn’t match. I have checked a few times, no match. Something maybe off with ClamX, I have decided not to run the dmg file (ClamXav_2.1.1.dmg)

  10. Apple will see more than a few infected Macs being brought in to the Apple Store.

    Apple has to address this issue, even if it’s only to reiterate some common sense rules about the installation process, because too many ignorant Mac users are falling prey to this malware…

    1. It was interesting to hear that you do not see a drop off in performance with ClamX. My experience has been quite the opposite. The last time I installed it, the MBP slowed down considerably. I had to shut down background activity in order to regain speed.
      It seems to me that the background processes were performing scans on the system. In the past this has taken 12 hours to complete (reading from the log).
      Any advice you can give would help.

  11. My septuagenarian father installed Mac Protector after it downloaded and popped up on his screen, thinking it was Apple software. I told him the only way Apple provides software is through Software Update and then deleted it from his Applications folder. To the inexperienced, it sounds helpful and authentic.

    1. Sorry to hear that, but the malicious software is still there.

      The application, MacProtector, probably was installed in the Applications folder because it’s a legitimate piece of software; however, the download included another file called Archive.pax.gz. That file is unzipped and installed right along with the MacProtector application.

      I would advise you to read ZDNet’s Apple to support reps: “Do not attempt to remove malware” located here:

      1. “Apple to support reps: “Do not attempt to remove malware””

        This is good advice as performing support over the phone for such problems is a big PITA. Been there, done that for years. Apple are minding their backsides.

        But the MAC Defender/Mac Security/MacProtector series is essentially benign, except that it is annoying and suckers in some people to pay for the crap and give away their credit card data.

        The names of the files downloaded by this scamware/rogueware can literally be anything. Typically they download as a compressed file, such as the ‘archive.pax.gz’ you noted. They then expand into either a .dmg file or one of the package file formats for installation. So far the installer for all of them has been identical apart from the name-of-the-day the perpetrator is using. You can see what the current version generally looks like HERE.
