Apple: How to avoid or remove MACDefender malware (permanent fix coming in Mac OS X update)

Apple has published KnowledgeBase article HT4650, “How to avoid or remove Mac Defender malware,” which states:

Summary
A recent phishing scam has targeted Mac users by redirecting them from legitimate websites to fake websites which tell them that their computer is infected with a virus. The user is then offered Mac Defender “anti-virus” software to solve the issue.

This “anti-virus” software is malware (i.e. malicious software). Its ultimate goal is to get the user’s credit card information which may be used for fraudulent purposes.

The most common names for this malware are MacDefender, MacProtector and MacSecurity.

In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware.

In the meantime, the Resolution section below provides step-by-step instructions on how to avoid or manually remove this malware.

Products Affected
Mac OS X 10.4, Mac OS X 10.6, Mac OS X 10.5

Resolution
How to avoid installing this malware

If any notifications about viruses or security software appear, quit Safari or any other browser that you are using. If a normal attempt at quitting the browser doesn’t work, then Force Quit the browser.

In some cases, your browser may automatically download and launch the installer for this malicious software. If this happens, cancel the installation process; do not enter your administrator password. Delete the installer immediately using the steps below.

1. Go into the Downloads folder or your preferred download location.
2. Drag the installer to the Trash.
3. Empty the Trash.

How to remove this malware

If the malware has been installed, we recommend the following actions:
• Do not provide your credit card information under any circumstances.
• Use the Removal Steps below.

Removal steps
• Move or close the Scan Window
• Go to the Utilities folder in the Applications folder and launch Activity Monitor
• Choose All Processes from the pop up menu in the upper right corner of the window
• Under the Process Name column, look for the name of the app and click to select it; common app names include: MacDefender, MacSecurity or MacProtector
• Click the Quit Process button in the upper left corner of the window and select Quit
• Quit Activity Monitor application
• Open the Applications folder
• Locate the app ex. MacDefender, MacSecurity, MacProtector or other name
• Drag to Trash, and empty Trash

Malware also installs a login item in your account in System Preferences. Removal of the login item is not necessary, but you can remove it by following the steps below.
• Open System Preferences, select Accounts, then Login Items
• Select the name of the app you removed in the steps above ex. MacDefender, MacSecurity, MacProtector
• Click the minus button

Use the steps in the “How to avoid installing this malware” section above to remove the installer from the download location.

More info here.
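The manual checks in the removal steps above (Activity Monitor, then the Applications folder) can be written as a read-only shell script. This is an added example, not part of Apple's article, and it looks only for the three app names the article lists. The function names, the `--scan` flag and the sample process listing are constructed for illustration.

```shell
#!/bin/sh
# Read-only check for the app names listed in the article.
# Variants may use other names, so a clean result is not proof of absence.
KNOWN_NAMES="MacDefender MacSecurity MacProtector"

# Print app bundles directly inside directory $1 whose name matches a known name.
find_bundles() {
    for name in $KNOWN_NAMES; do
        find "$1" -maxdepth 1 -iname "$name.app" 2>/dev/null || true
    done
}

# Filter "PID COMMAND" lines on stdin down to those running a known name,
# matched as a whole path component so e.g. "MacSecurityNotes" is ignored.
match_processes() {
    names=$(echo "$KNOWN_NAMES" | tr ' ' '|')
    grep -iE "(^|[ /])($names)(\.app/|\$)" || true
}

# Report findings for one Applications directory plus a process listing on
# stdin. Returns 1 if anything was found, 0 if nothing matched.
scan_host() {
    bundles=$(find_bundles "$1")
    procs=$(match_processes)
    [ -n "$procs" ] && printf 'Running (quit these first):\n%s\n' "$procs"
    [ -n "$bundles" ] && printf 'Installed (drag to Trash):\n%s\n' "$bundles"
    [ -z "$procs$bundles" ]
}

# Constructed sample listing, in the shape of `ps -A -o pid=,comm=` output.
SAMPLE_PS='  101 /Applications/Safari.app/Contents/MacOS/Safari
  202 /Applications/MacDefender.app/Contents/MacOS/MacDefender
  303 /Users/me/Documents/MacSecurityNotes'

if [ "${1:-}" = "--scan" ]; then
    # Real check: live process list plus the given (or default) apps folder.
    ps -A -o pid=,comm= | scan_host "${2:-/Applications}"
else
    # Offline demo on the constructed sample; only PID 202 should be reported.
    echo "$SAMPLE_PS" | scan_host /nonexistent-sample-dir || echo "(sample data)"
fi
```

The script only reports; quitting the process and deleting the app remain the manual steps from the article.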

Related articles:
MACDefender trojan protection and removal guide – May 20, 2011
Apple investigating ‘MACDefender’ trojan – May 19, 2011
Is Mac under a virus attack? No. – May 4, 2011
Intego: MACDefender rogue anti-malware program attacks Macs via SEO poisoning – May 2, 2011

32 Comments

  1. MDN should probably sticky this at the top for now..
    sadly there are enough windows users migrating to Mac now that this needs to be dealt with.

    And side note, Apple SHOULD uncheck that box about installing downloaded files from trusted sources OUT OF THE BOX… that’s pretty stupid.
    my New 2011 iMac had it checked when i fired up Safari the first time.

    1. I agree – the fact that Apple has Safari default to ‘open “safe” files after downloading’ is really, really stupid. It’s one of the first things I immediately uncheck on a new machine/account.

    2. Opening safe files should not be unchecked by default, it should be expanded to allow you to define what files are safe and what are not. An installer whitelist could be provided for App store apps for example. It should be OK to automatically open a ZIP file that contains images but not one that contains an executable.

      1. problem is, 95%+ of mac users would never even know it had options.. those switching to mac would never know it was there.
        turn it off, first time you download something they should have a dialog box pop up and explain how to change settings.

    3. Agreed. I’ve always thought that the automatically install trusted…was a dumb feature. I always turn that off. Everyone should turn that off. Must be an idiot ex Windows Eng they hired that conceived that stupid feature into Mac OS X.

    4. @FTB sez: “Apple SHOULD uncheck that box about installing downloaded files from trusted sources OUT OF THE BOX”

      YES.

      The anti-malware community have been YELLING THIS at Apple since Safari was first released. It’s one of those few poor but persistent decisions Apple has made to the detriment of its users. Apple know better. I expect the MAC Defender fiasco will finally convince them to play it safer.

      It never hurts to give Apple a swift kick in the ass every now and again to get them moving on problems they’ve ignored.

      No way is Apple perfect. They’re just the best there is.

    5. I posted that this issue and the fact that the application firewall is turned off by default in the setup of Snow Leopard the other day and was attacked by a poster as being wrong and ignorant concerning such things.
      For the record, I qualify opinions as such when posting and state things as facts only when known to be so.

      1. Why?

        All you have to do to remove MAC Defender is force-quit it and drag it into the trash. Wiping your Mac clean and starting from scratch is totally pointless.

    6. Also Apple has that checked because it makes installing Widgets a no-brainer. I leave mine unchecked and tell clients to do so unless they need a Widget, then just check it temporarily for that specific moment of download.

    1. A key point here is that Mac malware does no harm unless (1) you are “stupid” and intentionally run the installer, (2) you give your admin password when asked, and (3) you enter sensitive information such as credit card info when asked. And even if the malware manages to overcome those obstacles and gets installed, the user can undo the damage with some basic common sense steps (and hopefully be “smarter” next time).

      And “malware” does not equal “virus.” If the malware requires user interaction to work, it is not a virus.

      1. As long as the names of the installed programs (not necessarily the installer) are a clear give-away, these removal instructions will be useful. But what if the malware authors went a step further and did a better job at hiding the processes?

  2. This is gigantic. Given that literally the ONLY possible malignant software a mac user has to worry about is trojan horses such as this so called malware. apple basically is closing the door to malware altogether. not to mention, we won’t have to suffer any more of this misinformed tech journalist mislabeled virus nonsense anymore. It is especially notable in its equalizing of their user base by elevating “dumb” users to the same level of protection as their knowledgeable users. maybe scary?

    1. “Wow basically the first apple made anti-malware component introduced into OS X”

      NO.

      Apple introduced system level anti-malware into Mac OS X with 10.6 Snow Leopard. It covers the iServices Trojan horse, which is the most dangerous currently in the wild as it bots/zombies Macs. Apple’s anti-malware also covers the RSPlug Trojan horse, which has been the most prolific with a reported 17 variations.

  3. You have to hand it to Apple for consistency. They don’t say a word to the public until they’re ready to say it PERFECTLY. No blowhard HP/RIM/Sony/Samsung ad nauseam doltish moves from Apple. You have to wait for it . . . but they get it right.

    Personally, I am astounded how effective MAC Defender (the proper spelling, with the space in it) has been at messing over so many Mac users. It’s highly amusing that the basturd trolls have ranted for years that Mac users “believe they can’t get malware” and yet a FAKE report of loads of malware manages to fool so many people. As per usual, trolls are tards. But Mac users need to grow up and learn about social engineering, hopefully not the hard way.

    1. @ Derek,
      ” It’s highly amusing that the basturd trolls have ranted for years that Mac users “believe they can’t get malware” ”

      Actually you are trolling or just lame. Macs are not immune to anything, just highly resistant. LOL And Malware is the same as a regular program, just a “bad” program. Yes more info needs to be out there about social engineering,,,, but how about if Apple ends up making a few small tweaks and suddenly its 100 times harder to get those malware programs thru??????

      Never hurts.

      Just a thought,
      en

  4. FYI-
    Intego, who first ID’d this malware and has been the subject of snarky comments on this site, produces a product that catches this before anything happens. That’s exactly what AV SW is supposed to do & Mac users that had it installed with current updates didn’t have this problem in the first place.
    Maybe an apology is in order.

    1. um actually- the only mac users who had a problem were the ones who would also give their car keys to anyone on the street thinking they were a valet.

      you can’t cure stupid, and of course intego would love to capitalize on the stupidity of users. otherwise they’d make zero money. and i am sure it’s hard enough for them to sucker the small base of stupid people that use macs as it is…

  5. Yea!!!!! Thanks Apple for stepping up and giving a real solution to this problem instead of denying the existence of it. This is the right thing to do Apple Thank You!

  6. Another step to prevent this is to uncheck the auto launch of downloads once they are complete. Safari has this checked by default. In Safari preferences under general the last item should be unchecked so the program won’t launch the installer right away.

  7. It looks like Apple made a major strategic decision here. By providing solution for Mac Defender, Apple has declared that it will, from now on, take care of malware problems for Mac users. This is actually quite big. Microsoft took twenty years of dealing with malware problems to finally start providing their own solution for free.

    This decision will expose Apple to future criticism, should their response to any future malware outbreaks not be efficient enough.
