
MACDefender aka Mac Protector: Scareware for Mac

From , former About.com Guide

MACDefender is a scareware program designed to trick Mac users. Usually, MACDefender is delivered via the Web, often via tainted search engine results. (See Search Engine Poisoning: Understanding Web Malware). While scareware has long plagued Windows users, it's a relatively new threat for Mac users.

MACDefender is distributed under many different names, including the following:

  • Best Mac Antivirus 2011
  • Mac Defender
  • Mac Protector
  • Mac Security
  • MACDefender
  • MacProtector
  • MacSecurity
  • Apple security alert
  • Apple Web Security

MACDefender (aka Mac Protector / Mac Security) generally relies on social engineering to get installed onto a victim's Mac. However, Safari users have an added whammy: by default, the Safari browser will automatically open "safe" files after downloading. And while you may not knowingly download the file, some search engines will automatically render the content of pages that appear first in search engine results. Thus Safari users can be exposed simply by conducting an otherwise legitimate search whose results happen to include a site that delivers the MACDefender scareware.

In other cases, users may be directed to a website that displays a fake Finder window which claims to be the "Apple security center". A bogus warning will also be displayed, claiming that "Apple Web security" has detected trojans and is ready to remove them. Closing the page or clicking on any of the dialogs causes an attempt to download the scareware.

Whether the file is intentionally downloaded and opened or it happens automatically thanks to the combined search/Safari bug, the result for Mac users will be a prompt to install MACDefender (or Mac Protector, MACSecurity, or other similar name).

If you follow the instruction to install MACDefender, the scareware will install itself to a folder (usually using the same program name) and add itself as a login startup item. The scareware will then display fake warnings of malware (that doesn't really exist). Clicking the cleanup button leads to a payment dialog instructing the victim to enter their credit card info to purchase the full version in order to remove the bogus infections.

To further the ruse that the system is infected, MACDefender may also periodically (and frequently) display pop-ups from pornographic websites.

Of course, purchasing the product doesn't actually remove anything, because the alleged infections don't exist at all. The only thing it accomplishes is to fund the attackers, and it may also lead to additional credit card fraud.

To remove Mac Defender aka Mac Protector / Mac Security, follow these steps:

  1. Locate and kill the process for MacDefender (see How to Quit Processes in Mac OS X for help).
  2. Using Finder, locate the MacDefender folder and drag it to the trash.
  3. Remove the login startup process (see How to Remove Login Items in Mac OS X for help).
  4. Safari users should then disable the Open "Safe" Files feature (see How to Disable Safari Open "Safe" Files for help).
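
The four removal steps can also be checked from Terminal. The script below is an added example, not part of the original article: it looks for the names listed earlier among running processes, /Applications entries and login items, and reports the Safari setting. The function names are illustrative, and the `osascript` login-item query and the `com.apple.Safari AutoOpenSafeDownloads` preference key are assumptions about the OS X version in use.

```bash
#!/bin/bash
# Added example. Names the article lists, lower-cased with spaces removed.
KNOWN_NAMES="bestmacantivirus2011 macdefender macprotector macsecurity applesecurityalert applewebsecurity"

# Reduce a path or name to: last path component, no ".app", lower case, no spaces.
normalize() {
    local p="${1%/}"
    p="${p##*/}"
    p="${p%.app}"
    printf '%s' "$p" | tr '[:upper:]' '[:lower:]' | tr -d ' '
}

# Succeeds when the argument normalizes to one of the listed names.
is_known_name() {
    local n known
    n="$(normalize "$1")"
    for known in $KNOWN_NAMES; do
        if [ "$n" = "$known" ]; then return 0; fi
    done
    return 1
}

# Filter stdin (one path or name per line) down to the matching lines.
scan_lines() {
    local line
    while IFS= read -r line; do
        if is_known_name "$line"; then printf '%s\n' "$line"; fi
    done
}

# Live checks, one per removal step; they only make sense on a Mac.
audit_mac() {
    echo "== Step 1: running processes ==";  ps -axo comm= | scan_lines
    echo "== Step 2: installed folders ==";  ls -d /Applications/* 2>/dev/null | scan_lines
    echo "== Step 3: login items =="
    osascript -e 'tell application "System Events" to get the name of every login item' \
        2>/dev/null | tr ',' '\n' | sed 's/^ *//' | scan_lines
    echo "== Step 4: Safari Open \"safe\" files (1 = enabled) =="
    defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null \
        || echo "not set or not readable; check Safari preferences"
}

if [ "$(uname -s)" = "Darwin" ]; then
    audit_mac
else
    # Constructed sample input so the matcher can be exercised off a Mac.
    printf '%s\n' "/Applications/Safari.app" "/Applications/MacProtector.app" \
        "/Applications/Mac Defender.app/Contents/MacOS/Mac Defender" | scan_lines
fi
```

Anything printed under steps 1 to 3 is a candidate to review before quitting or deleting it, since a name match alone does not prove the item is the scareware.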

While MACDefender aka Mac Protector has been the most prevalent Mac scareware to date, it is not the first. Macsweeper and iMunizator, discovered in 2008, are earlier examples of scareware for Mac.

©2012 About.com. All rights reserved.
