Mac security specialist Intego issued a memo on Monday warning users of Apple's desktop and laptop computers to keep any eye out for a crafty new antivirus program called MAC Defender. As fate would have it, the app is nothing more than a nasty virus in sheep's clothing, and a few accidental clicks on search engines such as Google might mess up your day rather badly."
The MAC Defender software uses commonly searched terms to get prominent placement in search engine results. So, users looking for legitimate protection against viruses on their Macs might be duped into downloading and installing MAC Defender instead. Clicking the links that show up in search results brings up a fake Windows screen that tells the user a virus has been "detected," another clue that something is fishy. JavaScript code then automatically downloads a zipped installer for MAC Defender. If the "Open 'safe' files after downloading" option is turned on in Safari, the installer will be unzipped and run. Since the installer requires a user password, it won't install without user interaction. However, inexperienced users may be fooled into thinking the software is legitimate.
Once installed, the program apparently pretends to detect viruses and opens Web browser windows with pornographic sites, to help sell the charade that the computer is infected. It also configures itself to launch at startup and is difficult to quit as it only appears as a menu bar icon and not in OS X's Dock. If users try to clean the "viruses", they first have to register MAC Defender; clicking on the link to do so via the program's About screen takes them to an unsecure Website that offers a 1-year, 2-year, or lifetime license to the program for $60, $70, or $80 respectively. Registering halts the virus warnings, thus "confirming" that the program is working.
As with the rare Mac malware threats that have arisen in the past, the best defense against a Trojan horse like MAC Defender is education and common sense. There's no need to panic, as long as you're taking the usual proper precautions while browsing the Web. You should uncheck Safari's 'Open "safe" files after downloading' option in the General pane of its Preferences. This will prevent files like ZIP archives from automatically being opened. And, of course, you should always be wary of installing any application from an unknown source.
Action to take: In
Safari, go to the
Safari menu and choose
Preferences. In the first tab
General, ensure that the option to '
open safe files after downloading' is
not enabled.
Arstechnica.com comments:
While MAC Defender wouldn't likely fool an experienced user, Intego notes that its appearance in the wild is yet another opportunity to detail some useful security precautions. Don't let your browser automatically open downloads. If your browser asks if you want to run an installer even though you didn't try to download one, click "cancel." And never give your password to run installers you aren't 100 percent sure about."
Also see Macworld.com
New Mac Trojan Horse masquerades as virus scanner
UPDATE 10th May:
If you have been caught out by this 'scareware', simple removal instructions can be found here:
http://www.fixkb.com/2011/05/uninstall-mac-defender.html
If you want to import iPhone/iPod pictures without launching iPhoto, you can do it really rapidly with Preview instead. Connect the iPhone, launch Preview, and choose Import from xxx's iPhone. You see a thumbnail of all the pictures and you can then import whatever you want. A green checkmark shows what's already been imported.
Highlight the Applications folder and choose Get Info from the File menu. Click the padlock to authenticate changes you are about to make. In the Sharing and Permissions section, set the Privilege from Read & Write to Read only for the 'admin' group and also for the 'everyone' group if not already set. Click the padlock to lock the settings. Close the Info box.
When any modification wants to be made to the Applications folder, you get a confirmation dialog which won't let it install until you authenticate.
Notice that now when you open the Applications folder there is a 'write-protect' icon in the bottom left of the window.
