The recent MacDefender Trojan has been receiving “rebranding” facelifts since it came out. It has now been deployed as MacProtector, MacDetector, MacSecurity, Apple Security Center, and there are no doubt more iterations to come. The malware has been updated, and now sports an improved UI that looks like a native Mac OSX application, unlike the first variant, which appeared to be Windows software.
EDIT: A new variant is now being deployed that can install without credentials. The image below shows a fake Finder window displayed within the browser. If you see this window, close the browser, or Force Quit if you can't quit. Don't select the "Cancel" or "Remove All" buttons, as this will install the malware without asking for your password. As this makes the malware more likely to be deployed, we recommend users disable "Open "Safe" files after downloading," at least until Apple pushes their pending security update.
As a quick recap, the infection is spread via poisoned search engine results on image searches. When a bad link is followed in a search, the user is presented with an alert that Trojans or other threats have been detected on the system. At the start of the attack, either a simple dialog box over your browser window, or a fake Finder window with a warning similar to this will be displayed:
(Image courtesy Nerds On Site)
If the default setting of “Open “Safe” Files After Downloading” is enabled in your browser, the software will download, the installer will launch, and you will be prompted to enter your password to complete installation of software, which is actually the malware payload. A new variant called MacGuard is also live and will install without credentials.
As soon as the malware is installed and launched, you'll be informed the software is an "Unregistered Copy" and give you an option to register. If you close the browser and quit the installer, the malware can safely be deleted from the downloads folder, and no harm is done.
(Image courtesy Nerds On Site)
Of course, when you "register" the software will try to get you to purchase it, for as much as $79.95. If you do purchase, not only do you have a bogus charge on your card, you also have given your credit card to criminals.
Some key considerations for Mac users to be aware of are:
Mac users can defend themselves from variants of this attack by:
Finally, users of any system should be aware there is currently no legitimate antivirus or security software that alerts you through a browser that malware of any type has been detected and that security software must be installed to remove it. A modern browser may block a suspect site, but it won’t behave in this manner. This is a sure-fire attempt to scare a user into installing a malicious program. In general, if you see a suspicious warning that asks you to install software, simply close the browser, or Force Quit if you need to. NEVER click “OK,” “Cancel” or any other button or links in the window alerting you to fake infections, as that is often what starts the actual download or installation of the malware.
Should you have an infection and require removal instructions, Apple has just posted an official article on their support database at http://support.apple.com/kb/HT4650. In this article, they indicate that software updates for removing and blocking the software will be forthcoming.
If you are an ESET Cybersecurity user and had an infection prior to installing our software and need removal help, remember ESET offers free customer support.
Author ESET Research, ESET