Mac Defender

A few readers have contacted me in the past couple of days describing malware they got on their Macs while surfing the net. Macs are rarely the target of malicious software, but the web pages these readers were visiting displayed fake warnings that their Macs were already infected and automatically downloaded a supposed fix called Mac Defender.

The Fix is a Lie

Mac Defender is not the solution, it’s the problem. When one of these crafty websites is visited, JavaScript on the page automatically downloads a compressed zip archive containing Mac Defender. If the browser is Safari and ‘Open “safe” files after downloading’ is enabled, the archive is decompressed and the Mac Defender installer is started without any further action from the user. The whole process is very convincing, but the installer cannot put anything on the system until an administrator password is entered: cancel it at that point and no malicious software is installed. If the user continues through the installation and supplies an administrator password, Mac Defender is installed and the Mac is infected.

After installation Mac Defender launches, displays its interface, and adds a small orange shield icon to the Mac OS X menubar that turns red when “viruses” are detected. It periodically displays alerts claiming that viruses have been found, and opens pornographic web sites in the user’s browser every few minutes. This is meant to convince users that they really are infected, but all of this activity is generated by Mac Defender itself.

Clicking the Register button on the About screen takes users to a web page where they can purchase a license for the program. They are asked to enter a credit card number on an insecure web page. Registering stops the counterfeit alerts, but hands the user’s card details to the people running the scam.

Removing Mac Defender

Mac Defender cannot easily be quit because it has no Dock icon, and it adds itself to the user’s Login Items so that it launches every time the user logs in. The easiest way to remove it is to boot into Safe Mode, which does not open Login Items, so the malware is not running while you delete it.

To start up into Safe Mode (to Safe Boot), do this:

  1. Be sure your Mac is shut down.
  2. Press the power button.
  3. Immediately after you hear the startup tone, press and hold the Shift key. Hold it as soon as possible after the tone, but not before it.
  4. Release the Shift key when you see the gray Apple icon and the progress indicator (looks like a spinning gear).
  5. Locate MacDefender.app in the Applications folder and drag it to the Trash.
  6. Open System Preferences, go to your account’s Login Items (in the Accounts pane, or Users & Groups on later versions of OS X) and remove the Mac Defender entry so nothing tries to relaunch it.
  7. Empty the Trash and reboot.
  8. After you have logged in normally, launch Safari and go to the Safari menu.
  9. Choose “Reset Safari…” and click Reset with all options selected. (This will erase your browser’s history, cache, cookies, and previously saved names and passwords, among other things.)

Preventing It

One way to prevent your Mac from automatically attempting to install Mac Defender is to disable the opening of “safe” files in Safari after downloading.

To uncheck this setting,

  1. Launch the Safari application.
  2. From the Safari menu choose Preferences.
  3. On the first tab that appears, General, uncheck ‘Open “safe” files after downloading.’

The Mac Defender archive may still be downloaded to your computer after ‘Open “safe” files’ is turned off, but it will not be expanded or started automatically. As always, be vigilant about what applications and services you authorize with your administrator password, and you should not be infected by this bogus Mac anti-virus.
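As an added example (not code from the original post, and not Apple’s), the following Python script checks and disables the Safari setting programmatically and also flags any downloaded zip archives that would expand into an application bundle or installer package, which is how Mac Defender arrives. It assumes the checkbox is stored as the boolean key AutoOpenSafeDownloads in com.apple.Safari.plist at the classic ~/Library/Preferences path (sandboxed Safari builds keep the file under ~/Library/Containers/com.apple.Safari/Data/Library/Preferences/ instead), and that Safari’s factory default for the option is enabled. The sample plist and archives it runs against are constructed inline.

```python
"""Audit the Safari setting behind Mac Defender's auto-launch and flag
downloaded archives that would expand into an app bundle or installer.

Added example for this post, not code from the original article or Apple.
Assumptions: the 'Open "safe" files after downloading' checkbox is stored as
the boolean key AutoOpenSafeDownloads in com.apple.Safari.plist at the classic
~/Library/Preferences path, and Safari ships with the option enabled.
Needs Python 3.4+ for binary plist support.
"""
import plistlib
import tempfile
import zipfile
from pathlib import Path

SAFARI_PLIST = Path.home() / "Library" / "Preferences" / "com.apple.Safari.plist"
AUTO_OPEN_KEY = "AutoOpenSafeDownloads"
# Bundle/package suffixes that should never turn up inside a "safe" archive.
BUNDLE_SUFFIXES = (".app", ".pkg", ".mpkg")


def auto_open_enabled(plist_path=SAFARI_PLIST):
    """True when Safari would auto-open "safe" downloads.

    A missing file or key means the factory default applies, and the
    factory default is enabled (assumption stated above).
    """
    try:
        with open(plist_path, "rb") as fh:
            prefs = plistlib.load(fh)
    except FileNotFoundError:
        return True
    return bool(prefs.get(AUTO_OPEN_KEY, True))


def disable_auto_open(plist_path=SAFARI_PLIST):
    """Write AutoOpenSafeDownloads=false, the same thing unchecking the box does.

    Quit Safari first. On current macOS cfprefsd may overwrite a directly
    edited plist, so prefer:
        defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
    """
    try:
        with open(plist_path, "rb") as fh:
            prefs = plistlib.load(fh)
    except FileNotFoundError:
        prefs = {}
    prefs[AUTO_OPEN_KEY] = False
    with open(plist_path, "wb") as fh:
        plistlib.dump(prefs, fh, fmt=plistlib.FMT_BINARY)
    return auto_open_enabled(plist_path)


def suspicious_members(zip_path):
    """Archive members that live inside an .app bundle or a .pkg.

    Heuristic: a zip that Safari would silently expand into an application
    or installer package is exactly the Mac Defender delivery pattern.
    """
    with zipfile.ZipFile(zip_path) as zf:
        return [
            name for name in zf.namelist()
            if any(part.endswith(BUNDLE_SUFFIXES) for part in name.split("/"))
        ]


def scan_downloads(download_dir):
    """Map each zip in download_dir to its suspicious members, if any."""
    download_dir = Path(download_dir)
    if not download_dir.is_dir():
        return {}
    report = {}
    for entry in sorted(download_dir.iterdir()):
        if entry.suffix.lower() == ".zip" and zipfile.is_zipfile(entry):
            hits = suspicious_members(entry)
            if hits:
                report[entry.name] = hits
    return report


def build_sample(root):
    """Constructed sample: a Safari plist with auto-open on, one archive that
    expands to a MacDefender.app bundle, and one harmless archive."""
    root = Path(root)
    prefs = root / "com.apple.Safari.plist"
    with open(prefs, "wb") as fh:
        plistlib.dump({AUTO_OPEN_KEY: True}, fh, fmt=plistlib.FMT_BINARY)
    downloads = root / "Downloads"
    downloads.mkdir()
    with zipfile.ZipFile(downloads / "anti-malware.zip", "w") as zf:
        zf.writestr("MacDefender.app/Contents/Info.plist", "<plist/>")
        zf.writestr("MacDefender.app/Contents/MacOS/MacDefender", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(downloads / "photos.zip", "w") as zf:
        zf.writestr("holiday/beach.jpg", b"\xff\xd8\xff")
    return prefs, downloads


def demo():
    """Run audit, fix and scan against the constructed sample; return results."""
    with tempfile.TemporaryDirectory() as tmp:
        prefs, downloads = build_sample(tmp)
        result = {"enabled_before": auto_open_enabled(prefs)}
        result["enabled_after"] = disable_auto_open(prefs)
        result["flagged"] = scan_downloads(downloads)
    return result


if __name__ == "__main__":
    print("sample run:", demo())
    if SAFARI_PLIST.exists():  # only meaningful on a Mac
        print("Safari auto-open enabled:", auto_open_enabled())
        print("archives expanding to an app/pkg:", scan_downloads(Path.home() / "Downloads"))
```

Run it as-is to see the constructed sample; on a Mac it also reports the real setting and scans ~/Downloads. The archive scan is only a heuristic: it catches a zip that unpacks to an .app or .pkg, which is the pattern described above, but it does not inspect disk images, which Safari also treats as “safe”.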

For more information about Mac Defender please visit Macworld and the Intego Security Blog.

Update

Apple has added their own instructions on how to remove the Mac Defender malware. I find it interesting that they don’t mention unchecking ‘Open “safe” files after downloading’ in Safari, which would prevent Mac Defender from launching in the first place. As new variants of Mac Defender emerge, I still stick to my instructions, which will remove the malware no matter what it calls itself in Activity Monitor.
