'MACDefender' on Apple's radar as OS X malware spreads - report

Posted in macOS, edited January 2014
A malware program that targets Mac OS X systems dubbed "MACDefender" has apparently gained traction in the wild, prompting Apple to tell its support representatives they should not attempt to remove the software.



According to an internal AppleCare document obtained by Ed Bott of ZDNet, the "MACDefender" software is considered an "Issue/Investigation in Progress." The confidential internal document, issued to representatives this week, notes that "AppleCare does not provide support for removal of the malware."



A series of bullet points accompanying the document state that employees should not confirm or deny that the malware has been installed, attempt to uninstall it, or send customers to Tier 2 for further resolution. In addition, representatives are also told not to refer customers to the Apple Store, as those employees do not remove malware either.



"Explain that Apple does not make recommendations for specific software to assist in removing malware," the document reads. "The customer can be directed to the Apple Online Store and the Mac App Store for antivirus software options."



Bott also previously reported via his Microsoft Report that an AppleCare representative said malware for the growing Mac platform is "getting worse." The anonymous person claimed that call volume at AppleCare is four to five times higher than normal, and the "overwhelming majority" of calls are related to MACDefender or another alias.



"Many Mac users think their Mac is impervious to viruses and think this is a real warning from Apple," the anonymous person reportedly said. "I really wish I could say not many people will fall for this, but in this last week, we have had nothing but Mac Defender and similar calls."
The MACDefender malware first gained attention earlier this month, when it was spotted by antivirus vendor Intego. The program is downloaded automatically by JavaScript when a user visits one of the malicious pages in a web browser.



But users must also agree to install the software and provide an administrator password, which led Intego to categorize the threat as "low." However, the latest details would suggest that users are unaware of what they are installing and proceed with the installation anyhow.



The malware spreads through search engines like Google via a method known as "SEO poisoning": the sites hosting it are designed to game search engine ranking algorithms so that they show up when users search for certain topics.



Users on Apple's support forums have advised killing active processes from the application using the Mac OS X Activity Monitor. MACDefender can then be deleted from the Applications folder by dragging it into the trash.
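The removal steps just described, as an added shell example that is not from the article or the forum thread: it stops any process running from the app bundle and then moves the bundle out of the Applications folder into the Trash, which is what dragging it there does. The APP_NAME, APPS_DIR and TRASH_DIR variables and the function names are assumptions, chosen so the script can be tried against a throwaway directory before it is pointed at /Applications.

```shell
#!/bin/sh
# Added example (not from the article or the forum thread).
# Assumed knobs: APP_NAME is the bundle name without ".app", APPS_DIR the
# folder it was installed to, TRASH_DIR where the bundle is moved to.
APP_NAME="${APP_NAME:-MACDefender}"
APPS_DIR="${APPS_DIR:-/Applications}"
TRASH_DIR="${TRASH_DIR:-$HOME/.Trash}"

# Print the PIDs of processes whose command line points inside the bundle.
# Matching on the bundle path rather than the bare name avoids killing an
# unrelated process that merely mentions the word somewhere on its command line.
app_pids() {
    command -v pgrep >/dev/null 2>&1 || return 0
    pgrep -f "$APPS_DIR/$APP_NAME.app/" 2>/dev/null || true
}

# Terminate those processes: TERM first, then KILL for any that survive.
# Prints the number of processes that were signalled.
kill_app_processes() {
    pids=$(app_pids)
    if [ -z "$pids" ]; then
        echo 0
        return 0
    fi
    count=0
    for pid in $pids; do
        kill -TERM "$pid" 2>/dev/null && count=$((count + 1))
    done
    sleep 1
    for pid in $(app_pids); do
        kill -KILL "$pid" 2>/dev/null || true
    done
    echo "$count"
}

# Move the bundle to the Trash instead of rm -rf, so a mistaken match can be
# recovered. Refuses names that could escape APPS_DIR. Exit status:
# 0 moved, 1 no such bundle, 2 refused.
trash_app_bundle() {
    case "$APP_NAME" in
        ""|.|..|*/*) return 2 ;;
    esac
    bundle="$APPS_DIR/$APP_NAME.app"
    [ -d "$bundle" ] || return 1
    mkdir -p "$TRASH_DIR"
    dest="$TRASH_DIR/$APP_NAME.app"
    if [ -e "$dest" ]; then
        dest="$dest.$(date +%s)"
    fi
    mv "$bundle" "$dest"
}

# Report whether the bundle is still in place, so the cleanup can be verified.
cleanup_status() {
    if [ -d "$APPS_DIR/$APP_NAME.app" ]; then
        echo "bundle-present"
    else
        echo "bundle-absent"
    fi
}
```

Run it first with APPS_DIR and TRASH_DIR pointed at a scratch directory; once the output looks right, run `kill_app_processes`, then `trash_app_bundle`, then `cleanup_status` against the real folder. Moving to the Trash keeps the bundle available for inspection by whoever investigates the incident, which an immediate delete would not.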

Comments

  • Reply 1 of 94
    object-x Posts: 42 member
    So the one thing missing in this story is what MACDefender actually does once it's installed. Anyone know?
  • Reply 2 of 94
    Isn't this the kind of problem the Mac App Store is designed to defend against?
  • Reply 3 of 94
    applestud Posts: 367 member
    Quote:
    Originally Posted by Object-X View Post


    So the one thing missing in this story is what MACDefender actually does once it's installed. Anyone know?



    i think it's a barrage of pornography. Could be wrong though.



    As the article notes, this is only a threat if you actively allow the installer to proceed by entering the administrator password. Most moderately advanced users will recognize this and refuse to continue. However, as macs become more and more popular, it's true that many less-experienced users could be confused or tricked. I certainly emailed some family members who are new to macs and reminded them to never enter their administrator password unless they were completely sure why they were doing it and trusted the download source.
  • Reply 4 of 94
    applestud Posts: 367 member
    Quote:
    Originally Posted by David Forbes View Post


    Isn't this the kind of problem the Mac App Store is designed to defend against?



    Absolutely. Notice the installed base for iPhones and iPads greatly exceeds that of macs, yet the malware issue is non-existent. This is apple's solution to the problem, and personally I think it's a good one.
  • Reply 5 of 94
    ascii Posts: 5,941 member
    It's partly Apple's fault for having the "open safe files after downloading" feature in Safari. That feature is just asking for this kind of attack.
  • Reply 6 of 94
    rob55 Posts: 1,255 member
    Quote:
    Originally Posted by AppleStud View Post


    i think it's a barrage of pornography. Could be wrong though.



    I'm not sure, but I recall reading that it's an antivirus or anti-malware program like its name suggests. When asked to activate the program, you have to enter CC info and when you do, it tells you the card didn't work and asks you to try another card, all the while collecting your CC info. Allegedly, a user had entered 4 or 5 different CC numbers before getting wise to the scam.
  • Reply 7 of 94
    macrulez Posts: 2,455 member
    deleted
  • Reply 8 of 94
    Quote:
    Originally Posted by AppleStud View Post


    Absolutely. Notice the installed base for iPhones and iPads greatly exceeds that of macs, yet the malware issue is non-existent. This is apple's solution to the problem, and personally I think it's a good one.



    I disagree simply because this is not a case where a user is searching for and intentionally downloading software. The App Store is great for providing a trust-based location for finding s/w and applications to meet Mac users' needs, and in the case of the iOS devices, it is the ONLY place to find apps.



    Traditional Mac computers (iMac, MacBooks, Mac Pro, etc), aren't (yet?) locked into the App Store ecosystem (not sure they should be really). MAC Defender and MAC Security obviously aren't part of that ecosystem either, and as described in the article, downloaded via Javascript. The end user in this case, regardless of the existence of the App Store, still chose to download and install the malware.



    In the end, the argument becomes, does Apple lock-down all computing systems to App Store purchases/updates? An even better question might be - could they?
  • Reply 9 of 94
    ascii Posts: 5,941 member
    Quote:
    Originally Posted by David Forbes View Post


    Isn't this the kind of problem the Mac App Store is designed to defend against?



    Yep, and a good solution it is for the novice user. Perhaps once enough A-level apps are on the App Store, the default setup for OS could only allow installing from the App Store.



    I think it's unacceptable for a computer to only allow installation from there, since it's supposed to be a much more of a pro tool than e.g. an iPad, but it's acceptable for it to be the default setting which a pro can disable.
  • Reply 10 of 94
    muser Posts: 9 member
    Quote:
    Originally Posted by David Forbes View Post


    Isn't this the kind of problem the Mac App Store is designed to defend against?



    You're trolling. But for those who don't know, the answer is no, that is not what the Mac App Store is for. The Mac App Store is to provide a centralized, ready-made marketing channel for developers to sell Mac software to customers. Apple gets a fee for providing this service. Any developer is also free to market software through any other channel. The Mac App Store has absolutely nothing to do with stopping viruses and malware.
  • Reply 11 of 94
    ascii Posts: 5,941 member
    Quote:
    Originally Posted by muser View Post


    The Mac App Store has absolutely nothing to do with stopping viruses and malware.



    What about the fact that Apple performs QA on any apps they allow on there?
  • Reply 12 of 94
    Quote:
    Originally Posted by ascii View Post


    It's partly Apple's fault for having the "open safe files after downloading" feature in Safari. That feature is just asking for this kind of attack.



    I don't recall if that is on or off by default, but that still does not solve the problem. It only means the non-paranoid among us have to take an additional step, and that is opening the DMG file after it is downloaded. I am sure that will pose no barrier to the people who will run anything they get.



    I seem to recall one of the tech writers claiming he could name a file "this is a virus.com" and people would still run it. The same applies to many Mac users as well. Social engineering is OS agnostic as this incident shows. :-)
  • Reply 13 of 94
    mstone Posts: 11,510 member
    It's all those switchers. Allow/Deny clickers. They are conditioned to always click Allow because on Windows if they click Deny the message just pops up again over and over.
  • Reply 14 of 94
    hiker275 Posts: 53 member
    Quote:
    Originally Posted by AppleStud View Post


    i think it's a barrage of pornography.

    REALLY!!! And this is FREE???? Kewl... How can I find this supposed malware?
  • Reply 15 of 94
    ascii Posts: 5,941 member
    Quote:
    Originally Posted by Protagonistic View Post


    I don't recall if that is on or off by default, but that still does not solve the problem. It only means the non-paranoid among us have to take an additional step, and that is opening the DMG file after it is downloaded. I am sure that will pose no barrier to the people who will run anything they get.



    I seem to recall one of the tech writers claiming he could name a file "this is a virus.com" and people would still run it. The same applies to many Mac users as well. Social engineering is OS agnostic as this incident shows. :-)



    It's on by default. Yes, you're right, there's still the danger of someone seeing it in their downloads list or folder later and running it.



    Actually I think this shows the opposite of what that tech writer said. People install stuff based solely on the name, they don't do any research. If it sounds good ("MACDefender") they're in. But he was just joking of course.



    I think by default OS X should allow installing off CDs and installing off the App Store, and anything else (which is just web downloads really) requires some kind of obscure setting in the Security pane.
  • Reply 16 of 94
    lkrupp Posts: 7,470 member
    Quote:
    Originally Posted by David Forbes View Post


    Isn't this the kind of problem the Mac App Store is designed to defend against?



    It's not an app. You visit a web site and you get a screen that appears to be scanning your Mac for malware. Then it is announced that you do indeed have malware and it offers to install Mac Defender for you to clean your system. If you are running as an admin user, enter your password and let the installation take place, you are toast. I have personally encountered this phishing expedition myself on a website that caters to, shall we say, prurient interests.



    Bottom line, as with all malware, the user has to purposely allow this stuff to be installed. It's phishing, not a virus or worm. Nonetheless, I suppose there are enough clueless idiots who will dutifully install this crap and then call Apple for help. The price of higher market share, I guess. These poor souls switched to the Mac because they kept getting their clocks cleaned by Windows malware and thought they were safe and could forget about malware.
  • Reply 17 of 94
    All the stories on this just make it seem like a bigger threat than it actually is. Unlike a Windows counterpart that may execute simply by visiting the wrong webpage and exploiting the OS or something, this is an app the user not only has to download, but run and type their admin password, giving it permission to do harm. Sure it's under a guise, but honestly I blame any user who installs it without the foresight to know what they are doing. A simple Google search would tell you more than you need to know about a program you are unsure of. If you didn't get it from a reputable source, you should look into it before saying yes, that simple. Mac trojans are always blown way out of proportion. All this coverage is gonna do is make the ignorant Windows fanboy masses think "haha macs get viruses too" and the Mac users that don't know better panic.



    I should write a program and call it "Big Bad" and when it runs it asks for your admin password, name, address, CC, SSN and after you enter all of it, it gives a popup saying "I just broadcasted all your info to a million cyber criminals. haha. Thanks for being a mindless idiot. j/k. But if this was a real threat that's what would have happened. Know what you install next time" and if you deny the app permission or info it'll just say "Congratulations, you made a wise choice based on rational thinking."
  • Reply 18 of 94
    It used to be that people who understood computing better than the average person, were the ones who bought Macs. Now the average and below-average are buying them also.



    This means a larger target for malware writers, which means we all will see more Mac malware in the years ahead. Thanks, new Mac users who don't understand computing.
  • Reply 19 of 94
    solipsism Posts: 25,726 member
    Quote:
    Originally Posted by AppleStud View Post


    i think it's a barrage of pornography. Could be wrong though.



    As the article notes, this is only a threat if you actively allow the installer to proceed by entering the administrator password. Most moderately advanced users will recognize this and refuse to continue. However, as macs become more and more popular, it's true that many less-experienced users could be confused or tricked. I certainly emailed some family members who are new to macs and reminded them to never enter their administrator password unless they were completely sure why they were doing it and trusted the download source.



    Lion has included a very minor, but important, change to the window where you input your admin credentials. It won't stop the ignorant from foolishly installing items, but having the button now state the action it will take is a good move, albeit a minor one.
  • Reply 20 of 94
    esummers Posts: 912 member
    Quote:
    Originally Posted by ascii View Post


    It's partly Apple's fault for having the "open safe files after downloading" feature in Safari. That feature is just asking for this kind of attack.



    Executable files are never considered safe and are never automatically launched. So NO this feature is NOT asking for this kind of attack.