In association with heise online

20 May 2011, 11:08

Mac scareware becomes more visible - Update

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Zoom Mac Protector running
Going under the name "Mac Defender", "Mac Security" or "Mac Protector", a fake anti-virus application is getting attention as professional criminals target it at Mac users. According to Mac anti-virus maker Intego, they are being contacted by a "huge number of customers who are worried about this fake anti-virus". There are also reports of an upsurge in calls to Apple support lines concerning this scareware.

Using the trick that has become commonplace with Windows rogue anti-virus software of hijacking a browser window through a manipulated advert or web site, the criminals behind Mac Defender display a warning that the system is infected with viruses or that "suspicious activity" has been detected.

Fake dialog windows can then trick the user into downloading an application which, if the Safari browser is set to automatically open "safe" files, will automatically launch an installer that asks for an administrator's password on the system. If the user enters the password, the malware will be installed and run, issuing more fake virus warnings, and demanding registration along with the user's credit card information to "clean up" the system. If the user does not register, the malware starts regularly opening pornographic web sites. A video from Intego shows the process with the earlier "Mac Protector" variant.

Intego showing how Mac malware gets users to enter their password so that it can be installed.

Users of the Safari web browser should disable automatic file opening in Safari (Preferences -> General and uncheck "Open 'safe' files after downloading"). More importantly though, users should, when prompted for their user name and password, be asking themselves "what is requesting this information" and remembering that they are giving it privileges to modify their system.

According to leaked internal memos, Apple employees have been instructed not to attempt to remove the scareware because it has been installed by the user rather than through a vulnerability in the operating system. Instead, they are told to recommend that the user install all available security updates, which currently would not help, and to install a virus scanner. Apple already has a basic anti-malware mechanism in Mac OS X 10.6 Snow Leopard, but it is somewhat limited in the range of malware it detects and it has not been updated to detect the Mac Defender/Protector/Security malware. Apple have not commented on the outbreak. offers guides for users who have installed Mac Protector and Mac Defender and want to remove them.

Update - Researchers at Microsoft's Malware Protection Center suspect that the Mac scareware may have a lot in common with some Windows scareware. They have noted the similarity between the Mac Defender scareware and "Windows Web Security" (Winwebsec) scareware, on their blog. Both programs share similar URLs for purchase pages and for calling home and have very similar page layouts for credit card detail entry. They also share the same payment gateway URL; just changing "buy.php" to "mac.php" is sufficient to change the criminal site's branding.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit