Recently a new series of Trojan horse attempts have targeted OS X users with downloadable malware applications that try to lure you into providing personal information, and with malicious Web sites that trick you into downloading malware onto your systems. Despite warnings about these new malware attempts, numerous people have fallen for these efforts and have downloaded and installed the malware distributed by these sites.
In the past few days since these scams surfaced, a number of MacFixIt readers have contacted us wondering about whether or not their systems are safe after having seen the site on their systems or even downloading the files to their computers. They want to know what they can do to check for and remove the malware.
What the recent malware does
If you have seen the "Apple Security Center" Web site and have clicked on the "Remove All" button, the site will download an installer file for malware that runs locally on your system. The program is distributed in several forms that so far have taken the names "Mac Defender," "Mac Security," and "Mac Protector." When installed it will run in the background and launch pornographic Web sites and other unwanted content, and show a fairly clean and crisp-looking scanner interface that will ask you to purchase an upgrade.
If you provide your information to the program, you chance identity theft and charges to your credit cards.
Luckily the malware is fairly easy to remove, as it basically runs as a background process on your system that is launched by an action the user takes (logging in, etc.). If you have not installed any programs or opened any files downloaded from these sites, then you should be good to go and can just delete the downloaded files. If you have only visited the site and have not downloaded any files, then you do not need to do anything.
However, if you have opened the downloaded files, and especially if you are seeing the malicious behavior (unwanted pornographic sites randomly opening, or the scanner program launching and claiming you have infected files), then you will need to check for and remove the program. To remove it, follow these steps:
Shut it down.
Open the Activity Monitor utility and search for the malware (or browse through the list of running processes, sorting by name so the list does not jump around). The process should be called "MacDefender," "MacSecurity," or "MacProtector" and will be running under your own user name (see the "User" column of Activity Monitor). Reputable antivirus software, by contrast, runs under the user name "root," because it required a full installation in which you supplied your administrator credentials.
With the malware selected in Activity Monitor, click the "Quit Process" button and confirm to quit it (use the force-quit option if it will not quit).
If you prefer the Terminal, you can kill the processes by name with the following command. Note that killall matches process names exactly and is case-sensitive, so use the names as they appear in Activity Monitor (the "sudo" portion may not be needed, since the malware runs as your own user, but it ensures the system can fully kill the running processes):
sudo killall MacDefender MacSecurity MacProtector
Remove the program.
Go to the /Applications folder and move the program to the trash (it should likewise be called "MacDefender," "Mac Security," or "Mac Protector"). Also locate the installer file (likely in your Downloads directory, or wherever you have Safari store downloaded items) and move it to the trash as well. When you have done this, empty the trash.
Remove references to the program.
So far the program is launched at log-in by the system's "Login Items" feature. Go to the "Accounts" system preferences and choose your account name. Then go to the "Login Items" tab and remove any reference to the software from that list.
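The three removal steps above, gathered into one check script. This is an added example, not code from the MacFixIt article: it only reports matching processes, app bundles, installers and login items and prints the commands to run next; it deletes nothing. Everything beyond the three names the article gives is an assumption: names are matched case-insensitively with or without a space, and only /Applications and ~/Downloads are searched for files.

```shell
#!/bin/sh
# Added example (not from the MacFixIt article): a read-only checklist for the
# Mac Defender / Mac Security / Mac Protector Trojan. It reports matching
# processes, app bundles, installers and login items and prints the commands
# to run next; it deletes nothing. Assumptions not stated in the article:
# names are matched case-insensitively with or without a space, and only
# /Applications and ~/Downloads are searched for files.

# Regex covering the three names the article lists, e.g. "MacDefender" or
# "Mac Security", anywhere in a line.
BAD_NAME_RE='mac ?(defender|security|protector)'

# find_bad_processes: filter a `ps -axo user,pid,comm` listing read from stdin
# down to the lines whose command matches. The user column is kept on purpose:
# the Trojan runs as the logged-in user, whereas a real antivirus engine that
# was installed with administrator credentials runs as root.
find_bad_processes() {
    grep -iE "$BAD_NAME_RE" || true
}

# find_bad_items DIR...: list items directly inside each DIR whose name
# matches, e.g. /Applications/MacDefender.app or ~/Downloads/MacSecurity.mpkg.
# Missing directories are skipped silently.
find_bad_items() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 1 \( -iname 'mac*defender*' -o -iname 'mac*security*' -o -iname 'mac*protector*' \)
    done
}

# list_login_items: on OS X, ask System Events for the current user's Login
# Items (the same list shown in the Accounts preference pane). Prints nothing
# on systems without osascript.
list_login_items() {
    command -v osascript >/dev/null 2>&1 || return 0
    osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null
}

report() {
    echo "== matching processes (user pid command) =="
    ps -axo user,pid,comm | find_bad_processes
    echo "== matching app bundles and installers =="
    find_bad_items /Applications "$HOME/Downloads"
    echo "== matching login items =="
    list_login_items | grep -iE "$BAD_NAME_RE" || echo "(none)"
    echo
    echo "To stop the processes (killall matches names exactly and is case-sensitive):"
    echo "  sudo killall MacDefender MacSecurity MacProtector"
    echo "  sudo killall -KILL MacDefender MacSecurity MacProtector   # if they ignore the first"
    echo "Then drag the listed items to the Trash, empty it, and remove the login item."
}

# Run the report only when invoked as: sh mac_defender_check.sh --report
if [ "${1:-}" = "--report" ]; then
    report
fi
```

Run it as `sh mac_defender_check.sh --report` before and again after following the steps; the second run should list nothing. The second killall line sends SIGKILL, which a process cannot ignore, and is the command-line equivalent of Activity Monitor's force-quit option.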
With the malware removed your system should be good to go; however, there is always the possibility that the malware will change in the future and adopt a new name or a new method of trying to trick users. Generally malware is more prevalent on underground, software piracy, and pornographic Web sites, but numerous people have reported the current Trojans showing up when browsing MSN and other reputable sites. Therefore, in order to better protect yourself you may need more than basic Internet "street smarts." To better protect your system, try some of the following suggestions:
Disable auto-handling of files
Apple supplies a few options to automatically handle files, including the option in Safari to automatically open "Safe" files. Unfortunately the files that Safari considers to be "Safe" are not always so. Therefore, go to Safari's preferences and uncheck the option to open safe files.
Always manually install programs or open documents
In addition to Safari, check your other Internet-based programs such as e-mail clients, chat programs, and Web browsers to see if they automatically launch files received from the Internet. For instance, Mail has an option to automatically add iCal invites to your calendars. Turn this feature off and manually click on any received invitations only after you have confirmed they are legitimate. Do this for all files received on your system.
Install a reputable malware scanner.
There are a number of reputable malware scanners out there; choose one, install it, and keep it updated with the latest malware definitions. Some of these scanners are free, and others are commercial products (this list is not complete):
- Sophos Antivirus (Mac Home edition)--This is a reputable package that has a free "Home" version available for Mac users.
- MacScan--This is distributed by the "SecureMac" developers who run the SecureMac.com blog on Mac malware and other security threats.
- Intego VirusBarrier--Another long-standing Mac antivirus utility, VirusBarrier has tackled this threat from when it first came out.
- Kaspersky--Kaspersky is a reputable program for Windows and Linux, and also has an option for OS X users. Some virtualization programs for OS X ship with trials of Kaspersky antivirus.
- ClamXav--This is a popular and free open-source antivirus scanner.
- iAntivirus--this is a free Mac-specific virus scanner for OS X users.
- Avast--This is a commercial antivirus suite that has been developed for OS X, and is a reputable option for Windows as well.
- MacKeeper--This is a maintenance and OS tweaking tool that uses the Avira antivirus engine.
- Norton Antivirus--One of the longest-standing antivirus and security suites for OS X.
- McAfee VirusScan--McAfee's VirusScan developed from the original "Virex" for Mac, and has been developed since into a solid option for OS X users.
Set up specific downloads folders
Know where your programs download files on your system. By default most will use the Downloads folder in your home folder; however, some will place files in other locations. Here are some common locations (here "~" stands for your home folder, /Users/username):
- ~/Library/Mail Downloads
- ~/Library/Application Support (each application keeps its own subfolder here, named after the application)
In these paths the application-specific part is either the name of the application or a downloads folder designated for that application; the downloads folder for Mail, for instance, is called "Mail Downloads" and holds the attachments you have opened or saved. If possible, set up your programs to download files to the same folder so they can be easily managed. Do this for chat programs, e-mail clients, and Web browsers.
Protect your backups by excluding these download folders from them. This can be done in Time Machine's preferences or in the settings for a drive cloning utility if you use one.
Additionally, set up an antivirus utility to regularly scan these download folders for threats. If you set your scanner to check these folders "on access," it will inspect files as they are added to the folders. Currently it is not necessary to scan your whole system on access (though this is an option), but I would recommend scanning the entire user folder periodically (once a week, or once a month) to cover the less commonly used download folders that various programs you use may have set up.
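One way to put the recurring scan of the download folders on a schedule, as an added example that is not part of the article: a script that writes a per-user launchd agent running a weekly ClamAV scan (the engine ClamXav uses) over the download locations named above. The clamscan path (Homebrew's /usr/local/bin/clamscan by default; ClamXav installs its own copy elsewhere), the agent label, the Monday 09:00 schedule and the log path are all assumptions of this example, not anything the article specifies.

```shell
#!/bin/sh
# Added example (not from the MacFixIt article): install a per-user launchd
# agent that runs a weekly ClamAV scan (the engine ClamXav uses) over the
# download folders discussed above, logging only infected files.
# Assumptions not in the article: clamscan is at $CLAMSCAN (Homebrew's
# /usr/local/bin/clamscan by default; ClamXav ships its own copy elsewhere),
# and the agent label, schedule (Monday 09:00) and log path are our choice.

CLAMSCAN="${CLAMSCAN:-/usr/local/bin/clamscan}"
LABEL="local.weekly-download-scan"

# download_folders HOME: print the two download locations named in the text
# that exist under HOME, one per line. Per-application folders under
# Application Support vary too much to guess, so add those by hand.
download_folders() {
    for d in "$1/Downloads" "$1/Library/Mail Downloads"; do
        [ -d "$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# render_agent HOME: read folder paths from stdin (one per line) and emit the
# launchd plist. Each path becomes its own <string> element, so a name with a
# space such as "Mail Downloads" needs no shell quoting tricks.
render_agent() {
    home="$1"
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$LABEL</string>
    <key>ProgramArguments</key>
    <array>
        <string>$CLAMSCAN</string>
        <string>--recursive</string>
        <string>--infected</string>
        <string>--log=$home/Library/Logs/$LABEL.log</string>
EOF
    while IFS= read -r d; do
        printf '        <string>%s</string>\n' "$d"
    done
    cat <<EOF
    </array>
    <key>StartCalendarInterval</key>
    <dict>
        <key>Weekday</key>
        <integer>1</integer>
        <key>Hour</key>
        <integer>9</integer>
        <key>Minute</key>
        <integer>0</integer>
    </dict>
</dict>
</plist>
EOF
}

# install_agent: write ~/Library/LaunchAgents/$LABEL.plist and load it.
install_agent() {
    folders=$(download_folders "$HOME")
    if [ -z "$folders" ]; then
        echo "no download folders found under $HOME" >&2
        return 1
    fi
    plist="$HOME/Library/LaunchAgents/$LABEL.plist"
    mkdir -p "$HOME/Library/LaunchAgents" "$HOME/Library/Logs"
    printf '%s\n' "$folders" | render_agent "$HOME" > "$plist"
    launchctl load "$plist" && echo "installed $plist"
}

# Only install when invoked as: sh weekly_download_scan.sh --install
if [ "${1:-}" = "--install" ]; then
    install_agent
fi
```

After `sh weekly_download_scan.sh --install`, `launchctl list | grep local.weekly-download-scan` shows the agent, and only infected files end up in the log under ~/Library/Logs. The job runs as your own user, which is all it needs to read your download folders; keep the scanner's definitions updated separately, since this agent only runs the scan.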