How bad is the Mac malware scare? (FAQ)

Windows users are familiar with the fake anti-malware ruse, but this is the first time it's been targeted at the smaller Mac market. CNET tells you what MacDefender is and what it means for Macintosh users.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
MacDefender pretends to be anti-malware software that detects infections on your computer. (Image: Intego)

Macintosh users are being targeted with malware that poses as an antivirus warning and tries to trick people into paying for software they don't need.

This ruse isn't new. So-called rogue antivirus has been hitting Windows machines for years. But this is the first time this type of malware has been written to target the much smaller Mac market.

This FAQ sorts through the facts to help determine how serious the issue really is.

What is the malware?
MacDefender, also known as Mac Security and Mac Protector, is a fake antivirus program designed to scare people into thinking their computer is infected with malware and that they must pay with a credit card to clean it up. People get infected when they stumble onto Web sites hosting the malware. The malicious sites exist solely to distribute malware and are search engine optimized so they appear high in search results; they use an image related to a popular news topic as bait to lure people to the site, according to Mac antivirus firm Intego, which warned about MacDefender earlier this month. For instance, one of the sites was in the top five results this week for searches on "DSK," or Dominique Strauss-Kahn, the French head of the International Monetary Fund who was arrested on sexual assault charges last weekend, according to Intego spokesman Peter James. The malicious sites are taken down and replaced from day to day, so blocking them by address is difficult.

How widespread is the malware?
While it's definitely not an epidemic, it does seem to be hitting the radar more than other Mac malware has in the past. Ed Bott at ZDNet reports that an AppleCare support rep told him call volume on the support line was four to five times higher than normal and that most of the calls were about the malware. "It started with one call a day two weeks ago, now it's every other call. It's getting worse. And quick," the unnamed source is quoted as saying.

Bott also published what appeared to be an internal Apple document with guidance for support reps who get calls about MacDefender. It advises reps not to confirm or deny that the software has been installed and not to attempt to remove or uninstall any malware. Meanwhile, Bott reports that he found more than 200 separate discussion threads on discussions.apple.com about the matter, including comments from many who had been tricked into installing the malware. He offers juicy tidbits from those discussions in his post.

Intego said it had been contacted by a "huge number" of customers worried about the malware, and that it had collected dozens of samples of the code. "The news stories were making it worse because it makes Mac users worried and they are more convinced that the fake antivirus warning is real," Intego spokesman James said in an interview today. "It's a self-perpetuating process."

Apple declined to provide comment for this story.

How does it work?
The malware has gone through several changes, so the screens and wording differ by version. An early version displayed some fake Windows screens; later versions switched to an Apple-style interface. Typically, when you click one of the malicious images you are redirected to a site where JavaScript runs and starts the download of the program. A warning pops up saying something like "suspicious activity has been detected on the machine," or that "Apple Web Security" has detected malware on the machine and is offering to remove it. Clicking "OK" launches what looks like a scan of the machine, after which you are told the machine is infected; clicking "OK" again launches what looks like a Mac OS installer, which asks for your administrator password. Typing it in installs the malware, which then displays another fake scan with alerts about supposed infections. To "clean up" the infections, you are required to register the software, and registration asks for credit card information, according to Intego. Nothing is installed until the administrator password is entered; the in-browser "scan" is just a Web page.

In other versions, just visiting the site downloads a zip file containing an installer package (.mpkg) with a name like "MacDefender" or "MacSecurity." If your Mac is set up to automatically open "safe" files after downloading, Safari unzips it and launches the installer, which offers to guide you through the installation process. Clicking "continue" displays another screen that asks for your administrator password, and the application is launched. A window then says your machine is infected and offers to clean it up if you register and provide credit card information.

After installation, a menu item is added to the Mac OS X menu bar. The icon looks like a small orange shield that turns red and flashes when it "finds" viruses. If you fail to "register" and provide your credit card information, the malware starts opening porn pages in your browser to pressure you into paying. It also adds itself as a login item, so it relaunches every time you log in to your Mac until it is removed. It does not install a Dock icon, so there is no obvious way to quit it; you will need to end the process in Activity Monitor before removing the malware. Intego created a video demonstration showing how the malware works.

What can I do to protect myself?
Don't visit untrusted Web sites, especially ones that could be preying on a hot news topic. Don't install programs unless they come from a reputable source, and don't supply your administrator password except when you are intentionally installing software from a trusted source: no Web page can install software on a Mac by itself, so a password prompt that follows a "scan" in your browser is the tell. Consider setting up two accounts, an administrator account and a standard account for everyday use; a standard account cannot authorize an install with its own password, so the malware's installer would have to ask for the administrator's name and password, which is much harder to mistake for a routine prompt. In Safari, under Preferences, uncheck the "Open safe files after downloading" box so a downloaded archive is not unpacked and launched automatically. Consider using antivirus software such as Intego's or ClamXav, which is free.

If an installer appears out of nowhere, quit it rather than clicking through. Quit out of odd warnings and pop-ups by clicking the red dot in the upper corner of the window, particularly if the "back" or "cancel" option is grayed out. Move any suspicious-looking files related to MacDefender from your Downloads folder to the Trash. Never provide your credit card number through an application like this.

If you have already provided your credit card information, call your financial institution immediately and have the card canceled. My colleague Seth Rosenblatt explains how to remove the malware in a blog post. And there is more information on how to protect against MacDefender on the TUAW site and BleepingComputer.com.
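For readers who would rather check these things from Terminal than click through Safari's preferences and Activity Monitor, here is an added shell script that walks the three points above (the Safari auto-open setting, suspicious downloads, and the process and login item the malware leaves behind). It is an example written for this FAQ, not code from CNET, Intego, or Apple. It assumes the product names the article reports (MacDefender, MacSecurity, MacProtector); Safari's AutoOpenSafeDownloads preference key, which is the "Open safe files after downloading" checkbox and whose name comes from Safari's own defaults rather than from the article; the standard ~/Downloads location; and the function and file names, which are ours. It reports rather than deletes, so you can confirm what the article describes before removing anything.

```shell
#!/bin/sh
# Triage helper for the MacDefender family on Mac OS X. Added example; not code from
# CNET, Intego or Apple. Assumed (not from the article): the Safari preference key
# AutoOpenSafeDownloads, the ~/Downloads location, and every function name below.

# Product names the article reports for the fake AV, with or without a space.
SUSPECT_PATTERN='[Mm]ac[ ]?[Dd]efender|[Mm]ac[ ]?[Ss]ecurity|[Mm]ac[ ]?[Pp]rotector'

# is_suspect_name NAME: exit 0 if NAME matches one of the known product names.
is_suspect_name() {
    printf '%s\n' "$1" | grep -Eq "$SUSPECT_PATTERN"
}

# find_suspect_downloads DIR: print archives, installer packages and apps under DIR
# (two levels deep, to catch an already-unzipped .mpkg) whose name matches the family.
find_suspect_downloads() {
    dir="$1"
    find "$dir" -maxdepth 2 \( -name '*.zip' -o -name '*.mpkg' -o -name '*.pkg' -o -name '*.app' \) \
        -print 2>/dev/null | grep -E "$SUSPECT_PATTERN" || true
}

# safari_auto_open_state: print "on", "off" or "unavailable" (not macOS). Safari ships
# with the option enabled, so a missing key counts as on.
safari_auto_open_state() {
    command -v defaults >/dev/null 2>&1 || { echo unavailable; return 0; }
    v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null) || v=1
    case "$v" in
        0|false|FALSE|NO|no) echo off ;;
        *) echo on ;;
    esac
}

# disable_safari_auto_open: the fix the article recommends, done from the command line.
disable_safari_auto_open() {
    command -v defaults >/dev/null 2>&1 || return 0
    defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
}

# suspect_processes: PIDs and command lines of running MacDefender-family processes.
# The malware has no Dock icon, so this is the Terminal equivalent of hunting for it
# in Activity Monitor.
suspect_processes() {
    command -v pgrep >/dev/null 2>&1 || return 0
    pgrep -l -f "$SUSPECT_PATTERN" 2>/dev/null || true
}

# login_items: the user's login items, where the malware registers itself to relaunch.
login_items() {
    command -v osascript >/dev/null 2>&1 || return 0
    osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null || true
}

# triage [DOWNLOADS_DIR] [--fix]: report everything; --fix also disables Safari auto-open.
triage() {
    downloads="${1:-$HOME/Downloads}"
    echo "Safari 'Open safe files after downloading': $(safari_auto_open_state)"
    echo "Suspect files under $downloads:"
    find_suspect_downloads "$downloads"
    echo "Suspect running processes:"
    suspect_processes
    echo "Login items:"
    login_items
    [ "$2" = "--fix" ] && disable_safari_auto_open && echo "Safari auto-open disabled."
    return 0
}

case "$0" in
    *macdefender_triage.sh) triage "$@" ;;
esac
```

Save it as macdefender_triage.sh and run `sh macdefender_triage.sh` to report, or `sh macdefender_triage.sh ~/Downloads --fix` to also turn off Safari's auto-open. On a machine without `defaults`, `pgrep` or `osascript` those checks simply report unavailable, so the file-name check can be exercised anywhere. Two caveats: the name match only covers the names Intego has reported so far, and Intego says the sites and samples change daily, so a clean report is not proof of a clean machine; and a process you do find should be killed before you trash its files, since the article notes it relaunches at each login.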

Does this mean the Mac is not secure?
No. It means that criminals who used to focus on Windows machines to reach the most potential victims are now targeting the Mac too. Around the same time MacDefender first appeared, a new crimeware kit showed up on criminal underground sites that makes it easy to write botnet malware for Mac OS X, according to security blogger Brian Krebs. And yesterday, security researcher Joshua Long argued in a blog post that the Mac App Store is putting users at risk after he found outdated versions of software there, including at least one with a critical security hole.

But others, like blogger John Gruber, insist that the reports that Mac security is taking a hit are mere hype. Ars Technica's Jacqui Cheng talked to a bunch of third-party Mac support specialists who said they had not seen a noticeable spike. She also talked to some Apple Store support staffers who said the opposite, including one who said he had never had to remove a virus or malware from a Mac until this month.

Macs are not inherently more secure than Windows, says security expert Charlie Miller, who has successfully attacked Safari on the Mac in three Pwn2Own contests over the past few years. In the case of MacDefender, the malware requires user action and does not exploit a vulnerability in the Mac OS. In addition, Macs have built-in antivirus (the check Mac OS X runs against a short list of known malware signatures when a downloaded file is opened), although that does not appear to be protecting against MacDefender, he added.

"There are about 10 pieces of malware that have been written for the Mac, while Microsoft says that one in 14 downloads (on PCs) is malicious," he said. "So, it's big news because it's rare."