Mac antivirus and security developer Intego has issued a blog report on a new malware threat for OS X systems called "MacDefender" that has surfaced. The threat is a Trojan horse that is being targeted to Mac systems through "Search Engine Optimization (SEO) poisoning" efforts, and uses Safari's "Open Safe Files" feature to run the installer for the malware.
SEO Poisoning takes advantage of common search terms that Google, Yahoo, Bing, and other search engines use to present results, and forces a malicious Web page to the top of the search provider's results page. If you then click the link to the malicious Web page, harmful scripts and routines are then attempted on your system.
In this case, the malware sites are taking advantage of Safari's "Open Safe Files" feature to download a ZIP file containing the MacDefender malware installer, which is then launched automatically by Safari.
It is unknown what the MacDefender malware does, but in this case it appears that the attackers are attempting to further trick users by disguising the malware as a legitimate anti-malware scanner.
Be sure to never install software that automatically downloads from the Internet. If you see the installer screen for MacDefender show up, or any other installer window without your prior intent to install the software, be sure to quit the installer. Force-quit it if you have to by pressing Option-Command-Escape to bring up the force-quit window. This will ensure you do not interact with the installer's interface, which in itself may be suspect.
If you have installed the MacDefender software, you should be able to uninstall the software by searching for and removing any references to "MacDefender" on your system. You may want to check the following locations for files that MacDefender may have installed:
Applications folder: Go to the Applications folder (and subfolders like "Utilities") and remove any folder or application that is associated with MacDefender. List folder contents by date modified or created, to see if any files have been put there recently, and remove them.
Login Items: Go to the "Login Items" section of the Accounts system preferences and remove any reference to MacDefender in there. Do this for all accounts on the system.
Activity Monitor: Open Activity Monitor and sort the list of running processes by name. Then locate any that you suspect are associated with MacDefender and force-quit them. Unfortunately this may be more difficult to do if the name of the running process is different than MacDefender, but it is worth a shot.
Launch agents and daemons:Go to the following folders and see if any launch daemon or agent property list files reference MacDefender (open them and search through them if necessary). Do this for all files located in the following directories, but be sure you only remove the files that clearly are associated with MacDefender. If you remove others you will disable OS X features that may destabilize your system:
Antivirus definitions for Intego's VirusBarrier X6 software are being updated to address this threat, and it is likely that other legitimate antivirus software companies are doing the same for their programs. Therefore, if you run VirusBarrier or other antivirus utilities then be sure to check for an update soon, and run a full scan on your system to remove the MacDefender malware.
While this threat is a new attack attempt on OS X users, its threat level is relatively low because it does require a fair amount of user interaction to install the malware. You have to first provide the correct search terms to the search engine, and then proceed with the installation by manually clicking the buttons in the installer window. As long as you avoid doing this for software you have not purposefully downloaded, then you should be good to go.
An additional security point is that threats like this will have a more difficult time affecting your system if you run your system in a Standard or Managed account instead of an administrator account. This will ensure that even if threats are installed they will have a more difficult time accessing vital or private components of your system.
Finally, if you are concerned about this and similar threats, be sure to uncheck Safari's "Open safe files after downloading" option that is available in the "General" section of the Safari preferences. Doing this will prevent Safari from automatically launching malware files that have been disguised as legitimate documents, disk images, or archives.
Update, 9 a.m. PT: This threat is not related to the MacDefender geocaching Web site that distributes the GCStatistic and DTmatrix geocaching tools.
Update No. 2, 11 a.m. PT: This malware appears to be a scam software suite more than a direct security breach. When the program is installed it will regularly launch pornographic Web sites in an attempt to fool you that you have a virus installed, and then offer you options to upgrade the software for a sum of money. The program's interface is well made and looks professional, which is clearly used to help coerce people in the scam.
The program has a few characteristics, including that it does not show a Dock icon (this is relatively easy to implement in any program) and also places a menu extra in the system toolbar. Most malware for OS X has tried to remain hidden, but this one is a full and visible attempt to scam you.
Ultimately this type of scam is nothing new to computer systems, and has been around Windows PCs and Macs for a while (albeit primarily Web and e-mail based). This is perhaps the first time it has surfaced as an installable program for OS X, though.