Mac Defender

Mac Defender (also known as Mac Protector, Mac Security, [1] Mac Guard, [2] Mac Shield, [3] and FakeMacDef) [4] is a rogue security program, distributed over the internet, that targets computers running macOS. The Mac security firm Intego discovered the fake antivirus software on 2 May 2011; Apple did not provide a patch until 31 May. [5] The software has been described as the first major malware threat to the Macintosh platform, although it does not attach to or damage any part of OS X. [6] [7] [8] [9] [10] [11] It is, however, not the first Mac-specific Trojan, and it is not self-propagating.

A variant of the program, known as Mac Guard, has been reported which does not require the user to enter a password to install the program, [12] although one still does have to run the installer. [13]

Symptoms

Users typically encounter the program when opening an image found through a search engine. It appears as a pop-up claiming that viruses have been detected on the user's computer and suggests downloading a program which, if installed, sends the user's personal information to unauthorized third parties.

The program is spread through malicious links placed by search engine optimization poisoning on sites such as Google Image Search. [14] When a user follows such a link, a fake scanning window appears, originally styled as a Windows XP application, [14] but later in the form of an "Apple-type interface". [15] The window falsely appears to scan the system's hard drive. [14] The user is then prompted to download a file that installs Mac Defender, and is subsequently asked to pay US$59.95 to US$79.95 for a license for the software. [14] Rather than protecting against viruses, Mac Defender hijacks the user's web browser to display pornography-related sites, and also exposes the user to identity theft by passing the credit card information on to the attacker. [14] [16] A newer variant installs itself without requiring the user to enter a password. [17] Even when no password is required, all variants still require the user to actively click through an installer to complete installation. [18]

Origin

The software has been traced, through German websites that have since been closed down, to the Russian online payment processor ChronoPay. Mac Defender was linked to ChronoPay through the email address of ChronoPay financial controller Alexandra Volkova, [19] which appeared in the domain registrations for mac-defence.com and macbookprotection.com, the two websites to which Mac users were directed to purchase the security software. ChronoPay is Russia's largest online payment processor. The websites were hosted in Germany and were suspended by the Czech registrar Webpoint.name. ChronoPay had earlier been linked to another scam in which users involved in file sharing were asked to pay a fine. [20] [21]

Apple response

According to Sophos, by 24 May 2011 there had been sixty thousand calls to AppleCare technical support about Mac Defender-related issues, [22] and Ed Bott of ZDNet reported that the volume of calls to AppleCare had increased because of Mac Defender and that a majority of the calls at that time concerned it. [23] AppleCare employees were told not to assist callers in removing the software. [24] Specifically, support employees were told not to instruct callers on how to use Force Quit and Activity Monitor to stop Mac Defender, and not to direct callers to any discussions of the problems it caused. [22] An anonymous AppleCare support employee said that Apple instituted the policy to prevent users from relying on technical support instead of anti-virus programs. [24]

Although AppleCare employees had initially been told not to help callers remove the software, Apple later promised a software patch. [25] On 24 May 2011 Apple issued instructions on preventing and removing the malware. [26] Mac OS X Security Update 2011-003 was released on 31 May 2011; it includes not only automatic removal of the trojan and other security fixes, but also a new feature that automatically updates malware definitions from Apple. [1]

References

  1. "About Security Update 2011-003". 31 May 2011. Retrieved 31 May 2011.
  2. "Intego Mac Security Blog". 25 May 2001. Archived from the original on 27 May 2011. Retrieved 27 May 2011.
  3. "Mac malware morphs to 'MacShield'". Technolog. MSNBC. Archived from the original on 6 June 2011. Retrieved 5 June 2011.
  4. "Threat Description: Rogue:OSX/FakeMacDef.A". F-Secure. Retrieved 11 February 2013.
  5. Hamburger, Ellis (2 May 2011). "WARNING: This Mac App Is Stealing Credit Card Numbers" . Retrieved 7 December 2011.
  6. "Macs face first virus threat". techday.co.nz. 4 May 2011. Archived from the original on 9 October 2011. Retrieved 27 May 2011.
  7. "Say hello to MAC Defender, the first major widespread piece of Mac based malware". left-click.us. Archived from the original on 26 June 2012. Retrieved 27 May 2011.
  8. Dachis, Adam (25 May 2011). "How to Protect Your Computer from Mac Defender and Its Counterparts". Mac Defender has been making a lot of noise as one of the first major Mac security threats. lifehacker.com.
  9. Dan Moren (2 May 2011). "New Mac Trojan horse masquerades as virus scanner". macworld.com.
  10. Trenholm, Richard (20 May 2011). "Mac Defender fake antivirus software is first major attack on Apple computers". CNET. Retrieved 17 January 2023.
  11. "Mac Defender fake antivirus software is first major attack on Apple computers". crave.cnet.co.uk. Archived from the original on 22 July 2011. Retrieved 27 May 2011.
  12. "Mac Guard: Apple users hit by second Mac malware scam". Christian Science Monitor Horizons blog. 26 May 2001.
  13. "New Mac Defender Variant, MacGuard, Doesn't Require Password for Installation". Mac Security Blog from Intego. 25 May 2011. Archived from the original on 27 May 2011. Retrieved 27 May 2011.
  14. Wisniewski, Chester (2 May 2011). "Mac users hit with fake anti-virus when using Google image search". Naked Security. Sophos. Retrieved 24 May 2011.
  15. Mills, Elinor (19 May 2011). "How bad is the Mac malware scare? (FAQ)". CNET.
  16. Chen, Brian X. (19 May 2011). "New Mac Malware Fools Customers, But Threat Still Relatively Small". Wired. Condé Nast Digital. Retrieved 24 May 2011.
  17. "New Mac Defender Variant, MacGuard, Doesn't Require Password for Installation". The Mac Security Blog » INTEGO SECURITY MEMO. Archived from the original on 27 May 2011. Retrieved 27 May 2011.
  18. "New Mac Defender Variant, MacGuard, Doesn't Require Password for Installation". The Mac Security Blog » INTEGO SECURITY MEMO. Archived from the original on 27 May 2011. Retrieved 27 May 2011.
  19. "Apple takes on Mac Defender Scam". International Business Times. 29 May 2011.
  20. "MacDefender Scareware Linked to Russian Payment Site". News & Opinion. PCMag.com.
  21. "Russia's ChronoPay Executive Linked to Mac Defender Scam". International Business Times.
  22. Wisniewski, Chester (24 May 2011). "Apple support to infected Mac users: 'You cannot show the customer how to stop the process'". Naked Security. Sophos. Retrieved 24 May 2011.
  23. Bott, Ed (18 May 2011). "An AppleCare support rep talks: Mac malware is "getting worse"". ZDNet. Retrieved 24 May 2011.
  24. Cluley, Graham (18 May 2011). "Malware on your Mac? Don't expect AppleCare to help you remove it". Naked Security. Sophos. Retrieved 24 May 2011.
  25. "Mac malware authors release a new, more dangerous version". zdnet.com. 25 May 2011.
  26. "How to avoid or remove Mac Defender malware". 24 May 2011. Retrieved 1 June 2011.