Published May 2nd, 2011 at 7:12 AM EDT, modified May 7th, 2011 at 7:17 AM EDT
MacDefender has been noticed by security companies this morning. Intego reps are posting on Apple Support Communities looking for samples of this trojan, and Intego has posted a blog entry describing what they have discovered. Apparently, this trojan is somehow downloaded after people searching the Google Images database get redirected to a malicious site. How the installer ends up running by itself is unknown, but it may point to a security hole in Safari.
Safari has an option in the General pane of its preferences to open “safe” files after downloading. As stated in the description of that preference item, “safe” files should only include certain kinds of documents. Any application, including an installer, would definitely not be considered safe. However, somehow, MacDefender’s installer is being opened by Safari, which is extremely concerning. For now, turning this option off by making sure the box is not checked, as shown here, would be advisable.
Of course, installation cannot proceed from there without entry of an administrative password by the user. However, many people have been scared into doing just that. It is important to remember to never give your password to an installer you did not open intentionally. It should also be noted that there are many similar fake anti-virus scams out there. Keep in mind that nothing can scan your hard drive for viruses without already being installed!
One thing that is not yet clear is how this installer is slipping past Quarantine, which should be warning the user that the application was downloaded and ask if it should really be opened. (For more info about Quarantine, see my Mac Virus Guide.)
Edit: I have received confirmation from a developer on the Apple Support Communities that a zipped .pkg file will indeed unzip and run on its own in Safari, if the above option is turned on, and will not trigger a Quarantine warning. I have also found further information about what it does. Apparently, once installed, it pretends quite convincingly to be real anti-virus software, even causing strange behavior (opening porn sites in your web browser every few minutes) and reporting that it has found the virus responsible. In order to actually remove the “virus” that it has found, you have to provide a credit card (apparently via unsecured web site) to “purchase” the app.
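The two mechanisms discussed above, Safari's "Open 'safe' files after downloading" preference and the Quarantine attribute, can both be inspected from a script. The following is an added example and not code from the original post: it reads the setting Safari stores under the `AutoOpenSafeDownloads` key of `com.apple.Safari.plist`, decodes the `com.apple.quarantine` extended attribute that the download warning depends on, and reports which of the two protections is missing. The plist bytes and attribute values are constructed samples so the script runs offline; on a real Mac the same data comes from `defaults read com.apple.Safari AutoOpenSafeDownloads` and `xattr -p com.apple.quarantine <file>`.

```python
"""Defender-side checks for the MacDefender delivery path (added example).

Assumptions, labelled here because they are not stated in the post:
  * Safari keeps the "Open 'safe' files after downloading" checkbox in
    ~/Library/Preferences/com.apple.Safari.plist under AutoOpenSafeDownloads,
    and ships with it enabled, so a missing key is treated as "on".
  * A com.apple.quarantine value has the form "flags;timestamp;agent;uuid",
    with flags and the Unix timestamp written in hexadecimal.
"""
import plistlib
from datetime import datetime, timezone

SAFARI_AUTOOPEN_KEY = "AutoOpenSafeDownloads"

# Constructed sample preference files: the weak (default) setting and the
# hardened one the post recommends.
WEAK_PLIST = plistlib.dumps({SAFARI_AUTOOPEN_KEY: True})
HARDENED_PLIST = plistlib.dumps({SAFARI_AUTOOPEN_KEY: False})

# Constructed sample attribute as Safari would stamp on a download
# (0x4dbe5e0a is a Unix time in May 2011; the UUID is made up).
SAMPLE_QUARANTINE = "0081;4dbe5e0a;Safari;0D3F2A11-6B2C-4C7E-9E0A-1234567890AB"


def safari_autoopen_enabled(plist_bytes: bytes) -> bool:
    """True when Safari will open 'safe' downloads (including zipped .pkg
    files) without asking. Absence of the key means the default, enabled."""
    prefs = plistlib.loads(plist_bytes)
    return bool(prefs.get(SAFARI_AUTOOPEN_KEY, True))


def parse_quarantine(value: str) -> dict:
    """Split a com.apple.quarantine value into its fields.

    Only the first two fields are mandatory; agent and uuid may be absent.
    """
    parts = value.split(";")
    if len(parts) < 2:
        raise ValueError("not a quarantine attribute: %r" % value)
    return {
        "flags": int(parts[0], 16),
        "timestamp": datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc),
        "agent": parts[2] if len(parts) > 2 else "",
        "uuid": parts[3] if len(parts) > 3 else "",
    }


def audit(plist_bytes: bytes, downloads: dict) -> list:
    """Return a list of findings for a Safari plist and a mapping of
    downloaded file path -> quarantine value (None when the xattr is absent).
    An empty list means both protections are in place."""
    findings = []
    if safari_autoopen_enabled(plist_bytes):
        findings.append(
            "Safari AutoOpenSafeDownloads is enabled; fix with: "
            "defaults write com.apple.Safari AutoOpenSafeDownloads -bool false"
        )
    for path, value in downloads.items():
        if value is None:
            findings.append(
                "%s: no com.apple.quarantine attribute, so the "
                "'downloaded from the Internet' warning will not appear" % path
            )
            continue
        info = parse_quarantine(value)
        if not info["agent"]:
            findings.append("%s: quarantine attribute has no downloading agent" % path)
    return findings


if __name__ == "__main__":
    sample_downloads = {
        "/Users/demo/Downloads/MacDefender.pkg": None,          # constructed
        "/Users/demo/Downloads/report.pdf": SAMPLE_QUARANTINE,  # constructed
    }
    for line in audit(WEAK_PLIST, sample_downloads):
        print("FINDING:", line)
    print("hardened plist findings:", audit(HARDENED_PLIST, {"/tmp/x": SAMPLE_QUARANTINE}))
```

The audit deliberately treats a missing `AutoOpenSafeDownloads` key as enabled, since that is the shipping default and the setting only appears in the plist once a user has changed it; the quarantine decoder stops at field parsing and does not interpret individual flag bits, which vary across OS X releases.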
I strongly recommend to anyone who has “bought” this software to immediately contact your credit card company and cancel the card, since there is no guarantee that you will only be charged what the software claims it will cost, and since the transaction was not secure, there’s no guarantee some second malicious party didn’t intercept your credit card information.
I haven’t heard anything further regarding Fast Windows Antivirus. I’m unclear as to whether folks were misidentifying MacDefender, whether there’s some relationship involved (perhaps two different trojans with the same code base but different names) or if that was just noise. In any case, turn off Safari’s Open “safe” files after downloading option (or use a different browser, such as Firefox) and be on your guard against mysterious installers, regardless of what they are called. And install any security updates coming out of Apple, hopefully in the near future.
Tags: Mac OS X, MacDefender, malware, trojan