MacProtector is yet another MacDefender variant

Published May 7th, 2011 at 7:04 AM EDT, modified March 5th, 2013 at 2:38 PM EST

A number of people are reporting yet another MacDefender variant this morning.  This time, it’s named MacProtector, but it sounds like the method of operation is the same.  Mac users should be on their guard against an attack of this type, regardless of the name.  (If you haven’t been following along, see all my coverage of the MacDefender trojan.)

If anyone can send me a link where MacProtector can be found, so I can verify that it behaves the same as MacDefender, please do!

Edit: Thanks to pieinoz for pointing me to just the right search terms to use on Google Images to find MacProtector.  As I suspected, it does appear to be nothing more than a variant of MacDefender.  After updating my ClamXav definitions this morning, I found that it will detect both MacSecurity and MacProtector.

9 Comments

  • Mark says:

    Hey, any ideas what other tokens or files MacDefender variants install besides the launch agent and app? Here’s why. At my work, we purposely infected a Mac with a MacSecurity variant. I was able to “buy” the software with a special Visa testing number that it took. The app did confirm it was now registered and my Mac was (miraculously) clean! However, then I followed the manual removal. Killed MacSecurity processes, removed startup items, removed app. Restarted. Then I wanted to test and see what would happen exactly when I refuse to register (expecting to get taken to porn sites).

    However, when I reinstalled the pkg, MacSecurity says it’s registered still and all is well. This leads me to believe MacSecurity is still either communicating with a server or installed another file that we have yet to find.

    Any solutions would be very helpful.

    • Thomas says:

      I imagine it probably also left behind a preference file. I didn’t bother to look for the preference file, since it wouldn’t really do anything other than just sit there taking up a tiny amount of space. If you find it, post back what it’s called and where it can be found!

  • Mark says:

    Found it. Also installs a plist and a folder in ~/library/caches

    the folder is called “alppe.it” it has a .db file inside. Currently looking to see what’s in that.

    The plist is com.alppe.it.plist

  • Mark says:

    We also determined it adds an entry to the cookies.plist file that is inside ~/library/cookies

  • Kathy says:

    MacProtector installed itself on my computer. I found in library/caches a folder called “com.aple.sv” which also has a .db file inside it. Would this be the same as your “alppe.it” folder? I am wondering if I should delete it or is it supposed to be there?

  • David says:

    Having been “conned” into buying this I’m told that payment is to WWW.BROWSE4SOFT.COM and their customer support phone number is given as: +1-800-959-40-31.

    [Editor’s note: I have not verified this information, and allowing it to be posted should not be taken as endorsement of its accuracy. However, I have heard someone else report www.browse4soft.com as being associated with this malware.]

  • Bill says:

    I just got infected with MacProtector on my MacBook, and don’t know how to get rid of it. HELP!!!!!

  • cheryl says:

    This article was very helpful, as well as the article about identifying and removing MacDefender Trojans. Something called MacProtector automatically downloaded while I was browsing the internet. This happened twice already. Anyway, I saw a window that said “To help protect your computer, Apple Web Security have detected Trojans and ready to remove them.” with a Remove all button. So I pressed remove all and I saw that it wanted me to install something. That was suspicious, even if the red flashing words said I had 65 viruses and 10 threats. (Now I’m not very computer savvy, so it was very tempting to install.) Anyway, I called Apple because I was concerned that my computer may have a virus or something. They had no idea what it was and told me to google it (really..? lol, thanks for the help Apple)

    Is there any way to prevent it from downloading without my knowledge? The websites I was browsing when this happened were college websites, which I have always assumed are very safe.
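
As an added example (not part of the original post or its comments), this shell function reports the leftover items the commenters above name: the cache folders "alppe.it" and "com.aple.sv", any .db files inside them, and com.alppe.it.plist. The function names and the `--scan` argument are hypothetical, and searching all of ~/Library for the plist is an assumption, since the comments do not say which directory it sits in.

```shell
#!/bin/sh
# Added example: report MacDefender-family leftovers named in the comments.
# The names come from the commenters' reports; treating them as indicators
# on other machines is an assumption, since variants may use other names.

# find_residue HOME_DIR -> prints one "kind<TAB>path" line per item found
find_residue() {
    home=$1
    lib="$home/Library"
    [ -d "$lib" ] || return 0

    # Cache folders reported by Mark ("alppe.it") and Kathy ("com.aple.sv").
    if [ -d "$lib/Caches" ]; then
        for name in alppe.it com.aple.sv; do
            dir="$lib/Caches/$name"
            [ -d "$dir" ] || continue
            printf 'cache-dir\t%s\n' "$dir"
            # Both commenters saw a .db file inside; list any for inspection.
            find "$dir" -type f -name '*.db' | while IFS= read -r db; do
                printf 'cache-db\t%s\n' "$db"
            done
        done
    fi

    # Mark's plist: its directory is not stated, so search under Library.
    find "$lib" -type f -name 'com.alppe.it.plist' 2>/dev/null |
    while IFS= read -r plist; do
        printf 'plist\t%s\n' "$plist"
    done
}

# count_residue HOME_DIR -> prints the number of items found
count_residue() {
    find_residue "$1" | wc -l | tr -d ' '
}

# Hypothetical entry point: "script.sh --scan [HOME_DIR]" scans a home folder.
if [ "${1:-}" = "--scan" ]; then
    find_residue "${2:-$HOME}"
fi
```

Nothing is deleted; the output is a list of paths to review before removing anything by hand.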
