New MacDefender variant: MacSecurity

Published May 6th, 2011 at 12:53 PM EDT, modified March 5th, 2013 at 2:39 PM EST

A new variant of MacDefender has appeared, called MacSecurity.  The name is different, as is the appearance of the fake “anti-virus scan” website.  However, in all other respects, it is the same as MacDefender, as far as I can tell.

MacSecurity comes packaged in a file named anti-malware.zip, inside of which is an installer called MacSecurity.mpkg.  This file is automatically downloaded from the site as soon as you visit, rather than requiring a click on a page element.  Once again, downloading this file opens it immediately if Safari’s Open “safe” files after downloading option is turned on.  As before, I recommend you turn this option off.

The site appearance is more Mac-like, which may prove to be less of a tip-off to unsavvy users.

Like Linc Davis, I did not choose to run the installer, but extracted the app from the .mpkg file manually.  Running the app resulted in being shown a window with a fake anti-virus scan:

There is also no way to quit MacSecurity, even through the menu item that is added to the menu bar:

Removal, as best I can determine, only involves quitting the app via Activity Monitor (in the /Applications/Utilities folder) and then deleting the app itself.  Look for an app named MacSecurity with an icon like this:

For more on the MacDefender outbreak, see other posts in my Tech News blog.
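
The check described above (look for the app by name, both running and on disk) can be scripted. This is an added example, not part of the original post: the names are the ones mentioned on this page, the scanned directories are assumptions, and an unknown variant with a different name will not match.

```shell
#!/bin/sh
# Added example (not from the original post): check for the fake anti-virus
# apps named on this page, on disk and in the process list.
# Names come from the post and its comments; an unknown variant will not match.
FAKE_AV_NAMES="macdefender macsecurity macprotector"

# Print .app bundles under the given directories whose name matches a known
# variant, ignoring case. -maxdepth 2 avoids descending into bundle contents.
find_fake_av_apps() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for name in $FAKE_AV_NAMES; do
            find "$dir" -maxdepth 2 -type d -iname "$name.app" -print 2>/dev/null || true
        done
    done
}

# Read "PID COMMAND" lines (as printed by `ps -A -o pid=,comm=`) on stdin and
# print those whose executable name matches a known variant, ignoring case.
find_fake_av_procs() {
    while read -r pid comm; do
        lower=$(printf '%s' "${comm##*/}" | tr '[:upper:]' '[:lower:]')
        for name in $FAKE_AV_NAMES; do
            if [ "$lower" = "$name" ]; then
                printf '%s %s\n' "$pid" "$comm"
            fi
        done
    done
}

# Report findings for the given directories; returns 1 if anything matched.
scan_report() {
    apps=$(find_fake_av_apps "$@")
    procs=$(ps -A -o pid=,comm= 2>/dev/null | find_fake_av_procs)
    if [ -z "$apps" ] && [ -z "$procs" ]; then
        echo "No MacDefender/MacSecurity/MacProtector app or process found."
        return 0
    fi
    [ -z "$apps" ] || printf 'App bundles to delete after quitting:\n%s\n' "$apps"
    [ -z "$procs" ] || printf 'Running processes (quit via Activity Monitor):\n%s\n' "$procs"
    return 1
}

# Directories are assumptions about where the app may have been installed.
scan_report /Applications "$HOME/Applications" "$HOME/Downloads" || true
```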


3 Comments

  • jeff says:

    I looked for the app via Activity Monitor (in the /Applications/Utilities folder) and could not find it…what now?

  • Al Varnell says:

    [VirusTotal has a listing that] is apparently the third version called MacProtector.
    [Link edited by host]

  • Thomas says:

    Jeff, note that these trojans are fairly straightforward… if you don’t see an app named MacDefender, MacSecurity, or apparently now MacProtector (or something similar if there’s an undiscovered fourth variant), then you’re not infected.
