MacDefender malware protection and removal guide
Screenshot thanks to @jaythenerd
The MacDefender malware has been causing trouble for Mac users all over the world; people are calling Apple Support in a panic, spending time with their local Apple Store Genius, and getting stressed out about it. The irony is that the malware is mostly harmless to your computer. It's a scam designed to harvest your credit card number, not to damage your Mac (not that the theft of your card details is a good thing).
The attack displays a message claiming that your machine is infected with viruses that only a "MacDefender" app can remove. It has been spreading rapidly; most people encountering it arrive via Google image searches whose results have been 'poisoned' to redirect to the malware download. MacDefender doesn't infect Macs with a virus, nor does it run a keylogger as a background process. It simply tries to scare users into paying to "register" a useless piece of software, handing over their credit card details in the process. MacSecurity and MacProtector are the same scam, differing in name only.
It's been reported by ZDNet's Ed Bott that Apple is telling support reps not to assist with removing this malware. You're on your own, but TUAW is here to help you. Read more to find out how to protect yourself from MacDefender, what a MacDefender attack looks like, and how to remove the app if it is installed on your Mac.
Protecting yourself from MacDefender
You can limit your exposure to these kinds of scams. The download relies on Safari's option to open "safe" files automatically, so follow these steps to turn that off:
1 - Launch Safari.
2 - Select Preferences > General from the Safari menu.
3 - Uncheck the "Open 'safe' files after downloading" box found in the area I've outlined in red below:
With this box unchecked, the downloaded archive is no longer unzipped and launched automatically; it just sits in your Downloads folder, where you can drag it to the Trash and then Empty Trash to remove it. Keeping your Downloads folder clean makes it easier to notice new files that arrived without your approval.
How do you know when MacDefender or any of its variants are attacking your Mac? Read the next section for details.
What a MacDefender attack looks like
Once your browser has been redirected to the malicious site, you'll see a page very similar to the one at the top of this post, telling you that your Mac is infected with viruses. As with the app names, the scammers keep changing the look of these pages, so don't expect yours to match the screenshot exactly.
Usually, just visiting the bad website downloads a file to your hard drive. That file is generally named something like BestMacAntivirus2011.mpkg.zip or anti-malware.zip, but the name varies. Keep your Downloads folder clean so that a new download (which makes the Downloads icon "bounce" in the Dock) catches your attention. Inside the archive is an installer package with an .mpkg extension named MacDefender, MacSecurity, or MacProtector. If you see either the archive or the .mpkg in your Downloads folder, drag it to the Trash, empty the Trash, and you've kept the malware off your Mac.
If your Mac is set up to automatically open "safe" files, you still have a chance to keep MacDefender off your machine. In this case, the file is unzipped and the installer package (a file with an .mpkg extension) launches. You're going to see a standard installer window that looks something like this (note: this is the MacSecurity variant pictured):
Sure, this looks pretty official, but do not click the Continue button. You have a chance to save yourself from MacDefender at this point by just quitting the installer, and then throwing away the .mpkg file in your Downloads folder.
Let's say you click Continue anyway. At this point you've opened the door to MacDefender and its variants. You'll be asked for your administrator password to install the application; once you enter it, the app is added to your Applications folder, launched, and added to your account's login items so that it starts every time you log into your Mac.
Wondering what the malware icon looks like? Here's the icon that's used for all current variants:
The name may be different, but the icon is the same for each variant of MacDefender -- so far.
If you've gone this far and the malware is running on your Mac, it now displays a scan window that says your Mac is infected with viruses. The following screenshot (courtesy of BleepingComputer.com) is typical of what you'll see:
Looks pretty official, doesn't it? Of course, here's where things get really dicey. If you want to remove the nonexistent "viruses," you have to register MacDefender. To do that, you're asked for your credit card number.
-- DO NOT REGISTER THIS PROGRAM! --
If you have already done so, call your credit card company immediately and cancel the card. Once you've taken care of the credit card issues, come back to TUAW and read the following section so that you can remove the offending malware from your Mac.
Once MacDefender is running on your Mac, it displays the scan window shown just above. If you try to drag the app to the Trash, you are notified that the app is in use. That means that you need to kill any running processes on your Mac that are related to the malware before you can start deleting the files.
To start, close the Scan window, which is designed to float above all other windows for maximum annoyance. Remember, your Mac is not infected with viruses -- these guys are just trying to get your credit card number.
Now launch Activity Monitor. You can find this in the Utilities folder that is located in your Applications folder (/Applications/Utilities). Look for a process with the name of MacDefender, MacSecurity, MacProtector, or whatever other variant shows up. When you've found that process, click on it to highlight it, and then click the Quit Process button as seen in the screenshot below (from Reed Corner Design):
After clicking the Quit Process button, another dialog appears:
Click Quit to stop the process from running. You can now remove the malware from your Mac. First, get rid of the application itself. Look in your Applications folder for the MacDefender icon shown previously or look for a file with a name of one of the malware variants. Drag that icon to the Trash, and then Empty Trash.
The application is gone, but its login item remains and will try to launch it at your next login, probably producing an error message on screen. Let's fix that: open System Preferences (under the Apple menu or in your Dock), click the Accounts icon, select your account, and click the Login Items tab. You'll see something similar to this mockup:
See the item that says MacDefender? It's set to open automatically when you log in. To remove it, click the entry to highlight it, then click the minus button ("-") below the Login Items list.
At this point, you've moved towards a safer Mac -- the malware is gone and so is the login item. You can go further than this if you'd like by doing a search for MacDefender (or whatever the malware was called on your Mac) in Spotlight, and then removing any files that have the malware name in them.
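As an added example (not TUAW's code, and not part of the original post), here is a shell script that automates the removal steps above and the Safari change from the "Protecting yourself" section, for the MacDefender, MacSecurity and MacProtector names this post describes. The function names, the folders it searches, and its use of pgrep, osascript (to read and edit the login items list) and defaults (to set Safari's AutoOpenSafeDownloads key) are this example's own choices, not anything the malware or Apple documents. It does nothing unless run with --clean, so the individual functions can be tried on a scratch folder first.

```shell
#!/bin/bash
# Added example, not TUAW's own code: a cleanup and hardening script for the
# MacDefender/MacSecurity/MacProtector scareware family, following the manual
# steps in the article. Variant names and the .mpkg / .mpkg.zip download
# pattern come from the article; function names, the directories searched and
# the use of pgrep/osascript/defaults are this example's own assumptions.
# Nothing runs unless the script is invoked with --clean.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Does a file, app or process name carry one of the known variant names?
is_variant_name() {
    case "$(lower "$1")" in
        *macdefender*|*macsecurity*|*macprotector*) return 0 ;;
        *) return 1 ;;
    esac
}

# List installer artefacts in a Downloads folder: .mpkg packages (zipped or
# already expanded) and anything named after a variant. A neutral name such
# as anti-malware.zip is not caught by name alone; inspect those by hand.
find_downloads() {
    local dir="$1" path base
    find "$dir" -mindepth 1 -maxdepth 1 2>/dev/null | while IFS= read -r path; do
        base=$(basename "$path")
        case "$(lower "$base")" in
            *.mpkg|*.mpkg.zip) printf '%s\n' "$path" ;;
            *) if is_variant_name "$base"; then printf '%s\n' "$path"; fi ;;
        esac
    done
}

# Activity Monitor's "Quit Process" from the command line: match the variant
# names against every running command line, case-insensitively.
stop_variant_processes() {
    local pid
    for pid in $(pgrep -if 'MacDefender|MacSecurity|MacProtector' 2>/dev/null); do
        kill "$pid" 2>/dev/null || kill -9 "$pid" 2>/dev/null || true
    done
}

# Remove matching .app bundles from the given folders (e.g. /Applications).
remove_apps() {
    local dir app
    for dir in "$@"; do
        for app in "$dir"/*.app; do
            [ -d "$app" ] || continue
            if is_variant_name "$(basename "$app")"; then
                echo "Removing $app"
                rm -rf "$app"
            fi
        done
    done
}

# Drop matching entries from the login items list (System Preferences >
# Accounts > Login Items) via System Events. Skipped where osascript is absent.
remove_login_items() {
    command -v osascript >/dev/null 2>&1 || { echo "osascript not found; remove the login item by hand"; return 0; }
    local name
    osascript -e 'tell application "System Events" to get the name of every login item' |
    tr ',' '\n' | while IFS= read -r name; do
        name=$(printf '%s' "$name" | sed 's/^ *//;s/ *$//')
        if [ -n "$name" ] && is_variant_name "$name"; then
            echo "Removing login item $name"
            osascript -e "tell application \"System Events\" to delete login item \"$name\""
        fi
    done
}

# The Spotlight step: find leftover files or folders named after a variant.
find_leftovers() {
    local root
    for root in "$@"; do
        find "$root" \( -iname '*macdefender*' -o -iname '*macsecurity*' -o -iname '*macprotector*' \) 2>/dev/null
    done
}

# Safari > Preferences > General > "Open 'safe' files after downloading", as a
# defaults key (AutoOpenSafeDownloads). Quit Safari first so the change sticks.
harden_safari() {
    command -v defaults >/dev/null 2>&1 || { echo "defaults not found (not macOS); skipping"; return 0; }
    defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
    echo "Safari AutoOpenSafeDownloads is now: $(defaults read com.apple.Safari AutoOpenSafeDownloads)"
}

if [ "${1:-}" = "--clean" ]; then
    stop_variant_processes
    remove_apps /Applications "$HOME/Applications"
    remove_login_items
    echo "Suspicious downloads:"; find_downloads "$HOME/Downloads"
    echo "Leftovers:";            find_leftovers "$HOME/Library" /Library
    harden_safari
fi
```

Run it as `bash cleanup.sh --clean` from your own account after closing the scan window; the login-item and Safari steps need a Mac and are skipped elsewhere. It matches by name only, so a neutrally named archive such as anti-malware.zip still has to be spotted by hand, as does any future variant that ships under a new name.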
Moving ahead in the age of Mac malware
MacDefender is the first major malware attack in many years to specifically target Macs, and it's probably not going to be the last. In addition to our recommendation on changing Safari preferences to not open downloaded "safe" files immediately, there are some common-sense things you can do to protect yourself from future malware attacks:
1 - Never install any apps unless you are sure where they came from and what they are.
2 - If an installer appears on your screen and you don't know how it got there, quit it rather than letting it install anything.
3 - Never type your credit card number into an app you did not deliberately install, and never to pay for "cleaning up" a problem that app claims to have found. Reputable vendors offer other ways to buy their products (the Mac App Store, or payment by PayPal) that don't hand your card details to an unknown program.
4 - Be cautious when entering admin credentials for unfamiliar applications (thanks to @jtjdt for the tip). You should only be prompted for your administrator password when you are deliberately installing an application or plug-in, or changing a system setting yourself; a password prompt you didn't initiate is a red flag.
5 - If your primary account on your Mac has administrative rights, consider creating a separate admin account and using a 'standard' account for day-to-day work. A standard user can't install into /Applications or change system settings without an admin name and password, which limits what a malicious installer can do and helps keep problems in one account from affecting the entire Mac.
TUAW doesn't believe in scaring its readers. MacDefender is a warning to those of us who use Macs that hackers are now starting to pay attention to our previously malware-free world. A little bit of paranoia goes a long way in a world that can be, sadly, malicious rather than embracing, but a few simple precautions and a bit of situational awareness can go a long way towards keeping us all safe on our Macs.