Macintosh users targeted with fake ‘anti virus’ program

Macintosh users love the fact that they get very few virus infections, but there is a new and rather sinister program which is targeting the user base. Research is showing that the infection is four to five times higher than normal.

The Malware is devious, because it is posing as a fake antivirus program under the names of Mac Defender, Mac Security and Mac Protector. This tool is used to scare users into thinking that their computer is infected with malware. The solution is to pass over a credit card number to ‘clean the machine'.

Mac antivirus firm Intego, warned about Mac Defender earlier this month. They sites the rogue program makers are using are targeted high on search engine results to get as many people as possible targeted. When the malicious sites are taken down they just pop up again, elsewhere. They are using an image related to popular news topics to get people to click and then fake ‘infection' warnings are shown, to scare the Mac user base.

It isn't being classed as an epidemic yet, but Ed Bott at ZDNet is saying that AppleCare support representatives are getting high volumes of calls on their support lines about the problem. Bott is taking the problem seriously and has posted resource information to help representatives deal with the problem. There have been hundreds of discussion threads on Apple.com about the subject, including comments from people who had fallen for the scam, passing over credit card information for the cure.

Genuine security firm Intego have been contacted by a huge number of people who are worried about the malware and they have been sourcing the code from customers who have been infected. “The news stories were making it worse because it makes Mac users worried and they are more convinced that the fake antivirus warning is real. It's a self perpetuating process.” Intego said.

Apple have not issued a public statement on the problem.

According to ZDNet, the workings of the malware is straightforward:

The malware has gone through several changes so depending on the version, the screens and wording may be different. An early version displayed some fake Windows screens, but later versions changed that to use an Apple-type interface. Typically, when you click on one of the malicious images you are directed to a site where JavaScript starts running and automatically downloads the program. A warning pops up saying something like, suspicious activity has been detected on the machine, or Apple Web Security has detected malware on the machine and is offering to remove it. Clicking “ok” launches what looks like a scan of the machine and then you are told that the machine is infected and clicking “ok” launches what looks like a Mac OS installer that then asks you to type in your administrator password for the computer. Doing so installs the malware and displays a process that looks like another scan of the computer and provides alerts on supposed infections. In order to clean up the infections, you are required to provide register your machine and it asks for credit card information, according to Intego.

In other versions, just visiting the site downloads a zip file to the hard drive with a name like “MacDefender” or “MacSecurity” and an extension of .mpkg. If your Mac is set up to automatically open “safe” files, a screen will offer to guide you through the installation process. Clicking “continue” will display another screen that asks for your administrative password and the application is launched. A window will display saying your machine is infected, offering the option of cleaning up the computer if you register and provide credit card information.

After installation, a menu item is added to the Mac OS X menubar. The icon looks like a small orange shield that turns red and flashes when it “finds” viruses. If you fail to “register” and provide your credit card information the malware will start to open up porn pages in your browser in an attempt to spur you to pay. The malware will re-launch every time you log into your Mac thereafter until it is removed. It also does not install a dock icon so it is not easy to close the program and you will need to end the process through the Activity Monitor before removing the malware.

KitGuru says: Its rather devious, and hopefully not the start of Mac targeted scam campaigns.

Become a Patron!