+Thayios Subscriber² Posted June 2, 2011
My first "infected" Macbook Pro came in today. Removal steps I used:
1) Delete Installer Packages
2) Use Activity Monitor to "Kill" running process
3) Use "App Zapper" to clean it up
Done! :)

saxondale. Posted June 3, 2011
Or just do a software update?

+Thayios Subscriber² (Author) Posted June 3, 2011
I was under the impression that the update that removes it was part of a rollup update, so to speak, and it had not been released yet? Either way I did check for updates as soon as it got there (I remembered seeing it on Neowin about the to-be-released update removing it) but nothing came up, the MBP was all up to date.

Elliott Posted June 3, 2011
It will be included in 10.6.8, but it was also released as a standalone Mac Security Update.

SaltLife Posted June 3, 2011
On 03/06/2011 at 00:45, Tech Greek said:
> I was under the impression that the update that removes it was part of a rollup update, so to speak, and it had not been released yet? Either way I did check for updates as soon as it got there (I remembered seeing it on Neowin about the to-be-released update removing it) but nothing came up, the MBP was all up to date.
Disregard

Xtreme $niper Posted June 3, 2011
On 02/06/2011 at 23:54, Tech Greek said:
> My first "infected" Macbook Pro came in today. Removal steps I used: 1) Delete Installer Packages 2) Use Activity Monitor to "Kill" running process 3) Use "App Zapper" to clean it up Done! :)
I think this shouldn't be a surprise to those who are not being caught up into the sensationalist hype that some people are trying to stir up in the industry. This is hardly a virus. Yes, it's malware, but only because of the intent of the application. My understanding is that this is just a program that runs, simulates some warnings about how your computer contains viruses, and then prompts you for your credit card information with a promise that it will delete all those other "viruses" from your computer. My impression is that this is just a program that asks you to enter data about yourself, sends it to the creators and calls it a day.
Am I wrong in that respect? Does it actually infect files on your computer or cause harm to the stability of the system? (Other than annoying the crap out of you with notifications about fake viruses).

Damian Posted June 3, 2011
On 03/06/2011 at 14:47, Xtreme $niper said:
> I think this shouldn't be a surprise to those who are not being caught up into the sensationalist hype that some people are trying to stir up in the industry. This is hardly a virus. Yes, it's malware, but only because of the intent of the application. My understanding is that this is just a program that runs, simulates some warnings about how your computer contains viruses, and then prompts you for your credit card information with a promise that it will delete all those other "viruses" from your computer. My impression is that this is just a program that asks you to enter data about yourself, sends it to the creators and calls it a day. Am I wrong in that respect? Does it actually infect files on your computer or cause harm to the stability of the system? (Other than annoying the crap out of you with notifications about fake viruses).
Basically Nagware. Yet people are making a big deal about it.

DavidM Posted June 3, 2011
On 02/06/2011 at 23:54, Tech Greek said:
> My first "infected" Macbook Pro came in today. ~snipped~ Removal steps I used: 1) Delete Installer Packages 2) Use Activity Monitor to "Kill" running process 3) Use "App Zapper" to clean it up Done! :)
I wish it was that easy on Windows.... I love Windows 7 and have no desire to get a Mac, but damn that seems ALMOST TOO easy. :) Good for Apple, unfortunately the hype and coverage of this malware is just going to encourage more and more people to try and attack OSX.

+Thayios Subscriber² (Author) Posted June 4, 2011
This computer was running slow, and you couldn't quit it or force quit it. You actually had to use the activity monitor to find the task or use a terminal command. So, in my opinion it's malware, not a virus - but the fact that it tries to make it look official (similar to Windows Defender) and asks for credit card information is even worse. You can blow it out of proportion, or put on a blindfold. It's the first of what WILL come on this OS sooner or later in my PROFESSIONAL opinion.

cooky560 Veteran Posted June 4, 2011
How can an app that doesn't require administrative rights evade a Force Quit?

.Neo Posted June 5, 2011
On 04/06/2011 at 16:06, cooky560 said:
> How can an app that doesn't require administrative rights evade a Force Quit?
From what I know some applications that don't have a Dock icon won't appear in the Force Quit Applications window. It can be forced quit from Activity Monitor just fine though.
On 03/06/2011 at 15:32, DavidM said:
> I wish it was that easy on Windows.... I love Windows 7 and have no desire to get a Mac, but damn that seems ALMOST TOO easy. :) Good for Apple, unfortunately the hype and coverage of this malware is just going to encourage more and more people to try and attack OSX.
When it comes to removing applications in general Mac OS X tends to be a lot more transparent than Windows. MACDefender is nothing more than an application that generates annoying pop-ups. It doesn't infect the system or spread on its own.

divinatum Posted June 6, 2011
As others have said, I can't truly call MacDefender malware, but just nagware... and barely that. If it infected itself into the system, had some kind of exploit package to escalate privileges to root, or anything... yeah, it'd be a problem. But for now, the only thing it's "exploiting" overall is human reaction. Okay, you could also say it's exploiting the "Run safe files after downloading" in Safari, but I'd expect that feature to be off, or removed in 10.6.8 or 10.7. But when literally removal is quit, drag to trash, empty trash, pat yourself on the back for a job well done... It's just being blown out of proportion by the media like "Antennagate".

+Thayios Subscriber² (Author) Posted June 6, 2011
Personally, I'm sitting here laughing because it sounds like you guys haven't EVER removed this thing, yet, you're commenting on how easy it is to remove and it's just some random program you can just close and remove by dragging to the trash can.
1) It's not in the "Force Quit" menu
2) I had to use the ACTIVITY MONITOR in order to kill it
3) I had to use APP ZAPPER to remove the remains of it, because it does more than just install itself in the applications folder.
Your normal customer/client will not be able to remove this program, and with it starting every time, it'll keep running until a misinformed customer will finally give them their credit card in an attempt to get it to go away.
Now, I'm nowhere near an OSX/Unix expert as I am a Windows, but I can promise you, it's not just nagware. If it's asking for my customer's credit card, it's BAD for the customer. Would you want your mother giving her credit card to these people because she thinks it is a LEGITIMATE LOOKING software? I don't think so!
If I can't just go to Mac Defender and close it out, and all processes are effectively stopped then something is wrong. If I can't just drag the application to the trash and remove it because it's still running after closing it out, then something is wrong.
This is not a debate of how easy it is to remove it, or what GENRE of a VIRUS/MALWARE it is because it's THAT, it is a MALICIOUS SOFTWARE. It is meant to SCAM people and TAKE THEIR MONEY. That is the WORST kind of MALICIOUS SOFTWARE that you could ever possibly have.
STOP BEING BLIND AND OBLIVIOUS GUYS :woot:

Damian Posted June 6, 2011
Next time install the update via Software Update or Apple Downloads and let the malware detector take care of it. Yes, that was easy, wasn't it? Even your average consumer can do that.

divinatum Posted June 6, 2011
Everything I've seen says it's contained in the .app. Hell, you don't HAVE to use activity monitor. Remove it from the startup items in Accounts, and logout. "Virus" Defeated.
I'm gonna go confirm that it's all contained in the app by "infecting" my laptop. brb.
Couldn't find a download in 5 minutes. Gave up. Looked at uninstall scripts instead. It's all self-contained in the .app.

+Thayios Subscriber² (Author) Posted June 6, 2011
@ Div
It's possible this may have been a different variant of it. Like I said, it was NOT killable by Force Kill - the first thing I went to and dragging it to the trash said it was still open, only killable by Activity Monitor.
@ Damian
Already did all the updates that day, as stated before.
--
I'm starting to think this one may have been a different variant of the original Mac Defender. :blink:
http://blog.intego.com/2011/05/02/intego-security-memo-macdefender-fake-antivirus/
There is no Version number on that screen shot. My thoughts about it being a newer different version may be true - all the images I'm seeing looked similar but not the same.

Elliott Posted June 6, 2011
On 06/06/2011 at 15:32, Tech Greek said:
> Like I said, it was NOT killable by Force Kill - the first thing I went to and dragging it to the trash said it was still open, only killable by Activity Monitor.
If it's all self-contained in the app bundle, dragging it to the trash and restarting the computer should've worked, but killing the process with Activity Monitor works just the same. The reason you didn't see it in the Force Kill dialog is because the process the app runs is an agent, not an app. Agents (i.e. iChatAgent) are meant to be background processes that are managed by a main app and don't show themselves in the force kill dialog.

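Elliott's point about agents, as an added example that is not part of the thread: on OS X a bundle is typically marked as an agent through the `LSUIElement` or `LSBackgroundOnly` key in its Info.plist, and such processes are left out of the Force Quit window. The script lists bundles of that kind under a directory; the bundle names are constructed samples, and the thread does not say which keys MacDefender itself set.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Info.plist keys that mark a bundle as an agent or background-only process.
AGENT_KEYS = ("LSUIElement", "LSBackgroundOnly")

def truthy(value):
    # These keys appear as booleans, integers or strings such as "1" / "YES".
    if isinstance(value, str):
        return value.strip().lower() in ("1", "yes", "true")
    return bool(value)

def agent_bundles(root):
    """Return (bundle, executable, key) for each agent-style .app under root."""
    found = []
    for info in sorted(Path(root).rglob("*.app/Contents/Info.plist")):
        try:
            with info.open("rb") as fh:
                plist = plistlib.load(fh)
        except (OSError, ValueError, ExpatError):
            continue  # unreadable or malformed plist: skip it, keep scanning
        if not isinstance(plist, dict):
            continue
        key = next((k for k in AGENT_KEYS if truthy(plist.get(k))), None)
        if key:
            found.append((info.parent.parent.name, plist.get("CFBundleExecutable", "?"), key))
    return found

def build_sample(root):
    # Constructed sample bundles with hypothetical names, so this runs offline.
    samples = {
        "ExampleEditor.app": {"CFBundleExecutable": "ExampleEditor"},
        "ExampleHelper.app": {"CFBundleExecutable": "helperd", "LSUIElement": True},
        "ExampleMenu.app": {"CFBundleExecutable": "menu", "LSUIElement": "1"},
    }
    for name, plist in samples.items():
        contents = Path(root, name, "Contents")
        contents.mkdir(parents=True)
        with (contents / "Info.plist").open("wb") as fh:
            plistlib.dump(plist, fh)
    broken = Path(root, "Broken.app", "Contents")
    broken.mkdir(parents=True)
    (broken / "Info.plist").write_bytes(b"not a plist")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*agent_bundles(tmp), sep="\n")
```

On a real machine, `agent_bundles("/Applications")` or a user's home directory gives the executable names to look for in Activity Monitor.
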
+Thayios Subscriber² (Author) Posted June 6, 2011
I did try to drag it to the trash, it didn't work. It told me it was still open and wouldn't allow it. There were two other files that were in other locations, I wish I could remember what they were. Looked like cache of some sort.

Charisma Veteran Posted June 6, 2011
I love reading the BS those things say. Tip #1, if there are spelling and grammatical errors in the "product description", chances are quite high that it's not legit. :laugh:

alexalex Posted June 6, 2011
You have now MacDefender, MacProtector, MacSecurity, MacGuard, and MacShield..... all are the fake AV.

Elliott Posted June 6, 2011
On 06/06/2011 at 15:53, Tech Greek said:
> I did try to drag it to the trash, it didn't work. It told me it was still open and wouldn't allow it. There were two other files that were in other locations, I wish I could remember what they were. Looked like cache of some sort.
Ah, I see what you mean. OS X treats active apps differently from active documents. Killing the process in Activity Monitor was probably the easiest way (well, except for installing the software update that kills it :p). The other two files were probably a cache and plist. Those wouldn't execute anything.

+Thayios Subscriber² (Author) Posted June 20, 2011
Alright Gents, Back with more - found this one on a Google result. It's getting worse...
IF YOU BROWSE TO THE IP - YOU'RE ON YOUR OWN!
Now obviously WE know it's fake. I showed it to my assistant (aka my girlfriend! ^_^) and the only reason she knew it was fake was the wording "have detected" other than that she thought it was legitimate.

cooky560 Veteran Posted June 20, 2011
So she missed the Windows executable names in the list (.exe, .vbs) and the fact her home space is now "Computer"? :p

what Posted June 20, 2011
I got forwarded to it from Google yesterday as well. Hope they do something about it.

capr Posted June 20, 2011
On 03/06/2011 at 15:23, Damian. said:
> Basically Nagware. Yet people are making a big deal about it.
Friend's computer basically blocked his internet connection and kept sending him to porn sites instead of the sites he wanted to go to. It's a bit more than nagware when that happens.