Mac Defender
{{short description|Rogue security software}}
Mac Defender (also known as Mac Protector, Mac Security, Mac Guard,{{cite web |title=Intego Mac Security Blog |date=25 May 2011 |url=http://blog.intego.com/2011/05/25/intego-security-memo-new-mac-defender-variant-macguard-doesnt-require-password-for-installation/ |access-date=27 May 2011 |archive-url=https://web.archive.org/web/20110527094155/http://blog.intego.com/2011/05/25/intego-security-memo-new-mac-defender-variant-macguard-doesnt-require-password-for-installation/ |archive-date=27 May 2011 |url-status=dead }} Mac Shield,{{cite web|title=Mac malware morphs to 'MacShield'|url=http://technolog.msnbc.msn.com/_news/2011/06/03/6780300-mac-malware-morphs-to-macshield|work=Technolog|publisher=MSNBC|accessdate=5 June 2011|url-status=dead|archiveurl=https://web.archive.org/web/20110606015001/http://technolog.msnbc.msn.com/_news/2011/06/03/6780300-mac-malware-morphs-to-macshield|archivedate=6 June 2011|df=dmy-all}} and FakeMacDef){{cite web|title=Threat Description: Rogue:OSX/FakeMacDef.A|url=http://www.f-secure.com/v-descs/rogue_osx_fakemacdef_a.shtml|publisher=F-Secure|accessdate=11 February 2013}} is a rogue security program (scareware) distributed over the internet that targets computers running macOS.
The Mac security firm Intego discovered the fake antivirus software on 2 May 2011; Apple did not provide a patch until 31 May.{{cite news|last=Hamburger|first=Ellis|title=WARNING: This Mac App Is Stealing Credit Card Numbers|url=http://articles.businessinsider.com/2011-05-02/tech/29963959_1_credit-card-numbers-antivirus-rogue-program|archive-url=https://web.archive.org/web/20120425203112/http://articles.businessinsider.com/2011-05-02/tech/29963959_1_credit-card-numbers-antivirus-rogue-program|url-status=dead|archive-date=25 April 2012|accessdate=7 December 2011|date=2 May 2011}} The software has been described as the first major malware threat to the Macintosh platform, although it does not attach to or damage any part of OS X.{{cite web |title=Macs face first virus threat |date=4 May 2011 |url=http://www.techday.co.nz/netguide/news/macs-face-first-virus-threat/20020/ |publisher=techday.co.nz |access-date=27 May 2011 |archive-url=https://web.archive.org/web/20111009063519/http://www.techday.co.nz/netguide/news/macs-face-first-virus-threat/20020/ |archive-date=9 October 2011 |url-status=dead }}{{cite web |title=Say hello to MAC Defender, the first major widespread piece of Mac based malware |url=http://www.left-click.us/news/blog/mac-defender |publisher=left-click.us |access-date=27 May 2011 |archive-url=https://web.archive.org/web/20120626231144/http://www.left-click.us/news/blog/mac-defender |archive-date=26 June 2012 |url-status=dead }}{{cite web |work=Mac Defender has been making a lot of noise as one of the first major Mac security threats |first=Adam |last=Dachis |date=25 May 2011 |title=How to Protect Your Computer from Mac Defender and Its Counterparts |url=http://lifehacker.com/5805609/how-to-protect-your-computer-from-mac-defender-and-macguard |publisher=lifehacker.com}}{{cite web |title=New Mac Trojan horse masquerades as virus scanner |url=http://www.macworld.com/article/159595/2011/05/macdefender_trojan_horse.html |publisher=macworld.com |author=Dan Moren |date=2 May 2011}}{{cite web |last=Trenholm |first=Richard |date=20 May 2011 |title=Mac Defender fake antivirus software is first major attack on Apple computers |url=https://www.cnet.com/tech/services-and-software/mac-defender-fake-antivirus-software-is-first-major-attack-on-apple-computers/ |access-date=2023-01-17 |website=CNET}}{{cite web|title=Mac Defender fake antivirus software is first major attack on Apple computers|url=http://crave.cnet.co.uk/software/mac-defender-fake-antivirus-software-is-first-major-attack-on-apple-computers-50003812/|publisher=crave.cnet.co.uk|access-date=27 May 2011|archive-url=https://web.archive.org/web/20110722084915/http://crave.cnet.co.uk/software/mac-defender-fake-antivirus-software-is-first-major-attack-on-apple-computers-50003812/|archive-date=22 July 2011|url-status=dead}} However, it is not the first Mac-specific Trojan, and it is not self-propagating: it relies on the user running its installer.
A variant of the program, known as Mac Guard, has been reported which does not require the user to enter an administrator password to install it,{{cite web |work=Christian Science Monitor Horizons blog |date=26 May 2011 |title=Mac Guard: Apple users hit by second Mac malware scam |url=http://www.csmonitor.com/Innovation/Horizons/2011/0526/Mac-Guard-Apple-users-hit-by-second-Mac-malware-scam }} although the user still has to run the installer.{{cite web |publisher=Mac Security Blog from Intego |title=New Mac Defender Variant, MacGuard, Doesn't Require Password for Installation |date=25 May 2011 |url=http://blog.intego.com/2011/05/25/intego-security-memo-new-mac-defender-variant-macguard-doesnt-require-password-for-installation/ |access-date=27 May 2011 |archive-url=https://web.archive.org/web/20110527094155/http://blog.intego.com/2011/05/25/intego-security-memo-new-mac-defender-variant-macguard-doesnt-require-password-for-installation/ |archive-date=27 May 2011 |url-status=dead }}
Symptoms
Users typically encounter the program after clicking an image found through a search engine. A pop-up claims that viruses have been detected on the user's computer and urges them to download a program which, if installed, passes the user's personal information (including the credit card details entered to buy a "license") to unauthorized third parties.
The program is delivered through malicious links spread by search engine optimization poisoning on sites such as Google Image Search. When a user follows such a link, a fake scanning window appears, originally styled as a Windows XP application and later as an "Apple-type interface".{{cite web|last=Mills|first=Elinor|title=How bad is the Mac malware scare? (FAQ)|url=http://news.cnet.com/8301-27080_3-20064394-245.html|work=CNET|date=19 May 2011}} The window only pretends to scan the system's hard drive; no real scan takes place.{{cite web|last=Wisniewski|first=Chester|title=Mac users hit with fake anti-virus when using Google image search|url=http://nakedsecurity.sophos.com/2011/05/02/mac-users-hit-with-fake-av-when-using-google-image-search/|work=Naked Security|publisher=Sophos|accessdate=24 May 2011|date=2 May 2011}} The user is then prompted to download a file that installs Mac Defender, and is asked to pay US$59.95 to US$79.95 for a license for the software. Rather than protecting against viruses, Mac Defender hijacks the user's web browser to display pornography-related sites, and exposes the user to identity theft by passing the entered credit card information on to the attackers.{{cite magazine|last=Chen|first=Brian X.|title=New Mac Malware Fools Customers, But Threat Still Relatively Small|url=https://www.wired.com/gadgetlab/2011/05/mac-malware/|magazine=Wired|publisher=Condé Nast Digital|accessdate=24 May 2011|date=19 May 2011}} A newer variant, Mac Guard, installs itself without requiring the user to enter a password, but every variant still requires the user to actively click through an installer to complete installation.{{cite web |url=http://blog.intego.com/2011/05/25/intego-security-memo-new-mac-defender-variant-macguard-doesnt-require-password-for-installation/ |publisher=The Mac Security Blog » INTEGO SECURITY MEMO |title=New Mac Defender Variant, MacGuard, Doesn't Require Password for Installation |access-date=27 May 2011 |archive-url=https://web.archive.org/web/20110527094155/http://blog.intego.com/2011/05/25/intego-security-memo-new-mac-defender-variant-macguard-doesnt-require-password-for-installation/ |archive-date=27 May 2011 |url-status=dead }}
Origin
The software has been traced, through German-hosted websites that have since been shut down, to the Russian online payment processor ChronoPay.
Mac Defender was traced to ChronoPay through the email address of ChronoPay financial controller Alexandra Volkova.{{cite news |title=Apple takes on Mac Defender Scam |work=International Business Times |date=29 May 2011 |url=http://www.ibtimes.com/articles/154071/20110529/apple-takes-on-mac-defender-scam.htm }} The email address appeared in the domain registrations for mac-defence.com and macbookprotection.com, the two websites Mac users were directed to in order to purchase the fake security software. ChronoPay is Russia's largest online payment processor. The websites were hosted in Germany and were suspended by the Czech registrar Webpoint.name. ChronoPay had earlier been linked to another scam in which users involved in file sharing were asked to pay a fine.{{cite journal |url=https://www.pcmag.com/article2/0,2817,2386060,00.asp |title=MacDefender Scareware Linked to Russian Payment Site |journal= News & Opinion |publisher= PCMag.com}}{{cite news |url=http://www.ibtimes.com/articles/153863/20110528/russia-s-chronopay-linked-to-mac-scareware-scam.htm |title=Russia's ChronoPay Executive Linked to Mac Defender Scam |journal=International Business Times}}
Apple response
According to Sophos, by 24 May 2011 there had been sixty thousand calls to AppleCare technical support about Mac Defender-related issues, and Ed Bott of ZDNet reported that AppleCare call volume had risen because of Mac Defender and that a majority of calls at that time concerned it.{{cite web|last=Bott|first=Ed|title=An AppleCare support rep talks: Mac malware is "getting worse"|url=https://www.zdnet.com/article/an-applecare-support-rep-talks-mac-malware-is-getting-worse/|work=ZDNet|access-date=24 May 2011|date=18 May 2011}} AppleCare employees were told not to assist callers in removing the software.{{cite web|last=Cluley|first=Graham|title=Malware on your Mac? Don't expect AppleCare to help you remove it|url=http://nakedsecurity.sophos.com/2011/05/18/malware-on-your-mac-dont-expect-applecare-to-help-you-remove-it/|work=Naked Security|publisher=Sophos|accessdate=24 May 2011|date=18 May 2011}} Specifically, support employees were told not to show callers how to use Force Quit and Activity Monitor to stop the Mac Defender process, and not to direct callers to any discussions of the problems it caused.{{cite web|last=Wisniewski|first=Chester|title=Apple support to infected Mac users: 'You cannot show the customer how to stop the process'|url=http://nakedsecurity.sophos.com/2011/05/24/apple-support-to-infected-mac-users-you-cannot-show-the-customer-how-to-stop-the-process/|work=Naked Security|publisher=Sophos|accessdate=24 May 2011|date=24 May 2011}} An anonymous AppleCare support employee said that Apple instituted the policy to prevent users from relying on technical support instead of anti-virus software.
Although AppleCare employees had initially been told not to assist callers in removing the software, Apple later promised a software patch.{{cite web|title= Mac malware authors release a new, more dangerous version |date=25 May 2011 |url=https://www.zdnet.com/article/mac-malware-authors-release-a-new-more-dangerous-version/|publisher=ZDNet}} On 24 May 2011 Apple published instructions for avoiding and removing the malware.{{cite web|title=How to avoid or remove Mac Defender malware|url=http://support.apple.com/kb/ht4650|accessdate=1 June 2011|date=24 May 2011}} Mac OS X Security Update 2011-003, released on 31 May 2011, automatically removes the trojan and its known variants, bundles other security fixes, and adds a new mechanism that automatically fetches updated malware definitions from Apple, so that later variants can be blocked without a full system update.{{cite web|title=About Security Update 2011-003|url=http://support.apple.com/kb/HT4657|accessdate=31 May 2011|date=31 May 2011}}