Mac Defender is an internet rogue security program that can be installed by unwitting users of computers running the Mac OS X operating system. The Mac security firm Intego discovered the fake antivirus software on May 2, 2011, with a patch not being provided by Apple until May 31. The software has been described as the first major malware threat to the Macintosh platform (although it does not attach to or damage any part of OS X). However, it is not the first Mac-specific Trojan, and is not self-propagating.
Users typically encounter the program when opening an image found on a search engine. It appears as a pop-up indicating that viruses have been detected on the users' computer and suggests they download a program which, if installed, provides the users' personal information to unauthorized third parties.
The software has been traced through German websites, which have been closed down, to the Russian online payment processor ChronoPay. AppleCare employees were told not to assist callers in removing the software, but Apple later promised a software patch. The Mac OS X security update 2011-003 was released on May 31, 2011, and includes not only automatic removal of the trojan and other security fixes, but also a new feature that automatically updates malware definitions from Apple.
The program appears in malicious links spread by search engine optimization poisoning on sites such as Google Image Search. When a user accesses such a malicious link, a fake scanning window appears, originally in the style of a Windows XP application, but later in the form of an "Apple-type interface". The program falsely appears to scan the system's hard drive. The user is then prompted to download a file that installs Mac Defender, and is then asked to pay US$59.95 to US$79.95 for a license for the software. Rather than protect against viruses, Mac Defender hijacks the user's Internet browser to display sites related to pornography, and also exposes the user to identity theft (by passing on credit card information to the cracker). A newer variant installs itself without needing the user to enter a password. All variants require the user to actively click through an installer to complete installation even if a password is not required.
Mac Defender was traced to ChronoPay by the email address of ChronoPay financial controller Alexandra Volkov. The email address appeared in domain registration for mac-defence.com and macbookprotection.com, two web sites Mac users are directed to in order to purchase the security software. ChronoPay is Russia's largest online payment processor. The web sites were hosted in Germany and were suspended by Czech registrar Webpoint.name. ChronoPay had earlier been linked to another scam in which users involved in file sharing were asked to pay a fine.
According to Sophos, by May 24, there had been sixty thousand calls to AppleCare technical support about Mac Defender-related issues, and Ed Bott of ZDNet reports that the number of calls to AppleCare increased in volume due to Mac Defender, and that a majority of the calls now pertain to Mac Defender. AppleCare employees have been told not to assist callers in removing the software. Specifically, support employees have been told not to instruct callers on how to use Force Quit and Activity Monitor to stop Mac Defender, as well as not to direct callers to any discussions pertaining to the problems caused by Mac Defender. An anonymous AppleCare support employee said that Apple instituted the policy in order to prevent users from relying on technical support instead of anti-virus programs.
On May 24, 2011 Apple issued instructions on the prevention and removal of the malware.
On May 31, 2011 Apple released security update 2011-003 which addressed the threat and removed the trojan from any affected Mac computers, and added a feature that automatically updates malware definitions from Apple.
Mac Guard variant
A new variant of the program, Mac Guard, has been reported which does not require the user to enter a password to install the program, although one still does have to run the installer.