Fake Anti-Virus Targets Mac OS X

AUSTIN — A new piracy and security threat is targeting computers running on Apple's Mac OS X disguised as an anti-virus program called MAC Defender.

The fake anti-virus program will "detect" nonexistent threats as being present on the user's system in an effort to persuade them to hand over their credit card information and purchase a "subscription" to the program, according to security firm Intego and SecureMac.

If that doesn't convince the user to buy the fake anti-virus program, it will start popping up pornographic websites to create an actual problem on the system.

The malware initially appears in the web browser as a fake anti-virus scan (with graphics from Microsoft Windows) when the user clicks a web link.

The fake scan sites were appearing after the user clicked an infected link in Google image searches. Initial user reports indicate that a wide variety of keywords will show search results containing infected links. If the user clicks on various links or buttons on the fake scan webpage rather than closing it immediately, the actual malware will be downloaded to the user's system.

The fake scan site checks the web browser settings to determine if the user is running Mac OS X or Microsoft Windows, and then downloads the appropriate installer for the user's operating system. If the user has their web browser to automatically open safe files such as zip archives, the installer for the malware will appear without further user interaction.

Once the user runs the installer (and enters their admin password when prompted), the malware is installed to the Applications folder, sets itself as a login item, and starts to run. The malware appears as a menu bar item in OS X, but without a Dock icon or any way to exit the program.

The program immediately starts to scan the infected system, alerts the user they are infected with various malware, and prompts them to purchase the program in order to remove the threats.

If the user decides not to purchase a subscription, the malware will start displaying pornographic websites at random on the infected system. MAC Defender uses Javascript to display the fake scan webpage and download the installer file.

To avoid infection, SecureMac suggests sticking with safe, well-known websites, download files on from trusted sources and use the security features in OS X.

Surfers can disable web browsers from automatically opening safe files. In Safari, surfers can disable this feature by clicking the Safari menu, then clicking Preferences, then uncheck the Open safe files after downloading checkbox.