Intego has reported a new rouge Anti-Malware program targeting Mac OSX and Mac products. There are several things that can be done to mitigate the risk of this rouge product. Do not attempt to purchase this application via PayPal or Credit Card. If you have purchased it then report your credit card or PayPal account compromised immediately.
Currently the risk from this product is low but users in various discussion forums are reporting that they already have downloaded and installed it.
To remove the rouge Anti-Malware software if you downloaded it:
- If you have purchased this product call your credit card company or contact PayPal and report your account compromised immediately.
- Boot your Mac into "Safe Mode" by holding the shift key at startup.
- Clear out your "Downloads" folder or the folder you download files to. (Do this for all users.)
- Clear out you "Web History." (Do this for all users.)
- Go into System Preferences>Accounts>Login Items and remove MacDefender from the Startup list for any users. (Check every user including the local administrator account.)
- In Finder>File> Select search "This Mac." Enter Filename Contains "MacDefend."
- Select the "+" button and scroll down to Other and add "System files."
- Select "System Files are Included"
- Delete the Application by moving to the trash along with items in the Startup folder or files associated with MACDefender. This includes web pages in the cache /Library/StartupItems or ~/Library/StartupItems.
- Securely Empty Trash.
- Change all passwords for administrators and users on your Mac.
- Change your keyChain Password, make it different from the login password.
- As a precaution we also higly recommend that you change your passwords saved in browsers from Web Sites, especially iTunes and mail providers. (This is a good monthly or bi-monthly practice depending on your organization.)
How to Protect yourself:
- Do not install any program called MacDefender.
- Make sure "Open Safe Files" is deselected in Safari.
- Select "Clear Auto-Opening" settings in chrome://settings/advanced.
- Download files only to the Download folder that is in each users home directory.
- Set Remove Downloads to "When Safari Quits." Manually clear this folder for other Browsers.
- Make sure that "Block Pop-Up Windows" is on.
- Never do Web Surfing as the Administrator, carry out daily task as a user that does not have administrator privileges.
- Never use Safari on a Mac OSX Server.
- Download and confirm the hash before installing any files on assets in your control. (Recommended for enterprise customers.)
- Make sure "Auto Fill" is de-selected for all.
- Install a full featured anti-virus software, XProtect does not scan Meta Package File (.MPKG). (See references below.)
We continue to evaluate the risk created by rouge installers and malware related to Apple products. The "Human Interface Guidelines" which are key for any successful Apple developer to follow also creates risk skewed by users expectations of the Apple experience. We expect this to only increase in the future.
In our independent testing, using XCode and very little effort, we created various rouge installers which successfully convinced many Mac OSX users and Administrators they were safe to install. Far more Mac users were convinced by the Malware's ability to conform with the Apple operating system experience and never considered the source.
In our view the most threatening form of malware for Apple Productions is one that focuses on the MacOSX or iOS experience for the user. (This is very true for all GUI based computing devices, just more so on a platform that is experience driven.) Windows administrators and users have had to deal with this threat for sometime, whose experiences can beneficial as this threat continues to grow.
If you have not done so already we recommend installation of a complete Anti-Virus and Internet security package. Our favorite in Intego's Internet Barrier and we are very excited about F-Secure's beta offering. (Beta is not recommended for production critical systems.)
Sean OConnell Public