Wednesday, May 11, 2011

May 2 MAC Defender + May 11 Mac Protector Fake Antivirus Programs

MAC Defender Fake Antivirus Program

INTEGO SECURITY MEMO – May 2, 2011 MAC Defender Fake Antivirus Program Targets Mac Users

Quote from Intego: Description: Intego has discovered a fake antivirus program called MAC Defender, which targets Mac users via SEO poisoning attacks (web sites set up to take advantage of search engine optimization tricks to get malicious sites to appear at the top of search results).
When a user clicks on certain links after performing a search on a search engine such as Google, they are sent to a web site that displays a fake Windows screen with an animated image showing a malware scan; a window then tells the user that their computer is infected. After this, JavaScript on the page automatically downloads a file. The file downloaded is a compressed ZIP archive, which, if a specific option in a web browser is checked (“Open ‘safe’ files after downloading” in Safari, for example), will open. The file is decompressed, and the installer it contains launches presenting a user with the following screen:

  General File Information

Added Mac Protector - May 11, thanks to an anonymous donation

Malware: OSX/MacDefender.A and Mac protector.A
Distribution: Web browsing  Low; in the wild, but not very widespread for now


File name: MacProtector
Submission date: 2011-05-09 19:49:55 (UTC)
Result: 14/43 (32.6%)
ClamAV     2011.05.09     Trojan.OSX.MacDefender.C
Emsisoft     2011.05.09     Hoax.Mac.MacProtector!IK
F-Secure     9.0.16440.0     2011.05.09     Rogue:OSX/FakeMacDef.F
Fortinet     2011.05.09     OSX/MacProtector.A
Ikarus     T3.     2011.05.09     Hoax.Mac.MacProtector
Kaspersky     2011.05.09     Hoax.Mac.MacProtector.a
Microsoft     1.6802     2011.05.09     Rogue:MacOS_X/FakeMacdef
NOD32     6107     2011.05.09     OSX/AdWare.MacDefender.E
PCTools     2011.05.09     RogueAntiSpyware.MacProtector
Sophos     4.65.0     2011.05.09     OSX/FakeAV-A
Symantec     20101.3.2.89     2011.05.09     MacProtector
TrendMicro     2011.05.09     OSX_FAKEAV.A
TrendMicro-HouseCall     2011.05.09     OSX_FAKEAV.A

VirusBuster     13.6.345.0     2011.05.09     FraudTool.OSX.Defma.G
Additional information
MD5   : 1f8e9cd3f0717a85b96f350e4f4a539a

Current status: 9/41 (22.0%)
AntiVir     2011.05.04     MACOS/FakeAV.A
BitDefender     7.2     2011.05.04     MAC.OSX.Trojan.FakeAlert.A
ClamAV     2011.05.04     Trojan.OSX.MacDefender
DrWeb     2011.05.05     Trojan.Fakealert.20856
F-Secure     9.0.16440.0     2011.05.04     Rogue:OSX/FakeMacDef.A
GData     22     2011.05.05     MAC.OSX.Trojan.FakeAlert.A
Kaspersky     2011.05.05     not-a-virus:FraudTool.OSX.Defma.a
Microsoft     1.6802     2011.05.04     Rogue:MacOS_X/FakeMacdef
Sophos     4.64.0     2011.05.05     OSX/FakeAV-DMP
MD5   : c0c866fde6336764da0def483f635dc9
SHA1  : a61f2cb78bbb0472d95d2b967e3eda5f786e07ac
Submission date: 2011-05-03 21:14:44 (UTC)
Result: 6/41 (14.6%)
DrWeb     2011.05.03     Trojan.Fakealert.20856
Kaspersky     2011.05.03     not-a-virus:FraudTool.OSX.Defma.a
Microsoft     1.6802     2011.05.03     Rogue:MacOS_X/FakeMacdef
PCTools     2011.05.03     MACDefender
Sophos     4.64.0     2011.05.03     OSX/FakeAV-DMP
Symantec     20101.3.2.89     2011.05.03     MACDefender
MD5   : 2f357b6037a957be9fbd35a49fb3ab72
SHA1  : fb6f092624d48fe9a496c50f615b424b27cf3515
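
An added example (not from the original post or from Intego): a Python sweep of a downloads folder that MD5-hashes each file, and each member of any ZIP archive since the memo describes a ZIP download, and reports matches against the three MD5 values listed above. The function names and the ~/Downloads default are assumptions; the page does not say whether its hashes are of the archive, the installer or the binary, so both levels are checked.

```python
import hashlib
import zipfile
import zlib
from pathlib import Path

# Added example; function names are illustrative. MD5 values are copied from this page.
PAGE_MD5S = {
    "1f8e9cd3f0717a85b96f350e4f4a539a",  # MacProtector, submitted 2011-05-09
    "c0c866fde6336764da0def483f635dc9",
    "2f357b6037a957be9fbd35a49fb3ab72",
}


def md5_of_stream(stream, chunk_size=1 << 20):
    """Hash a file-like object in chunks so large files are not read into memory at once."""
    digest = hashlib.md5()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def scan_downloads(root, known_md5s=PAGE_MD5S):
    """Return sorted (location, md5) pairs for files or ZIP members whose MD5 is listed."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                digest = md5_of_stream(fh)
            if digest in known_md5s:
                hits.append((str(path), digest))
            if zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as archive:
                    for info in archive.infolist():
                        if info.is_dir():
                            continue
                        with archive.open(info) as member:
                            digest = md5_of_stream(member)
                        if digest in known_md5s:
                            hits.append((f"{path}!{info.filename}", digest))
        except (OSError, zipfile.BadZipFile, zlib.error, RuntimeError, NotImplementedError):
            continue  # unreadable, corrupt or encrypted: skip rather than abort the sweep
    return sorted(hits)


if __name__ == "__main__":
    for location, digest in scan_downloads(Path.home() / "Downloads"):
        print(f"MATCH {digest}  {location}")
```

A match is reported as `archive.zip!member/path` when the listed hash belongs to a file inside a ZIP rather than to the archive itself.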


  1. Good post. My friends referred me your blog. Looks like everyone knows about it, just not me, until now. Going to read your other posts. Thank you for sharing with us. Take care.

  2. How do you get rid of it?? Is it a virus then??

    “In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants,” Apple stated on its support page. “The update will also help protect users by providing an explicit warning if they download this malware.”

    Apple also posted instructions on how to avoid installing the Mac Defender malware as well as how to remove it from an affected computer.

  4. Hello, thanks for posting this information, I was trying to find information on this topic – this was very helpful.