[Jonty30]

If I come across any Mac viruses on my virus-free Windows computer, I’ll let you know.

[Jonty30]

I think the virus writer’s have been studying the Apple’s software for a long time and know many hole’s that Apple isn’t aware of .

It’s going to be interesting.

[Swordmaker]

The key to avoiding this malware in its more dangerous form is to

• Uncheck the 'Open "safe" files after downloading" box in the GENERAL tab in the Safari Preferences
• Run as a Standard User instead of the Administrator User that is the default user that you may have started with when you set up your Mac.

If you are not now running as a Standard User, here is how to set up a new Administrator user (you will always need one in OSX) and change your current user to a Standard User, which is much safer:

1. Under the Apple Menu, select "System Preferences..."
2. Click the "Accounts" on the fourth line to open the Accounts Preference Pane.
3. If the Accounts Pane is "locked," i.e. the padlock icon at the lower left is closed, click on it, provide your current Administrator Name and password to unlock it.
4. Create a New User by clicking on the "+" button directly above the padlock icon.
5. Give the New User a name that is NOT "Admin" but is something specific to YOUR computer... non-generic... so that a malware writer cannot anticipate your administrator name by knowing something about you. "Aunt FLossy" might be a good administrator name, if you DON'T have an Aunt FLossy.
6. Give this New User a password that is NOT a word in a dictionary... combine numbers, upper and lower case letters, and some non alphanumeric characters... make it a HARD password... but one you won't forget. Free$23Republic would be a good example of a hard, memorable password for a freeper, and would also remind him to make a donation from time to time.
7. Write down this New Administrator name and password and lock it away somewhere... just in case.
8. Check the box "Allow user to administer this computer"
9. At the bottom of the list of users at the left of the pane, click on "Login Options."
10. Check the box next to "Show fast user switching menu as:" and select "Name" in the drop down menu box. This will create a user switching menu on the upper right of your Mac menu bar.
11. If there are multiple users other than yourself on this Mac, turn off the automatic login at the top of the pane. If it is just yourself, don't do this step unless you want to increase your computer's physical security so that you have to login every time you start up. That IS the best practice, but it is your personal preference.
12. Select an appropriate picture for your New Administrator User.
13. Click on the padlock icon to RELOCK the Accounts Pane.
14. Under the Apple Menu, LOG OUT of your current account.
15. Log in as your NEW ADMINISTRATOR.
16. Repeat steps 1 through 3 above, except use the New Administrator name and password to authenticate the unlocking of the Accounts Pane in step 3. This both unlocks the pane AND confirms that this newly created account is an administrator account.
17. Click on your ORIGINAL account name, the one you usually use to operate the computer, to select it.
18. Uncheck the box next the "Allow user to administer this computer."
19. Click on the padlock icon to relock the Accounts pane.
20. Close the System Preference window.
21. Under the Apple Menu, Log Off the Administrator Account.
22. Log back in to your normal account.

You are now safe from this exploit.

Use your new administrator's name and password to install any software or to do system maintenance. You can install software from your Standard User account by providing that name and password for each instance. You will not be able to make changes to your system files, Libraries, Applications folders, or the HD root directory unless you provide that Administrator name and password.

Note, the administrator name and password will STILL not allow you to make changes to ROOT UNIX files or to alter any of the core files as the ROOT is not activated on the default OSX install... That requires one level higher user level even yet. However that administrator IS capable of activating ROOT by creating a ROOT superuser and creating a ROOT superuser password.

[Swordmaker]

The MacDefender authors have stepped up the game a bit... it's a bit more dangerous now. For some Mac users it can self install!!!—PING!

For information on how, who is at risk, and for SWORDMAKER'S INSTRUCTIONS on how to NOT TO NOT BE VULNERABLE TO THIS PROBLEM... This is a must read thread!

Please, No Flame Wars, Discuss technical issues, software, and hardware.
Don't attack people!

Don't respond to the Anti-Apple Thread Trolls!
PLEASE IGNORE THEM!!!

Apple Ping!

If you want on or off the Mac Ping List, Freepmail me.

[Swordmaker]

From what I can find out from other sources other than the biased author of this article, Ed Bott, who writes only negative articles about Apple, the malware DOES still need to be installed... following the download. The only thing that gets opened automatically is the downloader which is in an auto-executing zip file. The primary difference is that it no longer is requiring the administrator password for those who are running as administrator level users who have "Open 'safe' files after downloading" checked in Safari. ALL OTHERS who are running as Standard Users are not at risk from this malware!

Apple's online instructions on how to dispose of this malware are still effective... contrary to Bott's negative comment of "too little, too late!"

---

Summary

A recent phishing scam has targeted Mac users by redirecting them from legitimate websites to fake websites which tell them that their computer is infected with a virus. The user is then offered Mac Defender "anti-virus" software to solve the issue.

This “anti-virus” software is malware (i.e. malicious software).  Its ultimate goal is to get the user's credit card information which may be used for fraudulent purposes.

The most common names for this malware are MacDefender, MacProtector and MacSecurity. 

In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants.  The update will also help protect users by providing an explicit warning if they download this malware. 

In the meantime, the Resolution section below provides step-by-step instructions on how to avoid or manually remove this malware.

Products Affected

Mac OS X 10.4, Mac OS X 10.6, Mac OS X 10.5

Resolution

How to avoid installing this malware

If any notifications about viruses or security software appear, quit Safari or any other browser that you are using. If a normal attempt at quitting the browser doesn’t work, then Force Quit the browser.

In some cases, your browser may automatically download and launch the installer for this malicious software.  If this happens, cancel the installation process; do not enter your administrator password.  Delete the installer immediately using the steps below.

1. Go into the Downloads folder or your preferred download location.
2. Drag the installer to the Trash. 
3. Empty the Trash.

How to remove this malware

If the malware has been installed, we recommend the following actions:

• Do not provide your credit card information under any circumstances.
• Use the Removal Steps below.

Removal steps

• Move or close the Scan Window
• Go to the Utilities folder in the Applications folder and launch Activity Monitor  
• Choose All Processes from the pop up menu in the upper right corner of the window
• Under the Process Name column, look for the name of the app and click to select it; common app names include: MacDefender, MacSecurity or MacProtector
• Click the Quit Process button in the upper left corner of the window and select Quit
• Quit Activity Monitor application
• Open the Applications folder
• Locate the app ex. MacDefender, MacSecurity, MacProtector or other name
• Drag to Trash, and empty Trash

Malware also installs a login item in your account in System Preferences. Removal of the login item is not necessary, but you can remove it by following the steps below.

• Open System Preferences, select Accounts, then Login Items
• Select the name of the app you removed in the steps above ex. MacDefender, MacSecurity, MacProtector
• Click the minus button

Use the steps in the “How to avoid installing this malware” section above to remove the installer from the download location.

Note: Apple provides security updates for the Mac exclusively through Software Update and the Apple Support Downloads site. User should exercise caution any time they are asked to enter sensitive personal information online.
 

[GOP Poet]

bookmark

[Ben Hecks]

Bump for later. Thanks for the post.

[StrictTime]

Thanks, Sword. I'm a mainly a lurker, but I read everything you ping. I already have my Admin account as an account that no one uses, so I guess I did something right there! :) WooHoo! I do like the extra security of unchecking the "Open Safe Files" option, however, so thanks for that, too.

And I'm sorry to hear of your loss. God's blessings.

[TexasRepublic]

Anyone that accesses the Internet as administrator instead of regular user is asking to be hosed, regardless of the type of operating system.