We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

Apple releases security update for MacDefender

Posted on May 31st, 2011 at 7:22 PM EDT

Apple released Security Update 2011-003 today, addressing the MacDefender issue.  According to Apple’s documentation on this update, there are three basic additions to assist in dealing with the MacDefender outbreak.  Before reading further, it may be worthwhile to read my Mac Virus Guide, to understand some of the fundamental ideas involved, and Apple’s own document on quarantine.



MacGuard details

Posted on May 26th, 2011 at 10:32 PM EDT

I managed to get my hands on a copy of MacGuard this evening, and ran it through some tests to try to clarify some of the rumors floating around.  The good news is that, in all, this is just another boring old variant in the MacDefender malware line.  The same old removal instructions still apply, and the application itself does not appear to have developed any new features.  However, when it comes to the installation, there are some notable differences!


Yet another MacDefender variant: MacGuard

Posted on May 25th, 2011 at 7:34 PM EDT

Another new trojan has appeared in the MacDefender/MacSecurity/MacProtector line.  This time it’s called MacGuard.  From the initial reports, it does not sound significantly different from the earlier versions in most respects.  However, there is one notable difference: it no longer requires an administrative password to install.  Exactly why is not yet clear to me.  Some sites report that it is installed in the user’s Applications folder rather than the global one (writing into a folder the user already owns needs no admin authentication, which would account for the difference), while others give uninstall instructions that refer to the main Applications folder.  I will report more as I learn more, but for now it appears that the same old MacProtector removal instructions will work, with minor modifications.  First, and obviously, you need to look for the name MacGuard in addition to the other three when removing.  Second, look in both the main Applications folder and the one in your user folder, and remove MacGuard from wherever it is.

If anyone has additional information, please let me know, and if anyone finds a live link to the malware, please let me know so I can get a copy of it.
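The check described above, as an added example that is not part of the original post: a small POSIX shell script that looks for the four names the post lists (MacDefender, MacSecurity, MacProtector, MacGuard) in both the global and the per-user Applications folders, since a variant that installs without an admin password may land in either. It only reports what it finds; removal is left to the operator. The fixture directories it builds are constructed for the demonstration, not a real infection, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Enumerates the known
# MacDefender-family app bundles in the folders passed as arguments.

# Names the post lists at the time of writing (a later variant may add more).
MACDEFENDER_NAMES="MacDefender MacSecurity MacProtector MacGuard"

# find_macdefender_apps DIR...
# Prints "<dir>/<Name>.app" for every matching bundle; missing dirs are skipped.
# Real usage: find_macdefender_apps /Applications "$HOME/Applications"
find_macdefender_apps() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for name in $MACDEFENDER_NAMES; do
            if [ -d "$dir/$name.app" ]; then
                printf '%s\n' "$dir/$name.app"
            fi
        done
    done
}

# count_matches DIR... : number of bundles found, so a caller can branch on it.
count_matches() {
    find_macdefender_apps "$@" | wc -l | tr -d ' '
}

# make_fixture: constructed test layout (hypothetical, not a real infection):
# an empty "global" Applications folder and a per-user one holding a fake
# MacGuard.app next to an unrelated app. Prints the fixture root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/Applications"
    mkdir -p "$root/home/Applications/MacGuard.app/Contents/MacOS"
    mkdir -p "$root/home/Applications/Safari.app/Contents/MacOS"
    printf '%s\n' "$root"
}

# Run with --demo to see the report against the constructed fixture.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_fixture)
    echo "Found $(count_matches "$root/Applications" "$root/home/Applications") suspect bundle(s):"
    find_macdefender_apps "$root/Applications" "$root/home/Applications"
    rm -rf "$root"
fi
```

Against a real machine, pass `/Applications` and `"$HOME/Applications"` (and any other user's home folder if the Mac has several accounts); the per-user folder is the one most removal guides overlook.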


Apple responds to MacDefender

Posted on May 24th, 2011 at 9:27 PM EDT

Apple posted their own support document today, titled How to avoid or remove Mac Defender malware, in which they describe how to respond to this malware.  Their removal instructions are essentially identical to what I’ve outlined in Identifying and removing MacDefender trojans, which should be reassuring to those who have followed my guidelines.  Even more reassuring is the fact that the article refers to a soon-to-come software update to help combat MacDefender and its variants.  Whether this will come in the form of another update to Quarantine or whether they plan to develop a different response to this particular threat is something that only time will tell.  Regardless, this promise of action should ease users’ minds, especially in the wake of rumors that Apple support techs have been told not to handle MacDefender issues, though some may criticize Apple for not taking swifter action.


What is the Weyland-Yutani crime kit?

Posted on May 22nd, 2011 at 1:51 PM EDT

I saw the news about the Weyland-Yutani crime kit when it first appeared on May 2, discussed on blogs by Peter Kruse of CSIS and Brian Krebs of Krebs on Security.  At the time, I thought it was interesting, but it wasn’t an immediate concern.  There were bigger fish to fry, as well, since the news coincided with the first appearance of MacDefender.  However, I’ve encountered a few folks just now learning about it and becoming concerned.  The question is, is that concern warranted?


Hiding GMail’s “All Mail” from Apple Mail

Posted on May 19th, 2011 at 3:11 PM EDT

After covering nothing but MacProtector for nearly three weeks, it’s time to move on to other topics.  Today I’ll discuss a common complaint among people trying to use Apple’s Mail program to access their GMail accounts: duplicate messages.  Or, at least, what appear to be duplicate messages, thanks to some oddities about how GMail works.


Minor new MacProtector variant

Posted on May 17th, 2011 at 10:54 PM EDT

A colleague sent me a slightly different variant of MacProtector recently, with a creation date of 5/11/2011.  I haven’t had time to do any really detailed analysis of it, and I’m not sure the trouble would be warranted anyway.  The differences appear to be minor.


Further analysis of MacProtector

Posted on May 10th, 2011 at 8:53 PM EDT

There have been reports circulating that MacDefender/MacSecurity/MacProtector may be doing nasty things like scanning the hard drive and sending data home.  If this is true, it would be a more serious problem.  The behavior that has been documented to date is less dangerous because it is entirely under your control: you choose whether to proceed with the installation, and you choose whether to give a credit card number.  Many people have accepted the installation but balked at the credit card, which would still leave them exposed if the trojan is doing other things behind the scenes.  So, are these rumors true?  Here’s what I found.


Identifying and removing MacDefender trojans

Posted on May 7th, 2011 at 2:08 PM EDT

[Edited Thursday, May 26, 9:20 PM]

A lot of people are being affected by MacDefender, or one of the variants of MacDefender (MacSecurity, MacProtector and MacGuard, at this time, possibly more in the future).  As a result, I’m getting a lot of questions from people about how to tell if they’re infected, how to get rid of the trojan and what else they need to worry about.  Hopefully, I will answer all those questions and more here.  For those unfamiliar with these trojans, see my previous MacDefender news posts.


MacProtector is yet another MacDefender variant

Posted on May 7th, 2011 at 7:04 AM EDT

A number of people are reporting yet another MacDefender variant this morning.  This time, it’s named MacProtector, but it sounds like the method of operation is the same.  Mac users should be on their guard against an attack of this type, regardless of the name.  (If you haven’t been following along, see all my coverage of the MacDefender trojan.)

If anyone can send me a link where MacProtector can be found, so I can verify that it behaves the same as MacDefender, please do!

Edit: Thanks to pieinoz for pointing me to just the right search terms to use on Google Images to find MacProtector.  As I suspected, it does appear to be nothing more than a variant of MacDefender.  After updating my ClamXav definitions this morning, I found that it will detect both MacSecurity and MacProtector.