Sophos's Naked Security blog has recently brought to my attention that Apple has issued a knowledge base article with a step-by-step guide to removing the infamous Mac Defender malware. Note: if you have no idea what Mac Defender is, take a look at the screenshot on the left, taken from an Intego blog post. Mac Defender is malware that is spreading like wildfire, and it has certainly put an end to the notion that Macs cannot get malware.
This is, to my knowledge, the first article Apple has published about a specific piece of malware, which is certainly a good sign on Apple's part and a step in the right direction. However, as Chester Wisniewski points out in his post, there are a couple of errors in the article. First off, Mac Defender is not a phishing scam but a fake AV, a type of trojan. Apple states in its article: "A recent phishing scam has targeted Mac users by redirecting them from legitimate websites to fake websites which tell them that their computer is infected with a virus." I beg to differ.

Sophos describes phishing as "the fraudulent practice of sending e-mails purporting to be from legitimate companies in order to induce individuals to reveal personal information, such as credit-card numbers, online." Phishing does extend beyond email, though. It is a type of fraud in which criminals try to steal a person's personal information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity. Phishers often build websites that look and feel almost identical to the legitimate one to lull the victim into giving up their details. They may also pressure the user to "verify" a password or other personal information in order to prevent their account from being terminated. For example, a common phishing scam is an email telling the unsuspecting victim that their email account will be closed unless they verify it through a given link. Scammers also send emails claiming that the victim has won a "lottery" and then demand that the victim confirm their personal details to prove they are the right person. Contrary to what many people think, phishing is not confined to the internet; it can also happen offline. For instance, a scammer may call a victim, pretend to be their bank, and demand personal details such as date of birth or social security number to "verify" their identity.
Although Mac Defender employs phishing pages to lure the victim into handing over their details, the software itself is a fake antivirus, a type of trojan horse. As I explained in my previous blog post, a trojan horse, or trojan as it is commonly known, takes its name from the wooden horse of Greek myth that Odysseus devised to get the Greeks inside Troy and defeat the Trojans. Just like the mythical horse, a trojan pretends to be something useful to mask its true, destructive purpose. Hackers use trojans to gain access to a computer. Once installed, a trojan can do a variety of things, including but not limited to spying on the victim, stealing passwords, popping up annoying ads, and installing more malware. Essentially, a trojan is malware that disguises its true purpose in order to gain the user's trust. One disguise hackers commonly use is the antivirus costume: they dress their malware up as an apparently useful antivirus or other system utility. To pressure the user into installing it, they often show a fake antivirus scan that actually runs entirely inside the browser (as shown on the right). The "fake scan" is just a web page that pretends to "scan the computer"; a web page has no access to your files, so everything it "finds" is scripted in advance. That by itself is not harmful (unless a browser exploit is used to inject malware), but the page then pushes software into the user's face to "install" in order to fix the "viruses" or problems it claims to have found.
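To make the point about fake scan pages concrete, here is an added example (my own illustration, not code from the original post or from Mac Defender itself) modelling what such a page's script actually does: it reads the User-Agent string the browser sends, picks a matching theme and a hard-coded list of "infected files", and points the "Remove all" button at a download. All the names, paths, detection labels and URLs in it are made up. Run it with node and note that the report never depends on anything but the User-Agent.

```javascript
// Added example (not code from the original post or from Mac Defender):
// a stripped-down model of the logic behind a "fake scan" web page.
// All names, paths and URLs below are made up for illustration.

// The only thing a web page learns about the visitor is what the browser
// volunteers, such as the User-Agent string. Two constructed samples:
const SAMPLE_USER_AGENTS = {
  mac: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1",
  windows: "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24",
};

// Guess the operating system from the User-Agent. This is all the page has
// to go on, and it is only used to pick which theme and which canned
// "findings" to show.
function guessPlatform(userAgent) {
  if (/Macintosh|Mac OS X/.test(userAgent)) return "mac";
  if (/Windows/.test(userAgent)) return "windows";
  return "unknown";
}

// Hard-coded "infected files", picked to look plausible on each platform.
// A web page has no API for reading the visitor's disk, so nothing here
// comes from the visitor's machine. (Made-up paths.)
const CANNED_FINDINGS = {
  mac: [
    "/Applications/iTunes.app/Contents/MacOS/iTunes",
    "/Library/LaunchAgents/com.example.updater.plist",
    "/Users/Shared/.hidden_payload",
  ],
  windows: [
    "C:\\Windows\\System32\\kernel32.dll",
    "C:\\Users\\Public\\svchost.exe",
    "C:\\Windows\\Temp\\update.dll",
  ],
  unknown: ["unknown.dll"],
};

// "Scan" the visitor. The result is a pure function of the User-Agent:
// same string in, identical "infections" out, for every visitor.
function fakeScan(userAgent) {
  const platform = guessPlatform(userAgent);
  const findings = CANNED_FINDINGS[platform].map((path, i) => ({
    path,
    threat: `Trojan.Generic.${i + 1}`, // invented detection names
    severity: "critical", // always critical, purely to scare
  }));
  return {
    platform,
    findings,
    // The "Remove all" button removes nothing; it just starts a download
    // of the real trojan. Made-up URL.
    action: {
      label: "Remove all threats",
      download: `/get/${platform}/DefenderSetup.zip`,
    },
  };
}

console.log(JSON.stringify(fakeScan(SAMPLE_USER_AGENTS.mac), null, 2));
```

The giveaway is determinism: a real scanner's output depends on what is on the disk, while this "scan" produces an identical report for every visitor with the same browser, instantly, because a web page has no way to open local files. Closing the tab ends it; only clicking through to the download and running the installer turns the page into an infection.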
In summary, Mac Defender is one of many fake antivirus programs out there. Mac users may be new to this (since there has been very little fake AV or other malware for Macs), but they must realize that all of those fake scan pages live inside the browser, and all they do is show pretty graphics that "pretend" to scan your computer. Just close the browser window or tab. That's all there is to it, provided your browser did not download and open the installer automatically. If you actually install the program, that's another story. Googling for a removal solution may help, but some of those "removal" tools are themselves additional malware preying on people who desperately want the installed malware gone. Instead, visit a malware removal forum such as Bleeping Computer or MajorGeeks (I personally recommend Bleeping Computer, as I have used it before). It also wouldn't hurt to install antivirus software for your Mac. The About.com page lists some of the best, trustworthy Mac antivirus products out there. I haven't tried them myself, as I'm a Windows user.
Just remember, an Apple a day won't keep the malware away. Stay safe!