T-634: Apple Mac OS X MacDefender Fake Antivirus Malicious Software

June 1, 2011 - 3:35pm

PROBLEM:

Apple Mac OS X versions 10.4, 10.5, and 10.6 are the targets of a new campaign of phishing attacks that aim to infect systems with a fake antivirus application called MacDefender.

PLATFORM:

Mac OS X 10.4, Mac OS X 10.6, Mac OS X 10.5

ABSTRACT:

Apple Mac OS X users could infect their systems after visiting a malicious web page. Reports suggest that the Apple Safari web browser could allow automatic download and execution of the JavaScript-based malware because of an incorrectly set security option in Safari.

REFERENCE LINKS:

Security Article: HT4650
IntelliShield ID: 23239
Apple Insider Article
Info Security News

IMPACT ASSESSMENT:

Medium

Discussion:

Apple Mac OS X users could infect their systems after visiting a malicious web page. Reports suggest that the Apple Safari web browser could allow automatic download and execution of the JavaScript-based malware because of an incorrectly set security option in Safari. The Open "safe" files after downloading option, if enabled, could allow malicious web pages to install the MacDefender malicious software. In a typical exploit, the attacker may provide the user with a link to a malicious site and use misleading language or instructions to persuade the user to follow it. The user could also arrive at a malicious web page through search results or links from a third-party site.

The MacDefender application, also known as MacProtector and MacSecurity, is designed to be downloaded as a compressed ZIP file that contains malicious JavaScript. Upon installation, the MacDefender application could add itself to the user's Login Items, allowing it to be executed on each user login or system restart. It is also not easily terminated from system memory because it does not have a Dock icon. However, reports suggest that the malware could easily be uninstalled from the installed applications list. In addition to masquerading as antivirus software and requesting money from the user in the form of an antivirus subscription, the application may periodically open pornographic websites, making the user believe that the system is infected with malware.
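The two conditions described above (the Safari auto-open option and a MacDefender-family Login Item) can be checked from Terminal. The script below is an added example, not part of the original bulletin; it assumes Safari stores the option as `AutoOpenSafeDownloads` in the `com.apple.Safari` preference domain and that an unset key means the option is on.

```shell
#!/bin/sh
# Added example: audit a Mac for the two conditions this bulletin describes.
# Assumption: the Open "safe" files after downloading option is stored as
# AutoOpenSafeDownloads in the com.apple.Safari preference domain.

# Interpret the value printed by `defaults read`. An empty value (key unset)
# is treated as enabled, on the assumption that Safari's default is "on".
auto_open_state() {
    case "$1" in
        0|false|NO|no) echo disabled ;;
        *)             echo enabled ;;
    esac
}

# Read login item names (one per line) on stdin and print only those that
# match the names given in the bulletin. Always exits 0, even with no match.
flag_login_items() {
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -i -x -E '(MacDefender|MacProtector|MacSecurity)(\.app)?' || true
}

# Live checks: query Safari's preference and the current user's Login Items.
audit() {
    value=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true)
    echo "Safari auto-open of 'safe' downloads: $(auto_open_state "$value")"

    # System Events returns the names as one comma-separated line.
    hits=$(osascript -e \
        'tell application "System Events" to get the name of every login item' \
        2>/dev/null | tr ',' '\n' | flag_login_items)

    if [ -n "$hits" ]; then
        echo "Login items matching MacDefender-family names:"
        echo "$hits"
    else
        echo "No MacDefender-family login items found"
    fi
}

# Run the live checks only on a Mac; the helpers above are plain text filters.
if [ "$(uname -s)" = "Darwin" ]; then
    audit
fi
```

If the option is reported as enabled, it can be turned off in Safari's General preferences or with `defaults write com.apple.Safari AutoOpenSafeDownloads -bool false`.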

Impact:

The malware also installs a login item in your account in System Preferences.

Solution:

Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats. Users are advised not to open unsolicited e-mail attachments. Users should verify that attachments are safe before opening them.
Apple provides security updates for the Mac exclusively through Software Update and the Apple Support Downloads site. Users should exercise caution any time they are asked to enter sensitive personal information online.

Apple Support Downloads