MAC Defender anti-virus is a “Trojan Horse”

Intego is reporting details about a new Trojan Horse program designed to attack the Mac. A “Trojan Horse”, or trojan, is a piece of malicious software designed to fool the user into thinking it is something else. In this case, the MAC Defender trojan is designed to look like anti-virus software.

> Intego has discovered a fake antivirus program called MAC Defender, which targets Mac users via SEO poisoning attacks (web sites set up to take advantage of search engine optimization tricks to get malicious sites to appear at the top of search results). When a user clicks on certain links after performing a search on a search engine such as Google, they are sent to a web site that displays a fake Windows screen with an animated image showing a malware scan; a window then tells the user that their computer is infected. After this, JavaScript on the page automatically downloads a file. The file downloaded is a compressed ZIP archive, which, if a specific option in a web browser is checked (“Open ‘safe’ files after downloading” in Safari, for example), will open.

## Do you need to be concerned?
Yes, and no. Trojan Horse software can only affect the security of your Mac if you install it. Installing any kind of software on the Mac requires an Administrator account, which is why I always advise against using an Administrator account for regular activities. By default, a new Mac setup creates an Administrator account for the user when the machine is first set up. Apple needs to do a better job here and provide guidance so that the user can create a secure first-time setup.

## What can I do?
Disable the Open “safe” files after downloading check-box.  This will prevent OS X from automatically opening files downloaded from the Web.  The MAC Defender Trojan uses this convenience feature to trick you into installing the software.

Disable the 'Open "safe" files after downloading' checkbox.

Use the Administrator account only for installing software or making system changes — which is something I do only once in a while.  Use a “Standard” account for your daily activities.  Convenience is the enemy of security.

Only use an Admin account to make system changes.

Safari and other browsers have privacy and other security controls. Learn to use them.

Use the security features of your browser
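
An added hardening check, written for this post and not taken from the original article or from Intego, that audits the two settings recommended above on a Mac: the Safari preference key `AutoOpenSafeDownloads` (the key behind the ‘Open “safe” files after downloading’ checkbox) and whether the current user sits in the `admin` group. The `defaults` and `id -Gn` commands are standard macOS tools the post itself does not mention; the parsing functions take their output as arguments so they can be exercised on any system.

```shell
#!/bin/sh
# Added example: audit the two settings the post recommends on macOS.
# Assumes the macOS `defaults` tool and a POSIX `id`; not part of the original post.

# Safari stores the "Open 'safe' files after downloading" checkbox under the key
# AutoOpenSafeDownloads in com.apple.Safari. If the key is absent, Safari falls
# back to its default, which is enabled, so an empty value counts as enabled.
auto_open_enabled() {
    # $1: raw value from `defaults read` ("1", "0", "true", "false", or "" when unset)
    case "$1" in
        0|false|FALSE|no|NO) return 1 ;;   # disabled
        *)                   return 0 ;;   # enabled, including the unset default
    esac
}

# Succeeds when the space-separated group list ($1, as printed by `id -Gn`)
# contains the macOS admin group.
in_admin_group() {
    for g in $1; do
        [ "$g" = "admin" ] && return 0
    done
    return 1
}

audit() {
    val=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)
    groups=$(id -Gn 2>/dev/null)
    if auto_open_enabled "$val"; then
        echo "WARN: Safari opens 'safe' downloads automatically."
        echo "  fix: defaults write com.apple.Safari AutoOpenSafeDownloads -bool false"
    else
        echo "OK: automatic opening of 'safe' downloads is disabled."
    fi
    if in_admin_group "$groups"; then
        echo "WARN: current user is an Administrator; use a Standard account day to day."
    else
        echo "OK: current user is not in the admin group."
    fi
}

# Only query the live preferences on macOS; elsewhere the commands do not exist.
if [ "$(uname)" = "Darwin" ]; then
    audit
fi
```

Run it from a Terminal as the account you use every day; a "WARN" line points at the setting to change and, for the Safari checkbox, the `defaults write` command that flips it.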

## Do I need Mac anti-virus software?

Maybe. If your daily computer usage involves clicking random links in emails from strangers and hanging out on the seedier places on the Web, then yes. If you follow the tips in this article and use a common sense approach to computing then you can go without. I don’t use anti-virus on any of my Macs and have never had a trojan or virus attack my Mac. Maybe one day we’ll have to worry about more frequent attacks on the Mac. But I don’t see that as the case now. Your mileage may vary.

Khürt Williams

Khürt Williams is Principal for Monkey Hill, LLC, a Skillman, New Jersey based information security governance, risk and compliance consultancy. He's also an avid landscape photographer, and *nix geek.

4 thoughts on “MAC Defender anti-virus is a ‘Trojan Horse’”

  • May 15, 2011 at 5:21 am

    I just got it yesterday and downloaded the Mac Defender. I then removed it using the utilities but am wondering whether my Mac is still affected. I've been waiting to read in your post about how the post-injected trojan acts, but you only describe the pre one. So, any advice on how I can tell whether my Mac still has some virus/spyware on it? Big thanks.

    • May 15, 2011 at 11:56 am

      Mari,
      The first sentence in the first paragraph of the article provides a link to the Intego web site where you can find more information about the trojan and how to remove it.

    • May 15, 2011 at 11:57 am

      Mari Anne,
      The first sentence in the first paragraph of the article provides a link to the Intego web site where you can find more information about the trojan and how to remove it.
