It’s not breaking news that fake-alert Trojan infections are growing. But it is worrying for Mac OS X users to find themselves a target of those attacks. As my colleague Tad Heppner mentioned in his post, a scareware family called MacDefender was spotted in the wild. Mac users can be fooled by these fake alerts because genuine malware for the Mac is on the rise, which lends the warnings credibility; the fake alerts themselves also become more elaborate by the day.
MacDefender has adopted new names and disguises as time passes, and one of its most recent names is Mac Protector.
The Trojan package downloaded from the web contains two more packages: macprotector.pkg and macProtectorInstallerProgramPostflight.pkg. The former holds the application; the latter contains a bash postflight script that launches Mac Protector once the installation finishes. The installation looks like any other Installer run, and it requires root privileges. (Every time an installer or application asks for admin rights, we need to stop and think about whether granting them is the right thing to do.) The only file dropped is MacProtector.app, which is copied to the /Applications directory.
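Because the postflight script runs as root as soon as Installer finishes, the thing to look at before clicking Install is the set of scripts inside the package. The following is an added example, not code from the McAfee post or from the malware: it lists every pre/postflight and pre/postinstall script in an expanded .pkg tree and shows the interpreter each one will run under. It assumes the layout produced by `pkgutil --expand` on macOS (one directory per sub-package, scripts under `Scripts/`); the two sub-package names come from the post, while the postflight body in the constructed sample tree is an assumption written only to mirror the described behaviour.

```shell
#!/bin/sh
# Added example, not code from the McAfee post or from the malware: list the
# installer scripts inside an expanded .pkg tree so that a postflight script
# like the one in macProtectorInstallerProgramPostflight.pkg is seen before
# anything is installed. On macOS the tree comes from:
#     pkgutil --expand Downloaded.pkg /tmp/expanded
# (assumed layout: one directory per sub-package, scripts under Scripts/).

# list_installer_scripts DIR
# Prints "<sub-package>: <path> (<first line>)" for every pre/postflight and
# pre/postinstall script under DIR. Exit 0 if any were found, 1 if none.
list_installer_scripts() {
    dir=$1
    scripts=$(find "$dir" -type f \( -name postflight -o -name preflight \
                   -o -name postinstall -o -name preinstall \) | sort)
    [ -n "$scripts" ] || return 1
    printf '%s\n' "$scripts" | while IFS= read -r script; do
        rel=${script#"$dir"/}          # path relative to the expanded tree
        pkg=${rel%%/*}                 # first component = sub-package name
        interp=$(head -n 1 "$script")  # shebang tells us what will run as root
        printf '%s: %s (%s)\n' "$pkg" "$rel" "$interp"
    done
    return 0
}

# build_sample_tree DIR
# Constructed stand-in for the expanded Mac Protector installer: the two
# sub-package names are from the post; the postflight body is an assumption
# written only to mirror the described behaviour (launch the dropped app).
build_sample_tree() {
    dir=$1
    mkdir -p "$dir/macprotector.pkg" \
             "$dir/macProtectorInstallerProgramPostflight.pkg/Scripts"
    : > "$dir/macprotector.pkg/Payload"
    cat > "$dir/macProtectorInstallerProgramPostflight.pkg/Scripts/postflight" <<'EOF'
#!/bin/bash
# constructed stand-in: start the fake anti-virus as soon as Installer finishes
open /Applications/MacProtector.app
EOF
    chmod +x "$dir/macProtectorInstallerProgramPostflight.pkg/Scripts/postflight"
}

sample=$(mktemp -d)
build_sample_tree "$sample"
if list_installer_scripts "$sample"; then
    echo "installer runs scripts as root; read them before clicking Install"
else
    echo "no installer scripts found"
fi
rm -rf "$sample"
```

On a real download, replace the constructed tree with the output of `pkgutil --expand` and read any script the function reports; a package that only needs to copy an .app into /Applications has no business carrying a shell script that runs as root.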
Mac Protector is quite sophisticated and bundles a large number of resources to pass as a genuine anti-virus app. The package holds many images and sounds that are used to simulate a system scan, display alerts, and so on.
Mac Protector performs a fake scan of the system and reports rootkit and spyware detections attributed to real, currently running processes.
But don’t be fooled. Those detections are completely fake. All Mac Protector actually does is enumerate the processes running on the Mac, pick one of them, and label it as infected.
Moreover, Mac Protector opens browser windows on pornographic sites to convince users that they really are infected.
During the scan, and again once it finishes, the fake anti-virus claims that to clean up the system the user must register the app. It loads an embedded web page that asks victims for their credit card data. At the time of writing the payment site is still alive, so be careful. Here is the page request:
To remove this malware, go to the Applications folder (Shift + Command + A) and delete MacProtector.app. If you can’t delete it, open Activity Monitor, kill the MacProtector process, and try again.
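The same clean-up from a Terminal, as an added example that is not code from the McAfee post: stop the MacProtector process (the Activity Monitor step) and then delete the bundle from /Applications. The process name "MacProtector" is taken from the post; the applications directory is a parameter so the function can be exercised against a throwaway directory, and the demo at the bottom builds a constructed bundle in a temporary directory rather than touching the real /Applications.

```shell
#!/bin/sh
# Added example, not code from the McAfee post: the manual clean-up described
# above (quit the MacProtector process, then delete MacProtector.app from
# /Applications) as a script. The process name "MacProtector" is taken from
# the post; APPDIR is a parameter so the function can be exercised against a
# throwaway directory instead of the real /Applications.

# stop_process NAME: terminate every process whose command name is exactly NAME.
# Succeeds whether or not anything was running; escalates to SIGKILL if needed.
stop_process() {
    pids=$(pgrep -x "$1" 2>/dev/null || true)
    [ -n "$pids" ] || return 0
    kill $pids 2>/dev/null || true
    sleep 1
    pids=$(pgrep -x "$1" 2>/dev/null || true)
    [ -z "$pids" ] || kill -9 $pids 2>/dev/null || true
}

# remove_fake_av [APPDIR]: stop MacProtector and delete APPDIR/MacProtector.app.
# Exit 0 if the bundle is gone afterwards, 2 if it was not there to begin with,
# 1 if it could not be removed (e.g. insufficient permissions).
remove_fake_av() {
    appdir=${1:-/Applications}
    bundle=$appdir/MacProtector.app
    [ -d "$bundle" ] || return 2
    stop_process MacProtector
    rm -rf "$bundle" 2>/dev/null || true
    [ ! -e "$bundle" ]
}

# Demo on a constructed bundle in a temporary directory (nothing is launched).
demo=$(mktemp -d)
mkdir -p "$demo/MacProtector.app/Contents/MacOS"
: > "$demo/MacProtector.app/Contents/MacOS/MacProtector"
remove_fake_av "$demo"
rc=$?
case $rc in
    0) echo "removed $demo/MacProtector.app" ;;
    2) echo "MacProtector.app not present in $demo" ;;
    *) echo "could not remove MacProtector.app (exit $rc)" ;;
esac
rm -rf "$demo"
```

On an infected machine, call `remove_fake_av` with no argument to target /Applications. Because the installer ran as root, the bundle may be root-owned, so run the script with sudo (or enter the admin password when Finder asks), and check the exit status: 1 means the bundle survived and the Activity Monitor route is still needed.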
McAfee detects this threat as OSX/FakeAlert-MacDefender.