Watch CBSN Live

Malware scare: Should Mac users worry?

Macintosh users are being targeted with malware that poses as an antivirus warning and tries to trick people into paying for software they don't need.

This ruse isn't new. So-called rogue antivirus has been hitting Windows machines for years. But this is the first time this type of malware has been written to target the much smaller Mac market.

This FAQ sorts through the facts to help determine how serious the issue really is.

What is the malware?
Mac Defender, also known as Mac Security and Mac Protector, is a fake antivirus program that is designed to scare people into thinking that their computers are infected with malware and that they have to pay with a credit card to clean the machine up. People get infected with the rogue antivirus programs when they happen to stumble upon Web sites hosting the malware. The malicious sites are created solely to distribute malware and they are search engine optimized so they will appear high up in search results. They use an image related to a popular news topic as bait to lure people to the site, according to Mac antivirus firm Intego, which warned about Mac Defender earlier this month. For instance, one of the sites was in the top five spots this week for searches on "DSK," or Dominique Strauss-Kahn, the French official on the International Monetary Fund who was arrested on sexual assault charges last weekend, according to Intego spokesman Peter James. The malicious sites are taken down and changed from day to day so blocking them is difficult.

How widespread is the malware?
While it's definitely not an epidemic, it does seem to be hitting the radar more than other Mac malware has in the past. Ed Bott at ZDNet reports that an AppleCare support rep told him call volume on the support line was four to five times higher than normal and most of the calls were about the malware. "It started with one call a day two weeks ago, now it's every other call. It's getting worse. And quick," the unnamed source is quoted as saying."

Bott also published what appeared to be an internal Apple document with guidance for support reps when they get calls about Mac Defender. It advises reps to not confirm or deny that the software has been installed and not attempt to remove or uninstall any malware software. Meanwhile, Bott reports that he found more than 200 separate discussion threads on about the matter, including comments from many who had been tricked into installing the malware. He offers juicy tidbits from those discussions here.

Intego said it had been contacted by a "huge number" of customers worried about the malware, and that it had collected dozens of samples of the code. "The news stories were making it worse because it makes Mac users worried and they are more convinced that the fake antivirus warning is real," Intego spokesman James said in an interview today. "It's a self perpetuating process."

Apple declined to provide comment for this story.

How does it work?
The malware has gone through several changes so depending on the version, the screens and wording may be different. An early version displayed some fake Windows screens, but later versions changed that to use an Apple-type interface. Typically, when you click on one of the malicious images you are directed to a site where JavaScript starts running and automatically downloads the program. A warning pops up saying something like, suspicious activity has been detected on the machine, or Apple Web Security has detected malware on the machine and is offering to remove it. Clicking "ok" launches what looks like a scan of the machine and then you are told that the machine is infected and clicking "ok" launches what looks like a Mac OS installer that then asks you to type in your administrator password for the computer. Doing so installs the malware and displays a process that looks like another scan of the computer and provides alerts on supposed infections. In order to clean up the infections, you are required to provide register your machine and it asks for credit card information, according to Intego.

In other versions, just visiting the site downloads a zip file to the hard drive with a name like "MacDefender" or "MacSecurity" and an extension of .mpkg. If your Mac is set up to automatically open "safe" files, a screen will offer to guide you through the installation process. Clicking "continue" will display another screen that asks for your administrative password and the application is launched. A window will display saying your machine is infected, offering the option of cleaning up the computer if you register and provide credit card information.

After installation, a menu item is added to the Mac OS X menubar. The icon looks like a small orange shield that turns red and flashes when it "finds" viruses. If you fail to "register" and provide your credit card information the malware will start to open up porn pages in your browser in an attempt to spur you to pay. The malware will re-launch every time you log into your Mac thereafter until it is removed. It also does not install a dock icon so it is not easy to close the program and you will need to end the process through the Activity Monitor before removing the malware. Intego created a video demonstration showing how the malware works.

What can I do to protect myself?
Don't visit untrusted Web sites, especially ones that could be preying on a hot news topic. Don't install programs unless they come from a reputable source. Don't supply your administrative password except when you are intentionally installing software from a trusted source. Consider changing your settings so you have two accounts, an administrative account and a regular account for regular surfing. If an installer appears mysteriously, block it from installing. Quit out of odd warnings and pop ups, particularly if the "back" or "cancel" option is not highlighted, by clicking the red dot in the upper corner of the pop-up window. Move any suspicious looking files that appear related to MacDefender from your downloads folder into trash. In Safari under "preferences" uncheck the "open safe files after downloading" box. Consider using antivirus software such as ClamX AV. Avoid providing your credit card number through an application. If you have provided your credit card information, call your financial institution immediately and have the card canceled. My colleague Seth Rosenblatt explains how to remove the malware in a blog post. And there is more information on how to protect against Mac Defender on the TUAW site and

Does this mean the Mac is not secure?
No. It means that criminals who used to focus on Windows machines to reach the most potential victims are now targeting Mac too. Around the same time Mac Defender first appeared, a new crimeware kit showed up on criminal underground sites that makes it easy to write botnet malware for Mac OSX, according to security blogger Brian Krebs. And yesterday, security researcher Joshua Long argued in a blog post that the Mac App Store is putting users at risk after he found outdated versions of software there, including at least one with a critical security hole.

But others, like blogger John Gruber, insist that the reports that Mac security is taking a hit are mere hype. Ars Technica's Jacqui Cheng talked to a bunch of third-party Mac support specialists who said they had not seen a noticeable spike. She also talked to some Apple Store support staffers who said the opposite, including one who said he had never had to remove a virus or malware from a Mac until this month.

Macs are not inherently more secure than Windows, says security expert Charlie Miller, who has successfully attacked Safari on the Mac in three Pwn2Own contests over the past few years. In the instance of Mac Defender, the malware requires user action and does not exploit a vulnerability in the Mac OS. In addition, Macs have built-in antivirus, although that does not appear to be protecting against Mac Defender, he added.

"There are about 10 pieces of malware that have been written for the Mac, while Microsoft says that one in 14 downloads (on PCs) is malicious," he said. "So, it's big news because it's rare."

View CBS News In
CBS News App Open
Chrome browser logo Chrome Safari browser logo Safari Continue