Wednesday, May 4, 2011

MacDefender Spyware appears via Website Attacks

I had read about a more sophisticated piece of malware named MacDefender that was using Safari to attack and infect some Mac machines.  What was interesting was the method, which is typically applied to Windows.  Typically, when you use a search engine like Google, Yahoo, or Bing, to name just a few, there are tricks that hackers can use to infect websites without the website's owner knowing that it has happened.

The way search engines work is that when you type in a search, the most popular and relevant responses are listed first.  In these malicious attacks, hackers can use search engine optimization (SEO) to their advantage to trick search engines into listing the infected sites at the top of the list.  How they do this is beyond me, but it serves as a reminder that even if a site is at the top of the list, that doesn't mean it's the best choice.

Next, the user clicks on a link to a website and is taken to that website.  Typically you will then see a screen that looks similar to this:
If you look at this picture, it is the screen that you would typically see if you are taken to a compromised website.  First off, it's a web browser: look at the top and we can clearly see it's Safari, so this is like a really, really sophisticated pop-up ad.  Typically you can stop the attack here by simply closing the window.  However, in Safari there is a setting that will allow files to be downloaded and run automatically.  If that happens, the installer will run; you can simply quit the installer, delete the installer files, and empty the Trash, and you should be OK.

So what if you installed MacDefender?  Follow these steps to get rid of the software:

1. Open Activity Monitor from the Utilities folder. Set the drop-down to "All Processes."

2. Use the search field in Activity Monitor to search for MacDefender.

3. Click on the MacDefender process. Click the "Quit Process" button. Click "Force Quit."

4. Drag the MacDefender program (installed in the Applications folder by default) to the Trash. Empty the Trash.

5. Remove MacDefender from the Login Items for your Account in the OS X System Preferences (if it exists).

That's it for removing the spyware MacDefender from your system.  
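
The three places the steps above touch (running process, Applications folder, Login Items) can also be checked from Terminal. This is an added example, not part of the original post; the bundle name `MacDefender.app` and reading login items through System Events are assumptions, and the script only reports, it does not delete anything.

```shell
#!/bin/sh
# Added example: read-only check of the three places the removal steps touch.
# Assumed (not stated in the post): the bundle is called MacDefender.app and
# login items are read through System Events.
NAME="MacDefender"

# Steps 1-3: reads a process list on stdin, succeeds if the name appears.
process_running() {
    grep -qi "$NAME"
}

# Step 4: succeeds if the app bundle exists in the given Applications folder.
app_installed() {
    [ -d "${1:-/Applications}/$NAME.app" ]
}

# Step 5: succeeds if the name appears in a comma-separated login item list.
login_item_present() {
    printf '%s\n' "$1" | grep -qi "$NAME"
}

audit() {
    if ps -axo comm | process_running; then
        echo "process:    RUNNING (force quit it in Activity Monitor)"
    else
        echo "process:    not running"
    fi
    if app_installed /Applications; then
        echo "app bundle: PRESENT in /Applications"
    else
        echo "app bundle: not found"
    fi
    # Empty list if System Events cannot be queried.
    items=$(osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null) || items=""
    if login_item_present "$items"; then
        echo "login item: PRESENT"
    else
        echo "login item: not found"
    fi
}

# Only run the live check on a Mac; the functions above work on any input.
if [ "$(uname)" = "Darwin" ]; then
    audit
fi
```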

The key to all of this is paying attention to the websites you are viewing.  There are 2 things that you should do to help prevent this from happening again.
  1. Do not allow downloads to run automatically.
  2. If you are searching the web and come across a similar pop-up, simply close the window and cancel any downloads.
If you follow these two steps along with running up-to-date anti-virus, you should be all right.
