Dealing with the Mac malware 'scourge'
Apple [AAPL] is likely prepping some form of security update double-quick. That's because there's a security problem in Mac town, and if one report is to be believed, Mac Defender (aka MacSecurity and MacProtector) attacks are spreading fast -- fortunately, if you're a Mac user worried about this, those nice people over at Sophos have a free anti-virus solution for you.
The problem (as shown in the video above).
These Trojan horses attempt to trick Mac OS X users into downloading malware-laden software, which in turn attempts to trick you into providing personal information. (MacMost has a nice video guide also.)
What happens is that the fake applications target Mac users via SEO poisoning attacks (sites which trick search engines in order to be visible at the top of search results).
They do this by posing as virus scanners, telling you you have a security problem and downloading what purports to be anti-virus software.
[This story is from Computerworld's Apple Holic blog. Follow on Twitter or subscribe via RSS to make sure you don't miss a beat.]
Be cautious, be aware
Intego (who offer protection against this, but charge for the software) explains it thus:
"Intego has discovered a fake antivirus program called MAC Defender, which targets Mac users via SEO poisoning attacks (web sites set up to take advantage of search engine optimization tricks to get malicious sites to appear at the top of search results). When a user clicks on certain links after performing a search on a search engine such as Google, they are sent to a web site that displays a fake Windows screen with an animated image showing a malware scan; a window then tells the user that their computer is infected. After this, JavaScript on the page automatically downloads a file. The file downloaded is a compressed ZIP archive, which, if a specific option in a web browser is checked ("Open 'safe' files after downloading" in Safari, for example), will open. The file is decompressed, and the installer it contains launches presenting a user with the following screen."
The software also attempts to trick you into entering your personal information. Don't do this: you chance identity theft and charges to your credit cards.
I tend to remain calm when it comes to Mac security, but it is important to note that this is a malware attack that poses as an application. In other words, if you choose to install the application then the malware will have its way.
User-installed software remains the biggest problem facing most users on the Mac.
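Intego's description above hinges on a ZIP archive whose installer launches as soon as the archive is opened. As an added example (not from this article, Intego or Symantec), the Python check below lists installer packages and app bundles inside a downloaded ZIP without extracting it; the file names, the extension list and the ok/review/block policy are assumptions made for illustration.

```python
import io
import zipfile

# Assumed list of extensions that open as an installer, app bundle or disk image on a Mac.
LAUNCHABLE = (".pkg", ".mpkg", ".app", ".dmg")


def launchable_entries(zip_bytes):
    """Return the outermost installer/app items inside a ZIP, without extracting it."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("__MACOSX/"):
                continue  # resource-fork metadata, not a launchable item
            # .app and .mpkg are directories (bundles), so test each path component
            # and stop at the first match to report the outermost bundle only.
            for part in name.split("/"):
                if part.lower().endswith(LAUNCHABLE):
                    found.add(part)
                    break
    return sorted(found)


def triage_download(zip_bytes, user_requested):
    """Return (verdict, items): 'ok', 'review' or 'block' (hypothetical policy)."""
    try:
        items = launchable_entries(zip_bytes)
    except zipfile.BadZipFile:
        return "block", []  # named like an archive but not a valid ZIP
    if not items:
        return "ok", items
    # An installer the user asked for still deserves a look; an unrequested one does not run.
    return ("review" if user_requested else "block"), items


def make_zip(names):
    """Build an in-memory ZIP with empty members (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: an unrequested download that wraps an installer bundle.
    sample = make_zip(["FakeScanner.mpkg/Contents/Info.plist",
                       "FakeScanner.mpkg/Contents/Packages/payload.pkg",
                       "__MACOSX/._FakeScanner.mpkg"])
    print(triage_download(sample, user_requested=False))
```
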
Apple let-down
A little common sense usually helps, but these attacks are intelligently-crafted.
Symantec tells us the malware may then open your Web browser in order to visit a range of URLs:
   •   [http://]gay.porn.com
   •   [http://]buy-viagra-now.net
   •   [http://]fitish.com
   •   [http://]www.gay.com
   •   [http://]www.porn.com
   •   [http://]www.freebdsmgalleries.com
It may also access the following URL to confirm installation:
[http://]69.50.214.54/[REMOVED]
This morning, Ed Bott at ZDNet spoke to an AppleCare representative who said these attacks are turning into a scourge.
His single anonymous source is alleged to have said, "Our call volume here at AppleCare is 4-5x higher than normal and [the overwhelming majority] of our calls are about this Mac Defender and its aliases."
The report proceeds to explain that parents are seeing these disturbing sites pop up on their kids' Macs, with similar problems being seen in schools.
The report further claims that AppleCare workers are being instructed not to help customers remove the malware. This is because the company apparently wants to avoid setting a precedent by which it takes responsibility for addressing such problems in future.
"We have a team of people who go through all case notes and find new issues that are popping up a lot and send notices to all of AppleCare. Our notice for Mac Defender is that we're not supposed to help customers remove malware from their computer."
This will inevitably create negative publicity for Apple, but given that almost every other platform leaves users to deal with similar problems on their own, there is an industry precedent. In any case, help is at hand.
What to do
If you have been impacted by these problems, then CNet has an extensive account of how you can fix it yourself. Meanwhile, Sophos has a free and reputable anti-virus app you can download today, which should help boost protection.
The main point I need to make is to avoid complacency. Mac users do have an eminently secure, Unix-based platform, but it isn't an ivory tower. This wave of attacks should prove any computer user should follow this simple advice:
- On a Mac, immediately uncheck Safari's 'Open 'safe' files after downloading' option in the General pane of its Preferences.
- Never click on a link in an email from an unknown party
- Never download software unless you're sure of where it is from
- Never install/double-click on an unknown/unrequested or otherwise unverified installation file
- Never click on an image if you don't know where it came from
- And never, ever hand over your personal details into any application, website, or in response to any email unless you are completely and utterly certain you know and trust where it is from.
- Trust, but verify.
Most of all, don't panic. The Mac is a highly secure platform, but tricks like these are the biggest threat to happy computer use on any platform, not just Apple's.
Got a story? Drop me a line via Twitter or in comments below and let me know. I'd like it if you chose to follow me on Twitter so I can let you know when these items are published here first on Computerworld.

