Mac users hit with fake anti-virus when using Google image search

Filed Under: Apple, Malware, OS X

A massive SEO poisoning attack has hit Google, targeting Windows and Mac users alike. From rather innocuous terms related to global warming, to hot topics like Osama bin Laden's death, users are being hit with fake anti-virus programs, this time delivering payloads to users of Apple's Mac OS X.

JavaScript Fake AV scanner

Strangely, when surfing to the compromised URLs you are first prompted with a JavaScript-based fake scanner that appears to show an infected Windows XP computer, even when surfing from a Mac.

When you click or close the fake scanner page you are prompted to download a .zip file onto your Mac with a filename like "BestMacAntivirus2011.mpkg.zip".

Some of the downloads are a package installer that installs the fake software; others simply contain a ready-to-run Mac application.
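The two download shapes described above (a package installer wrapped in a zip, or a zip that holds a ready-to-run application bundle) can be triaged before anything is opened. The following is an added example, not Sophos code and not the detection used by the products mentioned later in the article: it flags zip file names that hide a package behind a second extension, and it inspects the archive's contents for .app/.mpkg/.pkg bundles and for Mach-O executables. The three archives at the bottom are constructed in memory so the script runs offline.

```python
"""Inspect a downloaded .zip for Mac installer/app bundles and Mach-O binaries.

Added example (not Sophos code): a download-time triage check in the spirit
of the article's "BestMacAntivirus2011.mpkg.zip" payload. The sample archives
at the bottom are constructed in memory so the script runs offline.
"""
import io
import re
import zipfile

# Mach-O magic numbers (32/64-bit, both byte orders) plus the fat/universal
# header. Caveat: 0xCAFEBABE is also the Java class-file magic, so a .class
# file inside a zip would match that last entry.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe",                       # FAT_MAGIC
}
# A path component ending in .app/.mpkg/.pkg is an app bundle or installer.
BUNDLE_RE = re.compile(r"(^|/)[^/]+\.(app|mpkg|pkg)(/|$)", re.IGNORECASE)
# "Something.mpkg.zip": an installer package wrapped in a zip for download.
DOUBLE_EXT_RE = re.compile(r"\.(app|mpkg|pkg)\.zip$", re.IGNORECASE)


def suspicious_filename(name: str) -> bool:
    """True for names like 'BestMacAntivirus2011.mpkg.zip'."""
    return DOUBLE_EXT_RE.search(name) is not None


def inspect_zip(data: bytes) -> dict:
    """Return the bundles, Mach-O executables and a verdict for a zip's contents."""
    bundles, mach_o = set(), []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            m = BUNDLE_RE.search(info.filename)
            if m:
                # Keep the path up to and including the bundle name itself.
                bundles.add(info.filename[: m.end(2)])
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                if fh.read(4) in MACHO_MAGICS:
                    mach_o.append(info.filename)
    if bundles and mach_o:
        verdict = "executable bundle"
    elif bundles:
        verdict = "installer package"
    else:
        verdict = "clean"
    return {"bundles": sorted(bundles), "mach_o": mach_o, "verdict": verdict}


def _build_sample(entries) -> bytes:
    """Build an in-memory zip from (name, bytes) pairs; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-ins for the two download kinds the article describes.
# The 64-bit little-endian Mach-O magic followed by zero padding is enough
# for the header check; it is not a real executable.
FAKE_AV_APP_ZIP = _build_sample([
    ("MacDefender.app/Contents/Info.plist", b"<plist/>"),
    ("MacDefender.app/Contents/MacOS/MacDefender", b"\xcf\xfa\xed\xfe" + b"\0" * 28),
])
FAKE_AV_PKG_ZIP = _build_sample([
    ("BestMacAntivirus2011.mpkg/Contents/distribution.dist", b"<installer-gui-script/>"),
])
BENIGN_ZIP = _build_sample([("holiday/photo.jpg", b"\xff\xd8\xff\xe0")])

if __name__ == "__main__":
    print("BestMacAntivirus2011.mpkg.zip suspicious name:",
          suspicious_filename("BestMacAntivirus2011.mpkg.zip"))
    for label, blob in [("app zip", FAKE_AV_APP_ZIP),
                        ("pkg zip", FAKE_AV_PKG_ZIP),
                        ("benign zip", BENIGN_ZIP)]:
        print(label, inspect_zip(blob))
```

The magic-number check only says "this archive carries native code", not that the code is malicious; a zipped legitimate application would trip it too. Its value is as a gate: a zip that arrived from an image-search redirect and contains a bundle is a download that deserves a second look before it is opened, whatever it is called.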

Fake AV for Mac installer/download

In a social engineering trick similar to the ones we have seen in Windows fake scanners, it borrows its name from a legitimate website, MacDefender.

The scanner doesn't actually touch the hard disk while "scanning", although on a Mac it can be hard to know without a hard disk light.

It pretends to find some very important things that may have been compromised, such as the Terminal application and the standard Unix utility test (the command Unix shell programmers also know as [).

Mac fake scan results

Credit card at risk warning

It uses a lot of social engineering, including redirecting your browser to rather offensive porn sites, although it does not appear they are doing this to make money, simply to imply that you are infected.

It also uses scare tactics like your credit card data being at risk. The reality is that your credit card is only at risk if you actually try to purchase the fake software.

Buy fake Mac AV

Sophos customers using the Sophos Web Security Appliance and Sophos Live protection are protected against these threats.

Mac users with Sophos Anti-Virus for Mac are protected by the identities OSX/FakeAVZp-B and OSX/FakeAV-DMP. Windows users are protected against the Windows version known as Mal/FakeAV-FS.

Are you a Mac user? Why not download our free anti-virus for Mac OS X?


40 Responses to Mac users hit with fake anti-virus when using Google image search

  1. EducatedMacUser · 1271 days ago

    Great info. Thanks for posting this!

  2. Tyw7 · 1271 days ago

    Just curious what would happen if you actually BUY the software? Will it remove the detections and delete those applications?

    • DontBuyIt · 1269 days ago

      No

      It will likely remain resident on your PC and occasionally require further paid updates. In addition it will probably start (invisibly) using your computer as a spam zombie.

      One more thing - once you have divulged your credit card data for the purchase there is a good chance of this data being abused in the future.

      Best not to buy therefore...

      • Was just curious. I don't have this virus and obviously I'm not going to buy it if it did installed ;). But I was just curious what will actually happen if you paid for it.

  3. Jerry · 1271 days ago

    Will I prevent infection if I turn off my PC during the JS fake scan?

    • Chester Wisniewski · 1271 days ago

      Most often yes. It is possible for attacks that resemble these to infect your PC using vulnerabilities first, but more often they rely on the user to run the fake program.

  4. spookie · 1271 days ago

    Just as with Windows users, Mac users are infected by this trojan by installing this application. Mac users don't run as root so you'd have to authorize the install with a password. How does anti-malware software protect against social engineering? Answer: It doesn't. I'm a long time user of Windows, Mac and Linux systems and I've never had a virus or trojan, and I don't use AV. If you use your head, you really don't need anti-malware software, provided you don't routinely run with root privileges.

    • truffy · 1248 days ago

      Many Apple users don't run as admin (none of my users do), but some do. I even had a couple on the Adobe forums who proudly proclaimed this fact.

    • user · 1245 days ago

      You might need something to scan files such as Zips for malicious files contained within though. Users who boast about being AV-free make me laugh.

  5. Agent 20904 · 1271 days ago

    WAKE UP APPLE USERS!!!! there is no such thing as air tight......

  6. desertfool · 1271 days ago

    So with Sophos for Mac Home Edition it will be detected and blocked?

    • Chester Wisniewski · 1271 days ago

      Yes, we detect both the fake JavaScript scanner and the payloads for Windows and Mac on all supported Sophos Anti-Virus platforms.

  7. Confused · 1270 days ago

    I was using Google Images and a tab opened in Firefox that looked like an anti-virus program. I exited out of the tab (and a pop-up came up asking me if I wanted to exit, and I said yes to get out of it). Sophos came up saying that there was a virus detected. I clicked clean up and it appears that the virus is gone. Is Sophos able to completely get rid of it or is there a chance the Mac I'm using is still infected?

    • Andrew Ludgate · 1270 days ago

      It should be completely gone. What was detected was the website javascript; all it does is prompts you to download their Fake Antivirus program. After that step, you would have had to actually download and install the software, then run it, then panic as it starts opening questionable websites, and finally click its link to pay them to clean up the mess. This version relies almost completely on social engineering to accomplish its task, which is to get you to give them your credit card information.

  8. Carla Williams · 1270 days ago

    How do I get rid of it once it is on my computer? I haven't paid anything - realized it was fake right away but it keeps popping up?

  9. Beth · 1270 days ago

    Help, I'm infected!! How on earth do I get it to go away?!

    • VIKRAM ARAB · 1254 days ago

      this helped ..thanks...i was worried and blocked my cards..never thought my mac wud be hacked...guess its "MACKED"...

  10. Don · 1270 days ago

    My daughter goofed and did an install on her Mac Laptop. How do I uninstall it? It will not let me move the app to the trash because it is "running". Also when I open up the box to force quit, it does not appear as a running program to select.

    • Harald · 1270 days ago

      I have just removed Mac Defender.

      Go to the system settings. Open Accounts. Choose Login Items. The Mac Defender is visible. Press - in the bottom corner. Save and restart your Mac. Go to the Applications folder and delete the "f.. Mac Defender" from Finder.

      Hope this will help

      • Elizebeth · 1253 days ago

        THANK YOU THANK YOU THANK YOU. I did this and I'm pretty sure it worked. My question now is 'how do I not get this in the future?' I can never go on google images again?

  11. FM1 · 1270 days ago

    Ok just read this after being scammed. Is there any way to reverse the installation of MacDefender? FM

  12. Attila · 1270 days ago

    Downloaded the free Sophos anti-virus tool. Finally picked up all the bad javascript in the java cache. It doesn't remove but you can manually delete it. Pulled up the System analyzer utility. Gives you a similar display as Windows Task Manager. Did the force quit from there. Then was able to delete the Mac Defender. I think it is OK.

  13. Martin · 1270 days ago

    We think we have just got rid of it by doing the following;
    Go to preferences, users, log in apps then on this final screen delete the mac defender.
    Then re-start the computer, put the mac defender in the trash and then empty the trash.
    So far so good, all seems to have disappeared and no further porn sites have popped up in google.
    Good luck.
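The manual check that Harald and Martin describe (System Preferences > Accounts > Login Items, remove the entry, then restart and trash the application) can be scripted for the login items list. The following is an added example, not code from Sophos or from the commenters. It assumes the login items layout used by Mac OS X releases of that era, ~/Library/Preferences/com.apple.loginitems.plist with a SessionItems > CustomListItems array whose entries carry a Name; the plist embedded below is constructed for the demonstration, and the watchlist holds only the names reported on this page.

```python
"""Audit Mac OS X login items for an unexpected entry such as "MacDefender".

Added example, not from the article or Sophos. Assumes the pre-10.10 layout of
~/Library/Preferences/com.apple.loginitems.plist (SessionItems ->
CustomListItems, each item with a Name). SAMPLE_PLIST is constructed.
"""
import os
import plistlib

LOGIN_ITEMS_PLIST = "~/Library/Preferences/com.apple.loginitems.plist"  # assumed path

# Names this page's article and comments report for the family (lower-cased).
WATCHLIST = {"macdefender", "mac defender", "best mac antivirus", "bestmacantivirus"}


def login_item_names(plist_bytes: bytes) -> list:
    """Return the Name of every custom login item in the plist, in list order."""
    root = plistlib.loads(plist_bytes)
    items = root.get("SessionItems", {}).get("CustomListItems", [])
    return [item.get("Name", "") for item in items]


def audit_login_items(plist_bytes: bytes, allowlist) -> dict:
    """Split login items into known-good, watchlisted, and unknown entries.

    'flagged' matches the watchlist; 'unknown' is anything else not on the
    caller's allowlist. Unknown entries are not verdicts, just review items.
    """
    names = login_item_names(plist_bytes)
    flagged = [n for n in names if n.lower() in WATCHLIST]
    unknown = [n for n in names if n not in allowlist and n not in flagged]
    return {"items": names, "flagged": flagged, "unknown": unknown}


def audit_current_user(allowlist) -> dict:
    """Audit the running user's login items; empty result if the file is absent."""
    path = os.path.expanduser(LOGIN_ITEMS_PLIST)
    if not os.path.exists(path):
        return {"items": [], "flagged": [], "unknown": []}
    with open(path, "rb") as fh:
        return audit_login_items(fh.read(), allowlist)


# Constructed sample: one legitimate helper and the fake AV's login item.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>SessionItems</key>
  <dict>
    <key>CustomListItems</key>
    <array>
      <dict><key>Name</key><string>iTunesHelper</string><key>Alias</key><data>AAAA</data></dict>
      <dict><key>Name</key><string>MacDefender</string><key>Alias</key><data>AAAA</data></dict>
      <dict><key>Name</key><string>Dropbox</string><key>Alias</key><data>AAAA</data></dict>
    </array>
  </dict>
</dict>
</plist>
"""

if __name__ == "__main__":
    # Allowlist of helpers the owner recognises; anything else is reported.
    print(audit_login_items(SAMPLE_PLIST, allowlist={"iTunesHelper"}))
```

Removing the entry from the plist is deliberately left to System Preferences, as in the comments above: the script only tells you what is set to start at login, which is the question people in this thread are asking. Because the sample was installed with the user's own password, the persistence lives in that user's login items rather than anywhere privileged, which is why the Accounts pane is enough to find it.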

  14. Ellen · 1252 days ago

    My trend smart anti virus on macbook pro has quarantined around 40 of these OSXFake files - can I just delete them as it cant clean the files - this has never happened to me before - and I have no idea

  15. Gordon · 1249 days ago

    Found another one called Best Mac Antivirus. I moved it to the trash from the downloads folder but it won't empty from the trash.

  16. OMG I was like just on google images and all of a sudden something pops up, I quickly click it away and suddenly it's downloading something. Luckily I pressed stop downloading fast enough, is it gone now? I put it in the trash and I like cleaned the trash bin, so how do I know I really deleted it and it's not on my macbook anymore?

    • I did the same thing but I didn't do it fast enough, it just downloads but it isn't able to install so it's ok.

      I have no trace of the attack on my pc

  17. btw, mine was called anti-malware or something

  18. mt50f1 · 1248 days ago

    As usual, the weakest link of the Apple system is the user itself. Windows, on the other hand, gets viruses through vulnerabilities in the OS itself without user interaction.

  19. Danny · 1248 days ago

    I hate to say that I'm happy to see MAC users getting malware... but.. in a way.. it makes me all giddy inside knowing that at least some of these people bought a MAC because they fell for the "you don't have to worry about antivirus/malware" line. Anyone want to buy oceanfront property in Arizona? :)

    • daz · 1245 days ago

      Ooh, yes please, as long as it is near the ski resorts too.
      Mac owners seem to have an opinion that His holiness Steve Jobs is some form of deity, and their Macs are a spiritual gift from him. How many windows phones or Blackberries need to have free issue condoms so you can use them?
      Their products are over-rated and over priced. (a bit like ocean front property in Arizona).

    • Danny Dumper · 1233 days ago

      So you take pleasure in other people's pain? You are an idiot.

    • WinMacLinuxUser · 1057 days ago

      So you like it when people have pain. What does that tell me about Windows users?

  20. Dick · 1246 days ago

    OK, so how do I get rid of OSX/Fake AV - DPU and Troj/JavBz - N and O??? More than 30 of them downloaded in an instant while I was on Google Mail today. Please help!!!

  21. Leo · 1092 days ago

    Thanks !!!

  22. Ron · 885 days ago

    I appear to have Troj/Bredo-OF on my Mac. I have manually deleted the cause, but SOPHOS still detects it, even though the files have gone. Is this real?

  23. LindaClaudine · 673 days ago

    I am new to Apple (1st notebook & iPhone) tho plenty of PC & windows experience (from beginning); never got any viruses etc other than the generic junk a routine scan clears up though it could be time consuming especially when running lots of apps & responsible for a large dept network. Somehow - while idiot ISP's tried to integrate my time capsule (this was early 2011), something got in; not a virus as always have had Norton, but a bot that was interested in my pristine Mac, loaded with RAM & memory. Started noticing traffic OUT, ever increasing. Eventually took over root (bought extended warranty & was wiped clean & reloaded once I got to the supervisor at Genius Bar). Before I picked it up, iPhone started acting odd & SIMM card was disabled (there is very little protection for iPhones & Pads - Norton JUST came out with home versions.) No credit card or bank compromises, but between note book & then cloud on iPhone has been very unpleasant experience. Will buy my own routers from now on. Both Comcast & AT&T (& Apple) are trying to ignore. But there are an increasing number of articles, several replaying my scenario. 2013 may be an unpleasant year for Apple as the bots are out there, are nasty & increasing rapidly as so many users think they are immune. Home users are really at risk if relying on their ISP & Apple.

    • NoamSain · 603 days ago

      Remember, Firewalls are configured to keep threats out...

      There are several varieties of botnet that currently avoid detection by loading before the OS by modifying firmware and programmable controllers. If you can flash it, so can a rootkit. The modified firmware owns your network adapter before your bios is loaded... even MBR is accessed.

      Removal is virtually impossible, containment IS difficult but possible...

      If your virus / malware software is always coming up with 0 threats.... you have a problem.

      Drives MUST be scanned from machines that are clean with working Antivirus Software... which poses the possibility of infection to the clean machine...

      What is even more frightening is when your pc, linux box and router all fall because a bluetooth device or a usb stick... or a CF card from... or because someone connects to your wifi router because you didn't change the default password...


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.