More Mac malware - top tips for avoiding infection

Filed Under: Apple, Malware

More Mac scareware appeared overnight, with the cybercrooks following the same sort of strategy which has worked so well on Windows: regularly change the look and feel of the fake anti-virus software; use legitimate-sounding brand names (or steal genuine product names); stick to a price-point between $50 and $100; keep the fear factor high; but keep the core programming very similar so development costs are negligible.

Scareware, or fake anti-virus, is fake security software which pretends to find dangerous security threats - such as viruses - on your computer. The initial scan is free, but if you want to clean up the fraudulently-reported "threats", you need to pay.

Once you've paid, the scareware stops lying to you about the non-existent threats, as though it really did clean them up. This means that many victims of this sort of fraud don't even realise they've been duped. Until next time.

These latest OS X scareware variants come from the MacDefender stable, though they identify themselves during startup as Mac Shield:

Once activated, the software pretends to look through your files, pretends to find malware, and invites you to clean up:

But the cleanup isn't free - you're required to register:

Registration means payment. The minimum you can get away with is $59.95. But for just $40 more, you can get a lifetime software licence and lifetime support - which would be a good deal, were it not for the fact that the software is completely fraudulent, that the "lifetime" of the software ends tomorrow when the crooks move on to the next bogus brand name, and that there's nothing to support, since there was no malware in the first place.

You even get a 30-day money back guarantee. Good luck claiming it.

Here are some top anti-scareware tips for Apple users:

* If you use Safari, turn OFF the "Open 'safe' files after downloading" option (in Safari's General preferences). This stops files such as the ZIP-based installers favoured by scareware authors from running automatically if you accidentally click their links.

* Don't rely on Apple's built-in XProtect malware detector. It's better than nothing, but it only detects viruses using basic techniques, and under a limited set of conditions. For example, malware on a USB key would go unnoticed, as would malware already on your Mac. And it only updates once in 24 hours, which probably isn't enough any more.

* Install genuine anti-virus software. Ironically, the Apple App Store is a bad place to look - any anti-virus sold via the App Store is required by Apple's rules to exclude the kernel-based filtering component (known as a real-time or on-access scanner) needed for reliable virus prevention.

* Religiously refuse any anti-malware software which offers a free scan but forces you to pay for cleanup. Reputable brands don't do this - an anti-virus evaluation should let you try out detection and disinfection before you buy.
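As an added example (not part of the original post), a small audit script for the first tip above. It assumes the Safari setting is stored in the com.apple.Safari preference domain under the key AutoOpenSafeDownloads, and that an absent key means Safari's default, which is ON; the function and script names are mine.

```shell
#!/bin/sh
# Added helper, not from the original post: reports whether Safari's
# "Open 'safe' files after downloading" option is on, and can turn it off.
# Assumption: the option lives at com.apple.Safari / AutoOpenSafeDownloads
# and an unset key means Safari's default (enabled).

# Map the raw value printed by `defaults read` to a verdict.
# Argument: "1"/"true" (enabled), "0"/"false" (disabled), or "" (key unset).
classify_auto_open() {
  case "$1" in
    1|true|TRUE|yes|YES)   echo "ENABLED";;
    0|false|FALSE|no|NO)   echo "DISABLED";;
    "")                    echo "ENABLED";;   # unset: Safari default is ON
    *)                     echo "UNKNOWN";;
  esac
}

# Read the live value on a Mac; prints nothing if the key was never written
# (or if `defaults` is unavailable, e.g. when run on another OS).
read_auto_open_value() {
  defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true
}

# Turn the option off; equivalent to unticking it in Safari's General preferences.
disable_auto_open() {
  defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
}

main() {
  verdict=$(classify_auto_open "$(read_auto_open_value)")
  echo "Safari AutoOpenSafeDownloads: $verdict"
  if [ "$verdict" != "DISABLED" ]; then
    echo "Recommendation: run disable_auto_open (or untick the option) and restart Safari."
  fi
}

main "$@"
```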

In a recent Sophos poll, 89% of respondents said they'd recommend their Mac-owning friends and family to use anti-virus software. Why not take their advice, and get Sophos Anti-Virus for Mac Home Edition today?

Download Sophos Anti-Virus for Mac Home Edition

It's free - no registration, no signup, and no password needed. It detects, prevents and cleans up malware infections.

Note: the Mac Shield scareware described here was detected proactively by Sophos Anti-Virus as OSX/FakeAV-DWN. Apple subsequently added detection to the XProtect system, using the name "OSX.MacDefender.F".


5 Responses to More Mac malware - top tips for avoiding infection

  1. Lety F · 1183 days ago

    I downloaded Sophos antivirus... I feel safer, and made my son download it too. Thanks!

  2. Bonnryder · 1182 days ago

    I use Sophos on Windows machines at work and it does a great job. The only Apple I own is an iPad 2, which I think is a great business tool. I do feel naked without AV though. Please, someone, rescue us iPad users from our vulnerable state.

    I don't even use Linux without AV.....

    • Paul Ducklin · 1182 days ago

      A proper iPad anti-virus is rather a tricky proposition. As third-party software developers, we are forced to play only inside Apple's "walled garden" - we can't even see all the files on your system, and we can't use unauthorised tricks to do so. On the other hand, the bad guys can do both, since they aren't playing by the rules.

      It's very hard to be innovative and proactive in that sort of environment. I can see why Apple doesn't want every developer fiddling in the filesystem and the kernel - and the producers of software such as games and lifestyle utilities generally don't need to. So the restrictions make sense _as a starting point_.

      But making them an ending point for all developers is Apple saying, "Trust us! We can exceed your needs in terms of the security of the underlying device and infrastructure, so you don't need help from anyone else!"

      (iOS 5 beta - jailbroken in under 24 hours, heigh ho :-)

      Here's hoping Apple opens up the kimono a little. Microsoft did so, years ago - instead of trying to keep independent software vendors out of the kernel, they set some standards and helped those who needed to do that sort of coding to do it better. That, IMO, did no harm to MS's business - indeed, it actually helped them.

      Strange irony that bad old Microsoft, with their naughty closed-source OS, is now considerably more open to developers than both Google and Apple, whose OSes are effectively open source plus a load of closed-source lock-down components :-)

  3. Glenn · 1176 days ago

    At work we pay a fortune for protection with Sophos; it is well worth it.
    I have a Mac and Sophos was offered free. It is a fantastic bit of kit.

    Thank you Sophos, I feel secure

  4. These are truly great tips in avoiding malware infection. A lot of readers are surely grateful for this informative post. Thank you for sharing.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog