A massive SEO poisoning attack has hit Google, targeting Windows and Mac users alike. From rather innocuous terms related to global warming, to hot topics like Osama bin Laden’s death, users are being hit with fake anti-virus programs, this time delivering payloads to users of Apple’s Mac OS X.
Strangely, when surfing to the compromised URLs you are first prompted with a JavaScript-based fake scanner that appears to show an infected Windows XP computer, even when surfing from a Mac.
When you click or close the fake scanner page you are prompted to download a .zip file onto your Mac with a filename like “BestMacAntivirus2011.mpkg.zip”.
Some of the downloads are a package installer that installs the fake software; others simply contain a ready-to-run Mac application.
In a social engineering trick similar to those we have seen in Windows fake scanners, it borrows its name from a legitimate website, MacDefender.
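To show how a download can be triaged on the two shapes described above (a zipped .mpkg installer versus a zipped ready-to-run .app, both under an anti-virus-sounding name), here is an added example that is not part of the original post or any Sophos product. The archives are constructed in memory for the demonstration; the name pattern and the bundle extensions are the only assumptions.

```python
import io
import re
import zipfile

# Names in the fake-AV style seen in this campaign (constructed list for the demo).
AV_WORDS = re.compile(r"(anti.?virus|anti.?malware|defender|security|protector)", re.I)


def build_zip(entries):
    """Build an in-memory zip from (path, content) pairs; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries:
            zf.writestr(path, content)
    return buf.getvalue()


def classify_download(filename, data):
    """Report what kind of Mac payload the zip carries and whether the name looks like fake AV.

    'installer' means a top-level .mpkg/.pkg (needs the user's admin password to install);
    'application' means a top-level .app bundle that can simply be double-clicked.
    """
    kinds = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            top = name.split("/", 1)[0]
            if top.endswith((".mpkg", ".pkg")):
                kinds.add("installer")
            elif top.endswith(".app"):
                kinds.add("application")
    return {
        "payload": sorted(kinds),
        # Only flag when an AV-sounding name is wrapped around an executable payload.
        "looks_like_fake_av": bool(kinds) and bool(AV_WORDS.search(filename)),
    }


# Constructed samples shaped like the downloads described in the post (no real malware).
SAMPLE_INSTALLER = build_zip([("BestMacAntivirus2011.mpkg/Contents/Info.plist", "<plist/>")])
SAMPLE_APP = build_zip([("MacDefender.app/Contents/MacOS/MacDefender", "\x00")])
SAMPLE_BENIGN = build_zip([("holiday/photo1.jpg", "\xff\xd8")])
```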
The scanner doesn’t actually touch the hard disk while “scanning”, although on a Mac it can be hard to know without a hard disk light.
It pretends to find some very important things that may have been compromised, such as the Terminal application and the standard Unix utility test, also known to Unix shell programmers as [.
It uses a lot of social engineering including redirecting your browser to rather offensive porn sites, although it does not appear they are doing this to make money, simply to imply that you are infected.
It also uses scare tactics like your credit card data being at risk. The reality is that your credit card is only at risk if you actually try to purchase the fake software.
Sophos customers using the Sophos Web Security Appliance and Sophos Live protection are protected against these threats.
Mac users with Sophos Anti-Virus for Mac are protected by the identities OSX/FakeAVZp-B and OSX/FakeAV-DMP. Windows users are protected against the Windows version known as Mal/FakeAV-FS.
Are you a Mac user? Why not download our free anti-virus for Mac OS X?
Great info. Thanks for posting this!
Just curious what would happen if you actually BUY the software? Will it remove the detections and delete those applications?
No
It will likely remain resident on your PC and occasionally require further paid updates. In addition it will probably start (invisibly) using your computer as a spam zombie.
One more thing – once you have divulged your credit card data for the purchase there is a good chance of this data being abused in the future.
Best not to buy therefore…
Was just curious. I don't have this virus and obviously I'm not going to buy it if it did install ;). But I was just curious what will actually happen if you paid for it.
Will I prevent infection if I turn off my PC during the JS fake scan?
Most often yes. It is possible for attacks that resemble these to infect your PC using vulnerabilities first, but more often they rely on the user to run the fake program.
Just as with Windows users, Mac users are infected by this trojan by installing this application. Mac users don't run as root so you'd have to authorize the install with a password. How does anti-malware software protect against social engineering? Answer: It doesn't. I'm a long time user of Windows, Mac and Linux systems and I've never had a virus or trojan, and I don't use AV. If you use your head, you really don't need anti-malware software, provided you don't routinely run with root privileges.
Many Apple users don't run as admin (none of my users do), but some do. I even had a couple on the Adobe forums who proudly proclaimed this fact.
You might need something to scan files such as Zips for malicious files contained within though. Users who boast about being AV-free make me laugh.
WAKE UP, APPLE USERS!!!! There is no such thing as airtight......
So with Sophos for Mac Home Edition it will be detected and blocked?
Yes, we detect both the fake JavaScript scanner and the payloads for Windows and Mac on all supported Sophos Anti-Virus platforms.
I was using Google Images and a tab opened in Firefox that looked like an anti-virus program. I exited out of the tab (and a pop-up came up asking me if I wanted to exit, and I said yes to get out of it). Sophos came up saying that there was a virus detected. I clicked clean up and it appears that the virus is gone. Is Sophos able to completely get rid of it or is there a chance the Mac I'm using is still infected?
It should be completely gone. What was detected was the website JavaScript; all it does is prompt you to download their fake anti-virus program. After that step, you would have had to actually download and install the software, then run it, then panic as it starts opening questionable websites, and finally click its link to pay them to clean up the mess. This version relies almost completely on social engineering to accomplish its task, which is to get you to give them your credit card information.
How do I get rid of it once it is on my computer? I haven't paid anything – realized it was fake right away but it keeps popping up?
Help, I'm infected!! How on earth do I get it to go away?!
This helped... thanks... I was worried and blocked my cards... never thought my Mac would be hacked... guess it's "MACKED"...
My daughter goofed and did an install on her Mac laptop. How do I uninstall it? It will not let me move the app to the trash because it is "running". Also when I open up the box to force quit, it does not appear as a running program to select.
I have just removed Mac Defender.
Go to the system settings. Open Accounts. Choose Startup Items. The Mac Defender is visible. Press – in the bottom corner. Save and restart your Mac. Go to the Applications folder and delete the "f.. Mac Defender from Finder".
Hope this will help
THANK YOU THANK YOU THANK YOU. I did this and I'm pretty sure it worked. My question now is 'how do I not get this in the future?' I can never go on google images again?
Ok just read this after being scammed. Is there any way to reverse the installation of MacDefender? FM
Downloaded the free Sophos anti-virus tool. Finally picked up all the bad JavaScript in the Java cache. It doesn't remove it, but you can manually delete it. Pulled up the System Analyzer utility. Gives you a similar display as Windows Task Manager. Did the force quit from there. Then was able to delete the Mac Defender. I think it is OK.
We think we have just got rid of it by doing the following:
Go to preferences, users, log in apps then on this final screen delete the mac defender.
Then re-start the computer, put the mac defender in the trash and then empty the trash.
So far so good, all seems to have disappeared and no further porn sites have popped up in google.
Good luck.
My Trend Smart anti-virus on my MacBook Pro has quarantined around 40 of these OSXFake files – can I just delete them as it can't clean the files – this has never happened to me before – and I have no idea.
Found another one called Best Mac Antivirus. I moved it to the trash from the downloads folder but it won't empty from the trash.
OMG, I was just on Google Images and all of a sudden something pops up, I quickly click it away and suddenly it's downloading something. Luckily I pressed stop downloading fast enough; is it gone now? I put it in the trash and I emptied the trash can, so how do I know I really deleted it and it's not on my MacBook anymore?
I did the same thing but I didn't do it fast enough; it just downloads but it isn't able to install, so it's OK.
I have no trace of the attack on my PC.
btw, mine was called anti-malware or something
As usual, the weakest link of the Apple system is the user itself. Windows, on the other hand, gets viruses through vulnerabilities in the OS itself without user interaction.
I hate to say that I'm happy to see MAC users getting malware… but.. in a way.. it makes me all giddy inside knowing that at least some of these people bought a MAC because they fell for the "you don't have to worry about antivirus/malware" line. Anyone want to buy oceanfront property in Arizona? 🙂
Ooh, yes please, as long as it is near the ski resorts too.
Mac owners seem to have an opinion that His Holiness Steve Jobs is some form of deity, and their Macs are a spiritual gift from him. How many Windows phones or BlackBerries need to have free-issue condoms so you can use them?
Their products are over-rated and overpriced (a bit like oceanfront property in Arizona).
So you take pleasure in other people's pain? You are an idiot.
So you like it when people have pain. What does that tell me about Windows users?
OK, so how do I get rid of OSX/Fake AV – DPU and Troj/JavBz – N and O??? More than 30 of them downloaded in an instant while I was on Google Mail today. Please help!!!
If you're using the free Mac anti-virus product from Sophos, please visit our support community at http://openforum.sophos.com/macav for assistance.
Thanks !!!
I appear to have Troj/Bredo-OF on my Mac. I have manually deleted the cause, but SOPHOS still detects it, even though the files have gone. IS this real?
Bredo is usually an email attachment threat. It is possible we are detecting it in your mail file in the original email that you received it from. If you need help, visit the Sophos Mac Forum at http://openforum.sophos.com/t5/Sophos-Anti-Virus-…
I am new to Apple (1st notebook & iPhone) though I have plenty of PC & Windows experience (from the beginning); never got any viruses etc. other than the generic junk a routine scan clears up, though it could be time consuming, especially when running lots of apps & responsible for a large department network. Somehow – while idiot ISPs tried to integrate my Time Capsule (this was early 2011), something got in; not a virus, as I have always had Norton, but a bot that was interested in my pristine Mac, loaded with RAM & memory. Started noticing traffic OUT, ever increasing. Eventually took over root (bought extended warranty & it was wiped clean & reloaded once I got to the supervisor at the Genius Bar). Before I picked it up, the iPhone started acting odd & the SIMM card was disabled (there is very little protection for iPhones & iPads – Norton JUST came out with home versions). No credit card or bank compromises, but between the notebook & then the cloud on the iPhone it has been a very unpleasant experience. Will buy my own routers from now on. Both Comcast & AT&T (& Apple) are trying to ignore it. But there are an increasing number of articles, several replaying my scenario. 2013 may be an unpleasant year for Apple as the bots are out there, are nasty & increasing rapidly as so many users think they are immune. Home users are really at risk if relying on their ISP & Apple.
Remember, Firewalls are configured to keep threats out…
There are several varieties of botnet that currently avoid detection by loading before the OS by modifying firmware and programmable controllers. If you can flash it, so can a rootkit. The modified firmware owns your network adapter before your BIOS is loaded... even before the MBR is accessed.
Removal is virtually impossible, containment IS difficult but possible…
If your virus / malware software is always coming up with 0 threats…. you have a problem.
Drives MUST be scanned from machines that are clean with working anti-virus software... which poses the possibility of infection to the clean machine...
What is even more frightening is when your PC, Linux box and router all fall because of a Bluetooth device or a USB stick... or a CF card from... or because someone connects to your wifi router because you didn't change the default password...