Hi Mac Users!
This weekend, I was doing a Google image search looking for butterfly icons (don’t ask). I found an image I liked on Google image search and clicked on it. With just this one simple click, I was able to experience how this new Mac malware tried to infect my computer. I documented it just for you, my loyal readers.
Here is my initial Google image search for “Butterfly”. I found the icon I wanted and clicked on it.
I also noticed that a file called “anti-malware.zip” downloaded to my Downloads folder without any action from me besides clicking on that butterfly icon. After the “virus scan” on my Mac, the web page looked like this.
Notice how the web page is designed to look like a Finder window, complete with the sidebar. Clicking anywhere on this web page downloaded the “anti-malware.zip” file. After I was done playing with this page by clicking around it, I had downloaded the zip file ten times.
So, pretty interesting, huh? In Safari, I don’t have it opening “Safe” files after download, so the infected web page just kept downloading the “anti-malware.zip” file whenever I visited this web page. That is all I needed to do to keep me safe. I went ahead and clicked on the file and instead of MACDefender, the software it wanted to install was “Mac Protector”. I found another piece of malware!
Even though I happened across this trickery, I just deleted the malware and moved on. Here is the thinking that stopped this malware in its tracks.
- Turn off “Open safe files after downloading”. You can do this by going to your Safari preferences and unchecking that box in the General preferences. After you turn it off, items you download from the Internet will go into your “Downloads” folder (or whatever folder you told Safari to download files to) and you will have to manually double-click on them to open them. Firefox users are always asked what to do when a file is going to be downloaded from a web page.
- Don’t trust the Internet! It doesn’t matter what you do, the Internet is not safe and it is not private. As soon as the web page started “scanning” my computer, I knew it was a hoax. First off, it was a web page and it started accessing my computer without any warning. A legitimate website would at least ask my permission.
- Be mindful of what you are downloading and what is being installed on your Mac. The Mac will not just install software without you initiating it or confirming it. If I had Safari opening safe files, the malware “Mac Protector” would have tried to install. I would have been presented with the first step and just quit the installation.
Hopefully, these screenshots and my words will increase your knowledge and help you recognize these kinds of threats. We may be seeing more.
– Jason
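A quick triage of the signs this post describes, as an added example that is not part of the original post: it counts copies of the pushed archive in Downloads, looks for the installed rogue app, and reads Safari's auto-open setting. The `.app` bundle names, the default paths and the `AutoOpenSafeDownloads` preference key are assumptions not stated on the page.

```shell
#!/bin/sh
# Added example: triage for the fake-scanner download described in this post.
# "anti-malware.zip" and the product names come from the post; the ".app"
# suffix, default paths and the Safari preference key are assumptions.

# Count copies of the pushed archive (anti-malware.zip, anti-malware-1.zip, ...).
count_dropped_archives() {
    n=0
    for f in "$1"/anti-malware*.zip; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Print the rogue app bundles present in an applications directory.
find_rogue_apps() {
    for name in MacProtector MacDefender; do
        if [ -d "$1/$name.app" ]; then echo "$name.app"; fi
    done
    return 0
}

# Report Safari's "Open safe files after downloading" state: on, off or unknown.
# "unknown" covers non-macOS hosts and cases where the preference cannot be read.
safari_auto_open() {
    command -v defaults >/dev/null 2>&1 || { echo unknown; return 0; }
    v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null) \
        || { echo unknown; return 0; }
    case $v in
        1|true|YES) echo on ;;
        0|false|NO) echo off ;;
        *) echo unknown ;;
    esac
}

# Run all three checks; returns 1 only when an installed rogue app is found.
triage() {
    downloads=${1:-$HOME/Downloads}
    apps=${2:-/Applications}
    echo "Safari auto-opens 'safe' downloads: $(safari_auto_open)"
    echo "Copies of anti-malware*.zip in $downloads: $(count_dropped_archives "$downloads")"
    rogue=$(find_rogue_apps "$apps")
    if [ -n "$rogue" ]; then
        echo "Rogue app installed in $apps: $rogue"
        return 1
    fi
    echo "No MacProtector/MacDefender bundle in $apps"
}

triage "$@"
```

Downloaded archives alone mean the page pushed the file; only a bundle in the applications folder indicates the installer was actually run.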
Thank you, sir!
Jason comes through again. Thank you so much for your help and concern.
Thanks Jason, I unchecked.
Always good advice from Jason. This is also the best place to have your Mac serviced in Reno.
So if I already made the mistake of opening that Mac Protector program, how do I get rid of it? When I tried to drag it to the trash from my applications folder I get the message that the program cannot be trashed because it is still running…..ugh
Hi Paul,
Take a look at the bottom of this web page, it has a good step by step on manually removing the malware:
http://www.bleepingcomputer.com/virus-removal/remove-mac-protector
Thanks, jason. I’ll check it out when I get back.
Jim
My mom got sucked into this and called me all frantic that her iMac had a “virus” and was flashing all these warnings and bringing up pr0n in Safari…Googled myself right to this page. Thanks for the detailed description.
So clearly a bogus malware scam but obviously preys on the naivete and fear of everyday people like my mom to just go clicking on everything. She was one step away from giving up her CC info to buy the disinfector before she called me. **sheesh**
Well, I wish I had known about you Jason, because exactly what you described has happened to me. In fact for the past 2 wks I’ve been downloading google pics for a college class, and that’s where I went wrong. I called tech support while it was happening b/c although I’m not as tech savvy as others, I didn’t believe this is how Apple would inform me of a virus. Very deceptive way to infect, the screen used “Apple Security” and other familiar Apple terms to make me think it was Apple. I don’t know if anything actually downloaded, but I did catch the “Mac Protection” just starting to download and it let me stop it. Then I moved it to my trash and deleted it. Do you think that’s it? Or should I check somewhere else. I was advised by tech support to maybe purchase another security package. I need some advice!!! This is my first laptop. Thanking you in advance.
Hello…
You would know if it was installed. It would constantly be popping up warnings and Safari would be going to porn sites instead of the sites you are trying to go to. Since you were able to stop the download, it wasn’t installed. If you did install it, there would be a MacProtector or MacDefender application in your Applications folder, and again, Safari would be going to some hardcore porn sites and there would be a lot of windows telling you to register MacProtector or MacDefender. Intego was the first to post about this and they do offer their VirusBarrier software that would catch this malware. If you use any security software, make sure you keep it up to date.
Keith, I wholeheartedly agree with you about preying on the naiveté and fear of everyday users, especially Mac users that haven’t been exposed to this kind of thing. The people behind this are criminals trying to steal money.
Thanks Jason for the warning!!! You always take care of your customers.
Jason –
The same exact thing happened to me (minus the whole butterfly thing) except that I wasn’t on google but a sports site. Luckily, I was able to stop the download and close the pop-up window that appeared. I moved the attempted download to my Trash and emptied it, but is there anything else I need to do to ensure that this malware has not infected my mac?
Hi Sara. As long as you didn’t go through installing the program, you are ok. If you had installed it, you would be seeing pop-ups telling you to register the software and Safari would be bringing up porn websites.
JASON: Thanks for all your help. My MacBook Pro got infected while I was doing some work in Safari. I followed your suggested link and removed the mac protector like a charm. Thanks for a job well done.
It just happened to me while checking a plane fare at Travelocity! The computer (Mac Mini) seems to be okay.
Hi Jason: This is really interesting! I’ve learned too that viruses can come from any website! AVG is about the best protection anyone can use. I’m thinking of getting a mac at some point. I enjoy my computer but it does not have a lot of drive left. I still have a Gateway that works after all these years as a backup 😉 pretty cool! Computers can be awesome just you really have to watch what you download, lol!! Thanks for the info really helps. Have a great Memorial Day weekend looks like we are in for nice weather 🙂