Apple Delivers MacDefender Removal Tool

Apple has delivered its MacDefender removal tool in its latest security update, so that Apple users can now detect and remove fake antivirus from Mac OS X based systems.

The OSX.MacDefender.A definition was added to the quarantine list in Apple’s Security Update 2011-003, released 31 May. Once the update has been installed, the system will search for and remove known variants for the MacDefender malware, including MacDefender, MacProtector, MacSecurity and MacGuard. If a known variant was found and deleted, the user will be notified via an alert after the update finishes installation.

After almost three weeks of near-silence as fake antivirus programs targeting Mac OS X first emerged in early May, Apple acknowledged the problem and provided instructions on how to manually remove scareware in a support note on 24 May.

Removal Tool

The company also promised an automatic malicious software removal tool, which was included in this security update.

Beginning with Snow Leopard, Apple included a way to block “unsafe file types” and malicious software via its File Quarantine feature. When the user opens or downloads a file, the system quickly checks the list of known malicious software to determine if it the file contains known malicious software, according to a support note. Up until now, the list was stored locally and updated infrequently.

With the latest update, Apple has added an auto-update capability that runs in the background. The system will check daily for updates to the File Quarantine malware definition list. Users can opt-out of the scan by un-checking the “Automatically update safe downloads list” option in Security Preferences.

Even if the user didn’t have MacDefender installed initially, File Quarantine will kick in and block the program from being downloaded if the user happens to come across it at a later time. Considering that fake AV scams tend to change their names and user interface almost continuously, Apple will have to regularly update File Quarantine to ensure it stays ahead of future MacDefender variants.

Virus Scareware

The scam has been pretty widespread, with poisoned links appearing on Google image searches and other legitimate pages, although it appears that Google has been able to track down and remove a number of malicious links. ZDNet’s Ed Bott estimated that the total number of customers affected could be between 60,000 and 125,000, “and growing.”

When users the stumble upon MacDefender rogue sites, their computers display a window that resembles a Finder window that claims to be “scanning” their system. Then the site warns users that their Macs have been infected and they should download an antivirus scanner to clean the infection. The scareware also launches pop-up windows with adult content ads every few minutes to perpetuate the impression that the user has been infected. Users are scammed into providing a credit card number to purchase the antivirus software.

There are several variants currently in circulation, with names such as MacDefender, MacProtector, MacSecurity and Apple Security Center. MacGuard was a late addition and was able to install itself onto the Mac without requiring the user to enter an administrator password. MacGuard exploited the “Open ‘safe’ files after downloading” option in Safari, which allowed the program to run automatically without any user interaction.

Apple made a “poor decision” by enabling this option by default and should consider turning it off in future versions, said Graham Cluley, senior technology consultant at Sophos. Apple did not address Safari in this Security Update.

The 2.1 MB update is available via Software Update or from Apple Downloads. FileQuarantine is available for  the most recent versions of OS X 10.6.7 (Snow Leopard). Earlier versions of Mac OS X are not included in this update.