Apple forums light up as Mac Defender malware spreads

by Iain Thomson

19 May 2011

Apple user forums are showing a marked increase in reports of the Mac Defender malware spreading among Mac OS systems, and security vendors have also noticed a recent surge in reports.

A discussion in the Mac Pro forums on Apple's web site on removing Mac Defender is now the second most popular topic with over 4,000 views. Readers are complaining of fake anti-virus software infections and appealing for help to get rid of them.

The Mac Defender software, discovered earlier this month by Mac security software house Intego, is a scareware package of the type increasingly affecting Windows systems.

The malware spreads via web pages that are search engine optimised to appear near the top of search rankings. The software is injected onto the target system as a JavaScript download, and then informs the user that they are infected with a virus, which can be removed for a fee.

"The Trojan package downloaded from the web contains two more packages: macprotector.pkg and macProtectorInstallerProgramPostflight.pkg," said McAfee's security team in a blog post.

"The former is the application, and the latter contains a bash script that will launch Mac Protector once the installation is finished. The installation is the same as we are used to seeing, and it requires root privileges."

As an added annoyance, the software randomly displays pornography in pop-up windows on the user's desktop, to give the appearance of malware at work and encourage the purchase of the fake anti-virus software.

Although initially thought to be rare, the malware appears to be proliferating and several new variants have been found in the wild, according to Intego spokesman Peter James.

"It's clearly a serious problem, and one that's spreading. People are confronted by this when doing Google searches, as well as through ads on some well-known web sites, so it's very new to them," he told V3.co.uk.

"While it requires a user to enter a password, hence via social engineering, it seems that many people don't know not to enter their password."

AppleCare staff have reportedly been told not to remove the software, although this has not been confirmed by Apple, which declined to comment on this story.

Security experts have long warned that Apple users have become complacent about malware infections, and have predicted that malware writers will target the Apple platform as it grows in popularity.

There have been increasing reports of Mac malware, although nothing on the scale suffered by Windows users.

Earlier this month, however, the first automated malware toolkit for the Apple platform was discovered, and it seems that Apple users are in for more attacks in the future.
