NEWS FROM THE LAB - Thursday, May 26, 2011

Mac OS X Malware is Here For Real Posted by Mikko @ 13:31 GMT

In the 1990s, we used to have a Mac product. It was eventually discontinued due to a lack of threats.

Then, in October 2007, we saw something unusual: a DNS Changer Trojan for OS X.

We assessed the risk level of the new Mac malware and, as a result, started developing F-Secure Anti-Virus for Mac.

While we have seen new Mac malware every now and then, many experts have been downplaying the malware risk on Mac OS X systems. But the fact is that we are seeing more and more activity.

Just during the last week, we've seen a significant rise in infections by Mac scareware trojans. These trojans are distributed via poisoned Google Images Search links.

The trojans attempt to trick the user into believing their Mac is infected — when it's actually clean. Once the user is convinced he has a problem, he will purchase a license for the fake security product called MacDefender, MacSecurity, MacProtector or MacGuard.

The trick is actually quite convincing. The user is redirected to a web page which doesn't look like a web page at all. Instead it resembles Mac's Finder:

Mac OS X fake

While this looks bad, it's just a webpage which has been designed to look like Finder.

Here's a short video showing how Google Images search will take the user to a page that tries to scare him.

The user still has to install the fake security product offered to him. The latest versions of the malware use a separate downloader which is able to install the trojan without ever prompting for the root password:

Mac Guard installer

Mac Guard installer
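The delivery chain described above (a poisoned Google Images result, a landing page dressed up as Finder, then a downloader archive) leaves a recognisable trace in web proxy logs. The following is an added example, not code from F-Secure or from the original post, showing one way a defender could flag such downloads. The log format, the hosts (`.invalid` is a reserved TLD) and every line of the sample are constructed for illustration; the rogue product names are the four named in the post, and the five-minute window and archive extensions are assumptions of the example.

```python
"""Added example: flag Mac installer archives downloaded shortly after a
client arrived at a site straight from Google Images. Everything below is
constructed for illustration and is not F-Secure's code or data."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log: timestamp client method url status content-type referer
SAMPLE_LOG = """\
2011-05-25T10:01:02Z 10.0.0.5 GET http://images.google.com/images?q=spring+flowers 200 text/html -
2011-05-25T10:01:09Z 10.0.0.5 GET http://landing.invalid/scan.php 302 text/html http://images.google.com/images?q=spring+flowers
2011-05-25T10:01:10Z 10.0.0.5 GET http://landing.invalid/finder.html 200 text/html http://images.google.com/images?q=spring+flowers
2011-05-25T10:01:15Z 10.0.0.5 GET http://landing.invalid/download/MacGuard.zip 200 application/zip http://landing.invalid/finder.html
2011-05-25T10:05:30Z 10.0.0.7 GET http://vendor.example/update.pkg 200 application/octet-stream http://vendor.example/support
"""

# Rogue product names taken from the post; the rest are assumptions of this example.
ROGUE_NAMES = re.compile(r"mac(defender|security|protector|guard)", re.I)
ARCHIVE_EXT = (".zip", ".pkg", ".dmg")
ARCHIVE_TYPES = {"application/zip", "application/x-apple-diskimage",
                 "application/octet-stream"}
WINDOW = timedelta(minutes=5)  # assumed: landing -> download within 5 minutes


def is_google_images(url):
    """True for Google Images hosts or /images paths on google.com."""
    p = urlparse(url)
    return p.netloc.startswith("images.google.") or (
        p.netloc.endswith("google.com") and p.path.startswith("/images"))


def parse_line(line):
    ts, client, _method, url, status, ctype, referer = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "url": url, "status": int(status),
            "ctype": ctype, "referer": referer}


def find_suspicious_downloads(log_text):
    """Return (client, url, reasons) for archive downloads that either come
    from a host the client reached via Google Images within WINDOW, or
    whose file name matches one of the rogue product names."""
    landings = {}  # (client, host) -> time the client first arrived from Google Images
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        parsed = urlparse(rec["url"])
        host, path = parsed.netloc, parsed.path
        # Remember hosts entered directly from a Google Images referer.
        if (rec["referer"] != "-" and is_google_images(rec["referer"])
                and not is_google_images(rec["url"])):
            landings.setdefault((rec["client"], host), rec["ts"])
        is_archive = path.lower().endswith(ARCHIVE_EXT) or rec["ctype"] in ARCHIVE_TYPES
        if not is_archive or rec["status"] != 200:
            continue
        reasons = []
        arrival = landings.get((rec["client"], host))
        if arrival is not None and rec["ts"] - arrival <= WINDOW:
            reasons.append("archive served by a host reached from Google Images")
        if ROGUE_NAMES.search(path):
            reasons.append("file name matches a known rogue product name")
        if reasons:
            hits.append((rec["client"], rec["url"], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in find_suspicious_downloads(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```

The referer rule catches the chain even when the archive is renamed; the name rule catches a rogue that arrives by some other route. An ordinary vendor package with a non-Google referer (the last sample line) is left alone.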

Here's what the rogue application looks like when it has been installed:

Mac Security

Once the user has installed the rogue product, it will further try to convince the user he's infected with something. This is done by randomly opening porn websites.

Mac Porn

Even a stubborn user will be convinced he has a problem when random porn sites pop up every few minutes on his system.

It's important to note that these are fake security products. They don't protect the system in any way. They simply try to scam the user into purchasing them for no reason.

This is a widespread scam and we have lots of reports of real-world infections.

How can Mac users protect themselves?

So far, our Mac product has only been available via our operator (ISP) partners.

But today, we are releasing a direct to consumer version of F-Secure Anti-Virus for Mac.

F-Secure Anti-Virus for Mac

For a limited time, you can try it for free! Use promotional code AVMAGL. More information on the product is available here.

F-Secure Anti-Virus detects and blocks these Mac trojans as variants of Rogue:OSX/FakeMacDef and Trojan-Downloader:OSX/FakeMacDef.