Apple has posted instructions for removing the MAC Defender scareware, even as new variants are appearing.
MAC Defender is a piece of fake antivirus software (or 'scareware') that pretends to scan for viruses, when in fact it redirects the user's browser to pornographic web sites (to convince a user that the computer is infected). It then asks for credit card information to buy a license to use the software. It is not clear yet to whom the credit card information is sent.
To get rid of the malware once it is installed, one has to launch the Activity Monitor utility. After stopping the MAC Defender process (it often has names such as MacDefender, MacSecurity or MacProtector), the malware can be taken out of the Applications folder and moved to the trash. Apple says it will also publish a software update that will automatically remove MAC Defender in the coming days.
MAC Defender first appeared on May 2, and was flagged by the security firm Intego on its blog. Through creative seeding of search engines, many users were directed to compromised sites that looked like a Windows machine performing a virus scan. The site then downloaded the software onto the target machine. If the user had the "Open 'Safe' files after downloading" option checked in their browser, MAC Defender would launch its installation screen.
Intego's latest note details a new variant of the malware. The first version asked for an administrator password before installing itself on the user's Mac. The new one doesn't need that, making it that much easier to get onto the system.
The simplest way to prevent it from getting installed on your computer is to make sure that the browser, whichever one you use, does not automatically open files after downloading them.
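As an added example (not part of Apple's or Intego's instructions), this shell script checks a process listing and the Applications folder for the names listed above and reports Safari's auto-open setting, covering both the removal and the prevention steps. The function names, the constructed sample listing and the Safari preference key AutoOpenSafeDownloads are assumptions not taken from the article.

```sh
#!/bin/sh
# Added example: report signs of MAC Defender; it removes nothing.
# Names are the ones the article lists ("often has names such as"), so a clean
# result does not rule out a variant using another name.
NAMES='MacDefender|MacSecurity|MacProtector'

# Constructed sample of `ps -axo pid=,comm=` output, used when not run with --live.
SAMPLE_PS='  388 /usr/sbin/cfprefsd
  412 /Applications/MacProtector.app/Contents/MacOS/MacProtector
  501 /Applications/Safari.app/Contents/MacOS/Safari'

# Print the process lines on stdin whose path contains a listed name as a
# whole component (so "MacSecurityAgent" would not match).
match_procs() {
    grep -E "(^|[[:space:]/])($NAMES)(\.app)?(/|[[:space:]]|\$)" || true
}

# Print listed application bundles present in a folder (default /Applications).
match_apps() {
    dir=${1:-/Applications}
    for n in MacDefender MacSecurity MacProtector; do
        [ -d "$dir/$n.app" ] && printf '%s\n' "$dir/$n.app"
    done
    return 0
}

# Report Safari's "Open safe files after downloading" setting.
# Assumption: stored as AutoOpenSafeDownloads in the com.apple.Safari domain.
safari_auto_open() {
    command -v defaults >/dev/null 2>&1 || { echo "n/a (not macOS)"; return 0; }
    case $(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null) in
        0) echo "off" ;;
        1) echo "on" ;;
        *) echo "unset or unreadable; check Safari preferences" ;;
    esac
}

if [ "${1:-}" = "--live" ]; then
    echo "Processes:"; ps -axo pid=,comm= | match_procs
    echo "Applications:"; match_apps
    echo "Safari auto-open: $(safari_auto_open)"
else
    echo "Sample listing matches:"; printf '%s\n' "$SAMPLE_PS" | match_procs
fi
```

Run with --live on the Mac itself; anything it reports is then handled with the Activity Monitor and Applications folder steps described above.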
MAC Defender has gotten a lot of attention in part because malware and viruses for Macintoshes are rare. While Windows users have had to deal with them often, the very fact that Macs are a smaller part of the operating system market means that hackers have historically not bothered to write malware or viruses for them. That could be changing.