Reply
Security Expert
LoPhatPhuud
Posts: 2,829
Registered: ‎11-01-2005

Removal Instructions for Mac Security, Mac Defender, Mac Protecto and Mac Guard

Bleeping Compjuter updated the Mac rogue removal guides to include instructions for the new tool he released today.  The tool/removal guides currently include Mac Security, Mac Defender, Mac Protecto and  Mac Guard.

 

You'll find information and links here:

http://www.bleepingcomputer.com/forums/topic399803.html




"Once I talked to the inmates of an insane asylum in Hartford. I have talked to idiots a thousand times, but only once to the insane..."
Mark Twain

Microsoft MVP, Consumer Security, 2005-2014
Networking Expert
Weil
Posts: 3,567
Registered: ‎07-04-2003

Re: Removal Instructions for Mac Security, Mac Defender, Mac Protecto and Mac Guard

I question whether anyone should install a software package from an unknown site even if recommended by a security guru.  (And I do not wish to lose my Eyeballs being logged in on startup.)

sam

 

Connection Expert
EG
Posts: 43,261
Registered: ‎12-24-2003

Re: Removal Instructions for Mac Security, Mac Defender, Mac Protecto and Mac Guard

Surely you jest Sam ?

Networking Expert
Weil
Posts: 3,567
Registered: ‎07-04-2003

Re: Removal Instructions for Mac Security, Mac Defender, Mac Protecto and Mac Guard

 


EG wrote:

Surely you jest Sam ?


Only my second sentence about Eyeballs was in jest.  As the malware can be easily removed manually by using a keyboard Force Quit and then editing Login Items, I recommend not installing any removal software.

sam

 

Mac Expert
Joel
Posts: 5,829
Registered: ‎12-01-2003

Re: Removal Instructions for Mac Security, Mac Defender, Mac Protecto and Mac Guard

To answer Sam's concerns: Bleepingcomputer is hardly an "unknown site." Rather, they are known among security gurus as one of the top sources for security-related info and legit software on the intertubes. Secondly, I took a look at this tool, and as I suspected all it is is a compiled Applescript that looks for specific items in specific places, Force Quits the rogue if found running, deletes any crud, and Quits itself. BC should be commended adding Apple's customers to their list of thousands helped using their advice. If only Apple took security as seriously.

Regular Contributor
Posts: 69
Registered: ‎12-01-2008

Re: Removal Instructions for Mac Security, Mac Defender, Mac Protecto and Mac Guard

Because it is the company's responsibility for incompetent users?

Mac Expert
Joel
Posts: 5,829
Registered: ‎12-01-2003

Re: Removal Instructions for Mac Security, Mac Defender, Mac Protecto and Mac Guard

It's the company's responsibility to secure its OS. How often MS has been bashed over the years for the very thing. I saw something posted somewhere the other day that said something like, Windows malware - OS bad; Mac malware - user bad. This is the mentality of most many Mac users, and this arrogance will be the cause of an eventual serious security breach.

 

FWIW, Apple did release a Security Update today to deal with the latest malware issue. 

Web Page Expert
BethKatz
Posts: 6,191
Registered: ‎11-14-2006

Re: Removal Instructions for Mac Security, Mac Defender, Mac Protecto and Mac Guard

Installing the security update was simple. Read more about how Snow Leopard and malware at http://support.apple.com/kb/HT4651

Regular Contributor
Posts: 69
Registered: ‎12-01-2008

Re: Removal Instructions for Mac Security, Mac Defender, Mac Protecto and Mac Guard

Joel, just curious if you understand how these cases of malware get installed. They get installed by the user, you can download them and never run the installer to put them on your computer and you will be just fine. The end user has to run an installer and give an administrative password for it to infect the system. This is NOT a security flaw, this is a user flaw. This is not a mentality of the Mac users, it is not arrogance, it is a FACT about how these cases work. Should users be more careful? Yes absolutely, but it is incorrect to say that apple could have prevented it or should be responsible for what the end user does. 

Networking Expert
Weil
Posts: 3,567
Registered: ‎07-04-2003

Re: Removal Instructions for Mac Security, Mac Defender, Mac Protecto and Mac Guard

http://www.zdnet.com/blog/bott/new-apple-antivirus-signatures-bypassed-within-hours-by-malware-autho...

 

Also, the password is not required.  The first solution is to disable auto download of "safe files" in Safari or use Firefox.  Secondly, one should know the keyboard combination for Force-Quit and know the penultimate solution which is to hold the "power-on" button down for a few seconds which shuts the computer down.  (The ultimate solution of course is to pull the plug (and remove battery from a laptop).   The computer can then be booted in target disk mode or from an external DVD allowing the editing of files.

 

sam

Mac Expert
Joel
Posts: 5,829
Registered: ‎12-01-2003

Re: Removal Instructions for Mac Security, Mac Defender, Mac Protecto and Mac Guard

[ Edited ]

Thank you Weil. And to add, a new variant of MAC Guard is already in the wild that defeats measures put into place with the latest Security Update. I'm well versed in social engineering methods; in fact, these are the same methods used by much of the current Windows malware that exists. To add, I've held various positions on my local MUG for the past ten years, have done presentations on numerous Mac-related topics over that time, have helped many local Mac users with software and hardware-related issues, and have volunteered my time in these forums for the past eight years helping Comcast users with their Mac-related service issues when they couldn't find information anywhere else, so if you want to question my knowledge that's your right I suppose, but I'm not some dummy who reads the tech blogs and simply copy/pastes what I read here. We've known this day was coming and if you go back in my posting history you'll find that I've warned of its coming. Keep your head in the sand all you like, but I guarantee you, this is just the beginning.

 

That being said, no OS will ever be entirely secure. Windows made steps a while back in regards to the ActiveX issues. MS has also tightened up security in other areas to substantially restrict the damage a user can inflict on himself. However, people still can be fooled. Mac OS, on the other hand, for years has been quite lax on their attitude towards security. However, every year at events like Black Hat, the first OS to fall is usually Mac OSX. Rather quickly I might add. This latest security update is a good first step at protecting users against themselves. However, it also shows how quickly the bad guys are at work exploiting vulnerabilities in the OS and finding new ones. It also shows why the days of flying without some type of protection (I recommend at least Little Snitch and one of the free AVs) are over.

Regular Contributor
OriginalMacRat
Posts: 65
Registered: ‎03-08-2011

Re: Removal Instructions for Mac Security, Mac Defender, Mac Protecto and Mac Guard


Joel wrote:

Thank you Weil. And to add, a new variant of MAC Guard is already in the wild that defeats measures put into place with the latest Security Update.



That Security Update checks with Apple daily. Apple has already posted a new scan definition for the new malware version which has already been downloaded by the daily check.

Mac Expert
Joel
Posts: 5,829
Registered: ‎12-01-2003

Re: Removal Instructions for Mac Security, Mac Defender, Mac Protecto and Mac Guard

[ Edited ]

This is a good thing. These daily checks are the most important security mechanism to come out of the latest update (they work in the background regardless of your Software Update settings). The problem is, only Snow Leopard users got the update, so that leaves many Mac users without this important protection. It's easy to say, "upgrade," but all those PPC machines that are still functional will never be compatible with the latest OS. These users need to rely on 3rd-party means for protection, and for that it means programs like Little Snitch (to monitor outgoing data traffic), and some sort of malware/AV software like ClamXav or Sophos Free for Mac.

Mac Expert
Joel
Posts: 5,829
Registered: ‎12-01-2003

Re: Removal Instructions for Mac Security, Mac Defender, Mac Protecto and Mac Guard

MacWorld has posted an article showing how to ensure your your database is updated with the latest defintions. When I checked mine just a few minutes ago, I still had the database dated May 26. In other words, I was not protected against the "C" variant of MACGuard currently in the wild. A MacWorld user reported a malware download being triggered on a Google search results page. The database appears to have been updated again just minutes ago:

 

<key>LastModification</key>
        <string>Fri, 03 Jun 2011 00:13:07 GMT</string>
        <key>Version</key>
        <integer>3</integer>