Here’s why Apple Support shouldn’t be helping people clear their Mac Defender Malware off their system
ZDNet’s Ed Bott (of the Microsoft Report) appears to be really pushing this Mac Defender Malware thing – doing his best to make sure the press goes nuts and blows the story out of proportion. His latest article, “Apple to support Reps: “Do Not attempt to remove malware“, aside from being link bait, appears to be missing the point. According to a recently leaked memo (below), Apple has told its AppleCare employees to not assist in removing the newly released Mac Defender/ Mac Security Malware if customers call or show up with an infected system.
Click to enlarge
Bott seems incredulous, and makes the point that Microsoft has a page set up with helpful links on their site to aid users in removing viruses and spyware, as well as links to buying Anit-virus software. So do Dell and HP, who have Anti-virus service plans service plans ranging in price from $10 per month, to $229 per incident. In fact, despite Dell’s computers barely costing $229 for the entire computer, Bott applauds all three companies for the serious way they are handling this virus/spyware/malware situation on the Windows side of things, and he just can’t understand how Apple support can be so callous when it comes to security.
Well, here’s what Mr. Bott is choosing to ignore in order to make his article sound reasonable. As of 2008, Symantec estimated that there were over ONE MILLION malicious pieces of code (Viruses, malware, spyware) able to attack a Windows machine. Right now we have only one and a half pieces of malware on the Mac. I say “one and a half” in that Mac Defender is apparently just a slight variation on the Mac Security piece of Malware found a week earlier. But let’s round up and say there are TWO pieces of Malware in the wild able to harm the average Mac user, and 1 million for the PC user (and that’s using 3 yr old estimates on the PC side of things).
The problem here is, this malware is NOT a virus, and is NOT a threat to most people. In order for it to do any damage, you first must search for Mac anti-virus software (something you don’t yet need to do), visit a “malicious website” claiming to have a no-name brand of virus protection called Mac Defender, download that fake virus protection software that you do not need (oh the irony), then run the installer, then give it your admin password. There are also reports of the Malware “auto downloading” and auto opening an installer while a user simply browses the web. In this case the installer STILL prompts you for your password, and honestly, if you are browsing the web and suddenly see a file download and an anti virus installer pop up asking you for your password, if you go ahead and give it your password, then you are so tech UNsavvy that it was only a matter of time before you got infected with SOMETHING. Better to get it over with now and hopefully learn a lesson. In other words, you almost have to WANT this Malware to infect your system in order to get it to do so. While it would be nice if Apple felt like creating a 24-hour Mac virus support center somewhere in India to handle the “flood” of Mac virus support calls that must be coming in, somehow I think the MayTag repair man would be busier than the poor sole who had to man that phone.
While given the Mac’s recent marketshare growth, I have no doubts we will see an eventual rise in malware on the Mac. However, this is hardly a case of a scared-shitless Mac community being nonchalantly dismissed by Apple. And for the 5 people who might actually HAVE the Mac Defender Malware, since you obviously know how to use the internet, try visiting a site called “Google.com” and typing in “How to remove the Mac Defender Malware”. I think you’ll find that, like all things on the Mac, even removing Malware is easier than on the PC.
(snip)
In order for it to do any damage, you first must search for Mac anti-virus software (something you don’t yet need to do), visit a “malicious website” claiming to have a no-name brand of virus protection called Mac Defender, download that fake virus protection software that you do not need (oh the irony), then run the installer, then give it your admin password.
(end snip)
Actually, Doc, no. You have to visit a site that’s been poisoned, in which case a JavaScript runs and automatically downloads the payload to your Mac. Assuming you have JavaScript enabled in your browser, which it is by default. Then, the payload (a .zip file) must be unzipped – but Safari will do that for you, automatically, if you kept the “Open Safe Files” option which again is on by default. Then the .mpkg file runs from the payload and offers to install on your Mac.
But that’s where the Mac variant differs from the PC – as, in truth, this is a Mac spin on a PC attack vector that’s been in the wild for at least a year now. See, the Mac version, even if you’re in an Admin-priveleged account when it hits, asks for your Admin credentials before it installs. This is where Windows fails – I’ve removed the PC variant from more WinXP and WinVista PCs than I care to think on (and by “removed”, I mean “wiped the hard drive and re-iamged the PC” as removal is a real crap-shot). I work as tech support in a university, and our staff PCs have been picking the PC variant off of Google searches. XP and Vista have no resistance to this, it seems – just by the browser going to a poisoned site, the PCs get infected and the user is none the wiser until the “You’ve got fifty thousand viruses on your computer!” alerts start popping up. We’ve been using AppLocker on our Win7 PCs, which is set to shut down any user-generated install attempt, and that’s been keeping those machines clean; I’m not sure if Win7 on its own is enough or if AppLocker is saving us.
But the Mac version? It has to get permission to install, and hopefully the Mac users are smart enough to see an install request pop up and stop to ask themselves, did I just start an install of anything? And once they realize they hadn’t, and cancel the process, all’s good. Score 1 for the Macs…
use your brain people! and you wont get this crap
Couldn’t have said it better myself! Great post, sir!
It is pretty easy to pick this thing up. We had a customer come in and she was able to show me exactly how she got it: Google image search (for a flower, nothing naughty), click the picture to see larger, here comes the payload.
The only thing about this trojan that is different than most is that it includes an installer that actually works on a Mac. Most malware that includes an installer is so poorly written it does not even work on a Mac. They are typically exe files from my experience.
Some day apple will need to change the default Safari preference to disallow the automatic opening of “safe” files. I do not personally know any Mac user that leave it that way but my friends seem to have a clue. I do not allow any automatic updates from any company, any automatic opening of “safe” files or open file attachments from unknown sources. I research new software before I download and try it and research software updates before installing them. Simple precautions are necessary on any OS to avoid problems.
Maybe that $229 price entry point is why so many people I talk to that use that type of equipment just throw them away and get a new one whenever they get infected and their computer starts acting strangely. They refuse to use common sense when online or handling email. It is easier to just replace it every year or so with that great new $229 piece of computer workmanship from Dell, Acer etc.
Casey you are dead wrong. Do some research. It will take all of 30 seconds to find out you have to put in your password and install this. There is no way “the payload” automatically downloads to your Mac. Ed Bott is a Windows shill and a tool as you would expect from someone who writes for ZDNet.
“poor sole”. s.b. “poor soul”.
Actually, on the subject of bored call center reps: the call volume has recently gone from ca. 12 mins between calls to almost no pauses in between. About half of all calls have been about this malware over the last few days, according to one apple rep. Having myself provided customer service/tech support for the most miserable year and a half of my working life, I can vouch for one thing: there are MANY people out there that own technology that they probably shouldn’t be allowed anywhere near! “Push the home button” – “which one is that?” There’s only ONE BUTTON on the dang iPhone!!! I think I lost more hair at that job…
Funny enough my mom got this on her imac… it took me 5 minutes and google search to remove it. It’s more or less a 2-5 step process.