May 27, 2011

Fake Antiviruses and Fake Security Software

I made a small mention of this in my last blog post, but with MacDefender getting a lot of attention lately, I thought I'd write up a bit about this stuff.

To start off, these fake antiviruses aren't really viruses, because they don't spread or install by themselves. They still require you to click on something, so they're malware (a trojan, if you want the proper term): they depend on tricking the user, not on exploiting the machine.

From what I understand (I've never gotten one of these myself, and I use a Mac, which only has a handful of known malware), they generally show up inside the browser window as an image that mimics the file manager.
This image is from http://sunbeltblog.blogspot.com/2010/10/all-in-rogue-family.html which I found from a Google search.
If you look at the above screenshot, you'll see it tries to look like the Windows XP file manager. It does a decent job, but there are a few things that don't normally appear in the file manager. Everything from the "security" category downward is not in the Windows file manager. The "Windows Security Alert" is pretty clever though. I don't think it matters what you click in there; as long as you click something in that image, the malware will install. For those who don't know, the Windows or Mac file browser should NOT be appearing inside your web browser. That's how you should know that this is fake.

For the Windows-based fake AVs, what generally happens is that once you click ANY option in that image (or maybe the whole image itself, I'm not sure), it'll download and install the malware. Then it does a whole bunch of crap, such as modifying the Windows registry so that when you try to run any executable application (any program you can run on your computer), it gives you an error, tells you the program is infected, and refuses to run it. Actually, before I go on: if any of you reading this don't know what the Windows registry is, then all the better for the developers of this fake crap. That's just the way they like it. The software will constantly nag you that your computer is infected with tons of "threats" (which are actually important system files) and ask you to buy the "software". The fake security software can go by many names, but they're usually really generic: MS Antivirus 2011, MS Security Centre, XP/Vista/Win 7 Total Security, XP/Vista/Win 7 Anti-Spyware, etc. So they ask for a whole bunch of info, including your credit card number. It's not like you'll get anything good if you pay for it, since it's fake. But you might find money coming off your credit card account.
Image taken from http://www.howtogeek.com/57837/how-to-remove-win-7-anti-spyware-2011-fake-anti-malware-infections/

For the Mac-based MacDefender and its variants (whatever name it wants to use this week), it's a little harder to get onto your system. MacDefender appears as an image in your web browser, just like the Windows-based ones. Once you click it, it downloads and runs the installer. Then you have to go through the installer and enter an administrator password (your own, if you are an administrator). At that point it's installed and nags you to pay them. It doesn't block you from running other applications the way the fake AVs on Windows do.
Image taken from http://www.howtogeek.com/63735/mac-os-x-viruses-how-to-remove-and-prevent-the-mac-protector-malware/

For the newer MacGuard, I think it's pretty similar, except that you aren't required to enter your administrator password, so the only thing standing between you and the infection is the click.

If you use Safari, I'd recommend (as of the time you read this) turning off the option to open "safe" files after downloading. In Safari for Mac, make sure Safari is the currently selected application (you'll see Safari in the Application Menu), then click Safari (Application Menu) -> Preferences... -> General, and uncheck "Open "safe" files after downloading". I think Safari for Windows has a similar option. It's probably best to disable that option anyway, just in case worse things come along later.
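The same setting can be checked and turned off from Terminal. This is an added example, not something from the original post: it reads Safari's AutoOpenSafeDownloads preference in the com.apple.Safari domain (the key behind the "Open "safe" files after downloading" checkbox), and treats a missing key as enabled, since that is Safari's default.

```shell
#!/bin/sh
# Checks and disables Safari's "Open 'safe' files after downloading" option.
# Preference domain: com.apple.Safari, key: AutoOpenSafeDownloads
# (1 = auto-open on, which is the Safari default; 0 = off).

# Classify a raw value as read from `defaults`. Prints a verdict and returns
# 0 when auto-open is off, 1 when it is on (including when the key is absent,
# because an absent key means Safari falls back to its enabled default).
classify_auto_open() {
    case "$1" in
        0|false|NO)
            echo "auto-open disabled"
            return 0 ;;
        1|true|YES)
            echo "auto-open ENABLED: Safari will launch downloaded 'safe' files"
            return 1 ;;
        *)
            echo "key not set: Safari defaults to ENABLED"
            return 1 ;;
    esac
}

# Read the live preference. Returns 2 when defaults(1) is unavailable
# (i.e. this is not macOS), otherwise the classify_auto_open result.
check_safari_auto_open() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not found: not running on macOS" >&2
        return 2
    fi
    value=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)
    classify_auto_open "$value"
}

# Turn the option off, the same thing as unchecking it in Preferences > General.
# Quit and relaunch Safari afterwards so it picks up the new value.
disable_safari_auto_open() {
    defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
}
```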

I'm not going to explain how to get rid of the Windows malware, because How-To Geek wrote an article on that. In fact, that article and another How-To Geek article are where I got a bit of my info.

To remove the MacProtector malware, it's pretty simple. The instructions I'm giving here are pretty much straight out of the How-To Geek article, and they're short enough to post here, so I will.
1) Quit all running applications by pressing the Command-Q key combo, clicking the red x at the top left of each window, or clicking on the application menu and choosing exit.
2) Run Activity Monitor, which can be found in the Applications -> Utilities folder, or just search for it using Spotlight. Spotlight is the magnifying glass icon at the right of the Menu Bar at the top of the screen.
3) Find the MacProtector process and click "Quit Process". Click "Quit" to confirm.
4) Click on the Apple Menu at the left side of the Menu Bar, and click System Preferences.
5) Click Accounts. You might need to click on the lock at the bottom if it's locked, then enter your administrator password. Click on your account, and then select the Login Items tab. Select MacProtector and click on the minus button to remove it from startup.
6) Go to your Applications folder and drag MacProtector to the Trash.

You can protect yourself from these things by:
1) Not clicking on every little (or big) thing you see. A file manager or security alert drawn inside a web page is the giveaway.
2) Using (real, not fake) Anti-Virus or Security Software that might be able to catch stuff like this.
3) Knowing what Anti-Virus or Security Software is on your computer and what it looks like. That way it'll be easier to tell whether you're being tricked or not.
