June 3, 2011 at 2:46 PM ET
With pitches for the fake "MacDefender" anti-virus software hitting some Mac users in recent weeks, and Apple's delayed but helpful instructions on how to deal with it, some of us hoped calm had returned to what has been a largely malware-free existence with Macs. But no.
Security software firm ESET reports that its research team has detected a new fake MacDefender variant, "MacShield." Dan Clark, an ESET vice-president, writes Friday on the company's blog that "As in the case of its oldest sibling MacDefender, the MacShield variant has taken the name of a legitimate Mac OS X software product with small distribution, doubtless causing the real developer significant heartache."
The user interface for this malware is "essentially unchanged, but as usual all of the dialogs and alerts have been updated with the new naming," he says, adding:
The UI contains the typical reassuring gibberish bragging about 250 "specialists" working in "more than 10 countries," and a database that includes "almost all known dangerous software." With all that expertise on hand, it's rather surprising that it doesn't detect itself as malware.
To lure users, MacShield follows the same scareware tactics as the MacDefender malware. The risk of infection can be reduced per the comments in my earlier blog, and removal of the malware follows the existing guidelines published by Apple or in our KB (Knowledge Base) article here.
How would you get this malware? Clark said in a previous posting that "the infection is spread via poisoned search engine results on image searches. When a bad link is followed in a search, the user is presented with an alert that Trojans or other threats have been detected on the system. At the start of the attack, either a simple dialog box over your browser window, or a fake Finder window with a warning" about "Apple Web Security" detecting Trojans, being ready to remove them and just waiting for you to click on the "remove" button.
What do you do? For starters, DO NOT click on that remove button. Check out Apple's support site. And do be careful of what links you click on when you are surfing the Web.
Apple seems to be on top of it. Sophos noted Thursday on its blog, under the headline: "Apple to malware authors: Tag you're It!":
Last night the malware authors behind the Mac Guard fake anti-virus changed their methods again to bypass the updates Apple released yesterday afternoon to protect OS X Snow Leopard users.
Apple fired back shortly after 2 p.m. Pacific Daylight Time today with a new update to XProtect. Computers that have Apple update 2011-003 for Snow Leopard now check for updates every 24 hours.