Malware on the Mac just became a serious issue - How to remove MacGuard
You’ve heard it a million times: “Macs don’t get viruses.” As geeks, we know that isn’t entirely true. There aren’t any “real” viruses preying on Mac users, but there is an exploit here and there, and sometimes they can be quite threatening. Recently, a new piece of software called MacGuard has crept into the Mac universe, and in short, this could be one of the biggest security threats on the Mac in history.
Recently, an older piece of software called Mac Defender was released to the masses, posing as an Anti-Virus suite for the Mac. The end goal of the software was to obtain credit card info and suck some money out of your credit account. If enough people installed the software, the Mac Defender team would amass a large amount of cash (and they did) and be able to fund a new project to further improve their software’s ability to manipulate your Mac and more efficiently take your money.
What is MacGuard?
MacGuard is the latest and greatest Malware and fake Anti-Virus App from the creators of Mac Defender. It performs most of the same operations to obtain your credit card info, but it has a few more tricks up its sleeve. When you install a piece of software on your Mac, it requires you to enter a password to access the system and install. MacGuard does not. Instead, MacGuard places itself in the Applications folder, where installers don’t need the password to execute. Malware on the Mac has become a serious problem.
How to protect yourself and others from MacGuard and other threats
- Know that a Mac requires no anti-virus. The number one vulnerability on the Mac is the user’s fear of viruses and the near-obsessive need to be “protected” even though no traditional viruses exist for the Mac.
- Know that the only real threats are fake Anti-Virus suites that try to protect you from nonexistent viruses and attempt to take your credit card info.
- Avoid anything involving “Anti-Virus” for the Mac, especially Mac Defender and MacGuard.
- Always perform update checks and keep your system up-to-date, including your browser.
- Tell others about this article, and share any info you have.
How to remove and prevent MacGuard
Automatically remove
- Download and run the MacGuard removal script.
- Once the auto-removal has finished, double-check that you have removed any files associated with MacGuard (full list can be found here).
Remove Manually (recommended)
- Look for “MacGuard” in both your Downloads and Applications folders (and elsewhere using Spotlight) and drag it to the Trash. Afterwards, empty the Trash.
- Click the Apple menu (top left) and open System Preferences > Accounts > Login Items. Deactivate anything activated that you’re not using.
- Reset all of your browsers and reboot the computer.

Justin Mrkva in our comments has more advice for everyone
I’ll reiterate something I mentioned in another comment elsewhere:
“The security of any machine is limited by the factor that resides between the keyboard and the chair.”
Here are a few crucial tips for future reference for preventing/removing any future iterations of pretty much any type of malware that could possibly get thrown at your Mac:
1. Run as a non-Administrator. This is important for these very reasons. As a non-Admin user, trojans can’t break outside your user account, so in the worst case you can just reboot into another account and they’re contained until you can do something about them.
2. NEVER go through an installer that you don’t explicitly know is something you want to install. And similarly, NEVER give your admin password to anything you don’t know. Giving something your admin password is a free key to the entire system.
3. If you’ve followed 1 and the second part of 3 but have been ignorant enough to install something malicious, there are only a handful of places to look to remove it, even without specific instructions. First, the user accounts login items. Second, ~/Library/Launch Agents/. Third, the Applications folder. Fourth, the ~/Library/Application Support/ and ~/Library/Preferences/ folders for residual files (although by themselves files left here won’t do a thing). Finally, check Activity Monitor and filter by processes belonging to you, and Google anything you don’t recognize to see what it is. IIRC those are the only places you should have to look to find anything. Also, if you remove things like this, reboot and make sure they remain gone. If any of them return, log out and into another account and remove them, and they’ll be gone for good. If you don’t run as a non-Administrator or if you give one of these installers your admin password, it’s a little trickier but still relatively straightforward.
TL;DR: Run as a non-Administrator. Use common sense and don’t install things you don’t recognize. Treat your Administrator password like a key to a safe - only give it to those you trust.
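
The per-user places listed in the comment above (plus the Downloads folder from the manual steps) can be checked in one pass. This is an added example, not part of the original article or comment: the function name `audit_leftovers`, its arguments and the output labels are assumptions, and the launch agent folder is referenced by its on-disk name `~/Library/LaunchAgents`.

```shell
#!/bin/sh
# Read-only audit: prints suspect paths and deletes nothing.
# Usage: audit_leftovers NAME [HOME_DIR] [APPS_DIR]
# HOME_DIR and APPS_DIR are overridable so the check can run on a copy.

audit_leftovers() {
    name=$1
    home=${2:-$HOME}
    apps=${3:-/Applications}

    # 1. Items whose own name contains NAME (case-insensitive).
    for dir in "$apps" "$home/Downloads" \
               "$home/Library/LaunchAgents" \
               "$home/Library/Application Support" \
               "$home/Library/Preferences"; do
        [ -d "$dir" ] || continue
        find "$dir" -mindepth 1 -maxdepth 1 -iname "*${name}*" 2>/dev/null |
            sed 's/^/name-match: /'
    done

    # 2. Launch agents and preference files that mention NAME inside the
    #    file, e.g. an agent that starts the app under an unrelated filename.
    for dir in "$home/Library/LaunchAgents" "$home/Library/Preferences"; do
        [ -d "$dir" ] || continue
        grep -rilF -- "$name" "$dir" 2>/dev/null |
            sed 's/^/content-match: /'
    done
}

# Run directly as: sh audit.sh MacGuard
if [ "$#" -gt 0 ]; then
    audit_leftovers "$@"
fi
```

Anything it prints is a candidate to inspect, not proof of infection. Running it again after a reboot shows whether removed items have come back.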