Dear Macintosh-using friends,
Historically, Macintosh has seemed to be less vulnerable to malware than Windows; this remains true, although perhaps very, very, slightly less true than in the past. (Note that this is about the OS [the operating system], not about the hardware; Windows running on an Apple computer is real Windows, with all that is implied.)
To help us sleep at night, however, we do pay attention to the issue, so that we can understand what's being said to us if the situation were to change, or so we'll know how to react if we were to see anything strange on our own machines.
This Lifehacker article on anti-malware measures contains useful information. I have (but seldom bother using) ClamXav, and I will download (but infrequently use) the other free one mentioned, Sophos. (Both linked from the article.) (Note that the Lifehacker article will remain available indefinitely, even if it should have changed its URL.)
Anti-malware works in two general ways:
1. Watching for and preventing suspect activity.
2. Searching for suspect code. Sometimes removal is an option.
- Number 2 depends upon actual examples, downloaded from the developer. If not recently updated, this system breaks down.
- Number 1 can interfere with legitimate activity; it's why such software--which must be in place and running at all times--can cause problems where none would have occurred otherwise. Keeping it current is fairly important as well.
(To be clear: The worst of misbehavior by this type of anti-malware can seem virtually indistinguishable from actual malware, and this situation is apparently not so uncommon.)
A couple of other things are going on, too.
Some of the cheesier "entertainment" sites will cause pop-ups that contain warnings about how your machine has been found to be infected, and you should [download, purchase, whatever]. For years, Macintosh users laughed at these for their attempts to look like Windows system alerts. And we dismissed them without a thought.
Now, however, there is a new push by a company "offering" Macintosh anti-malware: MacKeeper. (The web site seems safe.) It uses somewhat similar scare tactics; several of our friends have reported alerts popping up while browsing the Web; I just saw it a couple of days ago.
This appears to be fairly legitimate software that has a positive review by one (and perhaps only one) accepted source. However, look down that review page for reader comments. (Not so good.) For two reasons, then, one might have to be desperate in the extreme to consider paying for this--especially considering that at least some of what it offers is out there without charge. (Ref. the Lifehacker piece.)
This is what I think I understand about what happens:
• The user is prompted to download an installer, which does require your permission to complete.
• The actual software will [appear to] scan the disk.
• It claims to have found problems.
• It requests a credit-card number.
• After a working CC# has been supplied it will [do whatever] and report the disk clean. There is a question about whether what it reports having found was ever real.
Dealing with the MacKeeper alert:
This could change, but at present it seems to open its own browser window _and_ to pop up what looks like a system alert. It does seem perfectly safe to dismiss these and not look back. It also seems safe to download--and even to launch--the installer, so long as it is not permitted to perform the installation. (Delete the installer from the Downloads folder, or from wherever you are having downloads sent.)
Deleting the installed software itself:
May be more problematic.
• Quit, Trash, and Empty the software (probably in /Applications). (_Empty Trash_ may fail.)
• Open System Preferences > Accounts > Login Items. (These are applications and background processes that will be launched every time Macintosh starts. Some are esoteric and shouldn't be touched, and some are safe to remove/add as you desire. It's nice to have Mail, iChat, and Skype available immediately, for example. If you access your mail in Safari, put that on the list.)
I cannot check because I don't have access to an installation of MacKeeper, but if something of it is in the Login Items list, remove it: Make a note of its name, click it once, and click the _minus_ beneath the list. This won't actually _stop_ that process; it only tells it not to run automatically at startup.
• Stop that background process--two methods:
- Use the Macintosh utility _Activity Watcher_ to locate and kill the process (may be in either /Utilities or /Applications; this is powerful magic).
- Merely restart.
If _empty trash_ had failed before because something was "in use", it should proceed normally now. If it doesn't, more work in _Login Items_ is needed. Perhaps MacKeeper sets _two_ pieces there.
• The last step would be to use Spotlight to search your hard drive for files that contain "mackeeper" in their filenames. If you find anything obvious, Trash it. If it's not so obvious, it may be best (and safer) to leave it.
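An added example, not part of the original letter: a read-only Terminal version of the filename search in the last step. The function names and the folders passed to them are assumptions; the script only lists matches for review and deletes nothing.

```shell
#!/bin/sh
# Added example (not the letter author's): list leftovers by filename.
# Read-only: prints a list to review by hand and removes nothing.

# find_leftovers NEEDLE DIR...
# Prints every file or folder under the given directories whose NAME
# contains NEEDLE, ignoring upper/lower case.
#  - Folders that do not exist are skipped quietly.
#  - When a folder itself matches (for example an .app bundle), only the
#    folder is listed; -prune stops find from listing everything inside it.
#  - Names containing spaces are handled because every path is quoted.
find_leftovers() {
    needle=$1
    shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -iname "*${needle}*" -print -prune 2>/dev/null
    done | sort -u
}

# count_leftovers NEEDLE DIR...
# Same search, but prints only the number of matches.
count_leftovers() {
    find_leftovers "$@" | wc -l | tr -d ' '
}

# Example run. /Applications is the folder named in the letter; the two
# folders under $HOME are assumed places worth checking as well.
find_leftovers mackeeper /Applications "$HOME/Library" "$HOME/Downloads"
```

In line with the advice above, treat the output as a list to look through: Trash what is obviously part of the software and leave anything that is not.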
Looking around on the Web just now, I found many complaints, quite a bit of suspicion, and oddly many "testimonials" insisting that this software is not a scam--it's great protection, and _download here_.
It walks and quacks like Marketing, and it smells like something that has spent some time standing next to a scam, so I'm staying away.
This is all based upon friends' reports, the online reports of disgruntled "users", and other materials from the Web. Any outright errors come from those sources; the simplifications, omissions, and caution are all mine.
The Google machine can help, but call me if you like.
Mark
11:55 11 May 2011