How can I remove malware from my Mac? I think I picked up something nasty. Should I have installed antivirus on my Mac to stop this kind of thing?
Malware (malicious software) is the scourge of the software world, but (thankfully) it's rarely found on Mac OS X. Mac malware does exist, though, and every so often a new piece of Mac malware hits the headlines and scares Mac owners senseless.
One such headline concerns an attack known as KeRanger, widely believed to be the first ransomware attack on Mac users. (Ransomware is one specific form of malware that has historically been a problem for PC owners, not Mac owners. More on this below.) KeRanger recently affected OS X via a popular BitTorrent client called Transmission. If you're worried about the Transmission KeRanger attack, or about ransomware in general, we have specific information to help.
In this article we are going to look at the following:
- How to check your Mac for malware: learn how to spot Mac OS X malware
- Ransomware, and how to avoid the Transmission KeRanger ransomware attack
- How to remove Mac malware for free
- How to protect your Mac from malware in the future
- Should you install antivirus software on a Mac?
Apple is extremely adept at issuing security updates that remove OS X malware as it is discovered. But many people wisely learn how to spot Mac OS X malware and how to remove it for free. This is what we'll be covering in this article.
How to remove Mac malware for free: What is malware? And how to spot Mac OS X malware
The first thing to know is that malware is different from other types of malicious software, such as viruses.
Malware doesn't attempt to get into your machine without your knowledge - it is malicious software disguised as legitimate software. It tricks you into installing it as you would any other program, and then when it is installed it starts to gather information about you. In most instances it wants to get hold of your credit card or banking details and passes them on to nefarious individuals on the other end.
Where things get tricky is that most Mac malware pretends to be the very thing you want to use to get rid of it. Most Mac malware seems to masquerade as antivirus or antimalware software. While there is no definitive list of OS X malware, here are some names to watch out for:
So, to be clear: these are the names of programs you should be avoiding.
The way this scam works is that a hacker takes over a legitimate website, which then redirects you to a fake website that pretends to scan your Mac and find malicious software. It then convinces you to download a program to check for the malware and to enter your Apple ID and password to install it: this program is the malware.
Over time it will pretend to scan your Mac, pretend to find problems, and try to get you to enter your credit-card details to fix the problems. If you enter your credit card details they are passed on to scammers who try to get money from your account.
How to remove Mac malware for free
This point is important. You shouldn't be paying to remove Mac OS X malware - ever. In fact, we'd go so far as to suggest that if you don't know what you're doing, don't put your credit-card details into any program or website that claims to be able to fix your computer.
Also, while we're at it: if somebody phones you up claiming they have spotted malicious software on your computer and tries to convince you to hand over your bank details, put the phone down. It's a variation on the theme.
You don't need to pay for antivirus software on the Mac. Many trusted antivirus providers offer a free service for home users and charge businesses for an antivirus service. The important thing, though, is not to jump for your credit card when faced with a program on your Mac that claims to have found problems. The program itself could be the problem.
What to do when a website says you have malicious software on Mac? If you are browsing a website and it claims to have detected malicious software, malware, or a virus (or simply states it has "detected problems" with your Mac), then follow these steps:
- If you're in Safari (or another web browser) and get a warning about malicious software, virus, or problems detected, quit Safari by choosing Safari > Quit. If Safari refuses to quit, force-quit the app (Control-click the Safari icon and choose Force Quit).
- Go to the Downloads folder and drag any install files, or files that you don't recognise, to the Trash.
- Empty the Trash (Control-click the Trash icon and choose Empty Trash). By doing this you dodge the problem altogether: you haven't installed any software or handed over your credit-card details. We'd suggest you don't return to that website.
How to avoid or remove the KeRanger attack, or other types of ransomware
Ransomware is a variation on malware becoming more prevalent in recent times. Until recently, OS X users were mercifully free from ransomware, but a recent OS X attack known as KeRanger has been distributed via the popular Transmission BitTorrent client. So now we have ransomware on OS X to contend with.
Like other malware, ransomware infects your computer, but it has a specific purpose: to encrypt the files on your computer so you can't use them, and to force you to hand over money to get the files decrypted. In the case of KeRanger, you'll be instructed to pay $400 in Bitcoin to a website on the Tor network to get your files back.
A file known as "OSX.KeRanger.A" somehow snuck itself into the Transmission 2.90 update. This appeared for download on the Transmission website between 4-5 March. Apple has revoked the GateKeeper signature and updated its XProtect system (part of File Quarantine) to block KeRanger.
So if you are using Transmission, you must upgrade to the latest version, Transmission 2.92, immediately. You'll find more information about KeRanger on the Transmission website.
How does the Transmission KeRanger ransomware virus work?
KeRanger is a ransomware program designed to extort money from OS X users. It's called KeRanger because the file it runs from is named OSX.KeRanger.A. This file is hidden inside another program and installed alongside it.
KeRanger is the first instance of ransomware on the Mac and was installed alongside Transmission 2.90, a popular BitTorrent client. If you download and run Transmission 2.90, you will also run the KeRanger file. It waits three days and then begins to encrypt files in OS X.
Palo Alto Networks' Claud Xiao and Jin Chen explain how KeRanger works:
"The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple's Gatekeeper protection. If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network. The malware then begins encrypting certain types of document and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files. Additionally, KeRanger appears to be still under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.
"Palo Alto Networks reported the ransomware issue to the Transmission Project and to Apple on March 4. Apple has since revoked the abused certificate and updated XProtect antivirus signature, and Transmission Project has removed the malicious installers from its website. Palo Alto Networks has also updated URL filtering and Threat Prevention to stop KeRanger from impacting systems."
How can I check if KeRanger has infected my Mac?
If you're worried that KeRanger ransomware may have infected Mac OS X, here is how Palo Alto suggests you check for it:
1. Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exists. If either of these exists, the Transmission application is infected, and we suggest deleting this version of Transmission.
2. Using 'Activity Monitor' preinstalled in OS X, check whether any process named 'kernel_service' is running. If so, double-check the process, choose Open Files and Ports and check whether there is a file name like "/Users//Library/kernel_service". If so, the process is KeRanger's main process. We suggest terminating it with Quit > Force Quit.
3. After these steps, we also recommend users check whether the files .kernel_pid, .kernel_time, .kernel_complete or kernel_service exist in ~/Library directory. If so, you should delete them.
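The three checks above can be run from one shell function. The script below is an added example, not from the article or from Palo Alto Networks; it looks only for the indicators listed above (the General.rtf file in the Transmission bundle, a running kernel_service process, and the four state files in ~/Library). The ROOT and HOME_DIR parameters are a hypothetical addition so the same check can be pointed at a mounted volume or a test directory; with no arguments it checks the running system.

```shell
#!/bin/sh
# Added example (not from the article or from Palo Alto Networks): checks the
# three KeRanger indicators listed above from one shell function.
# ROOT and HOME_DIR are hypothetical parameters so the same check can run
# against a mounted volume or a test directory; with no arguments it checks
# the running system and the current user's ~/Library.

keranger_indicators() {
    root="${1:-}"
    home_dir="${2:-$HOME}"
    found=0

    # 1. An infected Transmission bundle carries General.rtf in Resources.
    for bundle_file in \
        "$root/Applications/Transmission.app/Contents/Resources/General.rtf" \
        "$root/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf"
    do
        if [ -e "$bundle_file" ]; then
            echo "INFECTED BUNDLE: $bundle_file"
            found=1
        fi
    done

    # 2. KeRanger's main process runs under the name kernel_service.
    #    (The process check is skipped when pgrep is not installed.)
    if command -v pgrep >/dev/null 2>&1 && pgrep -x kernel_service >/dev/null 2>&1; then
        echo "RUNNING PROCESS: kernel_service (Force Quit it in Activity Monitor)"
        found=1
    fi

    # 3. State files KeRanger drops in ~/Library.
    for name in .kernel_pid .kernel_time .kernel_complete kernel_service; do
        dropped="$home_dir/Library/$name"
        if [ -e "$dropped" ]; then
            echo "DROPPED FILE: $dropped"
            found=1
        fi
    done

    return $found   # 0 = clean, 1 = at least one indicator present
}

# Usage: check the live system and report the result.
if keranger_indicators; then
    echo "No KeRanger indicators found."
else
    echo "KeRanger indicators present; see the lines above."
fi
```

The function only reports; it deletes nothing, so the files it names can be examined before you remove them as the steps above describe. A non-zero exit status makes it easy to run across several Macs and collect the results.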
What to do if KeRanger has encrypted files on your Mac
It's still early days for KeRanger, so advice on how to fix an encrypted OS X computer is fairly vague. Our understanding is that you will not be able to decrypt the files, but you should be able to restore OS X from scratch from your backup.
The other option would be to pay the ransom, although we don't recommend this. There's no guarantee that you'll get your files unencrypted (or that they won't just encrypt them again at a later date).
The third choice is to wipe OS X and start again from scratch (losing all your files in the process). This isn't a good option, we know, but it's the only way to be sure you don't have KeRanger on your machine.
How to remove Mac malware (for free): How to remove malware from a Mac
Here's what to do if you suspect you've already installed malware on to your Mac - typically because a website claimed to have detected problems. Follow these steps to remove the software:
- If the app is open, check the name of the app.
- Move or close the app window.
- Go to the Utilities folder in the Applications folder (or press Command-Shift-U in the Finder) and launch Activity Monitor.
- Choose All Processes.
- Look for an app called MacDefender, MacSecurity or MacProtector, or for the name of the app you noted in the first step.
- Click the Quit Process button (top-left) and select Quit.
- Quit Activity Monitor.
- Open the Applications folder and locate the app (called MacDefender, MacSecurity, MacProtector, or some other name).
- Drag the unwanted app to the Trash, then empty the Trash.
You can find more advice on deleting malware from a Mac on the Apple Support website. If you're unsure whether you have deleted the malware from your Mac, then consider taking the Mac into an Apple Store and asking an Apple Genius to look at it. (See How to book an appointment with an Apple Genius.)
How to remove Mac malware (for free): How to protect your Mac from malware in the future
Now that you've checked and removed any malware from your Mac, you may want to ensure that your Mac doesn't get any malicious software in the future.
Here are some tips to follow to ensure you don't get any more malware:
- Ensure your Mac is up to date. Open the App Store app and click Update All.
- Turn on automatic updates. Open System Preferences, click App Store and select Automatically Check for Updates. Make sure Install OS X Updates and Install System Data Files and Security Updates are both selected.
- Make sure the Mac only allows apps from trusted developers. Open System Preferences > Security & Privacy > General. Check that the option under "Allow apps downloaded from" is set to either Mac App Store or Mac App Store and Identified Developers. If it is set to Anywhere, click the lock icon, enter your password, and change it to one of those two options.
- Get your software from the Mac App Store or from developers you know and trust.
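The same settings can be audited from the command line, which is handy when you look after more than one Mac. The script below is an added example, not from the article: it reads the Gatekeeper state with spctl and the update checkboxes through the preference keys that back the App Store pane (AutomaticCheckEnabled, AutomaticDownload, ConfigDataInstall and CriticalUpdateInstall in com.apple.SoftwareUpdate; AutoUpdate and AutoUpdateRestartRequired in com.apple.commerce). The key names are assumed to be the ones used by the OS X versions the article covers; the WARN lines print the command that turns each setting back on.

```shell
#!/bin/sh
# Added example (not from the article): audits the protections recommended
# above from the command line. Assumes OS X's spctl and defaults tools and
# the preference keys named below, which are assumed to be the keys behind
# the App Store preference pane's update checkboxes.

# Interpret `spctl --status` output: 0 when Gatekeeper assessments are
# enabled (any setting other than "Anywhere"), 1 when disabled or unknown.
gatekeeper_enabled() {
    case "$1" in
        *"assessments enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Interpret a value printed by `defaults read`: 0 when it means "on".
pref_is_on() {
    case "$1" in
        1|true|TRUE|YES|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# Read one preference key, printing "unset" when it does not exist.
read_pref() {
    defaults read "$1" "$2" 2>/dev/null || echo unset
}

# Check one boolean preference and print an OK or WARN line.
check_pref() {
    domain="$1"; key="$2"; label="$3"
    value=$(read_pref "$domain" "$key")
    if pref_is_on "$value"; then
        echo "OK   $label ($key = $value)"
        return 0
    fi
    echo "WARN $label is off ($key = $value); fix: sudo defaults write $domain $key -bool true"
    return 1
}

# Run all checks, one line per setting; returns 1 if anything is off.
audit_mac_protections() {
    status=0
    if gatekeeper_enabled "$(spctl --status 2>/dev/null)"; then
        echo "OK   Gatekeeper is enabled"
    else
        echo "WARN Gatekeeper is disabled (Anywhere); fix: sudo spctl --master-enable"
        status=1
    fi

    su=/Library/Preferences/com.apple.SoftwareUpdate
    check_pref "$su" AutomaticCheckEnabled "Automatically check for updates" || status=1
    check_pref "$su" AutomaticDownload     "Download newly available updates"  || status=1
    check_pref "$su" ConfigDataInstall     "Install system data files"         || status=1
    check_pref "$su" CriticalUpdateInstall "Install security updates"          || status=1

    commerce=/Library/Preferences/com.apple.commerce
    check_pref "$commerce" AutoUpdate                "Install app updates"  || status=1
    check_pref "$commerce" AutoUpdateRestartRequired "Install OS X updates" || status=1

    return $status
}

# Usage: run on the Mac being checked; exit status is non-zero if any
# protection is off.
audit_mac_protections
```

Because the parsing is separated from the tool calls, the interpretation of each value can be checked without a Mac, and the audit itself reports "unset" rather than failing when a key has never been written.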
How to remove Mac malware (for free): Should I install antivirus software on a Mac?
If you're particularly concerned about malware, or malicious software, then you may want to install antivirus software on your Mac computer. Opinion on antivirus software amongst the Mac community is mixed.
Some people believe that the protection Apple builds into OS X, combined with a strong password and installing only trusted software from places like the App Store, is enough. Others believe that while Macs are inherently safer than PCs, you should still install antivirus software as a precaution.
We've discussed this issue at some length in a separate article that you may like to read: Do Macs get viruses? Why you DO need security software for your Mac (our position may be apparent from the headline). See also: Apple removes claim that 'Macs don't get PC viruses' and Why Macs are safer than PCs.
And if you do choose to install antivirus software, please do so after reading this article to ensure you're installing software from a trusted source: Best Mac antivirus software.