03 Aug How to Recover from “Redirect-AVScanner.com” or Other Malware Hijacking Safari on Mac OS X
Over the weekend I was troubleshooting a machine on which Safari was being hijacked by a pop-up and an audible voice message claiming the machine had a “MAC iOS Alert”.
The malware completely took over Safari and wouldn’t allow any other tab to open. The message on the screen essentially said there was a security update to fix an SSL connection and that I just had to call the “Apple Support” number. Even if you hit the OK button, you were stuck. The only thing that could be done was a Force Quit on Safari.
Red flag alert! Don’t call the number.
I know those of you who are LANDESK admins won’t do it, but for anyone else that may stumble upon this article, DO NOT call the number on the screen and DO NOT pay them any money.
For information on how to remove Mac Defender, I looked at Apple’s article on removing Mac Defender, but it covered 10.6 and earlier and didn’t help much. My machine was on 10.10, so I kept searching and ended up using this article on StackExchange.
Basically, I deleted the following files:
- ~/Library/Saved\ Application\ State/com.apple.Safari.savedState
- ~/Library/Cookies (all cookies in the folder)
I then relaunched Safari and all was well; Safari was back to normal.
If you’re a LANDESK customer and want to deploy a script to remediate more than one machine, copy the code below into a shell script. Just set the execute permissions on it and copy it to your distribution repository.
#!/bin/bash
# Redirect-AVScanner Malware Removal.sh
# August 3, 2015
# Remove the saved Safari session so the hijacked page is not restored on relaunch.
rm -rf ~/Library/Saved\ Application\ State/com.apple.Safari.savedState
rm -rf ~/Library/Safari/LastSession.plist
# Clear every cookie stored in the current user's profile.
rm -rfv ~/Library/Cookies/*
Since these folder locations are inside the user’s profile, creating a deploy package may be a bit more difficult if multiple profiles exist on a single machine. It may be best to create an optional package and publish it into Workspaces.
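The script above only touches the home directory of whoever runs it. As an added example (not from the original post or from LANDESK), the version below runs as root and applies the same three deletions to every profile under a users root, which is one way to handle the multi-profile case; the function names, the /Users layout and the skipping of the Shared folder are assumptions.

```shell
#!/bin/bash
# Added example: clean the hijacked Safari session data for every user
# profile under a users root (default /Users on OS X). Performs the same
# three removals as the single-user script, once per home directory.

# Remove Safari saved state, last session and cookies for one home directory.
clean_safari_state() {
    h="$1"
    [ -d "$h" ] || return 1
    rm -rf "$h/Library/Saved Application State/com.apple.Safari.savedState"
    rm -f  "$h/Library/Safari/LastSession.plist"
    # Empty the cookie folder but leave it in place so Safari can recreate files.
    if [ -d "$h/Library/Cookies" ]; then
        rm -rf "$h/Library/Cookies"/*
    fi
    return 0
}

# Walk every profile under the users root, skipping Shared, which is not a
# login profile on OS X. Prints the number of profiles cleaned.
clean_all_profiles() {
    root="${1:-/Users}"
    count=0
    for home in "$root"/*; do
        [ -d "$home" ] || continue
        case "$(basename "$home")" in Shared) continue ;; esac
        clean_safari_state "$home" && count=$((count + 1))
    done
    echo "$count"
}

# Only act when a users root is given explicitly, e.g.:
#   sudo ./clean-safari-profiles.sh /Users
if [ -n "${1:-}" ]; then
    cleaned=$(clean_all_profiles "$1")
    echo "cleaned $cleaned profile(s) under $1"
fi
```

Users who are logged in at the time should quit Safari first, since a running Safari will rewrite its session files when it exits.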
To create your Workspace package, use the following steps:
- Open the LANDESK Console
- Navigate to the top menu bar, select Tools > Distribution > Distribution Packages.
- In the lower left menu tree, highlight My Packages or Public Packages from within the Distribution Packages window
- On the Distribution menubar, press the New Package button and select New Macintosh Package.
- Give the package a name (I used #1 MacDefender Removal)
- Provide a description if desired
- Set the primary file to the zip file you previously transferred to your software distribution folder
- Fill out the Metadata details if desired, specifically supplying a logo so it shows up properly in the portal
- Save the package
With the malware removal package created, just schedule a task for deployment.
- Right click on the malware removal package created and select Create Scheduled Task
- From the network view, select and drag the desired machine(s), user(s) or query(ies) and drop them onto the task
- Now, right click on the task and select Properties
- Set the desired Task type under Task Settings as to whether you want a push, a policy or a hybrid of the two types in a policy-supported push.
- Set the radio button in the Portal Settings to either Recommended or Optional. You’ll also want to check the box for “Allow users to run as desired (keep in portal after selected)” so they can execute the script multiple times if need be.
- Change the Reboot Settings or Distribution and Patch settings if desired
- Set the schedule task settings with the appropriate start time