Latest 'MAC Defender' malware attacks Mac OS X without password

BrianLachoreVPI · May 25, 2011

Mac Guard - New Mac Defender malware variant drops admin password requirement

Figured I'd give this its own thread - just so folks who don't read the nerd sites that I do will see it.

New Mac Defender malware variant drops admin password requirement

When we spoke with Intego spokesperson Peter James last week, he pointed out that he initially saw a new Mac Defender variant every 12 to 24 hours, but eventually stopped seeing new versions. He warned that the creators could be revamping the malware to stay under the radar of legit antivirus software or to find new ways to poison users' machines. Now with the availability of Mac Guard, that indeed seems to be the case.

"Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. Since any user can install software in the Applications folder, a password is not needed," Intego wrote on its blog. "This package installs an application—the downloader—named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind."

Once again, the company advises users to turn off "Open 'safe' files after downloading" in their Safari preferences, since this malware (and others like it) are making their way onto users' computers via maliciously crafted URLs.

Chris H. · May 25, 2011

*facepalm*

I'm hoping there's more in the upcoming security update than simply removing the old program...

OneMoreThing... · May 25, 2011

Latest 'MAC Defender' malware attacks Mac OS X without password

A new, more dangerous variant of "MAC Defender," dubbed "Mac Guard," has been discovered, and the new malware does not require an administrator password to install.

iWhat · May 25, 2011

Going to merge these real quick, posting to the Twitters soon.

bobtomay · May 25, 2011

And if anyone finds a link for this new variant, PM me with it and I'll go grab it.

andymac2210 · May 25, 2011

What are the people who claim this can't happen going to say now?

harryb2448 · May 25, 2011

Who says what can't happen? Malware is always a threat this one is just a little more professional looking.

CrimsonRequiem · May 25, 2011

harryb2448 said:
Who says what can't happen? Malware is always a threat this one is just a little more professional looking.

It's not just professional looking it's also pretty convincing as legit.

McYukon · May 25, 2011

I'm still waiting for this to install itself on my machine, so I can look at it's inner workings

Lifeisabeach · May 26, 2011

I recall reading a few weeks ago that an AV vendor said there was evidence that malware writers had finished constructing a development kit for writing malware for OS X and a major assault was imminent. After all these years of crying wolf, it looks like they were actually right. This stuff is here, it's real, and it's here to stay.

Randy B. Singer · May 26, 2011

Some feedback from someone within the Mac security industry:

"First let me say that the only information I have is based on the Intego analysis that was published. Neither I nor any of the Mac forensic analysts I know have been able to get our hands on this version.
...

"If you are not running as Admin then it won't install without a password. If you are an Admin then you must click on the installer's "Continue..." button once it launches and probably the "Install" button after that, but no password is required."

So, it may be that this version of Mac Defender isn't currently out in the wild.

It also appears that, even though it doesn't require a password to install, some volitional human involvement is still required for it to install.

robduckyworth · May 26, 2011

McYukon said:
I'm still waiting for this to install itself on my machine, so I can look at it's inner workings

just do a google image search for "Osama bin Laden", im sure you will get it soon enough

dtravis7 · May 26, 2011

robduckyworth said:
just do a google image search for "Osama bin Laden", im sure you will get it soon enough

Is that for real? Search for that and you will find that new malware?

bobtomay · May 26, 2011

Well, I just went through about 100 of them, clicking at random. Found nothing.

(I think it would be great if Intego was caught in a hoax. Not sayin' it is, but... I want to see what will install without user input myself.)

dtravis7 · May 26, 2011

bobtomay said:
Well, I just went through about 100 of them, clicking at random. Found nothing.

(I think it would be great if Intego was caught in a hoax. Not sayin' it is, but... I want to see what will install without user input myself.)

That was why I asked Robert before I wasted time with it!

Not feeling well tonight. Inner Ear acting up for the first time in over 3 months.

kind of wanted to see what it does.

robduckyworth · May 26, 2011

dtravis7 said:
Is that for real? Search for that and you will find that new malware?

well, the youtube video i watched where the guy was looking at mac defender (i think i linked it earlier in this post, or a similar one) and that was how he managed to get it anyway. maybe google has refined the search now.

http://www.youtube.com/watch?v=L6cvUY4CGp0

schweb · May 26, 2011

Cue the fanboys...3...2...1.

MYmacROX · May 26, 2011

Ok, so it self-installs without your password.
Then what happens? It doesn't do anything malicious to your Mac, does it? I thought the purpose was to solicit your credit card info when it scares you into purchasing. Or did things change with this new version?
I was going to warn my wife (not the most tech-savvy person) if it pops up to just close the window with command+W or quit Safari with command+Q, then come tell me so I can delete it. I wonder if that strategy is still sufficient...

baggss · May 26, 2011

That's my question. If it installs it would likely have to show some sort of an installation dialoge as indicated in a previouse post in this thread. So if one cancels the install process, assuming one can, then it shouldn't install. Even if it does, what does it do once it's there?

McBie · May 26, 2011

It will launch an installer and wait for the user to click " Continue ".
The next step usually is to ask for your password .... that step will be skipped.
So if you quit the installer and not click " continue " on the first dialogue you are good.
Go into the download folder and delete the bloody thing.

After that, cancel your internet subscription

Cheers ... McBie