
Latest 'MAC Defender' malware attacks Mac OS X without password

post #1 of 94
A new, more dangerous variant of "MAC Defender," dubbed "Mac Guard," has been discovered, and the new malware does not require an administrator password to install.

The discovery was announced on Wednesday by security firm Intego. Unlike previous versions of the software, which required users to enter an administrator password to install the fake antivirus, the latest variant uses a different install method.

"The first part is a downloader, a tool that, after installation, downloads a payload from a web server," the security firm said. "As with the Mac Defender malware variants, this installation package, called avSetup.pkg, is downloaded automatically when a user visits a specially crafted web site."

No administrator's password is required to install the application, and if users have Safari's "Open 'safe' files after downloading" option checked, the package will open Apple's Mac OS X Installer, and users will see a standard installation screen. However, at this point users must still agree to install the "MAC Defender" malware.

The second part of the malware is a new version called "MacGuard." The avRunner application automatically downloads "MacGuard," which, like its predecessor, aims to trick users into providing credit card numbers in exchange for supposedly ridding a user's system of "infected" files.

This week, Apple posted instructions on its website explaining how to remove the "MAC Defender" malware. The company also revealed it will release an update to its Mac OS X operating system that will automatically find and remove the malware.



Some reports have suggested that the "MAC Defender" malware has spread quickly, with one anonymous AppleCare representative claiming that the "overwhelming majority" of recent calls to Apple were related to the malware. The software was first discovered early this month, also by Intego.

While the original variant was categorized as a "low" threat because it requires users to type in an administrator password, the latest version is considered more dangerous, and was ranked with a "medium" risk.

The malware has spread through search engines like Google via a method known as "SEO poisoning." Using this technique, phony sites are designed to game search engine algorithms and show up when users search for certain topics.
post #2 of 94
I wish the press would stop using words like "virus" and "attack". The software doesn't attack anything (other than the intelligence of those who install it) and it is not a virus nor is it a trojan. It's a phishing attack, a software con artist that depends on users making at least one conscious decision to actually install the thing onto their systems.
post #3 of 94
the fact that you are intentionally installing a program, regardless of entering a password, should mean the risk is still low.
post #4 of 94
Yeah, installing a trojan horse bit of nagware is only an "attack" in the mind of Ed Bott. The ability to load software limited to the current admin user is also not a "dangerous" new development. The user has to be an ADMIN who is PURPOSELY INSTALLING SCARE-WARE from an unknown source.

This is an irresponsible headline and lead for AI to be printing.

Inaccurate, misleading, sensationalist.
post #5 of 94
True, attacking the intelligence of the end user; the weaklings amongst them will provide the card details too. The press nowadays is all about clicks, the loudest and the fastest, but little attention is paid to reputation, accuracy and responsibility.

OTOH, those who made this nuisance wouldn't go far on OSX with this kind of approach, especially when it is now a well-publicised issue for which Apple has already posted a solution.
post #6 of 94
When this type of nonsense happens to Windows users...many Apple people I know (I use both OS X and Windows computers) use this as a reason to switch from PC to Mac.
post #7 of 94
Would anyone download an unknown, untested, un-vouched-for "defender" or "guard" or anything else for that matter, but especially something that claims to be a defender, guard, etc....?
post #8 of 94
Quote:
Originally Posted by bitWrangler View Post

It's a phishing attack, a software con artist that depends on users making at least one conscious decision to actually install the thing onto their systems.

and it makes me wonder why people click "OK" to begin with. I mean seriously. I've seen macdefender ads all over. It's a classic scam, why would anyone think it is in fact ok?
turtles all the way up and turtles all the way down... infinite context means infinite possibility
post #9 of 94
Quote:
Originally Posted by lamewing View Post

When this type of nonsense happens to Windows users...many Apple people I know (I use both OS X and Windows computers) use this as a reason to switch from PC to Mac.

Great post...and bang goes Apple's marketing...


Win PC user installs trojan = Win PC bad
OSX user installs trojan = User bad

????
post #10 of 94
Quote:
Originally Posted by spliff monkey View Post

and it makes me wonder why people click "OK" to begin with. I mean seriously. I've seen macdefender ads all over. It's a classic scam, why would anyone think it is in fact ok?

Because users trust their Apple products. They have been told that no matter what, there is no malware written for their computers. So, clicking "Okay" can't harm them, right? Because that's what Apple said.

(What I don't get, is why people are downloading an AV program for an OS that touts it not needing one. Ironic.)

Viruses Ad

Spyware Ad

Of course, you do need AV for Windows. Sadly, most people get bamboozled into buying something like Norton or McAfee or some other resource hog... so maybe that's part of it too.
Go Linux, Choose a Flavor!
"I aim to misbehave"
post #11 of 94
Quote:
Originally Posted by Archipellago View Post

Great post...and bang goes Apple's marketing...


Win PC user installs trojan = Win PC bad
OSX user installs trojan = User bad

????

Forgetting the viruses on PC?
post #12 of 94
I've always hated and never understood why the option existed in Safari to automatically 'Open "Safe" files after downloading'. I don't think Safari really knows what's SAFE and what's not. Bad Apple!
post #13 of 94
Hive-mind thinking, perpetuated by some advocates of Apple products, that Mac OS X doesn't suffer from malicious software is dangerous. The ignorance and arrogance, on the part of the advocates, is also unfortunate.
post #14 of 94
Quote:
Originally Posted by bitWrangler View Post

I wish the press would stop using words like "virus" and "attack". The software doesn't attack anything (other than the intelligence of those who install it) and it is not a virus nor is it a trojan. It's a phishing attack, a software con artist that depends on users making at least one conscious decision to actually install the thing onto their systems.

I wish some people would stop using the word attack to describe this too.

Sorry, could not resist.
NoahJ
"It is unwise to be too sure of one's own wisdom. It is healthy to be reminded that the strongest might weaken and the wisest might err." - Mahatma Gandhi
post #15 of 94
How about Google cleaning up its act? Oh, right, why should Google do anything to help a competitor? Perhaps we should switch to Bing in protest.

As for Apple cleaning up after malware with OS updates, this approach seems destined to fail when the variety of malware explodes.
post #16 of 94
Quote:
Originally Posted by Cpsro View Post

How about Google cleaning up its act? Oh, right, why should Google do anything to help a competitor? Perhaps we should switch to Bing in protest.

As for Apple cleaning up after malware with OS updates, this approach seems destined to fail when the variety of malware explodes.

What is there to clean up at Google, or Bing, or Yahoo? All three can be cheated by SEO techniques.
post #17 of 94
Quote:
Originally Posted by bitWrangler View Post

I wish the press would stop using words like "virus" and "attack". The software doesn't attack anything (other than the intelligence of those who install it) and it is not a virus nor is it a trojan. It's a phishing attack, a software con artist that depends on users making at least one conscious decision to actually install the thing onto their systems.

Um, see anything ironic about the parts I highlighted? And you are simply mincing words anyway. It's a threat. And the people who are most likely to be victims don't know or care about the technical distinction you are trying to make. In my book, if someone lays out landmines hoping I'll step on one, I'd call that an attack.

The article left out one critical piece of info...the no password version only works if you are logged in as an admin account. From the Intego article:

Quote:
Since any user with an administrator's account (the default if there is just one user on a Mac) can install software in the Applications folder, a password is not needed.

This is an area I think Apple would do well to better educate their customers. The difference between admin and non-admin accounts. And they should encourage users to not use admin accounts for anything other than administering their computers. And use non-Admin accounts for regular, daily use. It's not fool-proof, but it ensures that the user will be asked for a password, and one that's different from their normal daily login password (hopefully). And that will be one more chance for the person to stop and think about what they are doing.
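As an added example (not code from the AppleInsider article, from Intego, or from any poster here), this script audits the three conditions the article and the post above describe for the password-less avSetup.pkg path: membership in the admin group, Safari's "Open 'safe' files after downloading" option, and a writable /Applications folder. The helper names and the sample group list are ours; `id -Gn` and the Safari preference key AutoOpenSafeDownloads are real macOS commands and keys.

```shell
#!/bin/sh
# Added example, not from the article or Intego: audit the conditions under
# which the Installer can run avSetup.pkg without asking for a password.
#   (1) the logged-in user is in the "admin" group
#   (2) Safari's "Open 'safe' files after downloading" is on
#   (3) /Applications is writable by that user
# The helpers take their inputs as arguments so they can be checked offline.

# is_admin_groups "<group list>": succeeds when "admin" is among the groups
# (the space-separated format printed by `id -Gn` on macOS).
is_admin_groups() {
    for g in $1; do
        [ "$g" = "admin" ] && return 0
    done
    return 1
}

# auto_open_enabled "<value>": succeeds when Safari would auto-open downloads.
# The value is what `defaults read com.apple.Safari AutoOpenSafeDownloads`
# prints; an empty value (key never changed) is treated as on, which was
# Safari's default at the time (assumption noted here).
auto_open_enabled() {
    case "$1" in
        0|false|FALSE|no|NO) return 1 ;;
        *) return 0 ;;
    esac
}

# describe_exposure "<groups>" "<auto-open value>" "<apps writable: y|n>"
# prints one of:
#   prompt-required    - not admin, or /Applications not writable: the
#                        Installer has to ask for an admin password
#   silent-on-click    - admin and writable, but the .pkg only runs once the
#                        user opens the downloaded file
#   silent-on-download - admin, writable and auto-open: visiting the page is
#                        enough to reach the Installer screen
describe_exposure() {
    if ! is_admin_groups "$1" || [ "$3" != "y" ]; then
        echo "prompt-required"
    elif auto_open_enabled "$2"; then
        echo "silent-on-download"
    else
        echo "silent-on-click"
    fi
}

# Live audit of the current account; only meaningful on macOS.
audit_this_mac() {
    [ "$(uname)" = "Darwin" ] || { echo "not macOS; nothing to audit"; return 0; }
    groups=$(id -Gn)
    auto_open=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)
    if [ -w /Applications ]; then w=y; else w=n; fi
    echo "admin member:     $(is_admin_groups "$groups" && echo yes || echo no)"
    echo "auto-open safe:   $(auto_open_enabled "$auto_open" && echo yes || echo no)"
    echo "/Applications rw: $w"
    echo "exposure:         $(describe_exposure "$groups" "$auto_open" "$w")"
}

# Constructed sample: a default single-user Mac, where setup made the account
# an admin and the Safari option was never touched.
SAMPLE_GROUPS="staff everyone localaccounts admin"
if [ "${1:-}" = "--audit" ]; then audit_this_mac; fi
```

Run it with `--audit` on a Mac to see which of the three conditions hold for the current account; a standard (non-admin) account reports prompt-required regardless of the Safari setting.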
post #18 of 94
deleted
post #19 of 94
Quote:
Originally Posted by jpellino View Post

Would anyone download an unknown, untested, un-vouched-for "defender" or "guard" or anything else for that matter, but especially something that claims to be a defender, guard, etc....?

Because 99% of typical users are completely naive. They are not stupid people but they are ignorant of the risks and will click on just about anything. It's a reflex action almost. This, unfortunately, is more typical of Mac users because they have been duped into believing nothing can touch OS X. I have finally convinced other family members to not respond to any emails requesting personal information or asking them to "verify" their account.
post #20 of 94
deleted
post #21 of 94
Quote:
Originally Posted by jpellino View Post

Would anyone download an unknown, untested, un-vouched-for "defender" or "guard" or anything else for that matter, but especially something that claims to be a defender, guard, etc....?

Because 99% of users are not the type of people to frequent special-interest Apple forums.

Many of the most important software concepts were invented in the 70s and forgotten in the 80s.

post #22 of 94
Quote:
Originally Posted by Wiggin View Post


The article left out one critical piece of info...the no password version only works if you are logged in as an admin account.

... and Apple's decision is that the setup process creates a user that is an admin account.

Apple can make the setup process do anything they want but they have chosen the most dangerous option.

I want Apple to be out there showing how good IT is done, but they are not doing it.

They should be proactive, not reactive. There is a lot they can do to reduce these problems.

Many of the most important software concepts were invented in the 70s and forgotten in the 80s.

post #23 of 94
Quote:
Originally Posted by spliff monkey View Post

and it makes me wonder why people click "OK" to begin with. I mean seriously. I've seen macdefender ads all over. It's a classic scam, why would anyone think it is in fact ok?

Scam exists because a tiny percentage buy it, and another tiny percentage is criminal.
post #24 of 94
Quote:
Originally Posted by MacRulez View Post

"virus attack" - what happens when Windows users download malware

"not even a problem, just a stupidity filter" - when the same thing happens on Mac

No, a virus attack is when you browse the web on a Windows PC and your machine becomes unusable because all this crap has installed itself and taken over your computer. The only workaround is installing and maintaining AV software, which takes a hit on performance and RAM.

Those kinds of issues are simply not there on Macs. No matter how much you try to suggest that some fake scam app is viral or dangerous or malicious (all it does is try to make you pay for it) the reality is that this thing does not damage your Mac and is trivial to remove.

Many PC users give up and buy a new machine after getting loaded down with adware/spyware and viruses, which are a plague on Windows. Trying to suggest Macs and Windows PCs are in the same boat is simply lying.

It's certainly possible that somebody could invest the efforts to target 10% of the market with virulent, damaging attacks, but that hasn't happened yet and there's not really a business model supporting that rather than targeting the low hanging fruit of the 90% installed base of Windows, most of which is unpatched and already has functional exploits written for it. And Apple can shut down attacks pretty rapidly, making all the effort of targeting the Mac that much less rewarding.

Comparing the virus situation on Windows with Macs is like comparing a meth-injecting homeless prostitute with open skin wounds to a newborn baby being raised by a Stepford housewife, and suggesting that the baby is in the same grave danger of getting lethal health problems because someday it will grow up and perhaps begin smoking. Absolute nuttery.
post #25 of 94
Quote:
Originally Posted by Archipellago View Post

Great post...and bang goes Apple's marketing...


Win PC user installs trojan = Win PC bad
OSX user installs trojan = User bad

????

AppleInsider isn't calling the user bad. The malware authors = bad.

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #26 of 94
Quote:
Originally Posted by MacRulez View Post

Ironically, it's the myth of immunity that gives so many Mac users the confidence to download anything they come across on the web - "Hey, I keep hearing that Mac has no viruses, so what could go wrong?"

This isn't classified as a virus.
Nothing will go wrong if you don't agree to install this malware.

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #27 of 94
Quote:
Originally Posted by jpellino View Post

Would anyone download an unknown, untested, un-vouched-for "defender" or "guard" or anything else for that matter, but especially something that claims to be a defender, guard, etc....?

There are tons of numpties out there. They google "free Mac antivirus" and implicitly trust whatever google search throws up. They probably also click on banner ads proclaiming them a winner for being the millionth person to visit a site. Before using any web service for the first time I, at the very least, google "servicename + scam".

That's not to say it's not Apple's responsibility. I hope this is another area they take the lead, unlike Microsoft, which allowed an entire industry of antivirus software companies to write the viruses that scared people into paying for their software. The curated app store is a good first step.

But ultimately people need to think of the Internet as the wild west, not a shopping mall.
post #28 of 94
Quote:
Originally Posted by Archipellago View Post

Great post...and bang goes Apple's marketing...


Win PC user installs trojan = Win PC bad
OSX user installs trojan = User bad

????

Horrible post

Apple NEVER said anything about trojan horses.

iPhone 4S 64GB, Black, soon to be sold in favor of a Nokia Lumia 920
Early 2010 MacBook Pro 2.4GHz, soon to be replaced with a Retina MacBook Pro, or an Asus U500

post #29 of 94
Quote:
Originally Posted by PXT View Post

... and Apple's decision is that the setup process creates a user that is an admin account.

Apple can make the setup process do anything they want but they have chosen the most dangerous option.

I want Apple to be out there showing how good IT is done, but they are not doing it.

They should be proactive, not reactive. There is a lot they can do to reduce these problems.

I agree with this. I think Apple has this in mind too because I think I read it somewhere as a feature of Lion. I use an admin account on my single user Mac setup. I am safe. I'm paranoid about security. I use 1Password's keychain and not Apple's. It locks itself by default. You can keep it open for a period of time, if you want to. I use Little Snitch too. However 1PWD is browser wide. Apple's keychain can also be locked system wide but it's not elegant. I use other security measures like sand-boxing all downloads to the DL folder where ClamXav monitors this folder on the fly. I think you'll see a much better solution for this in Lion, where no one runs in admin mode. There is really no need to run in admin mode. That said, whatever Apple does won't protect those gullible people. They will give their password and the kitchen sink too.
post #30 of 94
Quote:
No, a virus attack is when you browse the web on a Windows PC and your machine becomes unusable because all this crap has installed itself and taken over your computer. The only workaround is installing and maintaining AV software, which takes a hit on performance and RAM.

Wrong on all accounts

1. A virus doesn't come from any and every web browsing on a PC. In fact if you use any browser EXCEPT for Internet Explorer, you're pretty much safe.

2. A virus doesn't always render a PC useless. Quite the opposite. Many times a PC will continue to function as it always has with the only programs having trouble are programs capable of dealing with the virus in some way. Keyloggers are famous for this.

3. AV software is NOT the ONLY workaround; if you think this then you, sir, are incredibly naive. Most of these viruses can be found via program file search or even re-booting under safe mode and locating the file there, which one can promptly delete. Is it easy? Most of the time yes. Other times it requires extensive work but EVERY virus on Windows can do 2 things:

Bypass AV software and be removed without the former.
post #31 of 94
Anything that downloads itself gets trashed immediately.

Obey the previous sentence and you'll never have any trouble.

Unless YOU as a user click a download button on a website causing a related file to download, any files in your designated downloads folder should be immediately destroyed.

Originally posted by Marvin

Even if [the 5.5” iPhone] exists, it doesn’t deserve to.
post #32 of 94
Quote:
Originally Posted by camroidv27 View Post

Because users trust their Apple products. They have been told that no matter what, there is no malware written for their computers. So, clicking "Okay" can't harm them, right? Because that's what Apple said.

Can you point us to any examples of Apple saying this?
post #33 of 94
Quote:
Originally Posted by Archipellago View Post

Great post...and bang goes Apple's marketing...


Win PC user installs trojan = Win PC bad
OSX user installs trojan = User bad

????

While Windows users are susceptible to phishing attacks such as this, they have also been historically susceptible to a legion of viruses and other malware that do not require the user to 1) allow the installation of an unknown program and 2) enter an admin password.
post #34 of 94
Quote:
Originally Posted by lamewing View Post

When this type of nonsense happens to Windows users...many Apple people I know (I use both OS X and Windows computers) use this as a reason to switch from PC to Mac.

And, if it were to happen to a Mac, what are you gonna do? Switch back to PCs?
post #35 of 94
Quote:
Originally Posted by freediverx View Post

Can you point us to any examples of Apple saying this?

No. Because Apple expressly states otherwise.

Originally posted by Marvin

Even if [the 5.5” iPhone] exists, it doesn’t deserve to.
post #36 of 94
Quote:
Originally Posted by freediverx View Post

Can you point us to any examples of Apple saying this?

Didn't they say in the ads that there are no viruses or spyware for macs? I distinctly heard that.
True, a Trojan isn't a computer virus by definition, so I'll give you that one. But, when you are advertising to the general public, most don't know the difference between a Virus, Worm, or Trojan, or Spyware, or Malware, or any of the other kinds I didn't list. It's that general public who have been downloading the Mac Defender in the first place, not people who visit sites like this.

[EDIT] Just saw the post above with the web page. Nice find. Clearly states it's not 100%. Does it say that Macs are Secure... Yes. Are they? Not as much as the general public perceives them to be. Hence, the problem. Apple says it's secure, so people trust it.
Go Linux, Choose a Flavor!
"I aim to misbehave"
post #37 of 94
Quote:
Originally Posted by freediverx View Post

Quote:
Originally Posted by camroidv27 View Post

Because users trust their Apple products. They have been told that no matter what, there is no malware written for their computers. So, clicking "Okay" can't harm them, right? Because that's what Apple said.

Can you point us to any examples of Apple saying this?

They come really close to that statement in the very first paragraph here:

http://www.apple.com/macosx/security/
melior diabolus quem scies
post #38 of 94
deleted
post #39 of 94
deleted
post #40 of 94
Quote:
Originally Posted by Archipellago View Post

Great post...and bang goes Apple's marketing...


Win PC user installs trojan = Win PC bad

Let me fix that for you:

- Win PC user installs trojan = Win PC User error
- Win PC user does nothing much, Win PC snarfs up viruses and other random malware just by being powered on = Win PC bad


Quote:
OSX user installs trojan = User error

????

No charge for the upgrade/repair. You're welcome.