Latest 'MAC Defender' malware attacks Mac OS X without password
A new, more dangerous variant of "MAC Defender," dubbed "Mac Guard," has been discovered, and the new malware does not require an administrator password to install.
The discovery was announced on Wednesday by security firm Intego. Unlike previous versions of the software, which required users to enter an administrator password to install the fake antivirus, the latest variant uses a different install method.
"The first part is a downloader, a tool that, after installation, downloads a payload from a web server," the security firm said. "As with the Mac Defender malware variants, this installation package, called avSetup.pkg, is downloaded automatically when a user visits a specially crafted web site."
No administrator's password is required to install the application, and if users have Safari's "Open 'safe' files after downloading option checked, the package will open Apple's Mac OS X installer, and users will see a standard installation screen. However, at this point users must still agree to install the "MAC Defender" malware.
The second part of the malware is a new version called "MacGuard." The avRunner application automatically downloads "MacGuard," which, like its predecessor, aims to trick users into providing credit card numbers in exchange for supposedly ridding a users' systems of "infected" files.
This week, Apple posted instructions on its website explaining how to remove the "MAC Defender" malware. The company also revealed it will release an update to its Mac OS X operating system that will automatically find and remove the malware.
Some reports have suggested that the "MAC Defender" malware has spread quickly, with one anonymous AppleCare representative claiming that the "overwhelming majority" of recent calls to Apple were related to the malware. The software was first discovered early this month, also by Intego.
While the original variant was categorized as a "low" threat because it requires users to type in an administrator password, the latest version is considered more dangerous, and was ranked with a "medium" risk.
The malware has spread through search engines like Google via a method known as "SEO poisoning." Using this technique, phony sites are designed to game search engine algorithms and show up when users search for certain topics.
The discovery was announced on Wednesday by security firm Intego. Unlike previous versions of the software, which required users to enter an administrator password to install the fake antivirus, the latest variant uses a different install method.
"The first part is a downloader, a tool that, after installation, downloads a payload from a web server," the security firm said. "As with the Mac Defender malware variants, this installation package, called avSetup.pkg, is downloaded automatically when a user visits a specially crafted web site."
No administrator's password is required to install the application, and if users have Safari's "Open 'safe' files after downloading option checked, the package will open Apple's Mac OS X installer, and users will see a standard installation screen. However, at this point users must still agree to install the "MAC Defender" malware.
The second part of the malware is a new version called "MacGuard." The avRunner application automatically downloads "MacGuard," which, like its predecessor, aims to trick users into providing credit card numbers in exchange for supposedly ridding a users' systems of "infected" files.
This week, Apple posted instructions on its website explaining how to remove the "MAC Defender" malware. The company also revealed it will release an update to its Mac OS X operating system that will automatically find and remove the malware.
Some reports have suggested that the "MAC Defender" malware has spread quickly, with one anonymous AppleCare representative claiming that the "overwhelming majority" of recent calls to Apple were related to the malware. The software was first discovered early this month, also by Intego.
While the original variant was categorized as a "low" threat because it requires users to type in an administrator password, the latest version is considered more dangerous, and was ranked with a "medium" risk.
The malware has spread through search engines like Google via a method known as "SEO poisoning." Using this technique, phony sites are designed to game search engine algorithms and show up when users search for certain topics.
Comments
This is an irresponsible headline and lead for AI to be printing.
Inaccurate, misleading, sensationalist.
OTH, they who made this nuisances wouldn't go far with OSX with this kind of approach especially when it is now a well publicised issue of which Apple already post a solution.
It's a phishing attack, a software con artist that depends on users making at least one conscious decision to actually install the thing onto their systems.
and it makes me wonder why people click "OK" to begin with. I mean seriously. I've seen macdefender ads all over. It's a classic scam, why would anyone think it is in fact ok?
When this type of nonsense happens to Windows users...many Apple people I know (I use both OS X and Windows computers) use this as a reason to switch from PC to Mac.
Great post...and bang goes Apple's marketing...
Win PC user installs trojan = Win PC bad
OSX user installs trojan = User bad
????
and it makes me wonder why people click "OK" to begin with. I mean seriously. I've seen macdefender ads all over. It's a classic scam, why would anyone think it is in fact ok?
Because users trust their Apple products. They have been told that no matter what, there is no malware written for their computers. So, clicking "Okay" can't harm them, right? Because that's what Apple said.
(What I don't get, is why people are downloading an AV program for an OS that touts it not needing one. Ironic.)
Viruses Ad
Spyware Ad
Of course, you do need AV for Windows. Sadly, most people get bamboozled into buying something like Norton or McAfee or some other resource hog... so maybe that's part of it too.
Great post...and bang goes Apple's marketing...
Win PC user installs trojan = Win PC bad
OSX user installs trojan = User bad
????
Forgetting the viruses on PC?
http://www.youtube.com/watch?v=GQb_Q...eature=related
hive mind thinking, perpetuated by some advocates of Apple products, that Mac OS X doesn't suffer from malicious software is dangerous. the ignorance and arrogance, on the part of the advocates, is also unfortunate.
I wish the press would stop using words like "virus" and "attack". The software doesn't attack anything (other then the intelligence of those who install it) and it is not a virus nor is it a trojan. It's a phishing attack, a software con artist that depends on users making at least one conscious decision to actually install the thing onto their systems.
I wish some people would stop using the word attack to describe this too.
Sorry, could not resist.
As for Apple cleaning up after malware with OS updates, this approach seems destined to fail when the variety of malware explodes.
How about Google cleaning up its act? Oh, right, why should Google do anything to help a competitor? Perhaps we should switch to Bing in protest.
As for Apple cleaning up after malware with OS updates, this approach seems destined to fail when the variety of malware explodes.
What have to clean Google, or Bing, or Yahoo. All of three can be cheated by SEO techniques.
I wish the press would stop using words like "virus" and "attack". The software doesn't attack anything (other then the intelligence of those who install it) and it is not a virus nor is it a trojan. It's a phishing attack, a software con artist that depends on users making at least one conscious decision to actually install the thing onto their systems.
Um, see anything ironic about the parts I highlighted? And you are simply mincing words anyway. It's a threat. And the people who are most like to be victims don't know or care about the technical distinction you are trying to make. In my book, if someone lays out landmines hoping I'll step on one, I'd call that an attack.
The article left out one critical piece of info...the no password version only works if you are logged in as an admin account. From the Intego article:
Since any user with an administrator?s account ? the default if there is just one user on a Mac ? can install software in the Applications folder, a password is not needed.
This is an area I think Apple would do well to better educate their customers. The difference between admin and non-admin accounts. And they should encourage users to not use admin accounts for anything other than administering their computers. And use non-Admin accounts for regular, daily use. It's not fool-proof, but it ensures that the user will be asked for a password, and one that's different from their normal daily login password (hopefully). And that will be one more chance for the person to stop and think about what they are doing.
Would anyone download an unknown, untested, un-vouched-for "defender" or "guard" or anything else for that matter, but especially something that claims to be a defender, guard, etc....?
Because 99% of typical users are completely naive. They are not stupid people but they are ignorant of the risks and will click on just about anything. It's a reflex action almost. This, unfortunately, is more typical of Mac users because they have been duped into believing nothing can touch OS X. I have finally convinced other family members to not respond to any emails requesting personal information or asking them to "verify" their account.
Would anyone download an unknown, untested, un-vouched-for "defender" or "guard" or anything else for that matter, but especially something that claims to be a defender, guard, etc....?
Because 99% of users are not the type of people to frequent special-interest Apple forums.