Move over Mac Defender—there's a new malware variant in town, and it doesn't require the administrator password for installation. Security research firm Intego issued a new warning to Mac users on Wednesday, heavily cautioning users that a new variant on Mac Defender, called Mac Guard, is making the rounds via SEO poisoning online.
Intego initially warned users about a fake antivirus program called MAC Defender (it has since gone through several name and capitalization changes) earlier this month. The Mac-like app posed as an antivirus program and asked users for their credit card numbers in order to purge viruses on their machines or protect them from new ones. Although Intego initially gave Mac Defender a low risk rating because of its admin password requirement, it soon became apparent that Mac Defender was indeed beginning to make the rounds among the Mac-using community. We spoke with a number of third-party support reps, as well as several Apple Store Geniuses, who vouched for an apparent increase in Mac Defender malware reports.
When we spoke with Intego spokesperson Peter James last week, he pointed out that he initially saw a new Mac Defender variant every 12 to 24 hours, but eventually stopped seeing new versions. He warned that the creators could be revamping the malware to stay under the radar of legit antivirus software or to find new ways to poison users' machines. Now with the availability of Mac Guard, that indeed seems to be the case.
"Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. Since any user can install software in the Applications folder, a password is not needed," Intego wrote on its blog. "This package installs an application—the downloader—named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind."
Once again, the company advises users to turn off "Open 'safe' files after downloading" in their Safari preferences, since this malware (and others like it) are making their way onto users' computers via maliciously crafted URLs.
Apple itself acknowledged Mac Defender yesterday in a support document. The company promised to issue a software update that would automatically remove the malware and its variants, but also listed out instructions for how to remove it. We can only assume (or hope, at least) that Apple will include Mac Guard when it gets around to issuing that update, but in the meantime, Intego also offers its own VirusBarrier X6 tool to help remove it.
reader comments
284