Mac malware authors release a new, more dangerous version

    Yesterday, 25 days after the Mac Defender malware began to appear in the wild, Apple finally responded. In a technical support note, “How to avoid or remove Mac Defender malware,” the company posted instructions for users to follow if they’ve encountered this malware specimen in the wild. It also promised a security update to remove infections automatically.

    File that memo under, “Too little, too late.”

    Within 12 hours of Apple’s announcement, the author of the original Mac Defender program had a new variant available that renders key portions of the current Mac Defender prevention plan obsolete.
    A security researcher for Intego, the Mac-centric security company that identified the original Mac Defender, found the first example of this new code via a poisoned Google search very early this morning.

    Several factors make this specimen different. For starters, it has a new name: MacGuard. That’s not surprising, given that the original program already had at least three names. But this one is divided into two separate parts.

    The first part, a downloader program, installs in the user’s Applications folder. If you’re an administrator on your Mac (and most people are, given that the overwhelming majority of Macs have only one user and the default account in that scenario is an administrator), the installer will open automatically. All you have to do is click Continue to begin the installation.
    Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. Since any user with an administrator’s account – the default if there is just one user on a Mac – can install software in the Applications folder, a password is not needed. This package installs an application – the downloader – named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind.
    The downloader portion then installs the second part, which is similar to the original Mac Defender.
    The new architecture seems to be a specific response to Apple’s instructions in the Mac Defender security note: “In some cases, your browser may automatically download and launch the installer for this malicious software. If this happens, cancel the installation process; do not enter your administrator password.”

    In this new variation, no password is required as long as you’re logged in using an administrator account. That might lull a potential victim into thinking they’re safe.
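The point above (an administrator account needs no password prompt, and the downloader lands in the Applications folder under the name avRunner) suggests a simple triage check. The script below is an added example, not code from the ZDNet article or from Intego; the functions take their inputs as parameters so they can be exercised with constructed data on any POSIX system, and on a real Mac you would call `is_admin_account "$(id -Gn)"` and `scan_apps_dir /Applications`.

```shell
#!/bin/sh
# Added example: triage checks for the MacGuard behaviour described above.
# Inputs are passed in explicitly so the functions run offline with
# constructed data; on macOS feed them `id -Gn` and /Applications.

# Return 0 if the space-separated group list contains "admin", the macOS
# group whose members can write to /Applications without a password prompt.
is_admin_account() {
    for g in $1; do
        [ "$g" = "admin" ] && return 0
    done
    return 1
}

# Print any bundle directly under $1 named after the downloader (avRunner)
# or the new variant (MacGuard); return 0 if something was found, else 1.
scan_apps_dir() {
    dir="$1"
    found=1
    for name in avRunner MacGuard; do
        for path in "$dir/$name" "$dir/$name.app"; do
            if [ -e "$path" ]; then
                echo "$path"
                found=0
            fi
        done
    done
    return $found
}

# Combine both checks: explain the password situation for this account and
# return 2 when a suspicious bundle is present, 0 when the folder is clean.
triage() {
    if is_admin_account "$1"; then
        echo "administrator account: the installer would run without a password prompt"
    else
        echo "standard account: installing to the Applications folder needs a password"
    fi
    if scan_apps_dir "$2" >/dev/null; then
        echo "suspicious bundle present in $2"
        return 2
    fi
    echo "no avRunner/MacGuard bundle in $2"
    return 0
}
```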
    I know a lot of Apple users who breathed a sigh of relief yesterday, thinking that Apple’s belated response finally means that the problem is over. As any computer security researcher will tell you, this arms war is just getting started.
    Apple appears to be treating this outbreak as if it were a single incident that won’t be repeated. They seriously underestimate the bad guys, who are not idiots. Peter James, an Intego spokesperson, told me his company’s analysts were “impressed by the quality of the original version.” The quick response to Apple’s move suggests they are capable of churning out new releases at Internet speeds, adapting their software and their tactics as their target—Apple—tries to put up new roadblocks.

    If Apple plans to play Whack-a-Mole with these guys, they’re in for months of misery. Just ask any Windows security expert who was around in 2003 and 2004 when Microsoft was learning a similar painful lesson. If each reaction from Apple takes two or three weeks, the bad guys will make a small fortune and Mac users can count on significant pain and anguish.

    Source: ZDnet
    Comments (8)

    lavino -
      Why the hell would I ever enter my credit card for some 3rd party program that I didn't even wanna download in the first place?
    usr -
      I think it is funny.. Almost all the Mac users I know lack a great deal of understanding about security. They believe they are safe from getting a virus and do not understand that today all we see are trojans, worms and malware, which work perfectly fine on any OS. The last time I saw a real virus was in the Windows 95, maybe 98, days.

      I am not really bashing Apple, I am bashing the people I know who bought Apple and their lack of understanding, which really is most computer users; nothing special about the Mac users other than that they paid 2.5 times as much for their system. Okay, I am bashing Apple some on their price.

      I did learn something from this article though. Almost everyone running a Mac is running as administrator? Wow.. that seems like a good default setting for everyday people.
    duke0102 -
      usr wrote: "I am not really bashing Apple, I am bashing the people I know who bought Apple and their lack of understanding,"
      Dude, you beat me to that one m8. Although I don't own a Mac I still think they're pretty good, but most Mac owners are smug about their 'invincible' machine and ignorant of the risks that demand an AV nowadays.
    godofhell -
      The only reason for no viruses on Macs is because 80% of the world's computers are PCs!!! Mac is a fucking toy, PC is an enterprise device.
    Xbox_360 -
      A Mac is a PC, it just has the ability to run Apple's OS; that's why I don't get Apple fanboys saying their computer is better than a PC. They better do some checking before saying that and looking completely stupid. I agree that a lot of people who own a Mac don't know much, and that has a lot to do with Apple and their "anyone can use this computer and not have to know much more than click, click" attitude.
    brilman -
      OK, stop with the "Mac or PC" game, that's been going on and on for years.

      I do find it interesting that Apple's OS seems to be getting targeted more, maybe because of the popularity of the iPhone/iPad?
    ulun64 -
      Interesting news!!!
    sertox -
      I just don't like Mac.