New MACDefender variant, MacGuard, doesn’t require password prior to standard installation

On May 2, 2011, Intego discovered the MACDefender fake antivirus torjan, which targets Mac users via SEO poisoning attacks (web sites set up to take advantage of search engine optimization tricks to get malicious sites to appear at the top of search results). Since then, several variants have appeared: MacDefender, MacProtector and MacSecurity, all of which are the same application using different names. The goal of this fake antivirus trojan software is to trick users into providing their credit card numbers to supposedly clean out infected files on their Macs.

Intego today discovered a new variant of this malware that functions slightly differently. It comes in two parts. The first part is a downloader, a tool that, after installation, downloads a payload from a web server. As with the Mac Defender malware variants, this installation package, called avSetup.pkg, is downloaded automatically when a user visits a specially crafted web site.

If Safari’s “Open ‘safe’ files after downloading” option is checked, the package will open Apple’s Installer, and the user will see a standard installation screen. If not, users may see the downloaded ZIP archive and double-click it out of curiosity, not remembering what they downloaded, then double-click the installation package. In either case, the Mac OS X Installer will launch.

MacDailyNews Note: Users would then have to follow the standard Mac OS X installation prompts to actually install the malware.

Unlike the previous variants of this fake antivirus,no administrator’s password is required to install this program. Since any user with an administrator’s account – the default if there is just one user on a Mac – can install software in the Applications folder, a password is not needed. This package installs an application – the downloader – named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind.

The second part of the malware is a new version of the MacDefender application called MacGuard. This is downloaded by the avRunner application from an IP address that is hidden in an image file in the avRunner application’s Resources folder. (The IP address is hidden using a simple form of steganography.)

Intego considers that the risk for this new variant to be medium, in part because the SEO poisoning has been very efficient in leading Mac users to booby-trapped pages, but also because no password is required to install this variant.

Means of protection: the first thing to do is make sure that when seeing a web page that looks like a Finder window, and purports to be scanning your Mac, you know that this is bogus. Leave the page, and quit your web browser. If anything has downloaded, and the Installer application has opened, quit it right away; look in your Downloads folder for the file, then delete it. Next, users should uncheck the “Open ‘safe’ files after downloading” option in Safari’s General preferences.

More info Intego’s full memo here.

Source: Intego

MacDailyNews Note: As Apple clearly states in their Mac OS X Security Configuration Guides, most recently for Mac OS X 10.6 Snow Leopard:

Administrator accounts should only be used for administration. Users should use standard user accounts for day-to-day computer use.

In addition, here’s our usual oft-repeated reminder for Mac users and anyone who’s trying to use any other platform: Do not download and authorize the installation of applications (Trojans) from untrusted sources. No OS can protect users from themselves (or we wouldn’t be able to install any software). Those who grant attackers access to their Macs, should not be surprised to find their Macs are compromised.

Related articles:
Apple: How to avoid or remove MACDefender malware (permanent fix coming in Mac OS X update) – May 24, 2011
MACDefender trojan protection and removal guide – May 20, 2011
Apple investigating ‘MACDefender’ trojan – May 19, 2011
Is Mac under a virus attack? No. – May 4, 2011
Intego: MACDefender rogue anti-malware program attacks Macs via SEO poisoning – May 2, 2011

60 Comments

  1. stupid question, these reports always mention Safari..

    If you run Firefox, like me, does it even try to install?
    I have yet to come across any of the MacXXX variants.

    also run NoScript/FlashBlocker/AdBlock etc in Firefox, so i rarely ever see any banners/ads either, which i assume may be part of the way the malware installs.

    1. Not to nitpick but I find Safari conforms more to the Mac doctrine from a usability standpoint and general design polish as compared to Firefox. Little details like closing your tab window by clicking the ‘x’ on the left consistent with the placement of the red close button on the browser window.

      I have FireFox as a secondary browser on mine – Safari has the bookmark menubar that I can’t do without.

      1. you can make Firefox look almost exactly like Safari if you wanted.
        I dont use the standard firefox skin. since i have zero bookmarks in safari, not sure what the menubar is you mention.
        I just run the “open with” addon, if a page is being bitchy, i have it switch to Safari.
        Maybe cause when i switched to mac, Safari was a joke at the time… it’s only recently that Safari has become better. And i’ve used firefox since…. hmmm. seems like forever.
        only used Safari here and there over the past year.

        Safari STILL has an annoyance that is a 100% deal breaker to me.
        Maybe it’s me.. i dunno. Or maybe it’s fixed..
        If i copy a link, from say a text file, email, webpage (non hyperlink) say http://www.amazon.com/blah/blah/blahblah/1/blah.htm for example.
        if i paste it in Safari’s’ address bar… If i hit enter… it REFRESHES the page i am on almost everytime.
        I have to manually remove the last letter of the url, then retype it… THEN enter. and then it will open. Bugs the ever living shit outta me.
        Maybe it was a bug, or a “feature” i need to change, or i dont care… all i know is it is frustrating.
        maybe someone is going to laugh at me and say I need to press a different key combo, or instead of enter click something.. or maybe its some setting i need to change. i dont care, i’m perfectly happy with Firefox. Safari is my backup browser, probably always will be.
        although… the changes in Firefox 4 ALMOST made me quit. Thank God for addon’s to “fix” it.

        1. Ok I think I know what your problem with Safari is. When you paste a link to Safari I assume you’ve copied it from Firefox or another offline resource. What you want to do before pasting the link in the address bar is to do command a on the existing address then do a command v having first done a command c to copy the link. That should clear out any link artefacts.

          1. I just saw a apple disscusion about having to hit space after the paste… then enter. works.

            IMO Extra step that is not needed.
            It just ticks me off enough that i won’t bother messing with it.

            although i must say.. It referred to a bug all the way up to 5.03, and of course i just tried it now with 5.05 and it didn’t happen.
            the command A is the same as the triple click i end up doing (select all) or highlight the whole url with the mouse.

            my Luck, a week from now it will do it to me again and i’ll forget about this thread lol.

            also another reason i stick with firefox, XMarks. up until recently Safari didnt work with XMarks, i had the same bookmarks on my PC, my Mac, my MBP etc. and all synced.
            my MBP is the only one with xMarks for Safari on it… and it crashes CONSTANTLY. not Safari, XMarks.

            1. You can try highlighting the whole URL by clicking the favicon, the little icon to the left of the URL in the address bar. I’ve never had a problem with Safari. Works really well for me.

        2. Never ever had that problem. No matter where I copy the URL from.

          From Firefox to Safari:
          CMD-L (selects URL in Firefox)
          CMD-C (copies URL)
          CMD-Tab (switch to Safari – if last app used)
          CMD-L (selects current URL)
          CMD-V (replaces current URL with one copied from Firefox)
          Enter (or Return)

          Works 100% of the time.

          Did the copy/paste thing from text file, email, and webpage also. Always works for me. Maybe you need to talk nicer to Safari?

          1. I found earlier it WAS a bug in safari up to 5.03, i found that on the discussion boards earlier
            you had to insert a space between the paste and return. (supposedly fixed now)

            But i’m also a mouse guy.. i’d say 90% of the time i lean back in my chair, and right click. i’m one handed while i surf. Left hand is only on the keyboard when i have to type.
            the CMD + all that… I do just as fast with mouse/trackpad. I have to look at the keyboard for those shortcuts.

            @BuffaloChuck.
            I did.
            Highlight, copy.
            switch to safari
            Highlight, Paste
            return.
            Ended up refreshing current page.

            had to edit the URL somehow, i just deleted the last letter/etc of the URL, and typed it again and then return.

            And it wasn’t just coping the URL in firefox, it was anywhere.
            and BTW, was on a Power Mac G5 when i was having to deal with it. I ended up installing Chrome as the backup browser. (hated Chrome…) I dont think Safari 5 was even out when i first started dealing with it. I tried it earlier and it didn’t reload the page, so i guess it’s fixed.

            however…. I DO notice in Safari, i left my default homepage as http://www.apple.com/startpage
            if i paste a URL on the G5 behind me…. the page refreshed without me even pasting anything or hitting return. I just selected the URL, and a few seconds later it refreshed.
            and when it stopped, the RSS tab was up there in address bar. (wasn’t before) I wonder if all i needed to do was change the home page to blank

        3. Hmm…I’ve never run into that issue on Safari in the many, many Macs I’ve owned and serviced. Love it if you’d clarify exactly what steps you took to produce the problem.

      1. … is right on target. “Since any user with an administrator’s account – the default if there is just one user on a Mac – can install software in the Applications folder, a password is not needed.” Only a fool (yeah, YOU) runs user apps from an Admin account. So says MDN. So says Apple. So Say We All!

  2. In my never-to-be-humble opinion, it’s long past time that Apple changed the standard Mac OS X installation parameters.

    1) Safari should have the “open (so-called) ‘safe’ files” option turned OFF by default. They should also call it something else, like “open certain (sometimes dangerous) files automatically after download – WARNING, this can degrade your Mac’s security!”

    2) The Mac OS X installation process should create not only an administrator account, but also a user account, and it should be made clear that the admin account info should ONLY be used when installing updates that the user has requested, or known-good Apple updates. Login for that admin account should be disabled (you can install almost anything from a user account with an admin account’s into).

    Time to get serious about security, Apple – too many people are starting to pry into Mac OS X’s dark corners.

    1. Agree with both 1) and 2) – Safari should never offer to automatically open *anything* downloaded from the internet, and while I’d set up separate admin accounts for both myself and my parents before this malware surfaced, it would be much better if Apple provided that kind of setup by default.

      Have to disagree with your closing statement though – Apple have already been getting more serious about security, as evidenced by key security-related hires and the very strong security of Mac App Store installs (the app bundles require “root” to modify – much better than standard drag-from-disk-image installs).

      The main question I have, if this kind of malware attack increases, is if Apple will use it to eventually justify requiring all Mac apps to come from the Mac App Store. (Though I think their first fallback position would be to require all apps to be digitally signed, regardless of how they were downloaded – not sure if that would guard against this particular strain of malware.)

  3. A commenter made a comment here on a previous posting that AV software is a red herring for Mac users and therefore should be avoided like the plague. I’m a relative newcomer to the Mac platform and can’t claim much experience with it but the Apple retail assistant made several specific remarks to the effect that Macs don’t get viruses and you should not need to install AV software. 

    Bearing this in mind any attempts to ask me to install AV software on my Mac would be seen as suspicious although coming from a Windows environment, my brain has been conditioned to think that AV software warnings should be heeded. Perhaps new switchers should be trained to override their basic instinct.

    1. We can only assume that the majority of those infected by this, are those switching to Mac’s.

      My Uncle gets hit with virus and malware ALL the time… I keep telling him to NEVER click on popups telling him he’s infected and he needs to “buy” the fix.
      yet he calls me and laughs as he says “I clicked on something, i knew i shouldnt have but i did anyway”

      Granted the malware guys are getting pretty creative now, but still… a little brains can go a long way.

      I have a screenshot of a “warning your PC is infected” popup.. Showing me my HD and the path to the Windows dir that is infected…. Except i was using my iPhone. lol.
      It looked a lot like a vista screen, but being on iOS… something told me i was ok 😉

      1. Speaking as a long-time Windows user (Stockholm Syndrome hostage) I can tell you that AV warnings trigger a response that is below the subconscious level. Your immediate reaction is to respond to it and to allow it to scan your PC because you have been conditioned to think that viruses are a part of life as a PC user.

        Those who speak in this forum of, “Oh I haven’t had a virus infection on my PC in years,” are delusional. A simple random scan by a legitimate AV always throws up a virus. That’s the biggest reason why I switched to a Mac.

        1. I agree.
          I haven’t been hit with a virus on my PC in forever, but… I always got the AV software catching it.

          but… if you want to talk about adware and the like… i can’t count that high without a super computer.
          maybe my iMac can though 😉

        2. I’ve used PCs since DOS and as my knowledge of computers increased the amount of viruses I got decreased. I switched to Mac in 2004. I am an IT guy/web dev/bunch of other things and I must say having a windows XP machine on my mac… I haven’t had a virus in a while.. and yes it gets scanned regularly. Before I had my mac I went atleast a year virus free. The problem with most is common sense. If you go places online you shouldn’t, open emails that look suspicious, or click on popups that are sketchy.. well then you are asking for a virus. But I am not delusional by any means… I won’t say I haven’t had a virus in years but I can testify that my moms crappy XP PC has not had a virus since its existence and it does go online daily. She’s had that thing since 2007. It has AVG on it… always scans clean.

  4. “Administrator accounts should only be used for administration. Users should use standard user accounts for day-to-day computer use.”

    I don’t think this is realistic at all. I have way too many programs that automatically check for updates and download them in the background for this to make any sense. If every time Apple, Adobe, Micro$oft, GraphicConverter, NeoOffice, etc., prompted me to install an update, I had to shutdown all the programs I’m working in, restart into another user, wait for the update to download and install, then restart back into the first user and restart all the programs again, I’d never get anything done. It’s bad enough when I have do shutdown one suite of programs to do an update that downloaded in the background, much less restart the whole computer.

    For home use, it might not be a big deal, but at work, this idea is a colossal waste of time. Whatever happened to ‘use your common sense?’

    1. Agree 100% with what you say. To work in a secondary standard user account with no administrative privileges would be too delimiting for me in terms of getting actual work done.

        1. Agreed.
          I’ve run my main account as a Standard User for a number of years & find it barely inconvenient at all.
          And the minor inconvenience is greatly outweighed by the added security.

      1. Not True. Run as a standard user. When you need to install or update an app, you enter the Admin name and then the password. You do not have to restart as Admin.

        Further, when installing apps as Admin, you still have to enter Admin password, AFAIK. Unless something has changed.

      2. I’m an IT and I run my OWN computers, even at home with an Admin side and various user sides. Even an Uber Geek I work with does this. I set up ALL my client’s computers this way, trying to be ahead of what may hit us.

    2. Speaking as someone who’s been using a standard account for the past few months, you clearly have no understanding of how the process works.

      It’s a very simple process to authenticate as administrator from your standard account – when prompted to authenticate, you simply type in both the admin username and password. No need to switch to another user or interrupt your workflow.

      (And with fast user switching, there’s certainly no need to shut down everything in your standard account, if you merely wanted to switch to your admin account. I do this all the time when I just want to quick hop over to the admin account to adjust something.)

      1. If you did use the Admin Side to load things, the only time you would have to log out of the User side first, is for Apple System Updates, (or an application that asks you to restart the computer, those are rare these days).

    3. “Whatever happened to ‘use your common sense?’”

      and there’s the problem.

      I always run as Admin account myself. I just use my head and think before i just randomly accept everything.

      As a general rule, i see the point of NOT running as an admin. and I do NOT endorse every random person doing it.
      But if someone wants to run as an admin, just know that that means a little more responsibility.

    4. Suit yourselves. I do not, and will not, risk it. I run a standard account as per Apple’s recommendation, and IT IS NOT LIMITING. How often do updates come along? Not daily, not weekly. I think it should be reasonable to type in your admin password every few weeks or so.

      1. +1

        I’m not sure why “G-Man in B’ham” is making it sound like such a complicated process. It’s nothing like what he describes, and not at all limiting.

        1. honestly i dont either.
          I did run without an admin account for a while, it’s not nearly as ugly as he makes it out to be.

          but on the other hand… Running as an admin isn’t that ugly either.
          you can run with no password on an admin account and still be safe.. (not that i would…) People just get lazy and think it can’t happen to them.

          It’s a choice i made to run as admin. if i have a problem… i’m not going to blame apple or go cry to anyone else. I don’t go to questionable sites, and i know everything i download. I also run little snitch so i can keep watch on anything to connect to the outside, it don’t matter if my admin password isn’t needed if this Macdefender does get installed… Little Snitch won’t let it go out unless i explicitly tell LS it’s ok. If the box comes up and i don’t see it.. it auto blocks until i go in and reverse it.

          Not saying i’m 100% immune to it, but the odds of it happening to me are a lot lower with all the stuff i normally block anyway. (no script, adblock, flashblock, Little Snitch, Anything Google, list goes on)
          And it seems that this “only” affects Safari? every article on this talks all about Safari, not chrome, not Firefox, not Opera.. just safari.
          and besides, Apple already has a permanent fix in the works so this can’t work anymore once they release the update. (I hope soon so this gets out of the news)

          Admin or not Admin, it’s your Personal choice. Or IT department’s choice..
          And don’t think Apple is doing something “new” here by recommending a non Admin account.. I’m pretty sure that’s the norm for every OS. (which i think stems from Idiot users, always seems to be the Idiots among us that gets into trouble with any OS/Tech)

          1. Ok, maybe I don’t understand the differences between an Admin account and a User account. I’m the only one who uses my computer, so I’ve never seen the need to have more than one account. Sorry if I offended anyone.

            I thought the whole point of a User account was that it was ‘locked down’ and you couldn’t install anything when you were in it. If all you need is the Admin name and password, what’s to stop a User account who has the password from installing MacDefender or any other trojan?

    5. https://discussions.apple.com/thread/2586809?threadID=2586809&tstart=-3

      Not having any luck finding a good online tutorial about how to downgrade your current admin account to a standard account – this is the closest I could find. Obviously the “parental controls” stuff can be skipped, but the rest (creating a new admin account, using that new account to de-admin-ify your current account) applies. No need to change user IDs or anything odd like that – Apple have done a good job of making this process very painless and very doable.

      1. Have not tested this but I would think it would be:

        Current admin user – Fred
        Create new account – Admin-Fred
        Logout as Fred
        Login as Admin-Fred
        Go to System Preferences – Accounts – go to Fred account – (here’s where I get fuzzy) should be an check box for this being an admin account – unselect

        Good luck!

  5. Frankly, I don’t trust Intego. Just look at this memo: They do not inform about the built-in protections (like running a standard instead of an admin account for day-to-day use, as MDN point out), but recommend downloading/buying their software suite.

    They’re FUDsuckers. As ar as I am concerned, as long as they release shit like this, they’re only one step away from being as bad as malware authors.

    1. Agreed – Intego aren’t interested in helping users solve the problem for themselves (as they can very easily do), but are interested in scaring/pressuring users into giving up their credit card info. Not much different from MacDefender, etc. in that sense. 😉

  6. “If Safari’s “Open ‘safe’ files after downloading” option is checked, ”

    For the life of me, I don’t know why this option isn’t deleted so that users have to click the download to launch it…

    And as far as having to use the admin user name and password to load the program, I bought both my sons macs and they were able to load world of warcraft without the admin user name and password.

  7. the influx of clueless windows users has made this an issue.
    Anyone who spends any time in the Apple support forums and fields the repeated questions about antivirus for iOS devices or the cries of my computer did something therefore I must have a virus can attest to this.

    Do not go to sketchy sites, do not download stuff from sketchy sites, never automatically enter your password when it shouldn’t be asking for it.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.