New MACDefender variant, MacGuard, doesn’t require password prior to standard installation

On May 2, 2011, Intego discovered the MACDefender fake antivirus torjan, which targets Mac users via SEO poisoning attacks (web sites set up to take advantage of search engine optimization tricks to get malicious sites to appear at the top of search results). Since then, several variants have appeared: MacDefender, MacProtector and MacSecurity, all of which are the same application using different names. The goal of this fake antivirus trojan software is to trick users into providing their credit card numbers to supposedly clean out infected files on their Macs.

Intego today discovered a new variant of this malware that functions slightly differently. It comes in two parts. The first part is a downloader, a tool that, after installation, downloads a payload from a web server. As with the Mac Defender malware variants, this installation package, called avSetup.pkg, is downloaded automatically when a user visits a specially crafted web site.

If Safari’s “Open ‘safe’ files after downloading” option is checked, the package will open Apple’s Installer, and the user will see a standard installation screen. If not, users may see the downloaded ZIP archive and double-click it out of curiosity, not remembering what they downloaded, then double-click the installation package. In either case, the Mac OS X Installer will launch.

MacDailyNews Note: Users would then have to follow the standard Mac OS X installation prompts to actually install the malware.

Unlike the previous variants of this fake antivirus,no administrator’s password is required to install this program. Since any user with an administrator’s account – the default if there is just one user on a Mac – can install software in the Applications folder, a password is not needed. This package installs an application – the downloader – named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind.

The second part of the malware is a new version of the MacDefender application called MacGuard. This is downloaded by the avRunner application from an IP address that is hidden in an image file in the avRunner application’s Resources folder. (The IP address is hidden using a simple form of steganography.)

Intego considers that the risk for this new variant to be medium, in part because the SEO poisoning has been very efficient in leading Mac users to booby-trapped pages, but also because no password is required to install this variant.

Means of protection: the first thing to do is make sure that when seeing a web page that looks like a Finder window, and purports to be scanning your Mac, you know that this is bogus. Leave the page, and quit your web browser. If anything has downloaded, and the Installer application has opened, quit it right away; look in your Downloads folder for the file, then delete it. Next, users should uncheck the “Open ‘safe’ files after downloading” option in Safari’s General preferences.

More info Intego’s full memo here.

Source: Intego

MacDailyNews Note: As Apple clearly states in their Mac OS X Security Configuration Guides, most recently for Mac OS X 10.6 Snow Leopard:

Administrator accounts should only be used for administration. Users should use standard user accounts for day-to-day computer use.

In addition, here’s our usual oft-repeated reminder for Mac users and anyone who’s trying to use any other platform: Do not download and authorize the installation of applications (Trojans) from untrusted sources. No OS can protect users from themselves (or we wouldn’t be able to install any software). Those who grant attackers access to their Macs, should not be surprised to find their Macs are compromised.

Related articles:
Apple: How to avoid or remove MACDefender malware (permanent fix coming in Mac OS X update) – May 24, 2011
MACDefender trojan protection and removal guide – May 20, 2011
Apple investigating ‘MACDefender’ trojan – May 19, 2011
Is Mac under a virus attack? No. – May 4, 2011
Intego: MACDefender rogue anti-malware program attacks Macs via SEO poisoning – May 2, 2011


  1. Mac’s are the most secure OS environment on the planet. Just turn off automatically open safe files after download in Safari preferences. That’ all there is to it!

  2. “Since any user with an administrator’s account – the default if there is just one user on a Mac – can install software in the Applications folder, a password is not needed.”

    Huh? Am I missing something? I thought that Admin has to enter a password to install apps, too. Am I wrong?

    1. As i stated earlier, i run as Admin.
      I dont think i have ever installed any app without inputting my password.

      well… not true.
      Mac App Store stuff only needs my Apple ID password.

    2. An administrator’s password is most definitely needed to install software in the Applications folder. Even if a malicious installer managed to circumvent this safeguard, it would trigger an OS X alert the first time it tried to launch. OS X automatically warns the user when an app downloaded from the internet tries to open for the first time. The bottom line is that you have to be paying absolutely no attention to what you’re doing in order to install malware on a Mac. There is no foolproof safeguard against stupidity.

      1. “There is no foolproof safeguard against stupidity.”

        no matter how many times you say it, no matter how many times you explain it…. people don’t understand it, it’s always somebody else’s fault.


    Even when I go offline and restart my computer, Skype won’t start up as usual with me still offline. Has every client been infected? !!!

  4. What I want to know is, why would a .pkg file be considered by Safari “safe” to open automatically? If application package installers are not on the list of potentially unsafe files then wtf is?

  5. “The first part is a downloader, a tool that, **after installation** [requires admin password], downloads a payload from a web server. As with the Mac Defender malware variants, this installation package, called avSetup.pkg, is **downloaded** [but not executed] automatically when a user visits a specially crafted web site.”

    Very cleverly worded. Corrections added.

  6. I have been trying to find out this hidden “IP address” from which the software is downloaded. It would be nice if someone would let us know that, so that I might block access to it from my network of 350 Macs to further nip this in the bud. For that matter, ISPs could block such IPs, as well, if there were a reliable clearing house to track bad IPs and issue automated alerts to regional/national ISPs to enable them to block access. It seems to me to be the only way to stop this for Mac and PC users alike. If two or more IPs from the same ISP show up, an ISP’s entire IP range could be blocked. Most of these exploits come from former eastern bloc countries and a few asian countries whose ISPs have no personal stake in tracking this stuff down. If their entire IP range got blocked by Comcast in the U.S., for example, they would sit up and take notice.
    Anyway, if any knows the IP or IP range this exploit phones home to, please post it. Thanks

  7. Just how does anything get downloaded, let alone installed, without one’s permission?

    That seems like a bigger security issue than requiring an installation password.

      1. It’s a trivial matter to set up a website to automatically send something to a user who accesses the site. Think of it like invoking a download – usually you click on something to invoke the download … A malicious web programmer can make accessing the website automatically send the download. It’s all in the coding. A legitimate coder will not code that way, but someone who is trying to infect your machine will.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.