There’s a newer version of the MacDefender scareware program that’s now showing up on various Web sites, and this one no longer requires a user to enter her administrator password during the installation process in order to complete the infection routine.
The first MacDefender variants appeared in early May; Mac users encountered its pop-up dialogs on sites reached through links on poisoned search results pages. Once installed, the rogue application tried to entice the user into entering her credit card information to pay a license fee for the software.
On Wednesday researchers at Intego discovered a new version of MacDefender, now called Mac Guard, that runs through the same basic infection routine. The main difference is that the user no longer has to enter an administrator password during the download and installation. On a Mac with a single user account, that account is an administrator by default, and members of the admin group can write to the Applications folder without authenticating, so the installer never needs to prompt for a password. Removing that prompt takes away one more hurdle to infection.
The installation is a two-stage operation: the installer package first drops a downloader, named avRunner, which launches automatically, reaches out to a remote server and pulls down the malicious payload that completes the rest of the routine.
“Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. Since any user with an administrator’s account – the default if there is just one user on a Mac – can install software in the Applications folder, a password is not needed. This package installs an application – the downloader – named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind,” Intego said in its blog post on the new variant.
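The install path described above and in Intego's note suggests a simple triage check: if a no-password installer wrote into the Applications folder, the bundle it left behind belongs to the installing user rather than to root, and the folder itself must be writable by that account without elevation. The script below is an added example, not code from this article or from Intego. It assumes that a bundle dropped without elevation is owned by the installing user's uid (an inference the article does not state), and the sample listing and uids in it are constructed.

```python
"""Triage helper for a Mac Guard style install: an admin-group account can
write to /Applications without a password, so a no-password installer leaves
an app bundle owned by that user rather than by root.

Added example; not code from the article or from Intego. Assumption: a bundle
written without elevation is owned by the installing user's uid, not root.
"""
import os
import tempfile
from pathlib import Path

# Component names taken from the article and Intego's description.
SUSPECT_BUNDLE_NAMES = {"avRunner", "Mac Guard", "MacGuard", "MacDefender"}


def admin_can_write(apps_dir="/Applications"):
    """True when the current account can create entries in apps_dir with no
    elevation: the precondition the Mac Guard installer relies on."""
    return os.access(apps_dir, os.W_OK)


def bundle_owner_records(apps_dir):
    """List the top-level .app bundles in apps_dir as (bundle_name, owner_uid)."""
    records = []
    for entry in sorted(Path(apps_dir).iterdir()):
        if entry.is_dir() and entry.suffix == ".app":
            records.append((entry.name, entry.stat().st_uid))
    return records


def classify_bundles(records, trusted_uid=0):
    """Return the bundles not owned by trusted_uid (root by default), i.e. the
    ones an ordinary account dropped in, flagging names that match the
    Mac Guard components named in the article."""
    flagged = []
    for name, uid in records:
        if uid == trusted_uid:
            continue
        stem = name[:-4] if name.endswith(".app") else name
        flagged.append({
            "bundle": name,
            "uid": uid,
            "known_name": stem in SUSPECT_BUNDLE_NAMES,
        })
    return flagged


# Constructed sample listing with hypothetical uids, not taken from a real machine.
SAMPLE_RECORDS = [
    ("Safari.app", 0),
    ("avRunner.app", 501),
    ("Mail.app", 0),
    ("Mac Guard.app", 501),
    ("Xcode.app", 502),
]


def demo_records():
    """Build a throwaway folder with a few entries (all owned by the current
    uid) and return what bundle_owner_records() reports for it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("Safari.app", "avRunner.app", "Notes.txt"):
            os.mkdir(os.path.join(tmp, name))
        return bundle_owner_records(tmp)


if __name__ == "__main__":
    print("Applications folder writable without elevation:", admin_can_write())
    for hit in classify_bundles(SAMPLE_RECORDS):
        print(hit)
```

On an actual Mac the ownership half of this check is the one-liner `find /Applications -maxdepth 1 -name '*.app' ! -user root`; anything it lists was installed without root privileges and deserves a second look, whether or not its name matches the ones above.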
Mac Guard, of course, doesn’t provide any actual security services; it exists only to relieve users of their credit card data for use in later fraud campaigns.