Updated MacDefender Malware Appears, No Longer Needs Password

There’s a newer version of the MacDefender scareware program that’s now showing up on various Web sites, and this one no longer requires a user to enter her administrator password during the installation process in order to complete the infection routine.


The first variants of MacDefender began appearing in early May and Mac users were seeing the pop-up dialog boxes on sites that they might have visited through a link from a poisoned search results page. The rogue application, once installed, would attempt to entice the user into entering her credit card information in order to pay the license fee for the software.

On Wednesday researchers at Intego discovered a new version of MacDefender, now called Mac Guard, that runs through the same basic infection routine, with the main difference being that the user no longer has to enter the admin password as part of the download and installation process. Because most Mac machines only have a single user, and that user is running on an admin account, the password isn’t a necessity and removing the requirement to enter it takes away one more hurdle to infection.

The installation process is a two-part operation: the malware first automatically installs a downloader that reaches out to a remote server and pulls down a malicious payload. That package, called “avRunner”, completes the rest of the routine.

“Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. Since any user with an administrator’s account – the default if there is just one user on a Mac – can install software in the Applications folder, a password is not needed. This package installs an application – the downloader – named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind,” Intego said in its blog post on the new variant.
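The installation path Intego describes works because the only account on most Macs is an administrator, and an administrator can write into the Applications folder without being prompted for a password. The following shell script is an added defender-side audit, not code from Intego or Threatpost: it checks whether the current account could have an application dropped into a given folder silently, whether the account is in the admin group, and whether any entry in that folder carries one of the names the article mentions. The only indicator it uses is the application name “avRunner” from the article; the location /Applications and the group name “admin” are standard macOS conventions, and the functions take the directory as a parameter so the same logic can be run against any folder.

```shell
#!/bin/sh
# Added audit for the "no password needed" installation path described in the
# article. Not Intego's or Threatpost's code. Assumptions: /Applications and the
# "admin" group are the usual macOS locations; "avRunner" is the only
# page-supplied application name.

# Succeed (exit 0) if DIR exists and the current user can write to it without
# any authentication prompt, i.e. a downloader could drop an app there silently.
dir_writable_without_prompt() {
    dir="$1"
    [ -d "$dir" ] && [ -w "$dir" ]
}

# Succeed if the current user belongs to the admin group, which is the
# single-user default the malware relies on.
current_user_is_admin() {
    id -Gn | tr ' ' '\n' | grep -qx "admin"
}

# Print every entry in DIR whose name contains one of NAMES (case-insensitive).
# Usage: find_suspect_apps /Applications avRunner MacDefender "Mac Guard"
find_suspect_apps() {
    dir="$1"; shift
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue
        base=$(basename "$entry")
        for name in "$@"; do
            if printf '%s' "$base" | grep -qi -- "$name"; then
                printf '%s\n' "$entry"
                break
            fi
        done
    done
}

# Summarise the exposure of one applications directory.
# Prints one line per finding; returns 1 if a suspect application was found.
audit_app_dir() {
    dir="$1"; shift
    if dir_writable_without_prompt "$dir"; then
        echo "RISK: $dir is writable by $(id -un) without authentication"
    else
        echo "OK: $dir is not writable by $(id -un) without authentication"
    fi
    if current_user_is_admin; then
        echo "NOTE: $(id -un) is in the admin group"
    fi
    found=$(find_suspect_apps "$dir" "$@")
    if [ -n "$found" ]; then
        echo "SUSPECT: $found"
        return 1
    fi
    echo "OK: no suspect application names in $dir"
    return 0
}

# Stand-alone run against the real macOS location with the names from the article.
if [ -d /Applications ]; then
    audit_app_dir /Applications avRunner MacDefender "Mac Guard" || :
fi
```

Run it as the ordinary logged-in user, not via sudo: the point is to see what that account can do without being asked for a password. A “RISK” line together with the admin “NOTE” is exactly the condition Intego describes; name matching only catches the variant named here, so treat a clean run as “nothing matched”, not as “nothing installed”.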

Mac Guard of course doesn’t provide any actual security services and is just there in order to relieve users of their credit card data for use in later fraud campaigns.


Discussion

  • Rob on

    When did they stop asking for passwords for .pkg files? 

  • Anonymous on

    Sounds like Windows Pre-UAC (even if most people find it annoying).

  • Anon on

    That's not true.  I have my Mac set up so that it always asks anytime I try to download something, and a password is always required to install or make changes on my computer.  It's a very simple thing to set up in your security preferences (and involves a simple click on the "lock" icon on a number of preferences menu screens).  Can it be annoying whenever my computer updates?  Sometimes- except when I remember the reason why I have to do this; because of garbage like this on the Internet.

    These pieces of malware take advantage of old Windows users who have their Macs set up to give them the same conveniences they had on Windows, not realizing that by doing so they've made their Macs very virus friendly (i.e.- having the "download safe files" option ticked).  There is no such thing as a safe file type- the whole point of malware is that it's disguised to appear to your computer as a safe file type (such as .jpeg, .pdf, .bmp, etc., etc.).  If you don't know for certain what it is, never, ever install or download until you've verified the contents and sender.  It's very simple.

  • Anonymous on

    Above is funny, even when the malware is targeted to Macs, the blame still goes to Windows users :/
