Wednesday, May 25, 2011

Newer Nastier Version Of MacDefender Malware Found

Just days after Apple posted a fix for the recently discovered MacDefender malware, a new, even nastier version called MacGuard has reared its ugly head!

Intego has issued a new warning for Mac users that a new variant of the MacDefender malware has been found. Much like the old version, it uses an infected site to act as scareware: users see a prompt telling them their system is infected and that they need to download the "security tools" to remove the infections.

The so-called tools come in several variants: MacDefender, MacProtector, MacSecurity and now MacGuard, all of which are the same application under different names. The goal of this fake antivirus software is to trick users into providing their credit card numbers to supposedly clean out infected files on their Macs.

The difference with this new variant is that, unlike previous versions, it doesn’t require you to provide an administrator password during the installation process.

The new malware comes in two parts. The first part is a downloader, called avSetup.pkg. Should you happen upon one of the afflicted sites this package may be downloaded automatically. If Safari’s “Open ‘safe’ files after downloading” option is checked, the package will open Apple’s Installer, and the user will see a standard installation screen. If not, users may see the downloaded ZIP archive and double-click it out of curiosity, not remembering what they downloaded, then double-click the installation package. In either case, the Mac OS X Installer will launch.

This package installs a secondary downloader application named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind.

The second part of the malware is the new fake anti-virus software MacGuard. This is downloaded by the avRunner application from an unknown IP address that is hidden within an image file in the avRunner application’s resources folder.

Precautions from Apple and Intego, as well as general Mac-using common-sense precautions, include disabling Safari’s “Open ‘safe’ files after downloading” option (under Safari -> Preferences -> General), and immediately quitting (or force-quitting) your browser if you see a Web page that attempts to disguise itself as an OS X window.

Apple provides detailed instructions on removing the older variants from your system. The company also promises a software update that will remove the infection. At this time it’s unclear whether the update will address this new variant, or whether there are any nastier variants out there. So Mac users should use caution and common sense when they see anything suspicious.
