New variant of MAC Defender - MacGuard - installs without admin privileges

It would have been an easy victory for Apple if the string of rogue antiviruses targeting Mac OS X under names such as "MAC Defender," "MAC Protector," and "MAC Security" had stopped at the news that Apple is releasing an update to remove them. The scamware has been in the wild since the beginning of this month and has generated a larger than normal volume of support calls to AppleCare from confused customers seeking help removing MAC Defender.

Vigilant Mac users might have taken comfort in knowing that MAC Defender required administrator credentials before it could install on a user's computer. The good news is that this latest variant, "MacGuard," also discovered by Intego, still requires the user to launch an executable before the install can proceed. The bad news is that the requirement for administrator credentials has been dropped. The scamware now runs entirely in user space, but it is no less threatening in its demands that users fork over money to remove threats that do not exist.

The delivery method is still similar to MAC Defender's: a web page crafted to look like a convincing, if fake, Finder window, together with a pop-up alert:

Upon accepting the prompt, a .pkg installer is downloaded to the user's computer, and it may or may not run automatically depending on the download preferences set in Safari. When the installer completes, a downloader named "avRunner" fetches the main MacGuard app, and once MacGuard is installed the installer deletes itself.

Prevention of this latest variant is simple: users should always be wary of any executable they launch, regardless of the platform it was written for. Executables and installers should never be set to launch automatically without your consent. And finally, it never hurts to have even basic antivirus protection for those unexpected scenarios.
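The two prevention points above (do not let downloads launch themselves, and know whether one of these rogue apps is already on the machine) can be checked from a terminal. The script below is an added example written for this page, not code from the article or from Intego. It reads Safari's real `AutoOpenSafeDownloads` preference (the key behind the "Open 'safe' files after downloading" checkbox) and scans a process listing for the names the article mentions. It assumes, as a labelled guess rather than something the article states, that a user-space rogue app wanting to survive a logout would register itself under ~/Library/LaunchAgents; the sample process listing is constructed so the matcher can be exercised on a clean machine.

```shell
#!/bin/sh
# Added defensive check for the MacGuard / MAC Defender family.
# Not from the article or Intego; written as an example for this page.

# Names taken from the article. Matching is case-insensitive.
ROGUE_NAMES='MacGuard|MAC Defender|MAC Protector|MAC Security|avRunner'

# Interpret the raw value of Safari's AutoOpenSafeDownloads preference
# (`defaults read com.apple.Safari AutoOpenSafeDownloads` prints 1 or 0).
# An empty value means the key was never written; Safari's factory
# default is "on", so an unset key is treated as enabled.
autoopen_status() {
    case "$1" in
        0|false|NO|no) echo "disabled" ;;
        *)             echo "enabled" ;;
    esac
}

# Read lines on stdin (a process list or a directory listing) and print
# every line matching a rogue AV name. Returns 0 when nothing matched,
# 1 when at least one line did.
scan_for_rogue_av() {
    hits=$(grep -E -i "$ROGUE_NAMES" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample process listing, so the matcher can be tried on a
# machine that is not infected (or not a Mac at all).
SAMPLE_PS='launchd
Finder
Safari
avRunner
MacGuard'

# Audit of the current machine. Only meaningful on macOS.
# Assumption (not stated by the article): a user-space rogue app that
# persists would do so via ~/Library/LaunchAgents, so that is scanned too.
audit_this_mac() {
    value=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true)
    status=$(autoopen_status "$value")
    echo "Safari auto-open of 'safe' downloads: $status"
    if [ "$status" = "enabled" ]; then
        echo "  fix: defaults write com.apple.Safari AutoOpenSafeDownloads -bool false"
    fi
    ps -axo comm= | scan_for_rogue_av && echo "No rogue AV processes found"
    ls "$HOME/Library/LaunchAgents" 2>/dev/null | scan_for_rogue_av \
        && echo "No rogue AV launch agents found"
}

if [ "$(uname)" = "Darwin" ]; then
    audit_this_mac
else
    echo "Not macOS; running the matcher on the constructed sample instead:"
    printf '%s\n' "$SAMPLE_PS" | scan_for_rogue_av || echo "  -> rogue AV names present"
fi
```

Because the installer deletes itself once MacGuard is installed, there is little point hunting for the .pkg; the running downloader and app (and anything it registered to relaunch) are what remain to find. Turning the Safari preference off closes the "may run automatically" step in the chain described above, which is exactly the step the article's second prevention point is about.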

Image Credit: Intego


38 Comments


3rd impact said,
dear dennis wong,

string of rogue antiviruses targeting Mac OS X? it was put there to test out faith!!!

sincerely, mac users

Interesting way of summarizing the situation, I guess...

IMHO this has nothing to do with OS security, but with user stupidity. Users have to launch it, therefore it's not fair to blame OS X. It's still the safer OS, because after installation you don't have root privileges. In Windows 7 the default user is still an administrator, so you are more vulnerable.

Reap what you sow. I just hope one of the Neowin guys created it! You know if little old me is starting to get calls for it, they finally got the foot far in the door...
JF

You know, it's strange... Fake antivirus programs like this normally infuriate me. But seeing them come to the Mac... makes me chuckle.

News reports like this make me laugh inside...

I think I'll head down to the local electronics store today and run some installs

The irony! If it wasn't for the late scare campaign persuading Mac users to get an AV, this wouldn't be happening now.

LordBattleBeard said,
Yawn. All platforms get crapware like this, we get it, only mactards thought otherwise.

You forgot the Linux users.. always forgotten...

It's amusing how they still can't replicate something that remotely looks like Finder. I also enjoy a few things here:
- One "window" says Apple Web Security while the other says Apple security center
- "Apple security center" isn't capitalized properly

Seriously, the fact that people fall for these things on either OS X or Windows is depressing. At least this one uses a Finder replica since the last one used an XP replica from what I saw.

Tanshin said,
It's amusing how they still can't replicate something that remotely looks like Finder. I also enjoy a few things here:
- One "window" says Apple Web Security while the other says Apple security center
- "Apple security center" isn't capitalized properly

Seriously, the fact that people fall for these things on either OS X or Windows is depressing. At least this one uses a Finder replica since the last one used an XP replica from what I saw.

And the notification box says "Apple security alert"

And if I'd just bought Granny a Mac, set it up, and left...she'd have been infected that same evening. Neowin wannabe tech-gods aren't the only Mac users k?

Tanshin said,
It's amusing how they still can't replicate something that remotely looks like Finder.

It looks very much like Finder.

Hmmm Macs with viruses????? OMG!!! that's a lie, I refuse to believe it, it's just fake story telling by those Windows fanboys!

Ely said,
Hmmm Macs with viruses????? OMG!!! that's a lie, I refuse to believe it, it's just fake story telling by those Windows fanboys!

Sad thing is that this will happen. lmao.

I'm surprised it's taken this long. It can't be that difficult to make a malicious program that requires user intervention to install. The phishing part is the most difficult bit.

what said,
I'm surprised it's taken this long. It can't be that difficult to make a malicious program that requires user intervention to install. The phishing part is the most difficult bit.

Same here. I always thought it would be extremely easy for whoever wanted to do it. Modern Windows malware also requires the user to run it and grant admin privileges, and they fall for it all the time. I even know someone who put their credit card into the Windows version of this fake antivirus crap.

So...........Macs get viruses too now. Well they have for a while. But one thing not to include in the Mac ads is that they won't get viruses. So who wants to pay 2000 dollars for a Mac that a PC can do and then some?

Xypro said,
So...........Macs get viruses too now. Well they have for a while. But one thing not to include in the Mac ads is that they won't get viruses. So who wants to pay 2000 dollars for a Mac that a PC can do and then some?

This is NOT a virus! It's called malware. And most of the Mac users are VERY smart, so they won't install it. /sarcasm

The Stark said,

This is NOT a virus! It's called malware. And most of the Mac users are VERY smart, so they won't install it. /sarcasm

Haha, you almost got me then.........

Xypro said,
So...........Macs get viruses too now. Well they have for a while. But one thing not to include in the Mac ads is that they won't get viruses. So who wants to pay 2000 dollars for a Mac that a PC can do and then some?

As I said in the other thread about MAC Defender, if we'd get so much press for each virus released on Windows, we wouldn't be done with it. Mac Guard news would be on page 4 already.

One virus isn't the end of the world, especially if it doesn't propagate by itself, and because there's a built-in antivirus in Snow Leopard and Apple has an update waiting for us.

PyX said,

As I said in the other thread about MAC Defender, if we'd get so much press for each virus released on Windows, we wouldn't be done with it. Mac Guard news would be on page 4 already.

One virus isn't the end of the world, especially if it doesn't propagate by itself, and because there's a built-in antivirus in Snow Leopard and Apple has an update waiting for us.

So you don't see this as the start of a rocky road? ummm ok then.......

And if AV came pre-installed with Windows, the DOJ or EU would ask for another few billion, you know, for competition's sake.

Xypro said,
So...........Macs get viruses too now. Well they have for a while. But one thing not to include in the Mac ads is that they won't get viruses. So who wants to pay 2000 dollars for a Mac that a PC can do and then some?

The simple fix for this is to remove the option to "automatically open safe files", as it was a gaping security hole to begin with.

Mr Nom Nom's said,
People buy a Mac for more reasons than what you claim.

That was true years ago; now more non-tech-savvy people are buying a Mac because of that, and even Apple has used that argument for marketing.

dagamer34 said,

And if AV came pre-installed with Windows, the DOJ or EU would ask for another few billion, you know, for competition's sake.

HAHA

ppl will still buy Macs, but Apple won't use it as a sales argument anymore!