It would have been an easy victory for Apple if the string of rogue antivirus programs targeting Mac OS X under names such as "MAC Defender," "MAC Protector," and "MAC Security" had stopped with the news that Apple was releasing an update to remove them. The scamware has been in the wild since the beginning of this month and has generated a larger than usual volume of AppleCare support calls from confused customers seeking help removing MAC Defender.
Vigilant Mac users might have taken comfort in knowing that MAC Defender needed the user to enter administrator credentials before it could install. The good news is that the latest variant, "MacGuard," also discovered by Intego, still requires the user to launch an executable before the install can proceed. The bad news is that the administrator-credential requirement has been dropped: the scamware now installs and runs entirely in user space, with no password prompt, and it is no less aggressive in demanding that users pay to remove threats that do not exist.
The delivery method is still similar to MAC Defender's: a web page crafted to look like a convincing Finder window, with a popup layered on top of it:
If the user accepts the prompt, a .pkg installer is downloaded to the user's computer; whether it runs on its own depends on Safari's "Open 'safe' files after downloading" preference. When the installer finishes, a downloader called "avRunner" fetches the main MacGuard application, and once MacGuard is installed the installer deletes itself.
Preventing this latest variant is simple: be wary of any executable you launch, regardless of which platform it was written for. Executables and installers should never be set to launch automatically without your consent, so turn off Safari's option to open "safe" files after downloading. Finally, it never hurts to run even basic antivirus protection for the unexpected cases.
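As an added host-triage example (not code from this article or from Intego), the following POSIX shell script checks a Mac for the artifacts the article names. It reports the state of Safari's "Open 'safe' files after downloading" preference (the real key is `AutoOpenSafeDownloads` in the `com.apple.Safari` domain), offers a one-line fix for it, and greps the process list and user-writable locations for the names reported here (avRunner, MacGuard, and the earlier MAC Defender, MAC Protector and MAC Security). The directories searched and the assumption that the files keep those names are my own; the script runs unchanged on Linux for testing, where the Safari check simply reports "unknown".

```shell
#!/bin/sh
# Added triage helper; not part of the original article or of Intego's tooling.
# Assumptions (mine): the installer and app keep the names the article reports
# ("avRunner", "MacGuard") and, because this variant needs no administrator
# password, land in per-user locations such as ~/Applications, ~/Downloads and
# ~/Library/LaunchAgents. /Applications is checked too in case the user's
# account can write there.

# flag_suspects: read lines on stdin, print those containing one of the names
# the article associates with this family (case-insensitive, fixed strings).
# Exit status 0 if at least one line matched, 1 if none did (grep semantics).
flag_suspects() {
    grep -i -F \
        -e 'MacGuard' -e 'avRunner' \
        -e 'MAC Defender' -e 'MAC Protector' -e 'MAC Security'
}

# safari_autoopen_status: print "enabled", "disabled" or "unknown" for Safari's
# "Open 'safe' files after downloading" preference. The key is real; the
# preference defaults to on when the key has never been written, which is why
# an absent key is reported as "enabled".
safari_autoopen_status() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo unknown            # not macOS, or defaults(1) is unavailable
        return 0
    fi
    v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)
    case "$v" in
        0|false|NO)  echo disabled ;;
        *)           echo enabled ;;   # "1"/"true"/"YES", or key absent
    esac
}

# disable_safari_autoopen: turn the preference off for the current user so a
# downloaded .pkg is never launched without an explicit click.
disable_safari_autoopen() {
    defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
}

# triage: report the Safari setting, then flag suspect processes and files.
triage() {
    echo "Safari auto-open of 'safe' downloads: $(safari_autoopen_status)"
    echo "--- suspect processes ---"
    ps -eo pid=,comm= | flag_suspects || echo "(none)"
    echo "--- suspect files in user-writable locations ---"
    for d in "$HOME/Applications" "$HOME/Downloads" \
             "$HOME/Library/LaunchAgents" /Applications; do
        [ -d "$d" ] && ls -1 "$d" 2>/dev/null | sed "s|^|$d/|"
    done | flag_suspects || echo "(none)"
}

triage
```

Run it as the affected user, not as root: the variant lives in the user's own space, so a per-user process list and home-directory search are where the artifacts appear. If the first line reports "enabled", call `disable_safari_autoopen` and re-check. The name match is deliberately simple; rename the binary and it will miss, so treat a clean result as "nothing obvious", not as proof of absence.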
Image Credit: Intego