There is a new variant of the Mac Defender rogue AV out there, and this one doesn’t require users to enter the administrator password in order to install the program, warns security firm Intego.
It’s named MacGuard and, like the previous versions, it is distributed via poisoned search links. The payload is an installation package – avSetup.pkg.
The researchers warn that if Safari’s “Open ‘safe’ files after downloading” option is checked, the installation package will open Apple’s Installer and the user will be presented with the standard installation screen. If the option isn’t checked, the installation will start only if the user double-clicks the package.
“This package installs an application – the downloader – named avRunner, which then launches automatically,” explain the researchers. “At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind.”
Once installed, avRunner attempts to connect to an IP address hardcoded into an image file in avRunner’s Resources folder and hidden from view by using steganography.
If it succeeds, it downloads the actual rogue AV application – MacGuard.
Intego advises users to ignore Finder windows that pop up and seemingly scan their Mac, telling them their system is infected, and to quit their browser if they are faced with them. They should also quit the Installer application if it’s open and delete anything that might have been downloaded by it. Finally, they should uncheck the “Open ‘safe’ files after downloading” option in Safari, to prevent the automatic opening of similar files.
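The checks and the Safari change above can be scripted. The following is an added example, not code from Intego or from the article; it assumes the artefact names given in the text (avSetup.pkg, avRunner, MacGuard), assumes that they land in ~/Downloads or an Applications folder, and uses Safari’s AutoOpenSafeDownloads preference key, which backs the “Open ‘safe’ files after downloading” checkbox.

```shell
#!/bin/sh
# Added example: look for the MacGuard artefacts named in the write-up and
# report/disable Safari's automatic opening of "safe" downloads.
# Assumed locations: ~/Downloads, /Applications, ~/Applications.

# Return 0 (and print each hit) if any artefact exists under the given dirs.
find_macguard_artifacts() {
    found=1
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for name in avSetup.pkg avRunner avRunner.app MacGuard.app; do
            if [ -e "$dir/$name" ]; then
                echo "indicator: $dir/$name"
                found=0
            fi
        done
    done
    return $found
}

# Map the raw preference value (as printed by `defaults read`) to on/off.
# Takes the value as an argument so it can be exercised without macOS;
# an unset key means Safari's default, which is on.
safari_auto_open_state() {
    case "$1" in
        0|false|NO|no) echo off ;;
        *) echo on ;;
    esac
}

# Remediation from the text: turn the Safari option off (macOS only).
disable_safari_auto_open() {
    defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
}

# Run the checks on the local machine.
check_host() {
    if command -v defaults >/dev/null 2>&1; then
        val=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)
        echo "Safari auto-open safe files: $(safari_auto_open_state "$val")"
    fi
    find_macguard_artifacts "$HOME/Downloads" /Applications "$HOME/Applications"
}
```

Call check_host to report, then disable_safari_auto_open if the state printed is "on".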
Hopefully Apple will take this latest variant into consideration as it works on the security update it announced yesterday.