New in OS X: Get MacRumors Push Notifications on your Mac

Resubscribe Now Close

New 'MACDefender' Variant Installs Without Admin Password Requirement

Wednesday May 25, 2011 11:17 am PDT by Eric Slivka

Antivirus firm Intego today reported that it has discovered a new variant of the "MACDefender" malware that ups the ante by not requiring an administrator password for installation. The step is accomplished by installing the application only for the current user.
Unlike the previous variants of this fake antivirus, no administrator's password is required to install this program. Since any user with an administrator's account - the default if there is just one user on a Mac - can install software in the Applications folder, a password is not needed. This package installs an application - the downloader - named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user's Mac, so no traces of the original installer are left behind.

The second part of the malware is a new version of the MacDefender application called MacGuard. This is downloaded by the avRunner application from an IP address that is hidden in an image file in the avRunner application's Resources folder.
Late yesterday, Apple issued its first public notice on the MACDefender malware, providing users with steps for avoiding or removing the software, as well as reporting that a Mac OS X software update to be released in the "coming days" will automatically find and remove MACDefender and its known variants. The update will also alert users if they are about to download one of the malware applications.

It is unknown whether protection against the new "MacGuard" variant will be included in the software update from Apple, but the company will almost certainly have to keep on its toes to address the quickly evolving threat.

[ 452 comments ]


Top Rated Comments

(View all)

Avatar
stridemat
107 months ago
Perhaps Apple should issue an 'update' the makes Safari not open downloaded files automatically?
Rating: 31 Votes
Avatar
Jolly Jimmy
107 months ago

One Word:

MACDEFENDER

;)


Not a virus. Honestly there should be a sticky thread or something explaining what a virus is.
Rating: 14 Votes
Avatar
longofest
107 months ago

the days of malware free macs are over! No surprise that Apple initially failed to acknowledge the problem.


The days of malware-free macs have BEEN over (https://www.macrumors.com/2006/02/16/mac-os-x-virus-trojan-summary/). This appears to be the first malware that is actually getting decent press coverage.
Rating: 13 Votes
Avatar
KnightWRX
107 months ago

Do you like contradicting yourself? We can go back and forth between "virus"/malware argument but what's the point.


I have not contradicted myself. Go back and forth on what ? Virus is a type of malware. Spyware is another. Trojans are yet another.

There are Mac malware out in the wild.
There aren't any Mac viruses out in the wild.

Both statements are true.
Rating: 13 Votes
Avatar
Rodimus Prime
107 months ago
my guess is it is only going to get a lot worse from here. It is pretty common trick of the "virus" writing to use one that worked and slightly modify it to work another way or do something else and it gets counted as a different virus using the same hole or same trick.

I am willing to bet in the future some of theses things like MACDefender are going to install and not do anything real to get themselves noticed for weeks on end and leave a huge hole to allow other stuff to get installed. You can kill off the other stuff installed but because the hole is never plugged new things will keep coming in.
Rating: 12 Votes
Avatar
*LTD*
107 months ago

apple should start catering to real mac users again, and not to the lowest common demonator = pc users!


Most Mac users used to be Windows users at one time or another. Including yours truly.

WTF is a "demonator"?
Rating: 12 Votes
Avatar
griz
107 months ago
Uncheck "Open 'safe' files after downloading" in Safari Prefs.
Downloaded apps will not launch automatically if you uncheck this option in Safari. Not sure about other Browsers. So as long as you don't launch the installer, you are fine.
Rating: 12 Votes
Avatar
nwcs
107 months ago

Perhaps Apple should issue an 'update' the makes Safari not open downloaded files automatically?


Yeah, that should be the default option.
Rating: 11 Votes
Avatar
Yamcha
107 months ago

I may be misreading things, but you still have to execute the installer correct?


It launches by itself, I actually encountered this just an hour ago, I was surfing google images, and the application downloaded and launched it self, although of course I cancelled and deleted it..

But if you disabled "Open Safe Files" on Safari then it doesn't launch automatically..

Anyway it's not really a problem for computer savvy people, but I think my parents would easily install this without knowing that it's actually malware..

So It's still an issue I think, obviously this is something that Windows has had in the past, still It should be no surprise, as more people begin to use Mac OS, viruses, trojan, malware/spyware will be a part of Mac OS, it'll be interesting to see how Apple handles this problem..
Rating: 11 Votes
Avatar
DeaconGraves
107 months ago
I may be misreading things, but you still have to execute the installer correct?
Rating: 10 Votes

[ Read All Comments ]