New 'MACDefender' Variant Installs Without Admin Password Requirement
Antivirus firm Intego today reported that it has discovered a new variant of the "MACDefender" malware that ups the ante by not requiring an administrator password for installation. The step is accomplished by installing the application only for the current user.
Unlike the previous variants of this fake antivirus, no administrator's password is required to install this program. Since any user with an administrator's account - the default if there is just one user on a Mac - can install software in the Applications folder, a password is not needed. This package installs an application - the downloader - named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user's Mac, so no traces of the original installer are left behind.
The second part of the malware is a new version of the MacDefender application called MacGuard. This is downloaded by the avRunner application from an IP address that is hidden in an image file in the avRunner application's Resources folder.
Late yesterday, Apple issued its first public notice on the MACDefender malware, providing users with steps for avoiding or removing the software, as well as reporting that a Mac OS X software update to be released in the "coming days" will automatically find and remove MACDefender and its known variants. The update will also alert users if they are about to download one of the malware applications.
It is unknown whether protection against the new "MacGuard" variant will be included in the software update from Apple, but the company will almost certainly have to keep on its toes to address the quickly evolving threat.