MacDefender variant MacGuard installs without user's authentication

New MacDefender variant MacGuard doesn’t need administrative authentication, and is out in the wild — latest entrant to the growing Apple malware family

A new variant of MacDefender, the phishing malware aimed at Mac users, does not require users to authenticate the install process. Known as MacGuard, this variant poses as an antivirus program that offers to clean out supposedly infected Macintosh systems and tricks users into providing credit card numbers. The products affected are Mac OS X 10.4 (Tiger), 10.5 (Leopard) and 10.6 (Snow Leopard).

MacGuard was reported by Intego, a Mac malware solutions provider, which says the malware is being propagated through effective SEO poisoning, leading unsuspecting Mac users to malicious Websites that show up as top search results. The added risk from MacGuard is that it does not require administrative authentication during the install process, which matters because the default OS X account type has administrator-level access.

The new OS X threat operates a little differently from previous MacDefender variants, and comes in two parts. The first part is an installation package (‘avSetup.pkg’) that downloads automatically when a user opens a specially crafted Website. If Apple’s Safari browser is used to access the Website, and the ‘open safe packages after downloading’ option is checked, MacGuard proceeds to an installation screen that requires user interaction.

Unlike previous MacDefender variants, MacGuard does not ask for an administrator password. After installation, the package deletes itself to avoid detection. MacDefender then proceeds to download the main payload from a Web server using the ‘avRunner’ application. The destination IP address is hidden using a simple form of steganography.

More details about this variant can be found on Intego’s Website. A detailed report about the MacDefender malware can be found on Intego’s Mac Security blog. Intego advises users to leave any page that looks like a Finder window and appears to be scanning their Mac. If a package has been downloaded inadvertently, it can be located in the ‘Downloads’ folder and deleted. Users should also uncheck the ‘Open safe files’ option in Safari.
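The two user-side checks described above (is Safari still set to open downloaded files automatically, and is the ‘avSetup.pkg’ installer sitting in the Downloads folder) can be scripted. The following shell script is an added example, not code from the article or from Intego or Apple. It assumes Safari stores the ‘Open safe files after downloading’ setting under the preference key `com.apple.Safari AutoOpenSafeDownloads` (a real key, where an absent value means the default, enabled, state), and it uses the installer file name ‘avSetup.pkg’ exactly as the report gives it; on a non-macOS host the preference check is skipped so the script can still be run to test the folder scan.

```shell
#!/bin/sh
# Added example: audit the two conditions the MacGuard report describes.
# Assumption: Safari keeps the "Open safe files after downloading" switch in
# com.apple.Safari under the key AutoOpenSafeDownloads; no value = enabled.

# True (exit 0) when the preference value means auto-open is ENABLED.
# An empty value is the unset default, which Safari treats as enabled.
auto_open_enabled() {
    case "$1" in
        0|false|FALSE|no|NO) return 1 ;;
        *) return 0 ;;
    esac
}

# Read the live preference on macOS; print "unknown" elsewhere so the
# script stays runnable on a non-Mac host.
read_auto_open_pref() {
    if command -v defaults >/dev/null 2>&1; then
        defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo ""
    else
        echo "unknown"
    fi
}

# List files in a directory whose name matches the installer in the report.
# The match is case-insensitive and limited to the top level of the folder.
find_suspect_packages() {
    find "$1" -maxdepth 1 -iname 'avSetup.pkg' 2>/dev/null
}

# Number of matching packages (0 when the directory does not exist).
count_suspect_packages() {
    find_suspect_packages "$1" | wc -l | tr -d ' '
}

main() {
    pref=$(read_auto_open_pref)
    if [ "$pref" = "unknown" ]; then
        echo "Safari preference: not a macOS host, check skipped"
    elif auto_open_enabled "$pref"; then
        echo "Safari 'Open safe files after downloading' is ENABLED (value: '${pref:-default}')"
        echo "Disable it with: defaults write com.apple.Safari AutoOpenSafeDownloads -bool false"
    else
        echo "Safari auto-open of downloaded files is disabled"
    fi

    dir="${HOME}/Downloads"
    n=$(count_suspect_packages "$dir")
    if [ "$n" -gt 0 ]; then
        echo "Found $n suspect installer package(s) in $dir (review and delete):"
        find_suspect_packages "$dir"
    else
        echo "No avSetup.pkg found in $dir"
    fi
}

main
```

Run it as the affected user; the `defaults write` command it prints is the command-line equivalent of unchecking the Safari option, and any listed package should be removed from the Downloads folder rather than opened.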

Apple has announced that it is working on an OS X software update that will find and remove MacDefender and its known variants, while also giving users an explicit warning if the malware is downloaded. Until then, Apple has provided step-by-step removal instructions for the malware in this support document.
