The Ed Bott Report

Ed Bott
Home / News & Blogs / The Ed Bott Report

Mac malware authors release a new, more dangerous version

By | May 25, 2011, 12:05pm PDT

Summary: Apple finally responded to the Mac Defender outbreak, with a technical note containing removal instructions and the promise of a removal tool. Within hours, the bad guys had released a new version of their malware. This one doesn’t require that you enter an administrator’s password.

Yesterday, 25 days after the Mac Defender malware began to appear in the wild, Apple finally responded. In a technical support note, “How to avoid or remove Mac Defender malware,” the company posted instructions for users to follow if they’ve encountered this malware specimen in the wild. It also promised a security update to remove infections automatically.

File that memo under, “Too little, too late.”

Within 12 hours of Apple’s announcement, the author of the original Mac Defender program had a new variant available that renders key portions of the current Mac Defender prevention plan obsolete.

A security researcher for Intego, the Mac-centric security company that identified the original Mac Defender, found the first example of this new code via a poisoned Google search very early this morning.

Several factors make this specimen different. For starters, it has a new name: MacGuard. That’s not surprising, given that the original program already had at least three names. But this one is divided into two separate parts.

The first part, a downloader program, installs in the user’s Applications folder. If you’re an administrator on your Mac (and most people are, given that the overwhelming majority of Macs have only one user and the default account in that scenario is an administrator), the installer will open automatically. All you have to do is click Continue to begin the installation.

Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. Since any user with an administrator’s account – the default if there is just one user on a Mac – can install software in the Applications folder, a password is not needed. This package installs an application – the downloader – named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind.

Update: The preceding scenario assumes that the user has visited the SEO-poisoned site using Safari (the default browser in OS X) and that the browser’s default settings are in use. You can block the automatic installation in Safari by clicking File, Preferences, and then clearing the Open “Safe” Files After Downloading check box.

In this release, visiting a malware distribution site using Firefox or Safari causes a Zip file to be downloaded. Running the installer in that Zip file does not require an administrator password.

The downloader portion then installs the second part, which is similar to the original Mac Defender.

The new architecture seems to be a specific response to Apple’s instructions in the Mac Defender security note: “In some cases, your browser may automatically download and launch the installer for this malicious software. If this happens, cancel the installation process; do not enter your administrator password.”

In this new variation, no password is required as long as you’re logged in using an administrator account. That might lull a potential victim into thinking they’re safe.

I know a lot of Apple users who breathed a sigh of relief yesterday, thinking that Apple’s belated response finally means that the problem is over. As any computer security researcher will tell you, this arms war is just getting started.

Apple appears to be treating this outbreak as if it were a single incident that won’t be repeated. They seriously underestimate the bad guys, who are not idiots. Peter James, an Intego spokeperson, told me his company’s analysts were “impressed by the quality of the original version.” The quick response to Apple’s move suggests they are capable of churning out new releases at Internet speeds, adapting their software and their tactics as their target—Apple—tries to put up new roadblocks.

If Apple plans to play Whack-a-Mole with these guys, they’re in for months of misery. Just ask any Windows security expert who was around in 2003 and 2004 when Microsoft was learning a similar painful lesson. If each reaction from Apple takes two or three weeks, the bad guys will make a small fortune and Mac users can count on significant pain and anguish.

If you’ve run across this new variation in the wild, let me know. I’ll have my eyes open and plan to report back if I find anything.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “The Ed Bott Report”

Topics

Apple Macintosh, Malware, Apple Inc., Desktops, Security, Hardware, Ed Bott

Ed Bott is an award-winning technology writer with more than two decades' experience writing for mainstream media outlets and online publications.

Disclosure

Ed Bott

Ed Bott is a freelance technical journalist and book author. All work that Ed does is on a contractual basis.

Since 1994, Ed has written more than 25 books about Microsoft Windows and Office. Along with various co-authors, Ed is completely responsible for the content of the books he writes. As a key part of his contractual relationship with publishers, he gives them permission to print and distribute the content he writes and to pay him a royalty based on the actual sales of those books. Ed's books are currently distributed by Que Publishing (a division of Pearson Education) and by Microsoft Press.

On occasion, Ed accepts consulting assignments. In recent years, he has worked as an expert witness in cases where his experience and knowledge of Microsoft and Microsoft Windows have been useful. In each such case, his compensation is on an hourly basis, and he is hired as a witness, not an advocate.

Ed does not own stock or have any other financial interest in Microsoft or any other software company. He owns 500 shares of stock in EMC Corporation, which was purchased before the company's acquisition of VMWare. In addition, he owns 350 shares of stock in Intel Corporation, purchased more than two years ago. All stocks are held in retirement accounts for long-term growth.

Ed does not accept gifts from companies he covers. All hardware products he writes about are purchased with his own funds or are review units covered under formal loan agreements and are returned after the review is complete.

Biography

Ed Bott

Ed Bott is an award-winning technology writer with more than two decades' experience writing for mainstream media outlets and online publications. He's served as editor of the U.S. edition of PC Computing and managing editor of PC World; both publications had monthly paid circulation in excess of 1 million during his tenure. He is the author of more than 25 books on Microsoft Windows and Office, including the recently released Windows 7 Inside Out.

Talkback Most Recent of 361 Talkback(s)

  • RE: Mac malware authors release a new, more dangerous version
    Lets see how long it takes for Apple to acknowledge this new variant and that's assuming they do. I need to go back and watch some of those Mac vs. PC ads and laugh about how Mac's couldn't get this stuff.
    ZDNet Gravatar
    LoverockDavidson
    25th May
  • RE: Mac malware authors release a new, more dangerous version
    @LoverockDavidson

    I wish they had built their operating system with security in mind.
    ZDNet Gravatar
    Bookmark71
    25th May
  • LOL!
    @Bookmark71

    Apple design their OS with security in mind? Oh, but Uncle Skeletor, er, Steve said they did, so it must be so.
    ZDNet Gravatar
    Joe_Raby
    25th May
    • Flagged
  • It's hard to program against uniformed users.
    @Bookmark71

    It is secure. You can't program against the user entering their password when requested by an installation routine without preventing all installations.

    Maybe John Dvorak is right - people should be required to show knowledge and skill and be issued a license before they can operate a computer, just like driving an automobile.

    (as soon as you make something idiot proof, somebody develops a better idiot)
    ZDNet Gravatar
    mseyf
    25th May
  • They did.
    @Bookmark71

    For the security environment of about 15 years ago. It was ahead of Windows' security architecture when it was released, but Apple rested on those laurels while the last couple of Windows releases have increased intrinsic security by leaps and bounds.
    ZDNet Gravatar
    Lester Young
    25th May
  • RE: Mac malware authors release a new, more dangerous version
    @mseyf

    Uh, mseyf.... read the article. The new version of this thing doesn't need you to enter your admin password to install this thing!

    So..... Apple apparently did NOT design OSX with security in mind, as the people 'in the know' have been saying for years now.
    ZDNet Gravatar
    Lerianis10
    26th May
  • re: I wish they had built their operating system with security in mind.
    Remember that Apple didn't build OS-X...would be interesting to have seen how resistant Copeland would have been since it completely closed-source and would likely have stayed that way.
    ZDNet Gravatar
    dpsAndrew
    26th May
  • The Mac sky is falling Special Eddie...
    Talk about lame... Mac malware can't spead all by itself... They have to trick a user to installing it and that user has to enter an admin password to do the install... Unlike Winblows... Where you can pick up malware just by visiting a site or checking out a friends facebook page (and you don't even have to be an admin, you can simply be a power user or a regular user).

    But Special Eddie keeps crying that the Mac sky is falling and it isn't and everyone knows it... Mac Malware is still a great big yawn and there still isn't a virus for any version of Mac OS X... OS X is UNIX and no one is going to write a UNIX virus... Nothing to do with market share... So the only thing Mac users will ever have to deal with is socially engineered malware that requires 6 to 8 screens of user interaction to install... But all you trolls be sure to hop on that Special Ed bus and pat yourselves on the back real good...

    So riddle me this special Eddie... Just how is the Mac sky falling???


    ???


    ???


    ???


    Yeah... That's what I thought...

    BTW... You can keep deleting my accounts and I can keep making more... This retarded little game you started really is lame and pointless... But I guess that is kinda fitting considering that you are really lame and pointless.

    Awwwww... Did I hurt yer wittle feelwings Special Eddie??? You better go tell your mommy and get my account deweeted... That'll show dat mean ol' i8thcat... LOL... You are such a Doofus...
    ZDNet Gravatar
    i8thecat3
    27th May
    • Flagged
  • The Mac sky is falling?? I must have missed that one.
    @i8thecat3
    Please, i8thecat3, please direct us to the line in Ed's article where he said anything about any sky falling?

    ???

    ???

    ???

    Yeah... That's what I thought...

    And Doofus? How old are you, 10?

    You are just about the worst kind of Apple apologist that lives. You come across like a spoiled little child that has their allowance tied up in Apple stocks and is more then willing to spin any lie you can dream up to avoid any negative impact on Apple stock.

    You clearly have no idea (and that in itself is very telling) but the way you just ranted only tarnishes the reputation of Mac users generally. If anyone reading your post thinks you represent in any way the thinking process of a Mac user in general they would think Mac users are a bunch of childish morons who are prepared to excuse away any flaw in a Mac to preserve their own enormously fragile self esteem thats apparently been based solely on their choice of computer hardware.

    So sad indeed.
    ZDNet Gravatar
    Cayble
    27th May
  • Grow a brain cell Cayble
    @Cayble

    The sky is falling is a metaphor brainiac... Special eddie posting daily about how bad this so called mac malware epidemic is like chicken little running around screaming that the sky is falling...

    And your ignorant claim that I am spinning a lie is just that... ignorant... have you see this malware on a Mac... Gee, No... Of course you haven't... You are still afraid to touch a mac let alone have any clue as to how they work.

    So put your self rightous rant to bed, it is painfully obvious that you are a clueless MS Troll and that you ride the Special Eddie Bus.

    Here is a little advice... Go touch a Mac... it's not going to bite you, and even you can quickly learn how to use them... And then, while using that mac, go hit a page with mac defender on it and see just how stupid all this troll hysteria really is... Then go stand in front of a mirror and laugh at yourself hysterically... Cus that's what you Special Eddies do.
    ZDNet Gravatar
    i8thecat3
    27th May
    • Flagged
  • Sigh.
    @Bookmark71
    "I wish they had built their operating system with security in mind." Yeah, just like MS did, right?

    The ensuing posts read like a sad roll-call of all the little Microsoft bigots, trolls and shills having their field day.
    ZDNet Gravatar
    rahbm
    28th May
  • RE: Mac malware authors release a new, more dangerous version
    Scalable recognition is a slow evolving technology that will reap huge benefits when it fully matures. I have seen these techniques used for help systems in the area of medical diagnostics. These work best with specialty areas with distinct vocabulary requirements.
    Mobile broadband uk
    ZDNet Gravatar
    Amanda123456
    13th Sep
  • RE: Mac malware authors release a new, more dangerous version
    that information posted here seems to be very reliable, I believe you really have shown a excepicional work, I think it's very good, you posted this kind of article, keep on posting interesting stuff, hugs!
    Mobile broadband uk
    ZDNet Gravatar
    Amanda123456
    13th Sep
  • RE: Mac malware authors release a new, more dangerous version
    that information posted here seems to be very reliable, I believe you really have shown a excepicional work, I think it's very good, you posted this kind of article, keep on posting interesting stuff, hugs!
    Mobile broadband uk
    ZDNet Gravatar
    Amanda123456
    13th Sep
  • RE: Mac malware authors release a new, more dangerous version
    Great and fantastic blog. I am interested very much in the subject matter of your blog, it???s my first visit. Mobile broadband uk
    ZDNet Gravatar
    Amanda123456
    13th Sep
View More Comments

Talkback - Tell Us What You Think

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources