Mac malware authors release a new, more dangerous version

Summary: Apple finally responded to the Mac Defender outbreak, with a technical note containing removal instructions and the promise of a removal tool. Within hours, the bad guys had released a new version of their malware. This one doesn't require that you enter an administrator's password.

Yesterday, 25 days after the Mac Defender malware began to appear in the wild, Apple finally responded. In a technical support note, “How to avoid or remove Mac Defender malware,” the company posted instructions for users to follow if they’ve encountered this malware specimen in the wild. It also promised a security update to remove infections automatically.

File that memo under, “Too little, too late.”

Within 12 hours of Apple’s announcement, the author of the original Mac Defender program had a new variant available that renders key portions of the current Mac Defender prevention plan obsolete.

A security researcher for Intego, the Mac-centric security company that identified the original Mac Defender, found the first example of this new code via a poisoned Google search very early this morning.

Several factors make this specimen different. For starters, it has a new name: MacGuard. That’s not surprising, given that the original program already had at least three names. But this one is divided into two separate parts.

The first part, a downloader program, installs in the user’s Applications folder. If you’re an administrator on your Mac (and most people are, given that the overwhelming majority of Macs have only one user and the default account in that scenario is an administrator), the installer will open automatically. All you have to do is click Continue to begin the installation.

Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. Since any user with an administrator’s account – the default if there is just one user on a Mac – can install software in the Applications folder, a password is not needed. This package installs an application – the downloader – named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind.

Update: The preceding scenario assumes that the user has visited the SEO-poisoned site using Safari (the default browser in OS X) and that the browser's default settings are in use. You can block the automatic installation in Safari by clicking File, Preferences, and then clearing the Open "Safe" Files After Downloading check box.
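Two defender-side checks for the scenario described above, written as an added example (not code from the article, Apple or Intego): whether Safari's "Open 'safe' files after downloading" setting is still on, and whether a bundle with the downloader's name has appeared in the Applications folder. The preference key, the preferences path and every bundle spelling other than avRunner are assumptions.

```python
"""Defender-side checks for the MacGuard scenario described above (added
example; not code from the article, Apple or Intego; key name, prefs path
and bundle spellings other than avRunner are assumptions)."""
import plistlib
import sys
import tempfile
from pathlib import Path

# Assumed key behind Safari's "Open 'safe' files after downloading" box.
SAFARI_PREFS = Path.home() / "Library/Preferences/com.apple.Safari.plist"
AUTO_OPEN_KEY = "AutoOpenSafeDownloads"
# "avRunner" is named in the article; the other spellings are assumed.
SUSPECT_NAMES = {"avrunner", "macguard", "macdefender"}


def safari_auto_open_enabled(prefs_path=SAFARI_PREFS):
    """True if Safari auto-opens 'safe' downloads. The article says this is
    the default, so a missing file or key counts as enabled."""
    prefs_path = Path(prefs_path)
    if not prefs_path.is_file():
        return True
    with prefs_path.open("rb") as fp:
        return bool(plistlib.load(fp).get(AUTO_OPEN_KEY, True))


def find_suspect_apps(applications_dir="/Applications"):
    """Return .app bundles in applications_dir matching SUSPECT_NAMES."""
    apps = Path(applications_dir)
    if not apps.is_dir():
        return []
    return sorted(p.name for p in apps.iterdir()
                  if p.suffix == ".app" and p.stem.lower() in SUSPECT_NAMES)


def build_constructed_sample(auto_open=True):
    """Constructed fixture: a prefs plist plus a fake Applications folder
    holding one benign bundle and the downloader the article names."""
    root = Path(tempfile.mkdtemp(prefix="macguard_demo_"))
    prefs = root / "com.apple.Safari.plist"
    with prefs.open("wb") as fp:
        plistlib.dump({AUTO_OPEN_KEY: auto_open}, fp)
    apps = root / "Applications"
    for name in ("Safari.app", "avRunner.app"):
        (apps / name).mkdir(parents=True)
    return prefs, apps


if __name__ == "__main__":
    # Use real paths on a Mac; elsewhere run against the constructed sample.
    prefs, apps = ((SAFARI_PREFS, "/Applications") if sys.platform == "darwin"
                   else build_constructed_sample())
    print("Safari auto-open enabled:", safari_auto_open_enabled(prefs))
    print("Suspect bundles in Applications:", find_suspect_apps(apps) or "none")
```

A name match is only a first-pass indicator; the article notes the installer removes itself, so a negative result says nothing about whether the second-stage payload was already fetched.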

In this release, visiting a malware distribution site using Firefox or Safari causes a Zip file to be downloaded. Running the installer in that Zip file does not require an administrator password.

The downloader portion then installs the second part, which is similar to the original Mac Defender.

The new architecture seems to be a specific response to Apple’s instructions in the Mac Defender security note: “In some cases, your browser may automatically download and launch the installer for this malicious software. If this happens, cancel the installation process; do not enter your administrator password.”

In this new variation, no password is required as long as you're logged in using an administrator account. That might lull a potential victim into thinking they’re safe.

I know a lot of Apple users who breathed a sigh of relief yesterday, thinking that Apple’s belated response finally means that the problem is over. As any computer security researcher will tell you, this arms race is just getting started.

Apple appears to be treating this outbreak as if it were a single incident that won’t be repeated. They seriously underestimate the bad guys, who are not idiots. Peter James, an Intego spokesperson, told me his company's analysts were "impressed by the quality of the original version." The quick response to Apple's move suggests they are capable of churning out new releases at Internet speeds, adapting their software and their tactics as their target, Apple, tries to put up new roadblocks.

If Apple plans to play Whack-a-Mole with these guys, they’re in for months of misery. Just ask any Windows security expert who was around in 2003 and 2004 when Microsoft was learning a similar painful lesson. If each reaction from Apple takes two or three weeks, the bad guys will make a small fortune and Mac users can count on significant pain and anguish.

If you've run across this new variation in the wild, let me know. I'll have my eyes open and plan to report back if I find anything.

Topics: Security, Apple, Hardware, Malware

Talkback

353 comments
  • RE: Mac malware authors release a new, more dangerous version

    Let's see how long it takes for Apple to acknowledge this new variant, and that's assuming they do. I need to go back and watch some of those Mac vs. PC ads and laugh about how Macs couldn't get this stuff.
    LoverockDavidson
    • RE: Mac malware authors release a new, more dangerous version

      @LoverockDavidson

      I wish they had built their operating system with security in mind.
      Admin71
      • LOL!

        @Bookmark71

        Apple design their OS with security in mind? Oh, but Uncle Skeletor, er, Steve said they did, so it must be so.
        Joe_Raby
      • It's hard to program against uninformed users.

        @Bookmark71

        It is secure. You can't program against the user entering their password when requested by an installation routine without preventing all installations.

        Maybe John Dvorak is right - people should be required to show knowledge and skill and be issued a license before they can operate a computer, just like driving an automobile.

        (as soon as you make something idiot proof, somebody develops a better idiot)
        SkiddMarxx
      • They did.

        @Bookmark71

        For the security environment of about 15 years ago. It was ahead of Windows' security architecture when it was released, but Apple rested on those laurels while the last couple of Windows releases have increased intrinsic security by leaps and bounds.
        Lester Young
      • RE: Mac malware authors release a new, more dangerous version

        @mseyf

        Uh, mseyf.... read the article. The new version of this thing doesn't need you to enter your admin password to install this thing!

        So..... Apple apparently did NOT design OSX with security in mind, as the people 'in the know' have been saying for years now.
        Lerianis10
      • re: I wish they had built their operating system with security in mind.

        Remember that Apple didn't build OS X... it would be interesting to have seen how resistant Copland would have been, since it was completely closed-source and would likely have stayed that way.
        dpsAndrew
      • The Mac sky is falling Special Eddie...

        Talk about lame... Mac malware can't spread all by itself... They have to trick a user into installing it, and that user has to enter an admin password to do the install... Unlike Winblows... Where you can pick up malware just by visiting a site or checking out a friend's Facebook page (and you don't even have to be an admin, you can simply be a power user or a regular user).

        But Special Eddie keeps crying that the Mac sky is falling and it isn't and everyone knows it... Mac Malware is still a great big yawn and there still isn't a virus for any version of Mac OS X... OS X is UNIX and no one is going to write a UNIX virus... Nothing to do with market share... So the only thing Mac users will ever have to deal with is socially engineered malware that requires 6 to 8 screens of user interaction to install... But all you trolls be sure to hop on that Special Ed bus and pat yourselves on the back real good...

        So riddle me this special Eddie... Just how is the Mac sky falling???

        ???

        ???

        ???

        Yeah... That's what I thought...

        BTW... You can keep deleting my accounts and I can keep making more... This retarded little game you started really is lame and pointless... But I guess that is kinda fitting considering that you are really lame and pointless.

        Awwwww... Did I hurt yer wittle feelwings Special Eddie??? You better go tell your mommy and get my account deweeted... That'll show dat mean ol' i8thcat... LOL... You are such a Doofus...
        i8thecat3
      • The Mac sky is falling?? I must have missed that one.

        @i8thecat3
        Please, i8thecat3, please direct us to the line in Ed's article where he said anything about any sky falling?

        ???

        ???

        ???

        Yeah... That's what I thought...

        And Doofus? How old are you, 10?

        You are just about the worst kind of Apple apologist that lives. You come across like a spoiled little child that has their allowance tied up in Apple stock and is more than willing to spin any lie you can dream up to avoid any negative impact on Apple stock.

        You clearly have no idea (and that in itself is very telling), but the way you just ranted only tarnishes the reputation of Mac users generally. If anyone reading your post thinks you represent in any way the thinking process of a Mac user in general, they would think Mac users are a bunch of childish morons who are prepared to excuse away any flaw in a Mac to preserve their own enormously fragile self-esteem that's apparently been based solely on their choice of computer hardware.

        So sad indeed.
        Cayble
      • Grow a brain cell Cayble

        @Cayble

        "The sky is falling" is a metaphor, brainiac... Special Eddie posting daily about how bad this so-called Mac malware epidemic is, is like Chicken Little running around screaming that the sky is falling...

        And your ignorant claim that I am spinning a lie is just that... ignorant... have you seen this malware on a Mac... Gee, no... Of course you haven't... You are still afraid to touch a Mac, let alone have any clue as to how they work.

        So put your self-righteous rant to bed, it is painfully obvious that you are a clueless MS troll and that you ride the Special Eddie bus.

        Here is a little advice... Go touch a Mac... it's not going to bite you, and even you can quickly learn how to use them... And then, while using that Mac, go hit a page with Mac Defender on it and see just how stupid all this troll hysteria really is... Then go stand in front of a mirror and laugh at yourself hysterically... 'Cus that's what you Special Eddies do.
        i8thecat3
      • Sigh.

        @Bookmark71
        "I wish they had built their operating system with security in mind." Yeah, just like MS did, right?

        The ensuing posts read like a sad roll-call of all the little Microsoft bigots, trolls and shills having their field day.
        rahbm
      • RE: Mac malware authors release a new, more dangerous version

        Scalable recognition is a slow evolving technology that will reap huge benefits when it fully matures. I have seen these techniques used for help systems in the area of medical diagnostics. These work best with specialty areas with distinct vocabulary requirements.
        Amanda123456
      • RE: Mac malware authors release a new, more dangerous version

        The information posted here seems to be very reliable, I believe you really have shown exceptional work, I think it's very good that you posted this kind of article, keep on posting interesting stuff, hugs!
        Amanda123456
      • RE: Mac malware authors release a new, more dangerous version

        Great and fantastic blog. I am interested very much in the subject matter of your blog, it’s my first visit.
        Amanda123456
      • RE: Mac malware authors release a new, more dangerous version

        Yesterday, 25 days after the Mac Defender malware began to appear in the wild, Apple finally responded. In a technical support note, “How to avoid or remove Mac Defender malware,” the company posted instructions for users to follow if they’ve encountered this malware specimen in the wild. It also promised a security update to remove infections automatically.
        Amanda123456
    • LMFAO!!!

      @LoverockDavidson

      I'm having flashbacks of the XP days, when all the Mactards would scream at the top of their lungs: "any O/S that doesn't require a password to install something is worse than Swiss cheese" and "what kind of idiot would run under an admin account".
      SonofaSailor
      • So let's not be like them, OK?

        @SonofaSailor

        Well, maybe once or twice to get it out of your system.
        Lester Young
      • RE: Mac malware authors release a new, more dangerous version

        @SonofaSailor and they are exactly right. This new variant, if I read the article correctly, only requires you to be running with administrator privileges. I suppose all your Windows accounts have administrator rights? Of course not. It's a bad idea on *nix OSes and on Windows. If the user is that naive, they deserve what they get. You should create at least two accounts on every OS X instance: one for an ordinary user with no admin rights and one with admin rights. For day-to-day work, use the user account. For tasks that require admin rights, log in with the admin account. How hard is that? Who would install software they don't know about anyway?

        Now let's get back to work and quit calling each other's babies ugly. It's an argument that cannot be won.
        ArtPeck
    • RE: Mac malware authors release a new, more dangerous version

      @LoverockDavidson
      Except no Mac vs. PC ad ever said what you are implying they said. The commercial said that Macs didn't get PC viruses, not that they were immune to anything that could ever be made.
      doh123