Mere days after Apple Inc. posted a fix for a fake anti-malware program affecting its Mac computers, a new and potentially meaner variant of the program has started making the rounds.
Software maker Intego said the new variant of MacDefender, named MacGuard, may pose a greater threat as it does not require a password for installation.
“Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. Since any user with an administrator’s account —the default if there is just one user on a Mac— can install software in the Applications folder, a password is not needed,” it said in a blog post.
It said that the package installs an application, called avRunner, which launches automatically and downloads the main malware, then deletes itself to leave no trace behind.
Intego assessed the risk of the new variant as “medium,” citing “effective” search engine optimization (SEO) poisoning that led many Mac users to the malware.
Only last May 2, Intego discovered the fake antivirus program MacDefender, which like the new variant targets Mac users via SEO poisoning attacks.
Victims are led to sites hosting the malware through SEO poisoning, which gets malicious sites to appear at the top of search results.
“The goal of this fake antivirus software is to trick users into providing their credit card numbers to supposedly clean out infected files on their Macs,” Intego said.
Intego said that the newest variant functions slightly differently and comes in two parts.
The first part is a downloader, a tool that, after installation, downloads a payload from a web server.
“As with the Mac Defender malware variants, this installation package, called avSetup.pkg, is downloaded automatically when a user visits a specially crafted web site,” it said.
If the “Open ‘safe’ files after downloading” option on Apple’s Safari browser is checked, the package will open Apple’s Installer, and the user will see a standard installation screen.
But if not, users may see the downloaded ZIP archive and double-click it out of curiosity, not remembering what they downloaded, then double-click the installation package.
In either case, the Mac OS X Installer will launch.
The second part of the malware is a new version of the MacDefender application called MacGuard, downloaded by the avRunner application from an IP address that is hidden in an image file in the avRunner application’s Resources folder.
The IP address is hidden using a simple form of steganography, Intego said.
Intego said its VirusBarrier X6’s Anti-Spyware feature detects this operation.
“Intego considers the risk for this new variant to be medium, in part because the SEO poisoning has been very efficient in leading Mac users to booby-trapped pages, but also because no password is required to install this variant,” it said.
Steps for protection
Intego said the first thing to do is to consider as bogus a web page that looks like a Finder window and purports to be scanning the Mac.
“Leave the page, and quit your web browser. If anything has downloaded, and the Installer application has opened, quit it right away; look in your Downloads folder for the file, then delete it,” it said.
Next, users should uncheck the “Open ‘safe’ files after downloading” option in Safari’s General preferences.
Also, it suggested that users scan their Macs after they have updated to the latest malware definitions.
Apple issues a fix
Earlier this week, Apple Inc. finally posted online instructions on how to remove a fake anti-malware program from its Mac computers, after initially ignoring the problem.
In a knowledge base article, Apple said the malware is most commonly known as MacDefender, MacProtector and MacSecurity.
“This ‘anti-virus’ software is malware (i.e. malicious software). Its ultimate goal is to get the user’s credit card information which may be used for fraudulent purposes,” it said.
Such malware fools users into believing their computers are infected with a virus, and offers them the fake “anti-virus” to solve the issue, it said.
Apple said it will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants “in the coming days.”
“The update will also help protect users by providing an explicit warning if they download this malware,” it added.
In the meantime, Apple offered step-by-step instructions on how to avoid or manually remove this malware.
Apple products affected by the malware include Mac OS X 10.4, Mac OS X 10.6, and Mac OS X 10.5.
- If any notifications about viruses or security software appear, quit Safari or any other browser that you are using. If a normal attempt at quitting the browser doesn’t work, then Force Quit the browser.
- In some cases, your browser may automatically download and launch the installer for this malicious software. If this happens, cancel the installation process; do not enter your administrator password. Delete the installer immediately using the steps below.
- Go into the Downloads folder or your preferred download location. Drag the installer to the Trash. Empty the Trash.
If the malware has been installed, Apple recommended the following procedures:
- Do not provide your credit card information under any circumstances.
- Move or close the Scan Window. Go to the Utilities folder in the Applications folder and launch Activity Monitor. Choose All Processes from the pop-up menu in the upper right corner of the window. Under the Process Name column, look for the name of the app and click to select it; common app names include MacDefender, MacSecurity or MacProtector. Click the Quit Process button in the upper left corner of the window and select Quit; then quit the Activity Monitor application.
- Open the Applications folder. Locate the app (MacDefender, MacSecurity, MacProtector or other name). Drag to Trash, and empty Trash.
The malware also installs a login item in your account in System Preferences. To remove it:
- Open System Preferences, select Accounts, then Login Items.
- Select the name of the app you removed in the steps above (MacDefender, MacSecurity, MacProtector).
- Click the minus button.
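The removal steps above boil down to two checks: a fake AV bundle in the Applications folder and a login item pointing at it. The following script is an added example (not from Apple or Intego) that performs both checks; it assumes the Leopard/Snow Leopard loginwindow.plist layout with an `AutoLaunchedApplicationDictionary` key, and it runs offline against constructed sample data rather than a live system.

```python
"""Check for MacDefender-family artifacts: the app bundle and its login item.
Added example, not Apple's or Intego's code. Constructed data only; on a real
10.5/10.6 Mac, point it at /Applications and ~/Library/Preferences/loginwindow.plist."""
import os
import plistlib
import tempfile

# Names quoted in the article, plus the avRunner downloader from the MacGuard variant.
KNOWN_NAMES = {"MacDefender", "MacSecurity", "MacProtector", "MacGuard", "avRunner"}

def suspicious_apps(applications_dir):
    """Return paths of .app bundles in applications_dir whose name is a known fake AV."""
    hits = []
    for entry in sorted(os.listdir(applications_dir)):
        name, ext = os.path.splitext(entry)
        if ext == ".app" and name in KNOWN_NAMES:
            hits.append(os.path.join(applications_dir, entry))
    return hits

def suspicious_login_items(plist_bytes):
    """Return login-item paths that point at a known fake AV.
    Assumes the AutoLaunchedApplicationDictionary layout (a list of dicts with
    a 'Path' key) used by loginwindow.plist on 10.5/10.6."""
    data = plistlib.loads(plist_bytes)
    hits = []
    for item in data.get("AutoLaunchedApplicationDictionary", []):
        path = item.get("Path", "")
        base = os.path.splitext(os.path.basename(path))[0]
        if base in KNOWN_NAMES:
            hits.append(path)
    return hits

# Constructed sample standing in for a compromised account's loginwindow.plist.
SAMPLE_PLIST = plistlib.dumps({
    "AutoLaunchedApplicationDictionary": [
        {"Path": "/Applications/iTunesHelper.app", "Hide": True},
        {"Path": "/Applications/MacProtector.app", "Hide": False},
    ]
})

def demo():
    """Build a constructed Applications folder and run both checks on it."""
    with tempfile.TemporaryDirectory() as apps:
        for app in ("Safari.app", "MacDefender.app"):
            os.mkdir(os.path.join(apps, app))
        app_hits = [os.path.basename(p) for p in suspicious_apps(apps)]
    return app_hits, suspicious_login_items(SAMPLE_PLIST)

if __name__ == "__main__":
    print(demo())  # prints (['MacDefender.app'], ['/Applications/MacProtector.app'])
```

A hit from either check means the manual steps above still need to be carried out; the script only reports, it does not delete anything.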
Apple also reminded its users it provides security updates for the Mac exclusively through Software Update and the Apple Support Downloads site.
“Users should exercise caution any time they are asked to enter sensitive personal information online,” it added.