Mac Defender Variant Installs Malware Without Admin Password

A new variant of the rogue Mac Defender anti-virus program, targeting the Mac operating system, does not require an admin password to be installed on victims’ computers, a security company has warned.

In a blog post, security software maker Intego explained that the new Mac Guard rogue AV tool is slightly different than the Mac Defender malware in functionality and looks more like legitimate Mac software.

The company explained that the malware infects Macs in two steps. First a downloader is installed on a Mac when users visit a malicious, compromised website. The downloader is downloaded automatically when users visit such websites.

If users have selected the ‘open safe files after downloading’ option, then the rogue package will open Apple’s application installer. If the option is not selected, unsuspecting users might click the mysteriously downloaded file out of curiosity.

The rogue package then installs the downloader, avRunner, which launches automatically. The installation package also gets deleted automatically to remove traces.

The avRunner then installs the Mac Guard fake AV program on the system from an IP address stored in an image file on avRunner’s Resources folder.

“Intego considers that the risk for this new variant to be medium, in part because the SEO poisoning has been very efficient in leading Mac users to booby-trapped pages, but also because no password is required to install this variant,” the company said.