MacDefender malware mutates into MacGuard

The MacDefender fake-antivirus malware, which has been plaguing Apple users for a couple of weeks now, has mutated into a new variant that no longer requires an administrator password to install itself.

MacGuard uses the same social engineering method as MacDefender and MacSecurity: a fake web page mimics a virus scan and reports bogus infections on the visitor's Mac OS X system.

The aim of the attack is to get unwitting users to pay for useless antivirus software, which actually infects the system if installed, leaving the criminals with your cash as well as the credit card details you typed in to buy it.

Previous variants required an administrator password in order to install the fake app. Security outfit Intego has discovered that the new version works slightly differently.

"It comes in two parts," notes Intego's Peter James. "The first part is a downloader, a tool that, after installation, downloads a payload from a web server. As with the Mac Defender malware variants, this installation package, called avSetup.pkg, is downloaded automatically when a user visits a specially crafted web site."

If the user has Safari's 'Open "safe" files after downloading' option switched on, the package opens in the Installer automatically. If not, the installer sits dormant in the Downloads folder, where it runs the risk of being opened at a later date.

"Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program," says James. "Since any user with an administrator’s account – the default if there is just one user on a Mac – can install software in the Applications folder, a password is not needed."

This package installs a downloader application called avRunner, which then launches automatically. The installer also deletes the original package, leaving no trace of it; the avRunner application itself, however, remains on disk.

The second part of the malware is the actual MacDefender variant, called MacGuard, which avRunner downloads from a concealed IP address.
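The chain described above leaves a few things a user or administrator can check for directly: whether Safari still auto-opens downloads, whether the Applications folder is writable without elevation (the reason no password prompt appears), whether avSetup.pkg is sitting dormant in Downloads, and whether any of the app names from this family are present in Applications. The following triage script is an added example written for this article, not code from Intego or the original page. It assumes the on-disk names match the ones the article gives (MacDefender, MacSecurity, MacGuard, avRunner, avSetup.pkg) and that Safari's option is stored under the preference key `AutoOpenSafeDownloads` in `com.apple.Safari`, which is enabled when the key is absent.

```shell
#!/bin/sh
# Triage checks for the MacGuard / MacDefender fake-antivirus family.
# Added example, not part of the original article or Intego's report.
# Assumptions: bundle names are <name>.app; the dormant package is avSetup.pkg;
# Safari's "Open 'safe' files after downloading" is com.apple.Safari AutoOpenSafeDownloads.

# Names the article attributes to this family (assumed on-disk names).
SUSPECT_NAMES="MacDefender MacSecurity MacGuard avRunner"

# $1: directory to scan (normally /Applications). Prints one matching path per line.
find_suspect_apps() {
    dir=$1
    for name in $SUSPECT_NAMES; do
        for entry in "$dir"/"$name"*; do
            [ -e "$entry" ] && printf '%s\n' "$entry"
        done
    done
    return 0
}

# $1: Downloads directory. Prints the path of the auto-downloaded installer if it is still there.
find_dormant_installer() {
    [ -e "$1/avSetup.pkg" ] && printf '%s\n' "$1/avSetup.pkg"
    return 0
}

# $1: the Applications folder. Succeeds when the current user can write there without
# elevating, which is exactly what lets this variant install with no password prompt.
apps_dir_writable() {
    [ -w "$1" ]
}

# Reports Safari's auto-open setting as yes / no / unknown. An absent key means the
# default, which is enabled; on a non-macOS host (no `defaults` tool) the answer is unknown.
safari_autoopen_enabled() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)
    case "$v" in
        0|false|NO) echo no ;;
        *) echo yes ;;
    esac
    return 0
}

# Runs the checks against the real locations on this machine.
triage_host() {
    echo "Safari auto-opens 'safe' downloads: $(safari_autoopen_enabled)"
    if apps_dir_writable /Applications; then
        echo "/Applications is writable by $(id -un): no password needed to drop an app there"
    else
        echo "/Applications is not writable by $(id -un)"
    fi
    apps=$(find_suspect_apps /Applications)
    [ -n "$apps" ] && echo "Suspect apps found:" && echo "$apps"
    pkg=$(find_dormant_installer "$HOME/Downloads")
    [ -n "$pkg" ] && echo "Dormant installer found: $pkg"
    return 0
}

# Usage: sh macguard_triage.sh run   (the functions above can also be sourced and called directly)
case "${1:-}" in
    run) triage_host ;;
esac
```

The checks are deliberately read-only: finding avRunner or MacGuard tells you the machine needs cleaning, but since the malware relaunches itself you should also review the user's login items before deleting the bundles. Turning off Safari's auto-open option removes the step that launches avSetup.pkg without any click at all.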

"Intego considers the risk for this new variant to be medium, in part because the SEO poisoning has been very efficient in leading Mac users to booby-trapped pages, but also because no password is required to install this variant," says James.

Apple is aware of the original variants of the malware and says it will issue an emergency update to Mac OS X in the next few days. Apple has not responded to inquiries about the new strain at the time of writing, and it is not clear whether the planned update will address it.