New, More Dangerous Mac Defender Variant Arises

Apple has finally responded to the Mac Defender malware that has infected a number of Mac users, but while Apple took considerable time before it took any action, the malware writer did not: he already has a new variant available that is more dangerous than the original.

The new malware has a new name for its fake antivirus component: MacGuard. Previously, two variants of Mac Defender were dubbed Mac Security and Mac Protector.

Intego, which identified the first version of the malware, discovered the new variant via a poisoned Google search early Wednesday morning. The new variant is split into two parts.

The first part is a downloader program which is installed into the user’s Applications folder. If the end user is an administrator of the Mac (and, just as with Windows, most are, since most computers have only one user and that default account is an administrator), the installer will open automatically without asking for an administrator password. Intego said:
Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. Since any user with an administrator’s account – the default if there is just one user on a Mac – can install software in the Applications folder, a password is not needed. This package installs an application – the downloader – named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind.
The downloader then downloads and installs the second portion, which operates in the same manner as the original fake antivirus, Mac Defender.
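As an added example that is not from the article or from Intego, here is a small POSIX shell triage script for the installation path described above: it reports whether the Applications folder is writable by the current account without elevation (the condition that lets the downloader install silently) and whether any bundle in that folder carries one of the names the article gives for this family. The folder path and the exact bundle names are assumptions.

```shell
#!/bin/sh
# Added example (not the article's or Intego's code). Two checks for the
# silent-install path described above:
#  1. can the current account write to the Applications folder without
#     an admin prompt?
#  2. does any bundle there match a name reported for this fake-AV family?
# The name list and the /Applications path are assumptions for illustration.

# Names the article gives for the family; compared case-insensitively with
# spaces removed, so "Mac Guard.app" and "MacGuard.app" both match.
FAKE_AV_NAMES="macdefender macsecurity macprotector macguard avrunner"

# Return 0 if the folder $1 (default /Applications) exists and is writable
# by the current user, i.e. an installer could drop a bundle there silently.
apps_dir_writable() {
    dir="${1:-/Applications}"
    [ -d "$dir" ] && [ -w "$dir" ]
}

# Print every bundle under $1 whose normalised name is in FAKE_AV_NAMES.
# Returns 0 if at least one was found, 1 otherwise.
find_fake_av_bundles() {
    dir="${1:-/Applications}"
    found=1
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue
        name=$(basename "$entry" | tr -d ' ' | tr 'A-Z' 'a-z')
        name="${name%.app}"
        for bad in $FAKE_AV_NAMES; do
            if [ "$name" = "$bad" ]; then
                echo "suspicious bundle: $entry"
                found=0
            fi
        done
    done
    return $found
}

# Stand-alone use: report on the real Applications folder.
if apps_dir_writable /Applications; then
    echo "/Applications is writable without elevation: silent installs are possible"
fi
find_fake_av_bundles /Applications || echo "no known fake-AV bundle names found"
```

A hit from the name check is only a starting point for triage; the article notes the installer deletes itself, so the bundle and any running process named after it are what remains to inspect.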

The thought is that the changes sidestep portions of Apple's support note on Mac Defender, where the company says: “In some cases, your browser may automatically download and launch the installer for this malicious software. If this happens, cancel the installation process; do not enter your administrator password.”

The fact that no password is required simplifies the install and potentially makes it more dangerous, said Ed Bott of ZDNet. Still, a potential victim who cancels the install will be OK. Once again, it has finally begun: Mac OS X is being targeted by malware writers "in quantity."

It makes one laugh at those Mac vs. PC ads that said the Mac wasn't vulnerable to malware (below), not because the ads were humorous, but because the ads were, simply stated, wrong.