MacDefender Malware Morphs to More Dangerous Variant
According to experts at security firm Intego, MacGuard is more dangerous than Mac Defender and several earlier variants, including Mac Protector and Mac Security, because it doesn't require an administrator password to install. (See also "Three Ways to Secure Macs at Work: Lessons from MacDefender.")
The aim of the malware is the same -- to persuade victims to hand over their credit card details -- though the process is slightly different. Initially, visiting an infected website automatically triggers the download of a file that installs itself on your Mac.
If you have the "Open safe files after downloading" option in Safari checked, the installation process will begin automatically and the avRunner program will be installed on your Mac. This then downloads a second file package from a domain belonging to the cybercriminals behind the attack, while deleting all traces of the original installer files.
This second file is the MacGuard package, which will automatically install itself as well. It will then demand credit card details to rid your Mac of the infection.
Intego recommends unchecking the "Open safe files after downloading" option in Safari, and if you end up on any website that looks similar to Mac OS X's Finder window, you should close the browser immediately. If the Installer opens, quit it straight away, then check the Downloads folder for any unrecognized files and delete them.
Earlier this week, Apple promised an update to Mac OS X that would find and delete variants of the Mac Defender malware on a user's Mac, as well as warn them should they unwittingly try to download the file.
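The two checks Intego recommends above can be scripted. The following is an added audit helper, not code from the article or from Intego; it assumes Safari stores the "Open safe files after downloading" option under the preference key com.apple.Safari AutoOpenSafeDownloads (on by default, so a missing key counts as enabled) and that the files to review live in ~/Downloads.

```shell
#!/bin/sh
# Added audit helper (not from the article or Intego): reports whether
# Safari's "Open safe files after downloading" option is on, and lists
# recently added installer-type files in a Downloads folder for review.

# Classify the raw output of `defaults read com.apple.Safari AutoOpenSafeDownloads`.
# The option is on by default, so a "does not exist" error means enabled.
auto_open_risk() {
    raw="$1"
    case "$raw" in
        0|false|FALSE|NO|no)   echo "disabled" ;;
        1|true|TRUE|YES|yes)   echo "enabled" ;;
        *"does not exist"*|"") echo "enabled (default)" ;;
        *)                     echo "unknown" ;;
    esac
}

# List installer-type files in directory $1 modified within the last $2 days
# (default 7). The article says to look for unrecognized files in Downloads;
# this narrows the list to the package/archive types installers arrive as.
recent_installers() {
    dir="$1"; days="${2:-7}"
    find "$dir" -maxdepth 1 -type f \( -name '*.pkg' -o -name '*.mpkg' \
        -o -name '*.dmg' -o -name '*.zip' \) -mtime "-$days" 2>/dev/null \
        | LC_ALL=C sort
}

# Stand-alone run: only query Safari when the macOS `defaults` tool exists.
if command -v defaults >/dev/null 2>&1; then
    value=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>&1)
    echo "Safari auto-open of 'safe' downloads: $(auto_open_risk "$value")"
    echo "Installer-type files added to ~/Downloads in the last 7 days:"
    recent_installers "$HOME/Downloads" 7
fi
```

If the first line reports "enabled", unchecking the option in Safari's General preferences (or `defaults write com.apple.Safari AutoOpenSafeDownloads -bool false`) closes the automatic-install step the article describes.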
"In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants," Apple said in a statement.
"The update will also help protect users by providing an explicit warning if they download this malware," it continued.
Apple also outlined steps that users with infected Macs can take to remove the scareware on the Apple Support forum.
However, Chester Wisniewski of security firm Sophos questioned Apple's approach to the problem, as cybercriminals would simply create more variants to get around any defences the company puts in place.
"Are they going to develop their own anti-virus software? The fast pace with which new variants arrive requires a very different style of software development and updating than Apple is accustomed to.