New MacGuard Phishing Attack Bypasses Mac OS X Password Requirement

A new MacDefender variant targeting Apple's Mac OS X platform now can circumvent the password requirement to install fake antivirus software onto victims' computers.

The latest version of the fake antivirus MacDefender, known as MacGuard, was first detected by researchers at Mac security firm Intego. Unlike other versions of Mac Defender, MacGuard bypasses password requirements, and automatically installs without any user intervention.

Intego researchers first detected a fake antivirus attack with Mac Defender targeting the Mac OS X platform May 2. Like other fake antivirus schemes, known as scareware, the virus appeared on users' Macs via a pop-up or an infected link, offering a phony virus scan. The fake scan would inevitably claim to find a virus, and then would trick the user into submitting credit card numbers in exchange for bogus antivirus software.

Since it was first discovered earlier this month, alternately named versions of the MacDefender virus have emerged, such as MacProtector, and MacSecurity. Up until now, the different version have been the same application but with different names.

However, the new MacGuard, which is spread via SEO poisoning attacks, functions slightly differently. Initially, the installation package, known as avSetup.pkg, is downloaded automatically when a user visits a malicious or infected site, typically via an SEO poisoning attack.

If Safari's "Open safe files after downloading" feature is checked, the payload will open Apple's Installer and the user will see a standard installation screen, Intego researchers said. If not, users could see a downloaded ZIP archive and feel inclined to double click, which would also launch the Mac OS Installer.

The package then installs a downloader, dubbed avRunner, which then launches automatically while the installation package deletes itself from the user's Mac, essentially erasing its tracks.

"Unlike the previous variants of this fake antivirus, no administrator's password is required to install this program," Intego researchers said in an advisory. "Since any user with an administrator's account -- the default if there is just one user on a Mac -- can install software in the Applications folder, a password is not needed."

The downloader then installs the new MacDefener version, MacGuard, downloaded by the avRunner application from an IP address hidden in an image file.

Intego researchers say that users should be wary of Web pages that appear to be a Finder window.

"Leave the page, and quit your Web browser. If anything has downloaded, and the Installer application has opened, quit it right away; look in your Downloads folder for the file, then delete it," Intego said.

Apple issued an advisory earlier this week warning users of the MacDefender virus , saying that "In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants."

Security experts question how Apple will keep up with what appears to be a constant stream of MacDefender variants -- a tactic which emulates the myriad of fake antivirus attacks on the Windows platform.

Next: Partners Weigh In On Customer Impact

"On Windows, the criminals did this to avoid UAC warnings, and have copied this trick to their Mac OS X releases," said Chester Wisniewski, senior security adviser at Sophos, in a blog post. "(Is Apple) going to develop their own antivirus software? The fast pace with which new variants arrive requires a very different style of software development and updating than Apple is accustomed to."

At least one channel partner echoed that the emergence of a prolific Mac virus, especially one that downloads without any user intervention, changes the threat landscape for their customers.

David Sockol, president of Santa Clara, Calif.-based Emagined Security, said that if anything, the surge of Mac Defender malware would put Mac users more on par with Windows users, and possibly compel them to become more security conscious.

"Mac users think that they are immune from viruses. A big one hits, and all of a sudden, they have to sit up and take notice," Sockol said. "Now people have to start rethinking their approach and have to move to a more proactive stance."

"A lot of corporations have mixed environments. Where they have focused the majority of their attention on Windows, now all of a sudden those organizations have to realize that they have to deal with all the different environments," he said.

Yet despite a heightened awareness, Sockol said he didn't anticipate a huge increase in demand for Mac security products.

"We'll see a little bit of an uptick, but in the end, its installing what's already on the market today."