Recently, we warned Mac lovers about a piece of phishing malware called MACDefender that infects users via SEO poisoning attacks. Once on the machine, the malware alarms the victim with warnings of a virus infection. MacDefender then persuades the user to download a fake anti-virus, claiming that only MACDefender can remove the allegedly infected files from the computer. The ultimate goal of this attack is to get the user to enter his/her credit card information to buy the anti-virus application, which is itself part of the scam. Since then, several variants have appeared: MacDefender, MacProtector and MacSecurity, all of which are the same application under different names.
Intego, who discovered this malware in the first place, says things have just gotten worse. The first version of MACDefender would at least prompt the user to enter his/her admin password before the software installed, creating a fence of protection for those who are aware. But a new variant has been found that does not require an administrator password to be installed. Instead, it simply auto-installs as a package without needing any privileges.
Intego Explains This New Attack: The new variant of MACDefender comes in two parts. The first part is a downloader, a tool that, after installation, downloads a payload from a web server. As with the Mac Defender malware variants, this installation package, called avSetup.pkg, is downloaded automatically when a user visits a specially crafted web site.
If Safari's Open 'safe' files after downloading option is checked, the package will open Apple's Installer, and the user will see a standard installation screen. If not, users may see the downloaded ZIP archive and double-click it out of curiosity, not remembering what they downloaded, then double-click the installation package. In either case, the Mac OS X Installer will launch.
Unlike the previous variants of this fake antivirus, no administrator's password is required to install this program. Since any user with an administrator's account – the default if there is just one user on a Mac – can install software in the Applications folder, a password is not needed. This package installs an application – the downloader – named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user's Mac, so no traces of the original installer are left behind.
The second part of the malware is a new version of the MacDefender application called MacGuard. This is downloaded by the avRunner application from an IP address that is hidden in an image file in the avRunner application's Resources folder. (The IP address is hidden using a simple form of steganography.)
How to remove this malware the Apple way? Apple has responded by providing steps that infected users can follow to remove this malware from their Macs.
Steps To Follow:
- Move or close the Scan Window
- Go to the Utilities folder in the Applications folder and launch Activity Monitor
- Choose All Processes from the pop up menu in the upper right corner of the window
- Under the Process Name column, look for the name of the app and click to select it; common app names include MacDefender, MacSecurity and MacProtector
- Click the Quit Process button in the upper left corner of the window and select Quit
- Quit Activity Monitor application
- Open the Applications folder
- Locate the app, e.g. MacDefender, MacSecurity, MacProtector or another name
- Drag to Trash, and empty Trash.
A more detailed set of instructions can be found in Apple's support document.
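The manual steps above can also be scripted. The following is an added example, not code from Apple or Intego: it lists any bundle in /Applications whose name matches one of the names mentioned in this post, quits the matching process and moves the bundle to the Trash rather than deleting it, so the sample survives for later review. It assumes the rogue app sits directly under /Applications and that its process name equals its bundle name; the name list and the `--apply` flag are this example's own.

```bash
#!/bin/bash
# Added example (not from Apple or Intego): scripted equivalent of the manual
# removal steps. Assumes the rogue app is installed under /Applications and
# that its process name matches the bundle name, as the article describes.
# Usage: bash remove_macdefender.sh            (dry run, list only)
#        bash remove_macdefender.sh --apply    (quit and move to Trash)

# Names reported for this scam in the post; extend as new variants appear.
ROGUE_NAMES="MacDefender MacSecurity MacProtector MacGuard avRunner"

# Print 1 if NAME (without .app) is a known rogue name, else 0.
is_rogue_name() {
    local name="$1" n
    for n in $ROGUE_NAMES; do
        [ "$n" = "$name" ] && { echo 1; return 0; }
    done
    echo 0
}

# List rogue .app bundles found directly under DIR (default /Applications),
# one full path per line. Never deletes anything.
find_rogue_apps() {
    local dir="${1:-/Applications}" app base
    for app in "$dir"/*.app; do
        [ -e "$app" ] || continue
        base=$(basename "$app" .app)
        [ "$(is_rogue_name "$base")" = 1 ] && echo "$app"
    done
    return 0
}

# Quit matching processes (the Activity Monitor step), then move the bundle
# to the Trash (TRASH_DIR overrides ~/.Trash, e.g. for testing).
remove_rogue_apps() {
    local dir="${1:-/Applications}" app base trash="${TRASH_DIR:-$HOME/.Trash}"
    find_rogue_apps "$dir" | while IFS= read -r app; do
        base=$(basename "$app" .app)
        pkill -x "$base" 2>/dev/null && echo "quit process: $base"
        mkdir -p "$trash"
        mv "$app" "$trash/" && echo "moved to Trash: $app"
    done
}

if [ "$1" = "--apply" ]; then
    remove_rogue_apps
else
    echo "Rogue bundles found (dry run; pass --apply to remove):"
    find_rogue_apps
fi
```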
Apple also promises that a Mac OS X update is on its way and will be available to end users soon. It will address the issues users have been facing with MACDefender and its variants by automatically detecting and removing them from affected systems. Users will then also be protected from being redirected to fake websites instead of the legitimate ones.
Apple's Knowledge Base Article States:
In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware.
We recommend being vigilant about this new variant until Apple posts an official fix for it. If you see anything suspicious being downloaded via Safari, close it immediately and follow the instructions above to be on the safe side. Do not enter your credit card information into any suspicious software. Stay tuned for more updates :) [via Intego]