Mac Defender Malware Mutates: It Can Now Infect Your Mac Without An Administrator Password
Apple may be preparing to nuke Mac Defender from orbit in the next Snow Leopard update, but not only is the malware still a very real threat… Mac Defender has now mutated into an even bigger danger than it was before.

Mac antivirus company Intego just wrote to us to alert us to the latest variant of Mac Defender, called Mac Guard. What makes Mac Guard so dangerous compared to previous variants (including MacDefender, MacProtector and MacSecurity) is that Mac Guard doesn’t need you to enter your administrator’s password in order to install itself.

Here’s how it works:

The first part is a downloader, a tool that, after installation, downloads a payload from a web server. As with the Mac Defender malware variants, this installation package, called avSetup.pkg, is downloaded automatically when a user visits a specially crafted web site.

If Safari’s “Open ‘safe’ files after downloading” option is checked, the package will open Apple’s Installer, and the user will see a standard installation screen. If not, users may see the downloaded ZIP archive and double-click it out of curiosity, not remembering what they downloaded, then double-click the installation package. In either case, the Mac OS X Installer will launch.

Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. Since any user can install software in the Applications folder, a password is not needed. This package installs an application – the downloader – named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind.

The second part of the malware is a new version of the MacDefender application called MacGuard. This is downloaded by the avRunner application from an IP address that is hidden in an image file in the avRunner application’s Resources folder. (The IP address is hidden using a simple form of steganography.)
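The two-stage flow above gives a defender a few concrete things to check: whether a downloaded flat package asks Installer for administrator authorisation at all, whether it bundles any of the component names Intego lists, whether those names are already sitting in /Applications or a user's own Applications folder, and whether Safari is still set to open "safe" downloads automatically. The script below is an added example (not Intego's, Apple's or the article's code) that runs these checks over constructed inputs: a PackageInfo XML fragment modelled on the flat-package format, a made-up list of application paths, and a dictionary standing in for Safari's preferences. The `auth` attribute on `pkg-info` and the `AutoOpenSafeDownloads` key are real; the identifiers, paths and file counts in the sample data are invented.

```python
"""Triage checks for the Mac Guard / Mac Defender delivery chain.

Added example, not code from the article or from Intego. Inputs are
constructed: on a real Mac you would expand the .pkg (pkgutil --expand),
read its PackageInfo, list /Applications and ~/Applications, and read
com.apple.Safari's AutoOpenSafeDownloads preference.
"""
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath
from typing import Dict, List

# Component names taken from the article: the installer package, the
# downloader and the fake-antivirus variants (matched case-insensitively).
KNOWN_NAMES = {
    "avsetup.pkg", "avrunner", "avrunner.app", "macguard", "macguard.app",
    "macdefender", "macdefender.app", "macprotector", "macprotector.app",
    "macsecurity", "macsecurity.app",
}

# Constructed PackageInfo, modelled on Apple's flat-package format. The auth
# attribute is what tells Installer whether to request an administrator
# password ("root") or to install without one ("none").
SAMPLE_PACKAGE_INFO = """<?xml version="1.0" encoding="utf-8"?>
<pkg-info format-version="2" identifier="com.example.avsetup" version="1.0"
          install-location="/Applications" auth="none">
  <payload installKBytes="412" numberOfFiles="9"/>
  <bundle-version>
    <bundle id="com.example.avrunner" path="./avRunner.app"/>
  </bundle-version>
</pkg-info>
"""

# Constructed directory listing; the second and third entries are the
# article's downloader and payload names.
SAMPLE_PATHS = [
    "/Applications/Safari.app",
    "/Applications/avRunner.app",
    "/Users/alice/Applications/MacGuard.app",
    "/Applications/Utilities/Terminal.app",
]


def package_auth(package_info_xml: str) -> str:
    """Return the pkg-info auth value ("root", "none" or "unspecified")."""
    root = ET.fromstring(package_info_xml)
    if root.tag != "pkg-info":
        raise ValueError("not a PackageInfo document")
    return root.get("auth", "unspecified").lower()


def package_requires_admin(package_info_xml: str) -> bool:
    """True only when the package explicitly asks for root authorisation.
    A missing attribute is treated as not requesting admin (assumption,
    chosen so triage errs on the side of flagging)."""
    return package_auth(package_info_xml) == "root"


def suspicious_bundles(package_info_xml: str) -> List[str]:
    """Bundle paths inside the package whose names match known components."""
    root = ET.fromstring(package_info_xml)
    hits = []
    for bundle in root.iter("bundle"):
        path = bundle.get("path", "")
        if PurePosixPath(path).name.lower() in KNOWN_NAMES:
            hits.append(path)
    return hits


def scan_application_paths(paths: List[str]) -> List[str]:
    """Paths (system or per-user Applications) whose names match known components."""
    return [p for p in paths if PurePosixPath(p).name.lower() in KNOWN_NAMES]


def safari_auto_open_enabled(prefs: Dict[str, object]) -> bool:
    """Safari enables 'Open safe files after downloading' by default, so a
    missing key counts as enabled."""
    return bool(prefs.get("AutoOpenSafeDownloads", True))


def triage(package_info_xml: str, app_paths: List[str],
           safari_prefs: Dict[str, object]) -> List[str]:
    """Collect human-readable findings from all four checks."""
    findings = []
    auth = package_auth(package_info_xml)
    if auth != "root":
        findings.append(f"package installs without admin authorisation (auth={auth})")
    for path in suspicious_bundles(package_info_xml):
        findings.append(f"package bundles a known Mac Defender component: {path}")
    for path in scan_application_paths(app_paths):
        findings.append(f"known Mac Defender component present on disk: {path}")
    if safari_auto_open_enabled(safari_prefs):
        findings.append("Safari will open 'safe' downloads automatically")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_PACKAGE_INFO, SAMPLE_PATHS, {"AutoOpenSafeDownloads": True}):
        print("FINDING:", line)
```

Name matching alone is weak evidence (a renamed variant slips past it), which is why the package-level check matters more: a package that installs into /Applications with `auth="none"` and bundles an application that launches on install is worth a closer look regardless of what it is called.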

As with other variants of Mac Defender, Mac Guard is easy enough to avoid if you know what you’re looking for, and easy enough to remove if you accidentally become infected.

However, now that Mac Defender has made the leap to infecting users’ machines without entering an administrator’s password first, it’s likely a lot more people are going to be infected. Apple’s security update can’t come soon enough.

  • prof_peabody

    Intego doesn’t seem like a very reliable source to me.  They have no info on their web page about the new variant, and the info they have on MacDefender is more in the way of an advertisement for their services than it is actual info on the virus.  Very anti-consumer if you ask me.  I wouldn’t trust them necessarily. 

  • Conrad MacIntyre

    “Since any user can install software in the Applications folder, a password is not needed.”

    Ummm… what? That is not true. I have myself and my wife set up as Standard Users with a separate Administrator account that we both have the passwords for. And we definitely need an Admin Password to put Applications in the Applications folder.

    Seems like they don’t really know what they are talking about – or are intentionally fear-mongering. What products do they sell?

  • Noel Reynolds

    Who’s to say Apple’s ‘security update’ can even address this since presumably it was designed for the former variant of the malware.

    I love Apple, but their approach to this is not good.  Much of today’s malware is polymorphic, meaning it can change itself after infection.  This can prevent definition or signature-based scanning from detecting and removing it.  This means that a software patch is unlikely to address this.  Additionally, all the press about how many users are being affected by it is only going to generate more interest in writing malware for OS X.

  • Anonymous

    I’m safe.

    My PC is immune to Mac Malware.

  • CharliK

    Actually it is true. 

    but what is not mentioned is that without the password this version is likely unable to set itself up as a login item (unless you left that area unlocked)

    and most importantly this malware is not a virus but a Trojan Horse. It operates not by changing anything in your system but by running a fake virus scan and then claiming you are horribly infected and you need to buy the full clean-up software right now and run it.

    So you run over to their website and put in your credit card with your billing address and the card security code etc. All the things they need to rob you blind. Perhaps you get an error of some kind designed to trick you into putting in a second card, even perhaps a third. You download the new software or get the unlock key or whatever and the program pretends to clean up your non existent virus while the developers are cleaning up with your credit cards. 

  • Ed_Kel

    …… Yet susceptible to the 100 viruses created while reading this post..  

  • MacGoo

    If you’re running from an Administrator profile, you don’t need a password to drop applications in the Applications folder – but if you run an installer, you always need to authenticate. Don’t be so contrary when there is a ready explanation and his intent is so obvious.

  • MacGoo

    Oooooo! *pounds nonexistent “dislike” button repeatedly, until the subtle irony of this brilliant comment seeps its way into my soul*

  • Ed_Kel

    Why do I keep hearing about this Malware “infecting” our Macs? It’s harmless unless you’re stupid enough to input your credit card information and VERY simple to get rid of…

    “Infected” is a term I wouldn’t choose to describe this.. The only thing this Malware is capable of is exploiting the Mac operator’s idiocy. Again, don’t give your credit card info and delete the app; it’s that simple.  

  • Hampus

    Good for you… Though, isn’t it just too bad the sites used to spread these OSX “Malwares” will download a Windows version if visited from windows?

  • Hampus

    Well, the thing is, really, what else can they do to block it?
    It gets on the computer by getting the user to install it, no way to stop that, well they could lock down OSX and only allow installations from the App Store but I very much doubt that is coming any time soon :p

  • Guest

    If you use the standard account, OS X will always ask you for the Administrator Password when copying a file to /Applications. No matter the OS, users should ALWAYS use the standard account to work and browse the web. Administrator accounts only to install, to edit system config files, etc.

  • Dorje Sylas

    I’m sorry, did I tell the Installer that it could run you? No? GTFO my hard drive! Secure delete, overwritten with 0s.

    Admin password or not the user still has to go all the way through manually clicking through the installer.

    Shoot, I’ll say it now, the next variant will install just for the current user in the user level Applications folder. Bet some of you folks didn’t know there can be an individual user applications folder. Any ass wipe with access to the Developer tools can set this shit up with a few checkboxes and almost no scripting knowledge. Note, this will not require a password either.

  • nthnm

    I don’t think this is any more dangerous, in my opinion. Most of the same people who are going to open this file out of curiosity/stupidity would have entered their password from that same curiosity/stupidity.

  • nthnm

    “Seems like they don’t really know what they are talking about…” 
    You mean like so many of their articles? I personally love the site and their “news” but I now don’t know what to really believe or what to take with a grain of salt.

  • MBBM

    Sometimes……the obvious must be stated………..sad, but true

  • Dorje Sylas

    No, you don’t need the admin password. Not if the pkg file has been configured to NOT require the admin password. It’s on by default in Apple’s installer(package) maker but can be checked off. It’s not hard to generate this kind of delivery mechanism. I do it for custom deployments from Apple Remote Desktop regularly, and not always for Applications.

    You do however have to click at least 2 continue buttons and the install button. Possibly as few as a continue button and an install button if you can get it to bypass the install location confirmation. Try making and using pkg files before saying what can and can’t be done.

    If you are on an admin account and the pkg file has been set up not to ask for authorization, it won’t. Unless it needs the admin password to unlock something or to place something in a folder the admin does not normally have direct access to.

  • Conrad MacIntyre

    I’ll have to take you at your word on that one. Nothing I have ever downloaded has *not* required my Admin Password to be placed in the /Applications folder.

    Side Note:
    This one Trojan (including variants, obviously) has caused such a hubbub in the Tech Blogosphere that it’s kind of crazy. This application requires repeated and explicit user interaction to be effective and can be removed with the Delete key. I remember having a Windows XP box a few years back… 2006?… and the first time I plugged it into my router (no anti-virus came pre-installed back then) I got a “Sasser Worm” and I spent almost an hour and a half with Microsoft Support removing it. I was still convinced that Windows was the bestest.

    Then the iPhone happened. I haven’t looked back.

    My Malware Concerns:
    I’ll be worried about malware when it can install itself into the deepest parts of my system without my knowledge or interaction and requires specialized tools to remove. Then I’ll have a virus scanner running constantly and be on par with my Windows friends for lost CPU cycles.

    Side Note 2:
    Where’s all the hate for Linux and their virus-free status? Just sayin’.

  • Dave

    I’ve heard that this can only install in the apps folder if you are running under an admin account. The first thing anyone with a Mac should do is set up a standard user account and always use it. I rarely ever log into the admin account. You can still install programs with the admin userid and password in the standard user account, and please do not use admin as the admin userid. Give me a break.

  • Dave

    Wow, we have PC users telling us how to practice safe computing. What a joke. I understand, you are bored because there is nothing to do or think about with a dead platform. So you might as well torment us. Good for you. But wait Windoze 8 is coming out just as soon as they can figure their users needs out. I wonder when that will be.

  • Marcos Antonio da Silva

    It’s the end of the world as we know it! 

  • cheesy11

    Weren’t Apple meant to be eliminating MacDefender from the face of the earth?

  • Kaosumahoutsukai

    I can pull arbitrary numbers out of my ass too.

  • iHate_Is_Back

    Dead platform???? Get off the Kool-Aid bandwagon, my man. I’ll be the first to admit Windows blows, but it’s far from dead. When you consider it’s run by 90% of the users out there, it’s WAY FAR FROM DEAD. Your OSX nearly went dead a decade ago and is only now clawing its way back to passing notoriety amongst rank and file users. Welcome back from the brink, OSX, and welcome to the modern world of malware and viruses. Only a matter of time before all you OSX users are running anti-virus programs beside your PC brethren. Enjoy the fun and games.

  • aggarwal_rahul

    With a support initiative from Apple regarding how to avoid or remove MAC Defender malware from Mac OS X, which will deliver a software update that will automatically identify and remove the dreaded Mac Defender malware and its known variants. Though this manual removal instruction is a noteworthy move from Apple, it is just a short-term solution. As the variants get more complex and new malware surfaces, patching up the infected parts is surely a tough task for Apple engineers. Mac Defender is now termed a Trojan and thus, with more time and intelligence invested, such malware intrusions shall be terminated.

  • Jim

    The actual rate is about 1.32898746 new viruses per minute, and that is from a 2007 Symantec study. So the real number is 3 or 4. Is that better?