Mac malware authors release a new, more dangerous version
Posted on 05/26/2011 2:21:53 AM PDT by Swordmaker
Apple finally responded to the Mac Defender outbreak, with a technical note containing removal instructions and the promise of a removal tool. Within hours, the bad guys had released a new version of their malware. This one doesn't require that you enter an administrator's password.
Yesterday, 25 days after the Mac Defender malware began to appear in the wild, Apple finally responded. In a technical support note, "How to avoid or remove Mac Defender malware," the company posted instructions for users to follow if they've encountered this malware specimen in the wild. It also promised a security update to remove infections automatically.
File that memo under "Too little, too late."
Within 12 hours of Apple's announcement, the author of the original Mac Defender program had a new variant available that renders key portions of the current Mac Defender prevention plan obsolete.
A security researcher for Intego, the Mac-centric security company that identified the original Mac Defender, found the first example of this new code via a poisoned Google search very early this morning.
Several factors make this specimen different. For starters, it has a new name: MacGuard. That's not surprising, given that the original program already had at least three names. But this one is divided into two separate parts.
The first part, a downloader program, installs in the user's Applications folder. If you're an administrator on your Mac (and most people are, given that the overwhelming majority of Macs have only one user and the default account in that scenario is an administrator), the installer will open automatically. All you have to do is click Continue to begin the installation.
Unlike the previous variants of this fake antivirus, no administrator's password is required to install this program. Since any user with an administrator's account (the default if there is just one user on a Mac) can install software in the Applications folder, a password is not needed. This package installs an application (the downloader) named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user's Mac, so no traces of the original installer are left behind.
The downloader portion then installs the second part, which is similar to the original Mac Defender.
The new architecture seems to be a specific response to Apple's instructions in the Mac Defender security note: "In some cases, your browser may automatically download and launch the installer for this malicious software. If this happens, cancel the installation process; do not enter your administrator password."
In this new variation, no password is required as long as you're logged in using an administrator account. That might lull a potential victim into thinking they're safe.
I know a lot of Apple users who breathed a sigh of relief yesterday, thinking that Apple's belated response finally means that the problem is over. As any computer security researcher will tell you, this arms war is just getting started.
Apple appears to be treating this outbreak as if it were a single incident that won't be repeated. They seriously underestimate the bad guys, who are not idiots. Peter James, an Intego spokesperson, told me his company's analysts were impressed by the quality of the original version. The quick response to Apple's move suggests they are capable of churning out new releases at Internet speeds, adapting their software and their tactics as their target (Apple) tries to put up new roadblocks.
If Apple plans to play Whack-a-Mole with these guys, they're in for months of misery. Just ask any Windows security expert who was around in 2003 and 2004 when Microsoft was learning a similar painful lesson. If each reaction from Apple takes two or three weeks, the bad guys will make a small fortune and Mac users can count on significant pain and anguish.
If you've run across this new variation in the wild, let me know. I'll have my eyes open and plan to report back if I find anything.
If I come across any Mac viruses on my virus-free Windows computer, I’ll let you know.
I think the virus writers have been studying Apple's software for a long time and know many holes that Apple isn't aware of.
It’s going to be interesting.
How do the bad guys “make a fortune?” Isn’t this against the law? Can’t they be found?
They use automated programs called bots, which collect information from infected computers.
Many of those infected computers will have financial information, like bank accounts, credit cards, stocks and bonds, or anything else that you can think of that is defined as financial information.
If your computer gets infected, it will send that information to whomever is collecting it and they will proceed to raid bank accounts or use credit card information or even use insider trading information to get rich.
They can be caught, but it takes a lot of time and effort to go through IP addresses and hope the criminals didn’t have time to erase their tracks or be traced to a country like China, Iran, or Russia where they really can’t be touched.
In the end, it’s actually a positive development, because it forces Apple to take similar steps that Microsoft had to take to secure Windows.
If you are not now running as a Standard User, here is how to set up a new Administrator user (you will always need one in OSX) and change your current user to a Standard User, which is much safer:
You are now safe from this exploit.
Use your new administrator's name and password to install any software or to do system maintenance. You can install software from your Standard User account by providing that name and password for each instance. You will not be able to make changes to your system files, Libraries, Applications folders, or the HD root directory unless you provide that Administrator name and password.
Note, the administrator name and password will STILL not allow you to make changes to ROOT UNIX files or to alter any of the core files as the ROOT is not activated on the default OSX install... That requires one level higher user level even yet. However that administrator IS capable of activating ROOT by creating a ROOT superuser and creating a ROOT superuser password.
For information on how, who is at risk, and for SWORDMAKER'S INSTRUCTIONS on how NOT TO BE VULNERABLE TO THIS PROBLEM... This is a must read thread!
If you want on or off the Mac Ping List, Freepmail me.
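The point of the Standard-user setup above is that an account in the admin group can write to /Applications without a password prompt, which is exactly what the MacGuard installer relies on. The following script is an added example, not Swordmaker's steps or Apple's code: it audits that posture rather than changing it. It reads the admin group with `dscl . -read /Groups/admin GroupMembership` (a real macOS command, which prints one line such as `GroupMembership: root alice bob`), and keeps the checks as functions that take that line as text, so they can be run against a constructed sample on any system. The assumption that `root` appears in the group is noted in the code; the actual demotion is still done in System Preferences > Accounts.

```shell
#!/bin/sh
# Added example, not from this thread or from Apple: an audit of the
# least-privilege setup described above (run day to day as a Standard user,
# keep a separate Administrator account). The admin group is read with
# `dscl . -read /Groups/admin GroupMembership`, which prints one line such as
# "GroupMembership: root alice bob"; the checks take that line as text so
# they can be exercised with a constructed sample on any system.

# admin_members LINE: print one admin account per line.
admin_members() {
    printf '%s\n' "$1" \
        | sed 's/^GroupMembership:[[:space:]]*//' \
        | tr ' ' '\n' \
        | sed '/^$/d'
}

# is_admin USER LINE: succeed when USER is in the admin group.
is_admin() {
    admin_members "$2" | grep -qx -- "$1"
}

# posture USER LINE: print "admin" or "standard". An admin account can write
# to /Applications, which is why the installer in the article opens without
# asking for a password; a Standard user is prompted for an Administrator
# name and password instead.
posture() {
    if is_admin "$1" "$2"; then echo "admin"; else echo "standard"; fi
}

# other_admins USER LINE: the admin accounts besides USER and root.
# (Assumes root is listed in the group, as it is on a default install.)
other_admins() {
    admin_members "$2" | grep -vx -- "$1" | grep -vx root || true
}

# safe_to_demote USER LINE: succeed only if USER is an admin and at least one
# other Administrator account would remain, since OS X always needs one.
safe_to_demote() {
    is_admin "$1" "$2" && [ -n "$(other_admins "$1" "$2")" ]
}

# Live run on a Mac; skipped elsewhere so the functions above can be reused.
if [ "$(uname)" = "Darwin" ]; then
    line=$(dscl . -read /Groups/admin GroupMembership)
    me=$(id -un)
    echo "$me is a(n) $(posture "$me" "$line") user"
    if safe_to_demote "$me" "$line"; then
        echo "Other Administrator account(s): $(other_admins "$me" "$line" | tr '\n' ' ')"
        echo "You can make $me a Standard user in System Preferences > Accounts."
    elif is_admin "$me" "$line"; then
        echo "Create a second Administrator account before demoting $me."
    fi
fi
```

Run it as the account you normally log in with; it reports "admin" or "standard" and, for an admin, whether another Administrator already exists so that demoting this account will not leave the Mac without one.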
Ahh, but Jonty30, the hole in question is social engineering. People are conditioned to pay attention to official-looking dialog boxes. The original version of this relied upon deceit, but nothing else.
One malware event may or may not open a door here. That door has been swinging in the wind, widely, for a very long time in the microsoft camp. I deal with it everyday in my professional life, on all three primary platforms. You’re right that Apple, as well as all other software manufacturers, needs to have a serious eye on security.
Largely, they have. What has changed here is that the number of macs has increased to the point where those malefactors writing viruses and malware now feel that they have another worthwhile target. That isn’t the same as saying that they didn’t have one before. All that really started with the Morris worm in 1988. And came to full fruition with windows years after that.
Whether this is a cottage industry now or not, I do agree with you that ALL makers of software need a generally better eye on security. I wouldn’t, however, and cannot, single out Apple alone. No mac in my district, and that’s a large number of thousands, has yet been infected. On the other hand, we do regularly see a need to clean one or another of the pcs. No big deal. No need to crow about it. It is a numbers game, ultimately. You may look at this as something which speaks well of recent Apple sales, if nothing else.
Ping for later reading.
Apple's online instructions on how to dispose of this malware are still effective... contrary to Bott's negative comment of "too little, too late!"
A recent phishing scam has targeted Mac users by redirecting them from legitimate websites to fake websites which tell them that their computer is infected with a virus. The user is then offered Mac Defender "anti-virus" software to solve the issue.
This “anti-virus” software is malware (i.e. malicious software). Its ultimate goal is to get the user's credit card information which may be used for fraudulent purposes.
The most common names for this malware are MacDefender, MacProtector and MacSecurity.
In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware.
In the meantime, the Resolution section below provides step-by-step instructions on how to avoid or manually remove this malware.
Mac OS X 10.4, Mac OS X 10.6, Mac OS X 10.5
How to avoid installing this malware
If any notifications about viruses or security software appear, quit Safari or any other browser that you are using. If a normal attempt at quitting the browser doesn’t work, then Force Quit the browser.
In some cases, your browser may automatically download and launch the installer for this malicious software. If this happens, cancel the installation process; do not enter your administrator password. Delete the installer immediately using the steps below.
How to remove this malware
If the malware has been installed, we recommend the following actions:
Malware also installs a login item in your account in System Preferences. Removal of the login item is not necessary, but you can remove it by following the steps below.
Use the steps in the “How to avoid installing this malware” section above to remove the installer from the download location.
Note: Apple provides security updates for the Mac exclusively through Software Update and the Apple Support Downloads site. Users should exercise caution any time they are asked to enter sensitive personal information online.
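Apple's note names the malware as MacDefender, MacProtector and MacSecurity, and the article above adds MacGuard and its avRunner downloader. The script below is an added example, not Apple's removal procedure or anything posted in the thread: a read-only sweep that looks for those names in the Applications folder, the running processes and the account's login items (the places Apple's instructions point at). The matching is a function that reads `source<TAB>name` lines on stdin, so a constructed inventory can be checked on any system; the macOS commands it uses on a Mac (`ps -axo comm=`, and `osascript` asking System Events for the login items) are real, while the sample inventory is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Apple's or the thread's code: a read-only sweep for the
# names this thread associates with the fake antivirus (MacDefender,
# MacProtector, MacSecurity from Apple's note; MacGuard and its avRunner
# downloader from the article). Matching is a function that reads
# "source<TAB>name" lines on stdin, so a constructed inventory can be checked
# on any system; on a Mac the live section feeds it the Applications folder,
# the running processes and the account's login items.

KNOWN_NAMES='MacDefender MacProtector MacSecurity MacGuard avRunner'
TAB="$(printf '\t')"

# normalize NAME: drop a trailing ".app", spaces and case, so that
# "Mac Defender.app" and "macdefender" both become "macdefender".
normalize() {
    printf '%s\n' "$1" | sed 's/\.app$//' | tr -d ' ' | tr 'A-Z' 'a-z'
}

# is_known NAME: succeed if NAME matches one of KNOWN_NAMES after normalizing.
is_known() {
    n=$(normalize "$1")
    for k in $KNOWN_NAMES; do
        [ "$n" = "$(normalize "$k")" ] && return 0
    done
    return 1
}

# flag_hits: read "source<TAB>name" lines on stdin and print "source: name"
# for every name that is a known fake-antivirus name.
flag_hits() {
    while IFS="$TAB" read -r src name; do
        [ -n "$name" ] || continue
        if is_known "$name"; then
            printf '%s: %s\n' "$src" "$name"
        fi
    done
}

# sample_inventory: a constructed inventory (not taken from any real Mac) so
# the sweep can be demonstrated offline.
sample_inventory() {
    printf 'Applications\tSafari.app\n'
    printf 'Applications\tMacGuard.app\n'
    printf 'process\tavRunner\n'
    printf 'login item\tMac Defender\n'
    printf 'process\tFinder\n'
}

if [ "$(uname)" = "Darwin" ]; then
    {
        for f in /Applications/*; do
            printf 'Applications\t%s\n' "$(basename "$f")"
        done
        ps -axo comm= | while read -r p; do
            printf 'process\t%s\n' "$(basename "$p")"
        done
        osascript -e 'tell application "System Events" to get the name of every login item' \
            | tr ',' '\n' | sed 's/^ *//' | while read -r li; do
            printf 'login item\t%s\n' "$li"
        done
    } | flag_hits
else
    sample_inventory | flag_hits
fi
```

The sweep only reports; on the constructed sample it prints the MacGuard application, the avRunner process and the "Mac Defender" login item and stays silent about Safari and Finder. Anything it flags on a real Mac is a reason to follow Apple's removal steps, not a reason to trust the script's name list as complete, since the article shows the authors rename the program freely.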
Oh, BS, Jonty. Windows was forced to take the steps that Apple took a long time ago to match the security of UNIX that was built into OSX from the first. Quit trying to rewrite history. Apple took those steps back in 2001 when it dumped Mac-OS9 and lower and even THAT was more secure than Windows was then. It's been Microsoft that has been playing catch up.
thank you for all this info.
I have been out of the loop with all this information.
First..how do you know if you have or don’t have a virus?
Do I understand it can only be accessed by downloading a bad program? Is there a way to be safe with these things? I don't download much other than the updates they tell me I need, is there a problem in this?
I will try to do the administer user change you suggested.
BTW. Hope things are going okay for you following the death.. you have been in my thoughts.
There are still zero viruses for the OSX Mac... this is a trojan horse application. Not the same thing. I don't download much other than the updates they tell me I need, is there a problem in this?
There is no problems with downloading and installing the updates from Apple... always use "Software Update..." from the Apple Menu on the Menu Bar. These updates from Apple are security signed and certified from Apple. Your system checks that and if they are NOT what they say they are it will stop the update dead in its tracks and warn you! Apple will NEVER notify you by a pop-up from a website that you need to click on something because they've found a problem.
I will try to do the administer user change you suggested.
Print out the Post and do them step by step and you should be fine... Then just continue Freeping as you've been Freeping and you'll be OK.
I'm doing fine. We buried my Mom's ashes with my Dad's on Monday with a nice family only ceremony. It was quite moving.
We had some good news to temper the passing of my mother: my older daughter gave us the news on mother's day that she is making us Grandparents! She knew before the passing of my mother and whispered it to her on her deathbed... and my Mom nodded and smiled, showing she understood... so she knew she was going to be a greatgrandmother before she died. That makes me happy.
We promised my daughter not to tell anyone until she passed her third trimester and that OK came down after the ceremony on Monday! The genetic counselors say everything is A-OK, too! YAY! She is due to deliver on December 7th.
So, since I run Firefox, not Safari, I shouldn't worry? (In any event, I'm not dumb enough to run an installer I didn't intentionally download, no matter how "official" looking it is.)
Honesty? I don't know.
Bump for later. Thanks for the post.
And I'm sorry to hear of your loss. God's blessings.
It seems to me that if the Accounts Pane is locked, then you are done (not running as Admin), so skip all the rest of those steps.