Skip to comments.Mac malware scam grows legs – MacGuard needs no password
Posted on 05/27/2011 7:14:04 AM PDT by for-q-clinton
The once relatively virus-free Apple Mac ecosystem has been tainted forever by a nasty malware scam and you sense an age of innocence has ended. Its a deadly shock to that ecosystem because now a second variant bug has arrived that requires no password.
The malware first manifested itself when Mac users noticed ads for a product called Mac Defender that promised to protect them against malware and viruses. However, it turned out Mac Defender was actually a piece of malware that becomes active on a desktop after a user is suckered into entering a password, and floods the screen with pop-up pornography sites.
Since then a number of variants MacGuard, MacSecurity and MacProtector - have arrived.
According to security firm Intego, the goal of this fake antivirus software is to trick users into providing their credit card numbers to supposedly clean out infected files on their Macs.
New variant requires no passwords
Intego has discovered a new variant of this malware that functions slightly differently. It comes in two parts.
The first part is a downloader, a tool that, after installation, downloads a payload from a web server. As with the Mac Defender malware variants, this installation package, called avSetup.pkg, is downloaded automatically when a user visits a specially crafted website.
If Safari's "Open safe files after downloading" option is checked, the package will open Apple's Installer, and the user will see a standard installation screen.
If not, users may see the downloaded ZIP archive and double-click it out of curiosity, not remembering what they downloaded, then double-click the installation package. In either case, the Mac OS X Installer will launch.
Unlike the previous variants of this fake antivirus, no administrator's password is required to install this programme. Since any user can install software in the Applications folder, a password is not needed, Intego said in a warning note.
This package installs an application - the downloader - named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user's Mac, so no traces of the original installer are left behind.
The second part of the malware is a new version of the MacDefender application called MacGuard. This is downloaded by the avRunner application from an IP address that is hidden in an image file in the avRunner application's Resources folder. (The IP address is hidden using a simple form of steganography.) Intego VirusBarrier X6s Anti-Spyware feature detects this operation:
Intego considers that the risk for this new variant to be medium, in part because the SEO poisoning has been very efficient in leading Mac users to booby-trapped pages, but also because no password is required to install this variant.
But I thought they promised this was only possible on windows, so I bought a mac to be "secure".
And to think people paid a premium for this.
A better article on the latest mac virus.
Another thread on the latest Mac Virus/malware. I wonder how they are going to spin this one?
I’m the farthest thing from a Mac fanboi, but I think this isn’t indicative of anything other than a shift in the social computing sphere. Apple has an increasing market share, and haxX0rs are going to tailor exploits more for those machines.
Also count on M$ coming out in the coming months to say something along the lines of, “See, Win 7 IS more secure,” when in reality it’s just that more people are wise to schemes on Win machines. Mac users have heretofore thought they were immune or less likely to have problems, but with this new batch of malware, they’re going to have to wise up like the Windoze users have over the last 15 years.
For the record, I’m a Linux fanboi.
By that, he means: an age of willful and smug naivete.
Completely agree. I’ve been saying it for years, but the macbots told me...no never. Besides any virus will need to be installed with the admin password.
Clearly that it no longer the case.
I know...this *should* shut up the annoying macbots. But I’m sure the most annoying will spin this away as if it is a non-issue. But all those issues where a windows user ran porn.exe for free porn and got a virus...well those are legit dings against windows.
Even with this virus, MACs are million times better than those cheap HPs.
It seems like most of the big tech blogs are ignoring this bit of news.
Apparently Apple hasn’t supplied them with sufficient talking points to pass on to the fan base to try to talk this one under the rug.
Now that OSX won’t be ablet o claim virus/malware free and users don’t need to worry about it...how will they market their product to security concerned users?
“Switch to OSX soon before it gets too popular and then our security will be no better than windows. The sooner you switch the longer you’ll enjoy limited security by hiding out with the minority.”
I’ve noticed that. The Apple threads are always silent until their leaders tell them what to think. Happens every time OSX is the first machine cracked at the Pwn2Own contest. A couple days or weeks pass and then they get their marching orders and finally those threads start getting replies. But even then they are pretty dead because most users are left scratching their heads and saying WTF! it was still the first one hacked 3 years in a row!
Last years excuse was the guy that hacked it was a genius NASA dude. The rest of the world isn’t as smart as him, so users have nothing to worry about.
Right, compare a $1800 laptop to a $500 laptop. That’s a good comparison.
I have to be very amused when viruses and malware on Macs are described as something new.
The fact is that in the old days, there were more viruses on Macs then on PCs. This was before the World Wide Web was invented, and e-mail attachments were virtually unknown. The viruses spread by floppy diskette exchanges, BBSes, and college networks.
There were at least half a dozen useful Mac anti-virus software packages, (Virex, Interferon being two of the biggies). We admins received our Virex upgrades via snail-mail (how’s that for quaint?)
WDEF, Word Macro viruses (an equal opportunity employer), nVir, all had their day.
So, the real long term Mac fanboys (and I still like Macs just fine) know that viruses can hit a Mac.
NOW, I would say that the difference between Windows and Macs/Linux/Unix/Solaris etc. is not so much in file structures or user permissions.
It is ActiveX. Microsoft wants the computers to do a LOT more automatically without a lot user interaction. The same tool that makes this happen in IE greatly increases the ease and variety of attacks that can be made on it.
1800? it cost more than that. These computers are perfect. You don’t get them for free.
My favorite excuse was that they hacked the Mac first because you win the machine you break, so they naturally went for the one that they really wanted the most.
Yep...prior to OS X macs were a mess. Crashing all the time, virus prone, and just garbage. Macbots think time began with OS X...the earlier OS’s don’t count. But they love to ding Windows XP, 2000, 9x, etc. But that’s like comparing OS 9 to XP, but instead they stack the latest and greatest OS X against XP. They need to compare windows 7 to OS X. And the past 3 years OS X was the first machine hacked in the pwn2Own contest.
That was some funny stuff. Sad thing is many macbots believed it!
They will lie. They are Apple. Al Gore sits on their board. They will charge everyone for an ‘upgrade’ when the freeware community they are stealing from fixes this issue.
Does Intego recommend you download their software to take care of this? Or are they just doing this as a service?
Are you still claiming this is a scam by the AV makers?
Try to do a little research first: http://www.bing.com/search?q=mac+guard+virus&go=&form=QBLH&qs=HS&sk=&pq=mac+g&sp=1&sc=8-5
maybe you’ll listen to Apple:
Looks like they will take a couple/few days to fix it. OMG! why so long?
No, it's not a virus, it's another social engineering trojan. A nasty one, yes. But not a virus -- it does not spread on its own. User action is still required.
I -do- wish you would learn something about this topic before so gleefully posting misinformation.
Do you work for an anti-virus software vendor? You use all their bogus scare tactics. Just askin'...
BTW, this is about the tenth thread on this topic, and yours has nothing new (the bit about not requiring a password has been out for days). Do you really think there's even one person out there, living under a rock, that hasn't heard about it yet?
You might also take a moment to point out that Apple is responding to this malware with a free security update, I think within the next few days. There are numerous threads on that already, you can look it up.
You and your cohort can resume your little juvenile "We Hate Apple, Aren't We Cool" party now.
Is this Mac malware or McMaleware?
you mean this article: http://support.apple.com/kb/HT4650
I just posted in the other thread on this. And why does it take apple so long to get a virus patch out?
I guess they are wanting to push 3rd party AV...as the 3rd party OSX AV products already fix it.
Anyway...no password needed and you get a virus. Hey weren’t you one of the people who claimed you could not install a virus/malware/trojan/zipidy doo dah...whatever you want to call it without a password? If so, you were wrong.
>Even with this virus, MACs are million times better than those cheap HPs.<
But stop blowing smoke up my ass that Macs NEVER GET INFECTED and that “Oh, it’s impossible to crack Macs...they’re soooooooo PERFECT”. (Gag)
The truth is always nice.
Do you know ANYTHING about software development and production releases when there's a customer base of tens of millions?
Didn't think so.
Microsoft has the same difficult problem, and they routinely take weeks to produce patches; occasionally they get it down to a couple days in a major emergency. It's the nature of the beast.
I’m talking about the AV scanner and fixing of a machine that was attacked. Not patching the HUGE hole that allows this to happen.
Do you not know in the A/V world virus signature updates need to go out immediately for a new threat? Oh wait, I guess you don’t you use Macs and you thought you didn’t have to worry about such things.
> "You were wrong."
No, I was not wrong -- at that time there were no such things. Now there is one, and I'm not claiming that any more. Do you know how to tell time? You know, like when "A" happens before "B"?
I have work to do, see ya later. Have your fun, I hope it pleases you and your buddies to dance around sounding like fools.
Macs are vulnerable because of growing market share over PC’s. I bought a Mac last December (Christmas gift to myself). Recent figure I heard was that 15 percent of computer users use a Mac. And it’s not just Mac they’re after, these people are gunning for smartphones too.
Yep you were wrong because I have always said once OSX gets a big enough install base they will be attacked and get a virus and be subjected to more types of attacks. Their security model will break...just as it has for the past 4 years in the pwn2own competition...which was a known issue when you made the claims. So the attack did exist you just chose to ignore it and say it hasn’t happened in the wild yet.
A few days is quicker than a few months, which is usually the turnaround time for MS to issue a patch.
Exactly right. I’ve been saying it for years...the bigger the market share they get the more viruses they will get. But the macbots said that’s not true and they were rock solid. Even though 4 years in a row they lost the pwn2own competition where they were the first one hacked.
Real men don't use MAC’s. Only leftist, Che t-shirt wearing, Obama supporting Marxists use MAC’s.
Real men love the sting of battle. Real men love the smell of the napalm of anti virus warfare. Real men know how to use AVG, AdAware, Spybot, and other manly pieces of home computer defense.
Sissies take the easy road and buy a MAC.
Microsoft can say whatever it wants about how secure their product is and how great Windows 7 is. Fact of the matter is Windows 7 is nothing more than Windows Vista Service Pack 4.
Apple users and Apple have talked about the malware attack. I am not doubting that, I reminded my wife/kids to never install anything on the mac - except very intentionally.
And now Apple is gonna come out with a fix to help with a malware attack - that is way cool.
I don’t live under a rock, but I *DO* work for a living, and hadn’t heard about this development.
Fortunately, this was (evidently by your comment) posted more than once, giving folks like myself who do things other than obsess over Macs an opportunity to learn of this new problem.
I don’t hate Macs, but I sure find the snobbery and arrognace inherent in Mac fans quite distasteful and off-putting. I’ll bet Obama (ptui) is a Mac fan: It would suit his self-image.
>>>I dont hate Macs, but I sure find the snobbery and arrognace inherent in Mac fans quite distasteful and off-putting. Ill bet Obama (ptui) is a Mac fan: It would suit his self-image.
Equally off-poutting is the unbridled arrogance of Windows users who go out of their way to demean people who don’t drink Bill Gates’ kool-aid. And the wazoo apertures who paint Mac users as good time plastic banana dope smoking maggot infested liberals. It’s bigotry. Stereotyping. And it’s wrong. People here should be above that... but they’re not.
You are aware that Rush is a Mac user too, right? I was referring to the members of the “Church of Jobs”, not the average user who just wants a simple intuitive machine. That you took it personally and threw ad hominem in for good measure speaks volumes.
This is as silly as the Ford vs Chevy vs Dodge wars.
I'm not a Machead however! Or a Mac owner.
I do like to consume apples however, the Braeburn type from the grocery store and not the computer type!
Yous a funny one eh? :)
And I was referring to the members of the Church of Gates... you took offense anyway. And took it personally. And that too speaks volumes.
Linux or Windows? ...You act like an Apple...
“...Those who have a problem with Apple should just not buy the product and that takes care of that. Dont come to FR to flame those who like the product. Thats just dumb...”
— Jim Robinson, owner of FreeRepublic.