The discovery was announced on Wednesday by security firm Intego. Unlike previous versions of the software, which required users to enter an administrator password to install the fake antivirus, the latest variant uses a different install method.
"The first part is a downloader, a tool that, after installation, downloads a payload from a web server," the security firm said. "As with the Mac Defender malware variants, this installation package, called avSetup.pkg, is downloaded automatically when a user visits a specially crafted web site."
No administrator password is required to install the application, and if users have Safari's "Open 'safe' files after downloading" option checked, the package will open Apple's Mac OS X installer, and users will see a standard installation screen. However, at this point users must still agree to install the "MAC Defender" malware.
The second part of the malware is a new version called "MacGuard." The avRunner application automatically downloads "MacGuard," which, like its predecessor, aims to trick users into providing credit card numbers in exchange for supposedly ridding users' systems of "infected" files.
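The install chain above hinges on one Safari preference, so a defender's first check is whether that option is on. The following audit script is an added example, not code from the article, Intego or Apple; it assumes the Safari preference key `AutoOpenSafeDownloads` in the `com.apple.Safari` defaults domain backs the "Open 'safe' files after downloading" checkbox, and it looks only for the process names the article itself gives.

```shell
#!/bin/sh
# Added example: audit the Safari auto-open preference that lets avSetup.pkg
# launch the installer without a password prompt, and report any running
# process whose name matches the components named in the article.
# Assumption: the checkbox is stored as AutoOpenSafeDownloads in com.apple.Safari.

SAFARI_DOMAIN="com.apple.Safari"
SAFARI_KEY="AutoOpenSafeDownloads"

# classify_autoopen VALUE -> "weak" if auto-open is enabled, "hardened" if
# disabled, "unknown" for anything else (e.g. key not set).
classify_autoopen() {
  case "$1" in
    1|true|TRUE|YES|yes) echo weak ;;
    0|false|FALSE|NO|no) echo hardened ;;
    *) echo unknown ;;
  esac
}

# read_autoopen -> current value via `defaults`, or "unset" when the key is
# absent or this is not macOS (so the script still runs elsewhere).
read_autoopen() {
  if command -v defaults >/dev/null 2>&1; then
    defaults read "$SAFARI_DOMAIN" "$SAFARI_KEY" 2>/dev/null || echo unset
  else
    echo unset
  fi
}

# suspicious_processes PS_OUTPUT -> lines matching the article's component
# names; the listing is passed in so the filter can be tested offline.
suspicious_processes() {
  printf '%s\n' "$1" | grep -E 'avRunner|MacGuard|avSetup' || true
}

audit() {
  state=$(classify_autoopen "$(read_autoopen)")
  echo "Safari $SAFARI_KEY: $state"
  if [ "$state" = weak ]; then
    echo "Fix: defaults write $SAFARI_DOMAIN $SAFARI_KEY -bool false (then restart Safari)"
  elif [ "$state" = unknown ]; then
    echo "Key not set: confirm the checkbox state in Safari > Preferences > General"
  fi
  found=$(suspicious_processes "$(ps -A -o comm= 2>/dev/null)")
  if [ -n "$found" ]; then
    echo "Running processes matching the article's names:"
    echo "$found"
  fi
}

audit
```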
This week, Apple posted instructions on its website explaining how to remove the "MAC Defender" malware. The company also revealed it will release an update to its Mac OS X operating system that will automatically find and remove the malware.
Some reports have suggested that the "MAC Defender" malware has spread quickly, with one anonymous AppleCare representative claiming that the "overwhelming majority" of recent calls to Apple were related to the malware. The software was first discovered early this month, also by Intego.
While the original variant was categorized as a "low" threat because it requires users to type in an administrator password, the latest version is considered more dangerous, and was ranked with a "medium" risk.
The malware has spread through search engines like Google via a method known as "SEO poisoning." Using this technique, phony sites are designed to game search engine algorithms and show up when users search for certain topics.
93 Comments
I wish the press would stop using words like "virus" and "attack". The software doesn't attack anything (other than the intelligence of those who install it) and it is not a virus nor is it a trojan. It's a phishing attack, a software con artist that depends on users making at least one conscious decision to actually install the thing onto their systems.
The fact that you are intentionally installing a program, regardless of entering a password, should mean the risk is still low.
Yeah, installing a trojan horse bit of nagware is only an "attack" in the mind of Ed Bott. The ability to load software limited to the current admin user is also not a "dangerous" new development. The user has to be an ADMIN who is PURPOSELY INSTALLING SCARE-WARE from an unknown source.
This is an irresponsible headline and lead for AI to be printing.
Inaccurate, misleading, sensationalist.
True, attacking the intelligence of the end user; the weaklings amongst them will provide the card details too. The press nowadays is all about clicks, the loudest and fastest, but little is paid for reputation, accuracy and responsibility.
OTOH, those who made these nuisances wouldn't go far with OSX with this kind of approach, especially when it is now a well-publicised issue for which Apple has already posted a solution.
When this type of nonsense happens to Windows users...many Apple people I know (I use both OS X and Windows computers) use this as a reason to switch from PC to Mac.