Free Republic
Mac malware authors release a new, more dangerous version
ZDNet ^ | May 25, 2011, 12:05pm PDT | By Ed Bott

Posted on 05/26/2011 2:21:53 AM PDT by Swordmaker

Summary

Apple finally responded to the Mac Defender outbreak, with a technical note containing removal instructions and the promise of a removal tool. Within hours, the bad guys had released a new version of their malware. This one doesn’t require that you enter an administrator’s password.

Yesterday, 25 days after the Mac Defender malware began to appear in the wild, Apple finally responded. In a technical support note, “How to avoid or remove Mac Defender malware,” the company posted instructions for users to follow if they’ve encountered this malware specimen in the wild. It also promised a security update to remove infections automatically.

File that memo under, “Too little, too late.”

Within 12 hours of Apple’s announcement, the author of the original Mac Defender program had a new variant available that renders key portions of the current Mac Defender prevention plan obsolete.

A security researcher for Intego, the Mac-centric security company that identified the original Mac Defender, found the first example of this new code via a poisoned Google search very early this morning.

Several factors make this specimen different. For starters, it has a new name: MacGuard. That’s not surprising, given that the original program already had at least three names. But this one is divided into two separate parts.

The first part, a downloader program, installs in the user’s Applications folder. If you’re an administrator on your Mac (and most people are, given that the overwhelming majority of Macs have only one user and the default account in that scenario is an administrator), the installer will open automatically. All you have to do is click Continue to begin the installation.

Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. Since any user with an administrator’s account – the default if there is just one user on a Mac – can install software in the Applications folder, a password is not needed. This package installs an application – the downloader – named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind.

The downloader portion then installs the second part, which is similar to the original Mac Defender.

The new architecture seems to be a specific response to Apple’s instructions in the Mac Defender security note: “In some cases, your browser may automatically download and launch the installer for this malicious software. If this happens, cancel the installation process; do not enter your administrator password.”

In this new variation, no password is required as long as you’re logged in using an administrator account. That might lull a potential victim into thinking they’re safe.

I know a lot of Apple users who breathed a sigh of relief yesterday, thinking that Apple’s belated response finally means that the problem is over. As any computer security researcher will tell you, this arms war is just getting started.

Apple appears to be treating this outbreak as if it were a single incident that won’t be repeated. They seriously underestimate the bad guys, who are not idiots. Peter James, an Intego spokesperson, told me his company’s analysts were “impressed by the quality of the original version.” The quick response to Apple’s move suggests they are capable of churning out new releases at Internet speeds, adapting their software and their tactics as their target—Apple—tries to put up new roadblocks.

If Apple plans to play Whack-a-Mole with these guys, they’re in for months of misery. Just ask any Windows security expert who was around in 2003 and 2004 when Microsoft was learning a similar painful lesson. If each reaction from Apple takes two or three weeks, the bad guys will make a small fortune and Mac users can count on significant pain and anguish.

If you’ve run across this new variation in the wild, let me know. I’ll have my eyes open and plan to report back if I find anything.


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: mac; malware
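An added defender-side check, not part of Bott's article or Apple's note: a Python audit that looks for the conditions the article describes (a day-to-day account that is an admin and can write to the Applications folder with no password prompt, a browser that auto-opens downloads, and the avRunner downloader already present). The admin group gid of 80, the Safari preference key name and the avRunner bundle name are assumptions.

```python
import os
import subprocess

# Assumptions (not from the article): on macOS the "admin" group has gid 80,
# Safari keeps its auto-open setting under the AutoOpenSafeDownloads key,
# and the downloader appears as an "avRunner" bundle under /Applications.
ADMIN_GID = 80
APPLICATIONS = "/Applications"
DOWNLOADER_NAME = "avrunner"


def assess(is_admin, apps_dir_writable, auto_open_safe_files, installed_apps):
    """Rule evaluation only, no system calls, so it runs and tests on any OS.
    Returns a list of (severity, finding) tuples, highest risk first."""
    findings = []
    if any(name.lower().startswith(DOWNLOADER_NAME) for name in installed_apps):
        findings.append(("HIGH", "avRunner present in /Applications: treat the "
                         "Mac as infected and follow Apple's removal note"))
    if is_admin and apps_dir_writable:
        findings.append(("MEDIUM", "daily account is an admin and can write to "
                         "/Applications with no password prompt; use a "
                         "standard account for day-to-day work"))
    if auto_open_safe_files:
        findings.append(("MEDIUM", "browser auto-opens downloaded 'safe' files, "
                         "so a drive-by download launches its installer; "
                         "turn that setting off"))
    return findings


def safari_auto_open_enabled():
    """Read Safari's setting. The key is absent until the user changes it, and
    Safari's historical default for it is enabled (assumed here)."""
    try:
        out = subprocess.run(["defaults", "read", "com.apple.Safari",
                              "AutoOpenSafeDownloads"],
                             capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired):
        return None  # not a Mac, or defaults unavailable: unknown
    return True if out.returncode != 0 else out.stdout.strip() not in ("0", "false")


def collect_macos():
    """Gather the live inputs for assess() from the running Mac."""
    apps = os.listdir(APPLICATIONS) if os.path.isdir(APPLICATIONS) else []
    return assess(is_admin=ADMIN_GID in os.getgroups(),
                  apps_dir_writable=os.access(APPLICATIONS, os.W_OK),
                  auto_open_safe_files=bool(safari_auto_open_enabled()),
                  installed_apps=apps)


if __name__ == "__main__":
    for sev, text in collect_macos() or [("OK", "no MacGuard risk factors found")]:
        print(f"[{sev}] {text}")
```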
To: palmer

Hmm, I was wrong. I am admin and my accounts pane is locked.


21 posted on 05/26/2011 6:26:13 AM PDT by palmer (Cooperating with Obama = helping him extend the depression and implement socialism.)

To: Swordmaker
We had some good news to temper the passing of my mother: my older daughter gave us the news on Mother's Day that she is making us Grandparents! She knew before the passing of my mother and whispered it to her on her deathbed... and my Mom nodded and smiled, showing she understood... so she knew she was going to be a great-grandmother before she died. That makes me happy.

We promised my daughter not to tell anyone until she passed her third trimester and that OK came down after the ceremony on Monday! The genetic counselors say everything is A-OK, too! YAY! She is due to deliver on December 7th.

Evidently you meant first, not third, trimester. We will be looking forward to the big day with you.
Regarding your valuable recommendations to your fellow Mac users in #7 (and #11), I take it that anyone with physical access to my Mac has the ability to make himself an Admin, or even a Root, user by the simple expedient of inserting my OS X disk into my machine and launching from that disk (control C during powerup? Whatever). So since I am going to keep my Snow Leopard disk anyway, isn't it correct to say that I might just as well keep my account names/passwords right in the box with that disk? Only thing I would lose is that if someone found my password and used it, I wouldn't necessarily know it - whereas I would find it out if someone with the disk but not knowing the password came along and changed my password from what it had been, as soon as I tried to use my password?

Then the only disadvantage to putting the password with the disk is that the disk helps the intruder to identify the password - and thus to gain the ability to access Admin privileges without tipping me off?


22 posted on 05/26/2011 6:26:19 AM PDT by conservatism_IS_compassion (DRAFT PALIN)

To: palmer
It seems to me that if the Accounts Pane is locked, then you are done (not running as Admin), so skip all the rest of those steps.

No, that's not correct. Even as an admin, the pane is normally locked to prevent accidental changes -- you need to provide your password to unlock the pane.

23 posted on 05/26/2011 6:28:32 AM PDT by kevkrom (Palin's detractors now resort to "nobody believes she can win because nobody believes she can win")

To: Swordmaker

Windows will always be more vulnerable to viruses, due to being a more open program than Apple. I can’t just go pull a program off the shelf and load it onto Apple, as I can with Windows.

However, as one computer teacher told me, that is the tradeoff with using a more open system, like Windows. On the plus side, it’s been years since I caught a virus, so it would appear that Microsoft has learned a lot.


24 posted on 05/26/2011 6:55:56 AM PDT by Jonty30

To: sayuncledave

I’ve been aware of the fact that Apple’s reputation has been due more to its small market share than to the fact that it is more secure.

And, according to a story that was released here not that long ago, Apple Techs have been instructed to always deny the possibility of malware and viruses, no matter the facts of the situation.


25 posted on 05/26/2011 7:01:08 AM PDT by Jonty30

To: Swordmaker
Thank you for the update!

May YHvH give you comfort
on the passing of your loved ones.

shalom b'SHEM Yah'shua HaMashiach

26 posted on 05/26/2011 7:17:40 AM PDT by Uri’el-2012 (Psalm 119:174 I long for Your salvation, YHvH, Your law is my delight.)

To: Jonty30; Swordmaker
Hi Jonty. Welcome to FreeRepublic.

> I can’t just go pull a program off the shelf and load it onto Apple, as I can with Windows.

Your comments indicate you're not familiar with Apple's Mac computers. Please read up a bit before making more such (uninformed) comments, since they undercut your believability. No offense intended, just sayin', the folks around here know better, and will take you to task for that sort of mistake.

> On the plus side, it’s been years since I caught a virus, so it would appear that Microsoft has learned a lot.

Agreed - Win7 is a very good OS. I use it all day, every day, in addition to my NetBSD UNIX, Linux, and Mac machines (I'm a System Administrator, and have been dealing with this stuff for over 35 years). I don't have time to chat just now, but I'll catch up later tonight.

BTW, if you wish, I suggest you read up on the difference between a Trojan and a virus, and the difference between an autonomous attack and a social engineering attack. It will come in handy in later discussions.

27 posted on 05/26/2011 7:30:32 AM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: dayglored

No, I think my point is still valid. Every computer store I’ve been to has a much smaller Mac software section than a Windows section.

That doesn’t mean there aren’t some programs compatible or programs that aren’t good Apple substitutes for Windows mainstays, but I think it’s still true, even if it has improved as of late.

I’m not meaning to slam Apple or anything, I’m just speaking from the heart.


28 posted on 05/26/2011 7:45:56 AM PDT by Jonty30

To: Swordmaker

I have a probably dumb question. My husband just got his iPad. Does all of this go for that too?


29 posted on 05/26/2011 8:21:18 AM PDT by brytlea (If you don't know what APOD is you'd better find out!)

To: Swordmaker

I see your wonderful news! Congratulations, new life is always a welcome thing. May God’s blessings smile on you all, it’s your turn! :) So glad your Mom got to hear about it, and now she can watch from a great vantage point.


30 posted on 05/26/2011 8:27:01 AM PDT by brytlea (If you don't know what APOD is you'd better find out!)

To: conservatism_IS_compassion
Evidently you meant first, not third, trimester. We will be looking forward to the big day with you.

What can I say... It was 4 AM... ;^)>

There IS a way to lock even the DVD method of changing the administrator name and password... so you can really lock down a Mac... but off the top of my head I don't recall how to do it. But why make it easy?

31 posted on 05/26/2011 10:55:28 AM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone.)

To: Jonty30
Windows will always be more vulnerable to viruses, due to being a more open program than Apple. I can’t just go pull a program off the shelf and load it onto Apple, as I can with Windows.

Jonty, you REALLY can't be that ignorant. It is FAR easier to install a program on a Mac than it is to install one on a PC... off the shelf... and you can install MORE applications on a Mac than you can on a PC, as you can install ALL Windows, UNIX, Linux, OSX, iOS, DOS, and a host of other OS's applications, simultaneously... And run them natively. Your assumption that the Mac is a "closed system" is myth. Your computer teacher was incompetent.

32 posted on 05/26/2011 11:14:24 AM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone.)

To: Swordmaker

Anyone that accesses the Internet as administrator instead of regular user is asking to be hosed, regardless of the type of operating system.


33 posted on 05/26/2011 11:21:55 AM PDT by TexasRepublic (Socialism is the gospel of envy and the religion of thieves)

To: Jonty30
I’ve been aware of the fact that Apple’s reputation has been due more to its small market share than to the fact that it is more secure.

And you are AGAIN completely wrong.

And, according to a story that was released here not that long ago, Apple Techs have been instructed to always deny the possibility of malware and viruses, no matter the facts of the situation.

And I have talked to Apple Techs I know who work at the Apple stores who say they never saw that typo-ridden memo that came from an anonymous source to a blogger known for only reporting negative things about Apple. Apple has typically said nothing yea or nay about it.

34 posted on 05/26/2011 11:31:30 AM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone.)

To: brytlea
I have a probably dumb question. My husband just got his iPad. Does all of this go for that too?

In a word, no.

35 posted on 05/26/2011 11:34:05 AM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone.)

To: Swordmaker

If Apple is the more open system, as you claim, as opposed to proprietary, then why, in most stores, is the software section for Mac always considerably smaller?

You would think that if Mac allows more off-the-shelf software, they’d be the more widespread operating system.


36 posted on 05/26/2011 11:37:28 AM PDT by Jonty30

To: Swordmaker

For those Greybeards that use “Speed Download” in place of Safari’s downloader, you should make sure that “Auto Open” is disabled in Speed Download’s preference pane.


37 posted on 05/26/2011 11:44:02 AM PDT by bobcat62

To: Jonty30
If Apple is the more open system, as you claim, as opposed to proprietary, then why, in most stores, is the software section for Mac always considerably smaller?

You would think that if Mac allows more off-the-shelf software, they’d be the more widespread operating system.

By your logic, the best restaurants must therefore be McDonald's. . . and the best coffee must be Starbucks. Your logic that popularity defines quality fails.

38 posted on 05/26/2011 11:51:10 AM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone.)

To: Swordmaker

Not necessarily.

It depends on your personal priorities.
If you want a computer that works without a hitch, Mac is probably a better computer. However, if you’re looking for the most varied amount of software, it’s not necessarily the best choice.

I’d always rather have choice, as opposed to other possible priorities.


39 posted on 05/26/2011 11:59:15 AM PDT by Jonty30

To: Jonty30
No, I think my point is still valid. Every computer store I’ve been to has a much smaller Mac software section than a Windows section.

That's a logical fallacy called "begging the question," Jonty. You use the fact there are fewer Mac users to argue there are fewer Mac users.

40 posted on 05/26/2011 1:46:59 PM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone.)

