Intego confirms new MACDefender variants, as Apple issues a software update to find and remove malware

Intego has warned of more variants of the MACDefender rogue anti-virus.

Appearing high in search engine rankings, MACDefender infects users by opening random websites and offering to ‘clean' a user's PC with the rogue anti-virus. As detailed by SC Magazine last week, the amount of downloads are relatively minimal but do show a turning point for malware for the Mac OS.

Mac security firm Intego has now detected several more variants of MACDefender, named MacProtector and MacSecurity, both of which are the same application using different names.

It said: “The goal of this fake anti-virus software is to trick users into providing their credit card numbers to supposedly clean out infected files on their Macs. We have discovered a new variant of this malware that functions slightly differently.

“It comes in two parts. The first part is a downloader, a tool that downloads a payload from a web server after installation. As with the MACDefender malware variants, this installation package, called avSetup.pkg, is downloaded automatically when a user visits a specially crafted website.”

It also said that unlike previous variants of MACDefender, no administrator's password is required to install this program, as any user can install software in the applications folder. The malware installs a downloader application named avRunner, which launches automatically, while the installation package deletes itself from the user's Mac, so no traces of the original installer are left behind.

The second part of the malware is a new version of the MACDefender application called MacGuard. This is downloaded by the avRunner application from an IP address that is hidden in an image file in the avRunner application's resources folder. The IP address is hidden using a simple form of steganography.

Intego said that it considers the risk for this new variant to be medium, in part because the search engine optimisation poisoning has been very efficient in leading Mac users to booby-trapped pages, but also because no password is required to install this variant.

Apple has issued support instructions on how to avoid installing MACDefender and how remove the malware. It also said that in the coming days, it will deliver a Mac OS X software update that will automatically find and remove MACDefender malware and its known variants. “The update will also help protect users by providing an explicit warning if they download this malware,” it said.

Chester Wisniewski, senior security advisor at Sophos Canada, said: “This is good news for OS X users who have been affected, but with new variants arriving daily, how will this work?

“When Apple introduced XProtect with OS X 10.6 Snow Leopard, they added rudimentary detection of malware. In the nearly two years since its introduction, they have only updated it a few times.

“Are they going to develop their own anti-virus software? The fast pace with which new variants arrive requires a very different style of software development and updating than Apple is accustomed to.”


Sign up to our newsletters