MacDefender (now MacGuard) Can Install Without Credentials

The recent MacDefender Trojan has been receiving “rebranding” facelifts since it came out. It has since been deployed as MacProtector, MacDetector, MacSecurity and Apple Security Center, and there are no doubt more iterations to come. The malware has also been updated and now sports an improved UI that looks like a native Mac OS X application, unlike the first variant, which looked like Windows software.

EDIT: A new variant is now being deployed that can install without credentials. The image below shows a fake Finder window displayed within the browser. If you see this window, close the browser, or Force Quit if you can't quit normally. Don't select the "Cancel" or "Remove All" buttons: clicking either one starts the download, and with this variant the installer then runs without asking for your password. Because this makes a successful installation much more likely, we recommend users disable "Open "Safe" files after downloading," at least until Apple pushes their pending security update.

As a quick recap, the infection is spread via poisoned search engine results on image searches. When a bad link is followed in a search, the user is presented with an alert that Trojans or other threats have been detected on the system. At the start of the attack, either a simple dialog box over your browser window or a fake Finder window with a warning similar to this will be displayed:

Alert for MacDefender Trojan

(Image courtesy Nerds On Site)

If the default setting of “Open “Safe” Files After Downloading” is enabled in your browser, the downloaded archive is opened automatically, the installer launches, and you are prompted to enter your password to complete the installation of what is actually the malware payload. A new variant called MacGuard is also live and will install without asking for credentials at all.

As soon as the malware is installed and launched, you'll be informed that the software is an "Unregistered Copy" and given an option to register. If instead you close the browser and quit the installer before it completes, the downloaded file can safely be deleted from the Downloads folder, and no harm is done.

MacDefender Registration Prompt

(Image courtesy Nerds On Site)

Of course, when you "register" the software will try to get you to purchase it, for as much as $79.95.  If you do purchase, not only do you have a bogus charge on your card, you also have given your credit card to criminals. 

Some key considerations for Mac users to be aware of are:

  1. The name and user interface displayed by this malware will change, so don't rely on the name.
  2. The nature of the enticing message, however, will remain a variant of the “viruses (or Trojans, or spyware, etc) have been detected on your computer” message, followed by a request to install the cleanup software, which of course is only available for a fee.

Mac users can defend themselves from variants of this attack by:

  1. Going to Safari->Preferences->General and deselecting the “Open “Safe” files after downloading” option (it is enabled by default)
  2. Installing reputable antivirus software from a trusted source
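Because the setting in step 1 is the one that turns a mere download into a running installer, an administrator will usually want to check and correct it from a script rather than by clicking through Safari's preferences on each machine. The script below is an added example; it is not part of the ESET post and not ESET's or Apple's code. It assumes only that Safari persists that checkbox as the boolean preference AutoOpenSafeDownloads in the com.apple.Safari domain; the function names, the file name safari_autoopen.sh and the handling of the never-written key are this example's own.

```shell
#!/bin/sh
# Added example, not code from the ESET post: audit and disable Safari's
# "Open 'safe' files after downloading" setting from a shell, so the check
# in step 1 above can be scripted across several Macs.
# Assumption: the checkbox is stored as the boolean AutoOpenSafeDownloads
# in the com.apple.Safari preference domain. Function names are this
# example's own.

# classify_autoopen VALUE
#   VALUE is what `defaults read com.apple.Safari AutoOpenSafeDownloads`
#   printed ("0" or "1"), or the empty string when the read failed because
#   the key has never been written. An absent key means Safari is using its
#   built-in default, which is ENABLED, so it is reported as unsafe.
#   Prints "disabled" or "enabled"; returns 0 only for "disabled".
classify_autoopen() {
    case "$(printf '%s' "$1" | tr -d '[:space:]')" in
        0|false|no) printf 'disabled\n'; return 0 ;;
        *)          printf 'enabled\n';  return 1 ;;
    esac
}

# audit_safari_autoopen
#   Reads the live preference for the current user and reports it.
#   Returns 0 when the setting is disabled, 1 when it is enabled or unset.
audit_safari_autoopen() {
    value=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true)
    state=$(classify_autoopen "$value") || true
    printf 'Safari AutoOpenSafeDownloads (%s): %s\n' "$(id -un)" "$state"
    [ "$state" = "disabled" ]
}

# harden_safari_autoopen
#   Turns the setting off for the current user, then re-audits. Safari reads
#   its preferences at launch, so quit and relaunch it for the change to apply.
harden_safari_autoopen() {
    defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
    audit_safari_autoopen
}

# Run only where the `defaults` tool exists (i.e. on a Mac):
#   sh safari_autoopen.sh        -> audit, exit status 1 if the setting is on
#   sh safari_autoopen.sh fix    -> disable it and re-audit
if command -v defaults >/dev/null 2>&1; then
    case "${1:-audit}" in
        fix) harden_safari_autoopen ;;
        *)   audit_safari_autoopen ;;
    esac
fi
```

The point worth noticing is the absent-key case: a machine on which nobody has ever touched the checkbox reads as "no value" rather than "1", and a naive check that only looks for an explicit 1 would wrongly report it as safe. The audit's exit status follows the same rule, so it can be used directly as a compliance check.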

Finally, users of any system should be aware there is currently no legitimate antivirus or security software that alerts you through a browser that malware of any type has been detected and that security software must be installed to remove it. A modern browser may block a suspect site, but it won’t behave in this manner. This is a sure-fire attempt to scare a user into installing a malicious program. In general, if you see a suspicious warning that asks you to install software, simply close the browser, or Force Quit if you need to. NEVER click “OK,” “Cancel” or any other button or links in the window alerting you to fake infections, as that is often what starts the actual download or installation of the malware.

Should you have an infection and require removal instructions, Apple has just posted an official article on their support database at http://support.apple.com/kb/HT4650. In this article, they indicate that software updates for removing and blocking the software will be forthcoming.

If you are an ESET Cybersecurity user and had an infection prior to installing our software and need removal help, remember that ESET offers free customer support.

Author ESET Research, ESET

  • sb

    Hi, I'd like it if you could post (with warnings) any URL's you've found in regards to these new iterations.
    It helps people alert their security personnel to block sites/domains proactively.

    Thanks!  You have my email hidden, so an email is OK too.

    • Dan Clark

      Hi sb. Unfortunately, publishing links is a good way to cause the curious or incautious to infect themselves, and potentially for some to use them maliciously. For these reasons, we don’t post malicious URLs.

  • Joe Banks

    I've seen this virus several times. When you see it, quit out of whatever you are doing. This virus can be listed on anything. Even URLs at the top of google's search results. You just don't know. And you will be surprised to see the above warnings. The second real threat I've seen to the Mac. And since Mac users don't worry about security, Macs will be the easiest to infect. We will be seeing more of these virus attacks like MacDefender. And MacDefender is easily removed. But not future attacks. As someone in another blog listed, it is about market share. As the Mac gains popularity, money is invested in writing viruses for the Mac. Viruses require programming and money. The only way to protect yourself is to disable scripting. Like noscript in Firefox. Defend yourself and keep your Mac updated to the day with software updates.

  • sb

    Understood – which is why I was hoping you could email me the links?
    Thanks!

  • Herbacious

    I have a VM of up-to-date Snow Leopard with the Security Update 2011-003 as well as ESET Cybersecurity with today's update. Tonight I found MacDefender intentionally, to determine if Apple and ESET have addressed the threat to protect my users. I found, unfortunately, no, neither keeps MacDefender from being installed. For ten years I have not run AV and never had a malware problem. Since my company's ESET license covered the Mac version, I've been running it since February on the Mac and on a Linux desktop. Why is this not addressed by ESET's Cybersecurity?

    • Randy Abrams

      Today’s cyber-criminals are testing their malware against every security product and not releasing until they beat them. There often will be a short amount of time between the appearance of new malware and detection of it. Heuristics make it harder for the criminals to get past the security software, but not impossible and it takes time to tune heuristics to relatively new threats without generating false positives. The Mac Defender gang are releasing new variants at least once a day. There is going to be a small window of exposure in many cases. That is simply the reality of the threat. That is how crime has been for thousands of years.

      Did you send in a sample of the undetected threat? If you open the ESET GUI and switch to Advanced Setup then in the tools section there is an option to submit a sample. You may be blocked now as you probably were protected in the next update.

  • Herbacious

    Crime for thousands of years? Your company sells a product to protect users from exactly this software. If you look at your own KB article: SOLN2746, it states the Cybersecurity "detects and blocks" MacDefender, but this has not been my experience. The same article lists a number of steps the user should take to remove it. Instead, I suggest that rather than ask paying users to go through the many manual steps to kill a process and remove files, ESET should remove it.

    • Randy Abrams

      Yes, the history of crime (and MacDefender is a criminal act) is that the criminals adapt to security measures and security companies counter. The advice for manual removal was provided by Apple, and at that time ESET was detecting all known variants of MacDefender. Since then new ones have come out. If you have a problem with ESET not detecting a variant then please submit the sample. If you have a problem with ESET not removing an infection then please use the free technical support that ALL ESET customers are entitled to. If your experience is that ESET is not protecting against MacDefender then you haven’t tried 9 out of 10 variants of the threat. Do you actually still have a sample we don’t detect? Do you have a sample we don’t remove? Please do submit if you do; we are diligent about making the product as effective as possible.

  • Pablo Correa suarez

    I want to install it on my computer to block the threats from all viruses

    • David Harley

      Pablo, I’m afraid you need to go to the main eset.com web page to order ESET products.

Copyright © 2014 ESET, All Rights Reserved.