Newest MacDefender scareware installs without a password
Criminals 'give Apple the finger,' says security researcher, by releasing new version just hours after Apple warned of fake AV software
Computerworld - Hours after Apple owned up to a fake security software scam campaign, the "scareware" gang released a new variant, with a new name and a streamlined installation process that doesn't prompt victims for their password, a French antivirus firm said today.
"Given the timing, and the new name, it does seem like this was their reaction to Apple's support document," said Peter James, a spokesman for Intego, a maker of Mac-specific security software.
On Tuesday, Apple acknowledged the threat posed by what security experts call "scareware" or "rogueware." bogus security software that claims a computer is heavily infected with worms, viruses and other malware. Once installed, such software nags users with pervasive pop-ups and fake alerts until they fork over a fee to purchase the worthless program.
Apple also said it would update Mac OS X, adding the ability of the operating system to detect and delete the MacDefender scareware.
The group responsible for MacDefender -- and other earlier variants named MacProtector and MacSecurity -- must have read the news, said James.
"They changed the name to MacGuard, and released it today, maybe just to give Apple the finger," James said.
The cyber criminals also changed the way they distribute the fake security program, breaking it into two parts: a small downloader, dubbed "avRunner," which once on a Mac reaches out to a hacker-controlled site to download the phony MacGuard security software.
But the new version also includes a more important twist.
"Unlike the previous variants, no administrator password is required to install the downloader," said James. "People will still see an installer screen -- [the attackers] haven't gotten to the point where they're completely avoiding that yet -- but all one needs to do to install is click 'OK' a couple of times. So it's one less hurdle."
avRunner sidesteps the need for an administrator password by putting itself directly in the Applications folder of a victimized Mac. Unlike a legitimate installer package -- or an illegitimate one for that matter -- putting an executable in the Applications folder doesn't require a password when the user is the administrator.
With avRunner safely added to the Applications folder, it then grabs MacGuard from a remote server.
"A lot of the comments on blogs said 'Stupid Apple users, it's their own fault' because they were entering their [administrator] password," said James. "[The hackers] are now saying, 'Well, we don't even need to get a password.'"
James said that clues in the scareware point to Eastern European or Russian hackers as behind the MacDefender/MacGuard campaign. Last week, Microsoft's malware engineers found links between the Mac scam and a fast-growing one that targets Windows users, and concluded that the same gang is responsible for both.
"These are smart people," said James. "There's nothing new here that Windows users haven't seen, but this group has a couple of very good Mac developers."
Mac users running Safari can stop avRunner from automatically opening its installer screen by unchecking the box marked "Open 'safe' files after downloading" at the bottom of the General tab in the browser's Preferences screen.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- Apple has bigger plans than just song ID with Shazam deal
- Mac Pro shortage sets record as worst Mac production debacle
- Apple slates WWDC for June 2-6, sets up ticket lottery
- Apple patches Safari's Pwn2Own vulnerability, two-dozen other critical bugs
- Microsoft's free OneNote vaults to top of Mac App Store chart
- Apple discounts iPhone 5C 8%-9% in five markets via storage cuts
- Apple hands stock worth $12.1M to top execs in retention deal
- Hands on: Apple's Mac Pro is the fastest Mac ever
- Apple CFO to retire in September after he cashes in $53M stock award
- Apple's CarPlay to spark mobile apps war in your car
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts