New Version of Mac Defender on the Loose - Mac Guard

A new variant of the Mac Defender malware is out in the wild using the same effective SEO poisoning to trick Mac into downloading and installing a malicious program.

Dubbed MacGuard, the app comes in two pieces, one of which is an installer called avRunner.

As with the first threat, Texas, Austin-based security vendor Intego has been quick to acknowledge its existence, labeling the risk “medium” as no administrator password is required to install this new variant.

Here’s how it works, according to Intego.

“If Safari's "Open ‘safe’ files after downloading" option is checked, the [avRunner] package will open Apple's Installer, and the user will see a standard installation screen.”

“If not, users may see the downloaded ZIP archive and double-click it out of curiosity, not remembering what they downloaded, then double-click the installation package. In either case, the Mac OS X Installer will launch.”

Intego outlines that, “Unlike the previous variants of this fake antivirus, no administrator's password is required to install this program.”

“This package installs an application - the downloader - named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user's Mac, so no traces of the original installer are left behind,” Intego notes.

The avRunner application then proceeds to download the second part of the malware - a new version of the MacDefender application called MacGuard.

The malware aims to do the same thing Mac Defender did - trick users into paying for an antivirus license to keep their systems clean of malware. Users must provide their credit card information to pay for the ‘goods.’

In a Support document, Apple has recently acknowledged the existence of the first piece of malware that does this (Mac Defender) and has outlined the steps to either avoid installing or removing it.

The same steps should apply for Mac Guard.

Intego also advises to un-check Safari’s option to open ‘safe’ files after downloading, just to be on the safe side, but ultimately says that a proper solution is to install antivirus software, of which they have VirusBarrier on offer.