Securing your Mac from the new MacGuard malware variant
There is a new variant of the MacDefender malware for OS X that can be installed without requiring an admin password.
The MacDefender phishing malware for OS X has caused a bit of concern in the Mac community. People who inadvertently visit the false "Apple Security Center" Web site are downloading the installer for the scam software and installing it. This has previously required users to interact with the software installer and provide an admin password to install the package; however, as reported on by, a new variant installs the program under the current user's account and uses an install option that does not require an admin password.
Overall this new variant is not much different from the previous versions of the malware, but it does make it slightly easier to inadvertently install the malware (especially if you are running your system as an administrator--the default account type for OS X), and may sneak by users who are on the lookout for the MacDefender malware but who are not watching for other packages.
This program will still require user interaction in order to install, so you will see an installer program running and will have to click through a couple of installation windows in order to get it on your system; however, the difference now is that it can be installed without an administrator password. While this does not change much for people who would install the software anyway, it is an example of why it is important to reserve administrator accounts for administrator purposes only.
If your working account is an administrator account, you can convert it to a non-admin account very easily, and this will not change the way your system runs at all. All it will do is require administrative credentials to perform certain tasks that otherwise could have been done without supplying credentials. As a result, your system will notify you if a program is trying to modify some system resources that would otherwise be freely editable if you were running in an admin account.
To convert your account to a standard one, go to the Accounts system preferences and create a new account that will be your new administrator account. Give it a name and a password, and ensure that it has administrator capabilities.
When the new administrator account has been made, log out of your current account and into the new admin account, and go back to the Accounts system preferences. Click the lock and authenticate your new admin credentials. Now select your old account and uncheck the box for "Allow user to administer this computer." Now log out of your new admin account and back into your old account, and you're good to go: you should be safer from these types of malware threats.
In addition to converting your account, be sure to uncheck Safari's option to automatically open "Safe" files. While this option was included as a matter of convenience for OS X users, it does pose a security risk and we recommend keeping it turned off. To do this, go to the General section of Safari's preferences, where you should see the check box for this setting. Uncheck it for all accounts on the system to ensure that any malicious files are not inadvertently opened. Even though initially opening these files will still require you to interact with the installer, it is best to never open them and to remove them from the system. Disabling this setting in Safari will help with this.
Beyond these options for OS X, you can install a legitimate malware scanner on your system, keep it updated, and set it up to regularly scan your download folders. Even with these new malware threats for OS X users there is debate as to whether or not a malware scanner is required for Macs, but regardless, a malware scanner should be able to root out these programs and remove them. Malware detection companies like Intego, SecureMac, and Sophos are regularly updating their malware definitions to detect these new threats. For more details on how to protect your Mac from these phishing attempts, see outlining methods of ongoing protection from these scams.
Recent and related articles: