Updated rogue AV installs on Macs without password

Mac malware gets a new name, new Mac interface, and installs without requiring a user admin password.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read
This screenshot shows the interface of the latest Mac rogue antivirus malware dubbed MacGuard.
This screenshot shows the interface of the latest Mac rogue antivirus malware dubbed MacGuard. Intego

A new version of rogue antivirus malware that targets the Macintosh operating system does not need victims to type in their administrator passwords to install and infect the machine, a security company said today.

The latest version of the malware has been overhauled to look like a native Mac OS X application and is using the application name MacGuard, according to an Intego blog post. But particularly concerning is the fact that unlike previous versions, which were dubbed Mac Defender, MacProtector, and MacSecurity, MacGuard installs itself without prompting for the admin password.

"If Safari's 'Open safe files after downloading' option is checked, the package will open Apple's Installer, and the user will see a standard installation screen," the antimalware company's post says. "If not, users may see the downloaded ZIP archive and double-click it out of curiosity, not remembering what they downloaded, then double-click the installation package. In either case, the Mac OS X Installer will launch."

"Since any user with an administrator's account--the default if there is just one user on a Mac--can install software in the Applications folder, a password is not needed," Intego says. "This package installs an application--the downloader--named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user's Mac, so no traces of the original Installer are left behind."

The MacGuard program is downloaded by the avRunner application from an IP address that is hidden using steganography in an image file in the Resources folder of avRunner, the post says.

Web pages that look like a Finder window and appear to be scanning the computer are bogus, Intego said. Users should leave the page, quit the browser, and quit the Installer application immediately if anything has downloaded, as well as delete any associated file from the Downloads folder. Also, users should uncheck the "Open safe files after downloading" option in Safari's General Preferences, Intego advises.

In an Apple support article yesterday, the company said "in the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware."

The malware keeps changing names and appearances. It is designed to trick people into paying for supposed antimalware software that they don't need.

More information about how it operates is in this FAQ, and information about how to remove it is here and a comprehensive article about how to secure your computer against MacGuard is here.