In association with heise online

26 May 2011, 12:12

Mac Defender variant doesn't require admin password


The latest variant of Mac Defender, MacGuard, requires no admin password to be installed.
Source: Intego

Security specialist and Mac anti-virus maker Intego has announced that it has discovered MacGuard, a new variant of the Mac Defender malware. Unlike Mac Defender and its other variants, including "Mac Security" and "Mac Protector", MacGuard does not require an administrator password for installation.

According to a post on The Mac Security Blog, the latest variant of the fake anti-virus application targeting Mac OS X systems "functions slightly differently" in that it comes in two parts. The first is a downloader tool that, once installed, downloads a payload from a web server. The installation package (avSetup.pkg) is automatically downloaded when users visit a specially crafted web site – if the Safari browser is set to automatically open "safe" files, the installer will be automatically launched.

Intego says that: "Since any user with an administrator’s account – the default if there is just one user account on a Mac – can install software in the Applications folder, a password is not needed", adding that: "This package installs an application – the downloader – named avRunner, which then launches automatically." Once launched, the installation package deletes itself from the user's system so as to leave no traces. The second part of the malware is MacGuard itself, which is downloaded and installed by avRunner.
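
As an added example (not from Intego, Apple or the original article), a shell check for the artefact names mentioned above and for the Safari setting that lets the installer launch on its own. The `.app` bundle suffix, the directories searched and the `AutoOpenSafeDownloads` preference key are assumptions that do not appear in the article.

```shell
#!/bin/sh
# Added example. File names come from the article; the ".app" suffix, the
# directories searched and the Safari preference key are assumptions.

# Print every path in the given directories that matches an artefact name.
# With no arguments, check the usual install and download locations.
find_macguard_artifacts() {
    if [ "$#" -eq 0 ]; then
        set -- /Applications "${HOME:-}/Applications" "${HOME:-}/Downloads"
    fi
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for name in avRunner.app MacGuard.app avSetup.pkg; do
            if [ -e "$dir/$name" ]; then
                printf '%s\n' "$dir/$name"
            fi
        done
    done
    return 0
}

# Map a raw AutoOpenSafeDownloads value to a state. An unset key means
# Safari's default, which is to open "safe" files after downloading.
auto_open_state() {
    case "$1" in
        0|false|NO) echo disabled ;;
        *) echo enabled ;;
    esac
}

# Read the setting on a Mac; report "unknown" where `defaults` is missing.
safari_auto_open() {
    command -v defaults >/dev/null 2>&1 || { echo unknown; return 0; }
    auto_open_state "$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)"
}

hits=$(find_macguard_artifacts)
if [ -n "$hits" ]; then
    printf 'Possible MacGuard artefacts:\n%s\n' "$hits"
else
    echo "No avRunner, MacGuard or avSetup.pkg found in the checked folders."
fi
echo "Safari auto-open of \"safe\" files: $(safari_auto_open)"
```

Because the installation package deletes itself after launch, a missing avSetup.pkg says little; the avRunner and MacGuard entries are the more meaningful hits.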

Apple has responded to the Mac Defender threat with avoidance and removal instructions. The company says that it will release an update that will automatically find and remove Mac Defender and its known variants "in the coming days".

(crve)

Permalink: http://h-online.com/-1250910