Mac Defender 2.0... Malware Creator Responds to Apple Update

Apple may've taken a lot longer than anyone would have liked to respond to the Mac Defender fake antivirus malware, but he/she/they haven't.

In fact, on the heels of Apple's announcement, the Mac Defender creator has already fired another salvo back across Apple's bow.

The latest?

According to Intego, a Mac-centric antivirus firm, the latest version, dubbed "Mac Guard," that has upped the ante and made stopping it all the harder.

For starters Intego says in their blog post on Mac Defender,

Intego today discovered a new variant of this malware that functions slightly differently. It comes in two parts.

"The first part is a downloader, a tool that, after installation, downloads a payload from a web server.

"As with the Mac Defender malware variants, this installation package, called avSetup.pkg, is downloaded automatically when a user visits a specially crafted web site.

Yikes. Auto-download? That sounds a lot like Windows malware to me.

And, here's where it gets really ugly.

Apple, in their infinite wisdom, has Safari, the default browser on the Mac, in its default configuration, automatically open so-called "safe" files after downloading.

Translation, it downloads on its open and even opens itself for you... all on its own! Yay! Before you know it, and without your asking for it, the standard, friendly looking Mac installer is in front of you. All on its own.



What next? All you have to do is click 'Continue' and so on as you normally would, and poof! your machine is infected.

The thing is, a lot of people won't know any different. All they see is the friendly-looking installer (that can't be harmful, right??), and a 'Continue' button.

What do they do? Click 'Continue,' of course!

What's more, according to Intego, is Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. [Editor's note: emphasis theirs.]

This whole Mac Defender/Protector/Security/Guard trojan malware is causing more than a little buzz, including a piece on Mac Guard on ZDNet.

In the article, author Ed Bott's [Editor's Note: Botts... an apropos name for someone in Internet security], says,

Apple appears to be treating this outbreak as if it were a single incident that won’t be repeated. They seriously underestimate the bad guys, who are not idiots.

"Peter James, an Intego spokeperson, told me his company’s analysts were 'impressed by the quality of the original version.'

"The quick response to Apple’s move suggests they are capable of churning out new releases at Internet speeds, adapting their software and their tactics as their target—Apple—tries to put up new roadblocks.

That about sums up our take on things here, too. Seriously, Apple, these were a couple of real missteps on your part. First the long delay.

Then the craptastic response. C'mon. How 'bout disabling the inane Automatically open "Safe" files. That's not really a default, is it?

That's the best the company that makes innovative products like the iMacs, iPhones, iTunes, iPods, and iPads can do?

Maybe this is going to be a long road after all.

[N.B. The original Apple announcement on Removing Mac Defender, which we discussed in an earlier blog about Mac Defender, mentioned two steps Apple was taking to combat Mac Defender. They were going to be:

1. releasing a Mac Defender remover as part of their next update and
2. having OSX do some sort of realtime intervention if you tried to install the malware.]