Just hours after Apple announced that it would provide an update to prevent further infections by the MACDefender trojan, a new variant named MacGuard was discovered by the anti-virus provider Intego.
The main difference between the two variants is that this new version installs as the current user, which removes one step from the infection chain: the administrator password no longer needs to be entered.
According to Intego, infection still begins with SEO poisoning, which seeds malicious sites into web search results. Visiting one of these sites results in the download of an avsetup.pkg file. If Safari’s “Open ‘safe’ files after downloading” option is checked, the package will open Apple’s Installer, and the user will see a standard installation screen. If you aren’t using Safari, watch for unrequested downloads and don’t click on ZIP, DMG or PKG files you haven’t expressly downloaded.
This package installs an application – the downloader – named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind.
The second part of the malware is a new version of the MacDefender application called MacGuard. This is downloaded by the avRunner application from an IP address that is hidden in an image file in the avRunner application’s Resources folder.
Protecting yourself without anti-virus
First and foremost, to help prevent infection, uncheck the “Open ‘safe’ files after downloading” option in Safari’s General preferences.
If, while using your browser, a web page that looks like a Finder window appears and says it is scanning your Mac, leave the page and quit your web browser.
If an Installer application has opened, and you haven’t requested to install something, quit it right away.
Check your downloads folder. If anything new and not requested has downloaded, then delete it.
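The following script is an added example, not code from Intego, Apple or the original post: it turns the four protective steps above, and the infection chain described earlier (avsetup.pkg dropping the avRunner downloader), into a repeatable check. It assumes that Safari stores the “Open ‘safe’ files after downloading” setting under the preference key AutoOpenSafeDownloads in the com.apple.Safari domain (a real key, but one the post does not name), that the script is saved as macguard_check.sh (an assumed filename), and that the Downloads folder is $HOME/Downloads. The defaults command only exists on macOS, so the Safari part reports “unavailable” on other systems; the file-listing functions work anywhere.

```shell
#!/bin/sh
# Added example, not part of the Intego/Apple material: defensive checks for the
# MacGuard/MacDefender infection chain. It reports whether Safari auto-opens
# "safe" downloads (and can switch that off), lists recent installer-type files
# in a Downloads folder, and flags the avsetup.pkg downloader named in the post.
# Assumption: the preference key com.apple.Safari AutoOpenSafeDownloads.

SAFARI_DOMAIN="com.apple.Safari"
SAFARI_KEY="AutoOpenSafeDownloads"

# Print "enabled", "disabled", or "unavailable" (no `defaults`, i.e. not macOS).
safari_auto_open_status() {
    command -v defaults >/dev/null 2>&1 || { echo unavailable; return 0; }
    # An absent key means Safari's default, which is enabled.
    val=$(defaults read "$SAFARI_DOMAIN" "$SAFARI_KEY" 2>/dev/null || echo 1)
    case "$val" in
        0|false|NO) echo disabled ;;
        *)          echo enabled ;;
    esac
}

# Mitigation step 1 from the post: turn the option off.
safari_disable_auto_open() {
    command -v defaults >/dev/null 2>&1 || return 0
    defaults write "$SAFARI_DOMAIN" "$SAFARI_KEY" -bool false
}

# List .pkg/.dmg/.zip files modified within the last N days (default 7) in DIR.
# Usage: list_recent_installers DIR [DAYS]
list_recent_installers() {
    dir=$1; days=${2:-7}
    find "$dir" -maxdepth 1 -type f \
        \( -iname '*.pkg' -o -iname '*.dmg' -o -iname '*.zip' \) \
        -mtime "-$days" | sort
}

# Number of such files, printed without padding so callers can compare it.
count_recent_installers() {
    list_recent_installers "$1" "${2:-7}" | wc -l | tr -d ' '
}

# Print the path of avsetup.pkg (the downloader package named in the post) if it
# sits in DIR and return 0; return 1 when it is absent.
find_avsetup_pkg() {
    hit=$(find "$1" -maxdepth 1 -type f -iname 'avsetup.pkg' | head -n 1)
    [ -n "$hit" ] && { echo "$hit"; return 0; }
    return 1
}

# Stand-alone report against the real Downloads folder.
main() {
    echo "Safari auto-open of 'safe' files: $(safari_auto_open_status)"
    dl="$HOME/Downloads"
    [ -d "$dl" ] || exit 0
    echo "Installer-type files downloaded in the last 7 days in $dl:"
    list_recent_installers "$dl"
    if find_avsetup_pkg "$dl" >/dev/null; then
        echo "WARNING: avsetup.pkg present. Delete it, quit any Installer window,"
        echo "and check /Applications for an avRunner application."
    fi
}

# Run the report only when executed as macguard_check.sh (assumed filename),
# not when the functions are sourced into another shell.
case "${0##*/}" in
    macguard_check.sh) main ;;
esac
```

Run it as `sh macguard_check.sh` on the Mac in question; to apply the first mitigation rather than just report on it, source the file and call `safari_disable_auto_open`, then restart Safari. The age window in `list_recent_installers` is deliberately a parameter, since “new and not requested” depends on when the suspicious search result was clicked.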