Ramblings of this guy you know!

Tech Stuff and random observations on life as I see it….

New MACDefender Variant: lock up your browsers

Mere hours after Apple announced that it would provide an update to prevent further infections by the MACDefender trojan, a new variant named MacGuard was discovered by the anti-virus provider Intego.

The main difference between the two variants is that the new version installs as the current user, which removes one step from the infection process: the administrator password no longer needs to be entered.

According to Intego, infection still begins with SEO poisoning that seeds false results into web searches. Visiting one of these sites triggers the download of an avsetup.pkg file. If Safari’s “Open ‘safe’ files after downloading” option is checked, the package will open in Apple’s Installer, and the user will see a standard installation screen. If you aren’t using Safari, watch for unrequested downloads and don’t click on ZIP, DMG or PKG files you haven’t expressly downloaded.

This package installs an application – the downloader – named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind.

The second part of the malware is a new version of the MacDefender application called MacGuard. This is downloaded by the avRunner application from an IP address that is hidden in an image file in the avRunner application’s Resources folder.

Protecting yourself without anti-virus

First and foremost, to help prevent infection, uncheck the “Open ‘safe’ files after downloading” option in Safari’s General preferences.

If, while you are using your browser, a web page appears that looks like a Finder window and says it is scanning your Mac, leave the page and quit your web browser.

If an Installer application has opened, and you haven’t requested to install something, quit it right away.

Check your Downloads folder. If anything new and unrequested has been downloaded, delete it.
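The Safari setting and the Downloads check above can also be done from Terminal. This is an added example, not part of the original post or Intego's advisory; it assumes Safari stores the option as the `AutoOpenSafeDownloads` key in the `com.apple.Safari` defaults domain, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: Terminal versions of two manual checks from the post.
# Assumption: Safari keeps the "Open 'safe' files after downloading" option
# as the AutoOpenSafeDownloads key in the com.apple.Safari defaults domain.

# Print "enabled", "disabled" or "unknown" for Safari's auto-open option.
# "unknown" covers: not on macOS, key never written, or preferences unreadable.
safari_auto_open_state() {
    command -v defaults >/dev/null 2>&1 || { echo unknown; return 0; }
    value=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null) \
        || { echo unknown; return 0; }
    case "$value" in
        1|true|YES) echo enabled ;;
        0|false|NO) echo disabled ;;
        *)          echo unknown ;;
    esac
}

# List ZIP, DMG and PKG items in a folder modified within the last N days.
# Usage: list_recent_installers DIR [DAYS]   (DAYS defaults to 1)
# No -type filter: a .pkg can be a bundle directory as well as a flat file.
list_recent_installers() {
    dir=$1
    days=${2:-1}
    [ -d "$dir" ] || return 0
    find "$dir" -mindepth 1 -maxdepth 1 \
        \( -iname '*.pkg' -o -iname '*.dmg' -o -iname '*.zip' \) \
        -mtime "-$days" -print
}

# Run both checks only when invoked with --check, so sourcing has no side effects.
if [ "${1:-}" = "--check" ]; then
    echo "Safari auto-open of 'safe' files: $(safari_auto_open_state)"
    echo "Recent ZIP/DMG/PKG items in ~/Downloads (delete any you did not request):"
    list_recent_installers "$HOME/Downloads" 1
fi
```

Anything it lists, such as an avsetup.pkg you never asked for, should be reviewed and deleted rather than opened.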

