Reprinted from TidBITS#1079/06-Jun-2011 with permission.
Copyright (C) 2011, TidBITS. All rights reserved.
http://www.tidbits.com/

Apple Responds to Increasingly Serious MacDefender Situation
------------------------------------------------------------
  by Adam C. Engst <ace@tidbits.com>
  article link: <http://tidbits.com/article/12199>

  Most Mac malware of recent years has been more smoke than fire, with 
  security firms issuing dire warnings about some new malware only to 
  have it fall off the radar within weeks. The recent appearance of 
  the scareware MacDefender, also seen as MacProtector and 
  MacSecurity, is breaking that mold, with the number of infections 
  increasing rapidly (for details on MacDefender’s discovery, see 
  “Beware Fake MacDefender Antivirus Software,” 2 May 2011). After 
  talking with an AppleCare support rep, Ed Bott at ZDNet has done 
  some back-of-envelope calculations to estimate that as many as 
  60,000 to 125,000 customers could be affected, with the number 
  growing.

<http://tidbits.com/article/12149>
<http://www.zdnet.com/blog/bott/apple-continues-to-tell-support-reps-do-not-help-with-mac-malware/3375>

  Bott’s conversation also elicited the interesting fact that Apple 
  had told AppleCare reps not to help customers with removing 
  MacDefender, instead pointing people at antivirus software. That was 
  odd, since MacDefender doesn’t worm its way into a system 
  particularly far, and is easily removed by hand.

  Although we don’t know if AppleCare reps are now being allowed to 
  help callers remove MacDefender, Apple is clearly taking the malware 
  more seriously. The company has now posted a support document that 
  outlines how to identify and remove MacDefender. Even more 
  interesting is the fact that Apple last week released Security 
  Update 2011-003 that specifically deals with this malware (see 
  “Security Update 2011-003 Addresses MacDefender Malware,” 31 May 
  2011).

<http://support.apple.com/kb/ht4650>
<http://support.apple.com/kb/HT4657>
<http://tidbits.com/article/12211>

  What’s fascinating about this move is that Apple almost never 
  acknowledges specific pieces of malware. It’s not uncommon for 
  Apple to add general protective features to Mac OS X and Safari, but 
  Apple seldom adds code to Mac OS X to deal with a particular threat. 

  On the one hand, doing so makes good sense, since MacDefender’s 
  deception is clearly sufficient to fool lots of users into entering 
  an admin password, and a relatively small percentage of Mac users 
  run antivirus software that would protect them. On the other hand, 
  we’re left wondering if this is something Apple plans to do 
  whenever a sufficiently serious threat appears, or if it’s a 
  one-off. And we’re certain that antivirus firms like Intego, 
  Symantec, and McAfee are wondering the same thing, since if Apple 
  were to take on malware protection more seriously, it could make it 
  all the harder to sell antivirus solutions to Mac users.


**Beware MacGuard** -- Increasing the level of concern is the fact 
  that Intego has identified a new MacDefender variant called 
  MacGuard. MacGuard works generally along the same lines as 
  MacDefender, but uses a different installation technique that 
  doesn’t require an admin password. 

<http://blog.intego.com/2011/05/25/intego-security-memo-new-mac-defender-variant-macguard-doesnt-require-password-for-installation/>

  MacGuard accomplishes this trick by relying on a poisoned Web page 
  that automatically downloads not an application, but an installer 
  package called avSetup.pkg. If Safari’s “Open ‘safe’ files 
  after downloading” option (or the equivalent in Firefox or Google 
  Chrome; see the previous article for details) is checked, Apple’s 
  installer automatically opens avSetup.pkg, which then installs an 
  application called avRunner in the Applications folder and deletes 
  itself to cover its tracks. Installing into the Applications folder 
  doesn’t require a password if you’re logged in as an 
  administrator. avRunner then launches automatically and downloads 
  the MacGuard application from the Internet, hiding it within the 
  avRunner package, and launching it as well. 

  Of course, if you have disabled the “Open ‘safe’ files after 
  downloading” option, you’ll still have a Zip file containing 
  avSetup.pkg in your Downloads folder, and you’ll have to avoid 
  opening that manually. Just trash it.


**Avoiding MacDefender** -- It’s worth noting that MacDefender is 
  just scareware, with the main threat of capturing your credit card 
  number if you’re fooled into “buying” the software. As far as 
  anyone has found so far, all MacDefender does is open Web pages to 
  porn sites (which could be embarrassing, of course) and present 
  spurious warnings about how your Mac is infected, all aimed at 
  getting you to “buy” the software to eliminate the warnings. 
  It’s essentially a protection racket, but MacDefender does not 
  replicate itself or cause any other harm as far as anyone currently 
  knows.

  So, should you find yourself or someone you know attacked by 
  MacDefender, you have a number of chances to thwart its evil plans. 
  In order:

* Avoid visiting poisoned Web sites. Unfortunately, there’s no way 
  to know whether or not a site has been poisoned ahead of time, and 
  the key to MacDefender’s success has been its capability to use 
  search engine optimization techniques to push rogue sites up in 
  search engine rankings, making the rogue site seem worth visiting. 
  SophosLabs has a white paper that explains SEO poisoning (PDF).

<http://www.sophos.com/medialibrary/PDFs/technical%20papers/sophosseoinsights.pdf?dl=true>

* Turn off options like Safari’s “Open ‘safe’ files after 
  downloading” that open downloaded files immediately. That’s 
  important because these rogue sites can, as soon as they’re 
  visited, cause your Web browser to download a file. If it’s 
  downloaded, but not opened, you have a chance to delete it from your 
  Downloads folder before it does any harm.

* If prompted for an administrator password when you haven’t 
  intentionally downloaded an application you know and trust, _do not 
  enter the password_. I know we’re prompted for our admin passwords 
  all the time, but really, take a moment and make sure you’re 
  entering it only when appropriate. If you don’t enter the password 
  when prompted, the software can’t be installed.

* Should you accidentally get this far — or have MacGuard worm its 
  way onto your Mac — such that you’re faced with an application 
  running that you didn’t intentionally download, immediately do a 
  Web search on the name of the application, so you can learn more 
  about it (at which point you’d discover that it’s not 
  legitimate). If you’re flustered, shut your Mac off and contact 
  someone who knows more about this sort of stuff before proceeding.

* Lastly, if such an application ever pushes you to enter credit card 
  information, just don’t do it. At the moment, this is the only 
  damage MacDefender can do, but having your credit card number stolen 
  is not fun and can require a non-trivial amount of work in terms of 
  changing automatic payments, stored payment information, and so on.
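  The two checks in the list above that can be automated are worth 
  scripting. The POSIX shell script below is an added example, not 
  part of the original article and not an Apple or Intego tool: it 
  reports the state of Safari's "Open 'safe' files after downloading" 
  checkbox (stored under the preference key AutoOpenSafeDownloads in 
  com.apple.Safari, which Safari treats as enabled when the key is 
  absent), offers to turn it off, and lists any installer package or 
  Zip archive waiting in a Downloads folder, which is exactly what the 
  MacGuard chain leaves behind when auto-open is disabled. The file 
  names it reports are whatever is on disk; avSetup.pkg from the 
  article is used only as a constructed sample in the usage note.

```shell
#!/bin/sh
# Added example (not from the TidBITS article): audit the defensive
# settings the article recommends. Runs on macOS; on other systems the
# Safari check reports "unavailable" and only the folder scan is useful.

# Interpret a raw value of Safari's AutoOpenSafeDownloads preference,
# the key behind the "Open 'safe' files after downloading" checkbox.
# Prints: enabled, disabled, default (key unset; Safari's default is
# enabled), or unknown.
classify_auto_open() {
  case "$1" in
    1|true|TRUE|YES|yes) echo enabled ;;
    0|false|FALSE|NO|no) echo disabled ;;
    "") echo default ;;
    *) echo unknown ;;
  esac
}

# Read the live preference with `defaults` when it exists (macOS only).
safari_auto_open_status() {
  if command -v defaults >/dev/null 2>&1; then
    classify_auto_open "$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)"
  else
    echo unavailable
  fi
}

# Turn the checkbox off. Safari re-reads the preference on next launch.
disable_safari_auto_open() {
  command -v defaults >/dev/null 2>&1 || return 1
  defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
}

# List installer packages and Zip archives sitting at the top level of
# a folder; these are the files the article says to trash, not open.
list_installer_downloads() {
  find "$1" -maxdepth 1 \( -name '*.pkg' -o -name '*.mpkg' -o -name '*.zip' \) -print | sort
}

# Number of such files, as a bare integer (wc pads with spaces on macOS).
count_installer_downloads() {
  list_installer_downloads "$1" | wc -l | tr -d ' '
}

echo "Safari auto-open safe files: $(safari_auto_open_status)"
if [ -d "$HOME/Downloads" ]; then
  n=$(count_installer_downloads "$HOME/Downloads")
  echo "Installer packages / archives in ~/Downloads: $n"
  list_installer_downloads "$HOME/Downloads"
fi
```

  Running the script on a Mac that still has auto-open turned on prints 
  "enabled" (or "default", which means the same thing); call 
  `disable_safari_auto_open` to fix it, then check the listing: a 
  constructed Downloads folder holding avSetup.pkg, a Zip archive and a 
  text file is reported with a count of 2, and those two entries are the 
  ones to delete before anything opens them.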

  I think many of us in the press rather pooh-poohed MacDefender, 
  since it seemed like there were too many places to short-circuit its 
  nefarious plans. But we may have overestimated the security 
  sophistication of many Mac users; as Apple’s star has risen, so 
  too has the number of Mac users who have minimal security awareness. 
  It’s a bit like a lot of country folks moving to the city, where 
  they become easy prey for all sorts of scams and criminal activities 
  that city dwellers know to avoid from having grown up throwing 
  deadbolts, setting car alarms, and holding onto their purses.

  A friend’s 11-year-old son was infected by MacDefender (in its 
  MacSecurity variant). It’s unclear what site downloaded the 
  malware, but when it prompted for the admin password that he 
  didn’t know, he asked his mother for help. She wasn’t paying 
  much attention, since she hadn’t started the download, so she 
  absentmindedly entered the admin password, and the deed was done. 
  Luckily, my friend, who’s an IT director, learned of the situation 
  before anyone got to the point of trying to “buy” the program, 
  and we were able to delete all traces of the malware, but this shows 
  just how clever MacDefender’s technique is.

  So does this change our advice that Mac users shouldn’t run 
  antivirus software (see “Should Mac Users Run Antivirus 
  Software?,” 18 March 2008)? For TidBITS readers, I still say no, 
  since I think anyone who reads TidBITS regularly probably has a 
  sense of when something is unusual or wrong, and knows enough to 
  shut it down. That said, I may be rethinking our recommendation for 
  the sort of users who stand no chance of identifying unusual 
  behavior. It may be just like offering advice to a graduating 
  college student who’s moving from a small town to a large city — 
  such a person probably needs a lot more coaching and help than a 
  similar student who grew up with constant parental warnings about 
  what to do and what not to do.

<http://tidbits.com/article/9511>

