This Mac malware thing is really scary now

MacGuard Installer

It's time for Windows PC users to start a support group for their Mac friends. You know their pain -- clicking a link sent by email or instant message or simply visiting a website, and WHAM! You've got a virus, downloaded and installed with no administrator password required.

Uh-oh. The malware ghetto is coming to the Mac, where street gangs and thieves overrun the once pretty manicured neighborhood. Mac users, you may need to bar the windows and lock the doors. Uh, first install locks on the doors.

MacGuard is Mac Defender -- only Worse

Today, Intego warned about a new Mac Defender variant -- this one capable of installing without administrator privileges. This is the kind of drive-by shooting -- eh, drive-by-download -- Windows users are all too familiar with. Arguably, Windows 7 and Internet Explorer 9 are hardier than their forebears at dispelling this kind of attack. Intego's warning is scary, considering most Mac users don't run antivirus software. Worse, they've been educated that Macs are invulnerable to malware.

The new variant, which Intego ranks as only "medium" risk, still requires some interaction from the user -- and that's at least a limited barrier to infection. From the Intego security blog:

Intego today discovered a new variant of this malware that functions slightly differently. It comes in two parts. The first part is a downloader, a tool that, after installation, downloads a payload from a web server. As with the Mac Defender malware variants, this installation package, called avSetup.pkg, is downloaded automatically when a user visits a specially crafted web site...

Unlike the previous variants of this fake antivirus, no administrator's password is required to install this program. Since any user with an administrator's account -- the default if there is just one user on a Mac -- can install software in the Applications folder, a password is not needed. This package installs an application, the downloader, named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user's Mac, so no traces of the original installer are left behind.

The second part of the malware is a new version of the Mac Defender application called MacGuard. This is downloaded by the avRunner application from an IP address that is hidden in an image file in the avRunner application's Resources folder. (The IP address is hidden using a simple form of steganography.)...

Intego considers the risk for this new variant to be medium, in part because the SEO poisoning has been very efficient in leading Mac users to booby-trapped pages, but also because no password is required to install this variant.

Interesting. That means the "medium" I took to be surprisingly low risk is really a high one.


No Admin Password Required

Installation without password is troubling for two reasons:

1. The added authentication is a barrier to unauthorized installation and a warning to the user that software is asking permission to do something. If you're used to being prompted for a password when installing software and are prompted otherwise, it's a sign something is amiss. No password prompt, no warning.

2. Users are more likely to accidentally install the malware. Many users might be confused by the installer stealthily downloaded to their Macs. If a password is required, they can accidentally click install and still have another chance to back out. No password required means you click and you're in trouble quick.
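A defender-side triage for the artifacts Intego names (avSetup.pkg, avRunner, MacGuard) and for the condition that removes the password prompt, as an added example that is not code from Intego, Apple or this article. The function names, the directories scanned and the search depth are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Intego's or Apple's tooling). Artifact names are taken
# from the article; the scanned directories and depth are assumptions.

# Print paths under the given roots whose name matches avSetup.pkg,
# avRunner or MacGuard (case-insensitive, with or without ".app").
find_macguard_artifacts() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -maxdepth 3 \( \
            -iname 'avSetup.pkg' -o \
            -iname 'avRunner' -o -iname 'avRunner.app' -o \
            -iname 'MacGuard' -o -iname 'MacGuard.app' \
        \) -print 2>/dev/null
    done
}

# True when this account can create items in the directory without
# elevation, so an installer targeting it triggers no password prompt.
writable_without_elevation() {
    [ -d "$1" ] && [ -w "$1" ] && [ -x "$1" ]
}

# True when the current user belongs to the "admin" group.
is_admin_user() {
    id -Gn 2>/dev/null | tr ' ' '\n' | grep -qx 'admin'
}

# Report findings; returns 1 if any named artifact is present.
triage() {
    apps_dir=${1:-/Applications}
    downloads_dir=${2:-$HOME/Downloads}
    hits=$(find_macguard_artifacts "$apps_dir" "$downloads_dir")
    if is_admin_user; then
        echo "NOTE: current user is in the admin group"
    fi
    if writable_without_elevation "$apps_dir"; then
        echo "NOTE: $apps_dir is writable without a password prompt"
    fi
    if [ -n "$hits" ]; then
        echo "FOUND:"
        echo "$hits"
        return 1
    fi
    echo "No avSetup.pkg, avRunner or MacGuard items found"
    return 0
}
```

Source the file and run `triage` with no arguments to check `/Applications` and `~/Downloads`. A clean result only means these file names are absent, since the installer package deletes itself after running.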

In a support document posted yesterday, Apple acknowledged that Mac Defender can infect Macintosh computers and that: "In some cases, your browser may automatically download and launch the installer for this malicious software." According to research released last week by Microsoft, 1 in 14 programs that are downloaded are later determined to be malware, and in most cases, the malicious software was installed by good old-fashioned social engineering.

The problem here is SEO poisoning, where a web search brings up among the results a hyperlink leading to a malware site capable of downloading the installer automatically.

Suddenly in writing about this attack, I'm having déjà vu, like I've reported this before -- and I have, about Windows XP. But Microsoft has hardened the security of Internet Explorer and Windows Vista/7 and, more importantly, more users run anti-malware software than did a decade or even five years ago. Meanwhile, the Mac is a sweet country village where no one locks doors (e.g., uses anti-malware software).

There remains but one caveat: Intego's business is selling anti-malware software for Macs. So there's a built-in conflict of interest -- as there would be for most any software developer. Intego wants to scare you into buying its security software. Will you? Or another vendor's? Please answer the poll above that's appropriate to you.

Screen grab source: Intego
