MacDefender Malware Morphs to More Dangerous Variant


5 Aug 2011
Reaction score
Mac OS X users have been warned to be wary of a new variation of the Mac Defender "scareware" that is said to be more dangerous than the original infection.

According to experts at security firm Intego, MacGuard is more dangerous than Mac Defender and several earlier variants, including Mac Protector and Mac Security as it doesn't require an administrator password to install. (See also "Three Ways to Secure Macs at Work: Lessons from MacDefender.")

The aim of the malware is the same -- to persuade victims to hand over their credit card details - though the process is slightly different. Initially, visiting an infected website automatically triggers the download of a file that installs itself on your Mac.

If you have the "Open safe files after downloading" option in Safari checked the installation process will begin automatically and the avRunner program will be installed on your Mac. This then downloads a second file package from a domain belonging to the cybercriminals behind the attack, while deleting all traces of the original installer files.

This second file is the MacGuard package, which will automatically install itself as well. It will then demand credit card details to rid your Mac of the infection.

Intego recommends unchecking the Open safe files after downloading option in Safari and if you should end up on any website that looks similar to Mac OS X's Finder window you should close the browser immediately. If the Installer opens, quit it straight away and check the Downloads folder for any unrecognized files and delete them.

Earlier this week, Apple promised an update to Mac OS X that would find and delete variants of the Mac Defender malware on a user's Mac, as well as warn them should they unwittingly try and download the file.

Opinion: Mac Defender crashes Apple security myth

"In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants," Apple said in a statement.

"The update will also help protect users by providing an explicit warning if they download this malware," it continued.

Apple also outlined steps that users with infected Macs can take to remove the scareware on the Apple Support forum.

However Chester Wisniewski of security firm Sophos questioned Apple's approach to the problem, as cybercriminals would simply create more variants to get around any defences the company puts in place.

"Are they going to develop their own anti-virus software? The fast pace with which new variants arrive requires a very different style of software development and updating than Apple is accustomed to.
Top Bottom
AdBlock Detected

We get it, advertisements are annoying!

Sure, ad-blocking software does a great job at blocking ads, but it also blocks useful features of our website. For the best site experience please disable your AdBlocker.

I've Disabled AdBlock