New variant of Mac Defender needs no password

There’s a new variant of [Mac Defender](http://blog.intego.com/2011/05/02/intego-security-memo-macdefender-fake-antivirus/ "The Mac Security Blog » Intego Security Memo – MAC Defender Fake Antivirus Program Targets Mac Users") doing the rounds – and unlike the initial versions this one doesn’t require an administrator password to install:

> Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. Since any user with an administrator’s account – the default if there is just one user on a Mac – can install software in the Applications folder, a password is not needed. This package installs an application – the downloader – named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind.

(via [The Mac Security Blog » INTEGO SECURITY MEMO – New Mac Defender Variant, MacGuard, Doesn’t Require Password for Installation](http://blog.intego.com/2011/05/25/intego-security-memo-new-mac-defender-variant-macguard-doesnt-require-password-for-installation/))

It will be interesting to see how this develops. What’s clear is that variants of the malware are going to be coming quickly, and I’m curious about how Apple plans to make good on its promise to [deal with Mac Defender in an OS patch](http://www.zdnet.com/blog/btl/apple-mac-os-x-update-to-put-mac-defender-malware-issue-to-bed/49278?tag=nl.e539 "Apple Mac OS X update to put Mac Defender malware issue to bed | ZDNet"). Short of requiring all apps to be [signed](http://developer.apple.com/library/mac/ipad/#technotes/tn2206/_index.html "Technical Note TN2206"), it’s going to find it very difficult to create a permanent solution at the OS level.
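As an added example (my own, not from this post or from Intego), here is a small shell check for the condition the quoted memo relies on: whether the logged-in account could drop an application bundle into a folder such as /Applications without ever seeing a password prompt. The decision function works from a directory's mode string, its owning group and the user's group list, so it can be exercised with constructed inputs; the `audit_applications` wrapper feeds it real values from `stat` and `id` on a Mac. Function names are my own.

```shell
#!/bin/sh
# Decide whether a user could write into a directory without elevation,
# judged only from its mode string, owning group and the user's groups.
#   $1  mode string as printed by `ls -ld` or `stat -f %Sp`, e.g. drwxrwxr-x
#   $2  group that owns the directory, e.g. admin
#   $3  space-separated groups the user belongs to, e.g. "staff admin"
#   $4  1 if the user owns the directory, 0 otherwise
# Prints "yes" or "no".
can_install_without_password() {
    mode=$1; dir_group=$2; user_groups=$3; is_owner=$4
    # Mode positions: 1 type, 2-4 owner bits, 5-7 group bits, 8-10 other bits.
    owner_w=$(printf '%s' "$mode" | cut -c3)
    group_w=$(printf '%s' "$mode" | cut -c6)
    other_w=$(printf '%s' "$mode" | cut -c9)
    writable=no
    if [ "$other_w" = "w" ]; then
        writable=yes                      # world-writable: anyone can drop files
    elif [ "$is_owner" = "1" ] && [ "$owner_w" = "w" ]; then
        writable=yes                      # the user owns the folder
    elif [ "$group_w" = "w" ]; then
        # Group-writable (the /Applications default, root:admin): only a
        # member of that group, i.e. an admin account, gets in silently.
        for g in $user_groups; do
            if [ "$g" = "$dir_group" ]; then writable=yes; break; fi
        done
    fi
    printf '%s\n' "$writable"
}

# On a Mac, run the check against the real folder (default /Applications).
# Elsewhere it just reports that it skipped, so the script is safe to source.
audit_applications() {
    dir=${1:-/Applications}
    if [ "$(uname)" != "Darwin" ]; then
        echo "skip: not macOS"
        return 0
    fi
    set -- $(stat -f '%Sp %Sg %Su' "$dir")   # mode, group, owner
    owner_flag=0
    [ "$3" = "$(id -un)" ] && owner_flag=1
    printf '%s writable by %s without a password: ' "$dir" "$(id -un)"
    can_install_without_password "$1" "$2" "$(id -Gn)" "$owner_flag"
}
```

A "yes" for the everyday login account is the situation the memo describes; running day-to-day from a non-admin account turns it into "no", which is exactly the two-account setup the first comment below argues for.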

  • http://twitter.com/jasonline Jason Staines

    I imagine this is exactly why they weren’t offering to remove malware from users’ Macs. Once they started down that path, they’d be cleaning every piece of malware installed by users from now till the end of time. Rather than do that, they directed people to an AV solution to sort out a problem that – let’s be honest – the users contributed to. Of course, that wasn’t good enough for trolls like Bott, who presumably would accept nothing short of Jobs personally removing every piece of malware while flagellating himself and saying “I’m so sorry, Ed. I made a mistake.” 
    I don’t know how they can do it at the OS level short of requiring two accounts – an admin and a user (with no admin powers). Of course, that isn’t going to stop numpties who, despite being in their powerless user account, will still type in the admin password when prompted to by “FreeHotLesbians.app”.

    BTW: nice, sane, rational post from you on this issue, Ian. Thanks.

  • http://www.facebook.com/GeneralStephenWest Stephen West

    But it still requires installation. And if you uncheck Safari’s autorun, you won’t even get the install screen.

  • http://www.technovia.co.uk Ian Betteridge

    Of course. But so does the vast majority of Windows malware these days. And the fact that Windows machines still get infected regularly demonstrates that a lot of people will install stuff when asked.

    (As an aside: I wonder if the “there is no malware for the Mac” belief, which is especially common amongst Windows converts, will make people more susceptible to installing dodgy stuff. After all, if you believe the platform is malware-free, you’re not exactly going to worry about what you install.)