Another and potentially more dangerous version of the Mac Defender malware has been detected in the wild, says security firm Intego. Called “MacGuard,” the code is mostly similar in function to its predecessors. An attack begins, for instance, when a person is tricked into visiting a malicious URL, which triggers the automatic download of an installer called avSetup.pkg.
If a browser like Safari is set to open downloads automatically, an install window will then appear; if not, the downloaded ZIP file will still be left on the hard drive. The installer itself is where MacGuard differs: while other versions of the malware require an administrator password, MacGuard avoids this by installing itself into the Applications folder. In reality two apps are installed: the first is a downloader called avRunner, which then fetches MacGuard itself from an IP address hidden in an image file.
Like Mac Defender, MacGuard’s goal is to steal credit card numbers by claiming a Mac is infected and then offering to unlock scrubbing tools. Because there is one fewer barrier to an actual infection, MacGuard may pose a greater threat than its siblings. It also attempts to remove some of its traces by deleting the initial installer.
Genuine, up-to-date antivirus tools should be able to detect MacGuard. Apple has meanwhile promised to issue a patch that will protect against all known variants of Mac Defender, and issued instructions on manual removal. Should the malware already be running, it can be stopped by killing the appropriate processes in Activity Monitor and deleting culprit files.
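As an added illustration of the two defensive points above (the Safari auto-open setting that lets the installer run on its own, and the manual clean-up of processes and files), here is a small triage script. It is not from the article or from Intego; it uses only the names the report gives (MacGuard, avRunner, avSetup), and it assumes that the malware's bundles carry those names, that they land in the user's or the system Applications folder or in Downloads, and that the Safari preference key `AutoOpenSafeDownloads` governs the auto-open behaviour. It reports by default and only stops processes or deletes files when run with `REMOVE=1`.

```shell
#!/bin/sh
# Added triage script for the MacGuard indicators named in the Intego report.
# Not the report's own tooling. Bundle names, folders and the Safari
# preference key are assumptions, not details taken from the report.

# Names the report mentions: the payload, the downloader and the installer.
INDICATORS="MacGuard avRunner avSetup"

# 1. Safari's "Open safe files after downloading" setting. When it is on, the
#    avSetup.pkg installer opens as soon as the download finishes.
#    Prints "on", "off" or "unknown" (the latter when not running on macOS).
check_safari_autoopen() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)
    case "$v" in
        1|true|YES) echo on ;;
        0|false|NO) echo off ;;
        *) echo on ;;   # assumed: an absent key means Safari's default, which is on
    esac
}

# 2. Look for bundles or installers named after the indicators directly inside
#    the given folders. MacGuard needs no admin password because it installs
#    into a folder the user can write to, so ~/Applications is the first guess.
find_artifacts() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for name in $INDICATORS; do
            find "$dir" -maxdepth 1 -iname "${name}*" 2>/dev/null
        done
    done
}

# 3. Filter "pid command" lines (as produced by `ps -axo pid=,comm=`) down to
#    processes whose basename matches an indicator. Reads stdin so the same
#    function works on live output and on a saved process listing.
match_processes() {
    while read -r pid comm; do
        base=${comm##*/}
        for name in $INDICATORS; do
            case "$base" in
                "$name"*) echo "$pid $base" ;;
            esac
        done
    done
}

# 4. The manual removal the article describes: stop the processes first, then
#    delete the files. Only acts when REMOVE=1; otherwise it just reports.
triage() {
    echo "Safari auto-open: $(check_safari_autoopen)"
    ps -axo pid=,comm= 2>/dev/null | match_processes | while read -r pid base; do
        echo "running: $base (pid $pid)"
        if [ "${REMOVE:-0}" = 1 ]; then kill "$pid"; fi
    done
    find_artifacts "$HOME/Applications" /Applications "$HOME/Downloads" | while read -r path; do
        echo "artifact: $path"
        if [ "${REMOVE:-0}" = 1 ]; then rm -rf "$path"; fi
    done
}

# Usage: sh macguard_triage.sh --run          (report only)
#        REMOVE=1 sh macguard_triage.sh --run (stop processes and delete files)
if [ "${1:-}" = --run ]; then
    triage
fi
```

Killing the processes before deleting the files matters: the downloader can otherwise re-fetch the payload, and a running app may keep its bundle in use. Turning off the Safari auto-open setting removes the step that let the installer window appear without any click from the user.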