Mac Defender becomes MacGuard, gets sneakier

MacGuard malware - from intego.com

The Mac scareware that started popping up recently has got a little more insidious. Not quite a full-blown virus, it still requires a clueless or distracted user to install it, but the latest version does not require an administrator password to be entered.

It started on May 2 (timeline here), when fake antivirus began to spread through poisoned Google image search results. It was pretty primitive, causing Safari browsers to run a piece of JavaScript that threw up a fake anti-virus scanner message. It was poorly done – even a thoroughly unsophisticated Mac user would be suspicious of a Windows XP error message.

By the 5th of May the miscreants had jacked up the SEO manipulation and changed the message to a much more convincing Mac Finder window, with the name changing from Mac Defender to Mac Security. It still, however, required that the user not only click on the window, but enter their administrator password to allow the malware to install.

By the 25th the black hat developers had changed the script so that the download installed directly into the Applications folder, which no longer asks for a password to run (anything running from this folder is assumed legit). It now appeared as MacGuard.

So good news Mac users – your days of relative safety from viruses are drawing to a close as more malware writers target OS X. The FakeAvDl-A is more an annoyance than anything else (it also tries to trick users into entering their credit card details to unlock the “anti virus” software’s ability to remove malware), and to be effective requires that the user has left Apple’s silly default “Open ‘safe’ files after downloading” option in Safari checked.

Apple initially more or less ignored the threat, but has now published a knowledge base item.

There’s lots of fairly hysterical coverage of the topic by anti-virus companies (both the Sophos page and Intego), but at the moment it’s more of a punishment for the unwary than a major threat. But it’s almost certainly a harbinger of things to come.

To avoid getting into trouble, if you use Safari go uncheck that option (Safari/Preferences/General, right at the bottom of the tab). Firefox, Chrome and Opera are not affected.

Roger Hislop

