The Mac scareware that started popping up recently has got a little more insidious. Not quite a full-blown virus, it still requires a clueless or distracted user to install it, but the latest version does not require an administrator password to be entered.
By the 5th of May the miscreants had jacked up the SEO manipulation, changed the message to a much more convincing Mac Finder window, and changed the name from Mac Defender to Mac Security. It still, however, required that the user not only click on the window, but also enter their administrator password to allow the malware to install.
By the 25th the black hat developers had changed the script so that the download installed directly into the Applications folder, which no longer asks for a password to run (anything running from this folder is assumed legit). It now appeared as MacGuard.
So, good news, Mac users – your days of relative safety from viruses are drawing to a close as more malware writers target OS X. The FakeAvDl-A is more an annoyance than anything else (it also tries to trick users into entering their credit card details to unlock the “anti virus” software’s ability to remove malware), and to be effective it requires that the user has left Apple’s silly default “Open ‘safe’ files after downloading” option in Safari checked.
Apple initially more or less ignored the threat, but has now published a knowledge base item.
There’s lots of fairly hysterical coverage of the topic by anti-virus companies (both the Sophos page and Intego), but at the moment it’s more of a punishment for the unwary than a major threat. But it’s almost certainly a harbinger of things to come.
To avoid getting into trouble, if you use Safari, go and uncheck that option (Safari/Preferences/General, right at the bottom of the tab). Firefox, Chrome and Opera are not affected.