Published May 26th, 2011 at 10:32 PM EDT , modified May 27th, 2011 at 1:09 PM EDT
I managed to get my hands on a copy of MacGuard this evening, and ran it through some tests to try to clarify some of the rumors floating around. The good news is that, in all, this is just another boring old variant in the MacDefender malware line. The same old removal instructions still apply, and the application itself does not appear to have developed any new features. However, when it comes to the installation, there are some notable differences!
The version of MacGuard I have was downloaded from a site that looks just the same as the MacSecurity/MacProtector sites:
There has been no significant change to this web interface that I can see. Once you click Remove All, a file named MacProtector.mpkg.zip is downloaded. Inside that .zip file is a file named avSetup.pkg. (Other people are reporting an installer named avRunner.pkg… how different that may be, I don’t know. Most likely it’s the same thing by a different name.) As usual, if Safari’s Open “safe” files after downloading option is turned on, the .zip file is decompressed and the installer is opened automatically. Thus far, the only difference is the name of the installer, but that’s about to change.
I proceeded to click the Install button, and suddenly things aren’t looking so similar. This time, there is no password prompt… it simply installs! It connected to another site (after I approved the connection in Little Snitch), downloaded the app and installed it in the main Applications folder. After that point, the rest of MacGuard’s behavior is the same as for all the previous variants, and the same MacDefender removal instructions apply.
The differences pose a pretty big problem on a couple of levels. First, security experts have been warning against providing your administrative password incautiously, which will almost certainly lead many people to believe that the lack of a password prompt makes something safe. That is not true, and never has been, for that matter, but that won’t stop people from thinking that. In the future, security experts will need to provide better guidelines for recognizing malware than “don’t enter your password.”
Second, because the installer downloads the actual payload, it’s entirely possible that a quick-and-dirty installer could slip right past anti-virus software and then download a more sophisticated malicious payload right under its nose. (Whether that would work will depend on each individual anti-virus software package.) This is a perfect illustration of the problems of over-reliance on anti-virus software. You simply cannot install it and forget it, assuming that you are now safe. Your brain must be the first line of defense, with anti-virus software used, if you choose to do so, as a backup.
One interesting thing to note about MacGuard: if you try to install it from a Standard account, rather than from an Administrator account, the installer simply fails. This proves that it is safer to use a Standard account for day-to-day use, reserving your Administrator account for the tasks that actually require it. Of course, there is no guarantee that this behavior will persist. Nothing that the MacDefender series of trojans do requires admin access.
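The two observations above (no password prompt for an Administrator account, outright failure for a Standard account, and a payload dropped straight into the Applications folder) come down to file permissions: on a Mac, /Applications is writable by the admin group, so an Administrator account needs no authentication to put an app there. The following audit script is an added example, not part of the original post; it checks whether the current account could have an app dropped there silently and lists what arrived recently. The function names, the `--audit` switch and the default lookback of 1 day are my own choices.

```sh
#!/bin/sh
# Added example: audit an account's standing against a no-password install.
set -e

# Returns 0 if the word "admin" appears in the space-separated group list $1.
# On a Mac, `id -Gn` prints the account's groups; Administrator accounts are
# in 'admin', Standard accounts are not.
lists_admin_group() {
    for g in $1; do
        [ "$g" = "admin" ] && return 0
    done
    return 1
}

# Is the account running this script an Administrator?
is_admin_account() {
    lists_admin_group "$(id -Gn)"
}

# Returns 0 if directory $1 exists and is writable by the current user.
# /Applications is group-writable by 'admin', which is why the installer
# described above needs no password from an Administrator but fails for a
# Standard account.
dir_writable_by_me() {
    [ -d "$1" ] && [ -w "$1" ]
}

# "admin-writable" if an app could be dropped into $1 without a password
# prompt from this account, "standard" otherwise (default: /Applications).
account_standing() {
    if dir_writable_by_me "${1:-/Applications}"; then
        echo "admin-writable"
    else
        echo "standard"
    fi
}

# Prints entries of $1 modified within the last $2 days, sorted, one per
# line (defaults: /Applications, 1 day), to spot a freshly dropped app.
recently_added() {
    dir="${1:-/Applications}"
    days="${2:-1}"
    find "$dir" -mindepth 1 -maxdepth 1 -mtime "-$days" -exec basename {} \; | sort
}

# Run as: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    is_admin_account && echo "account: Administrator" || echo "account: Standard"
    echo "Applications folder: $(account_standing)"
    echo "modified in the last day:"; recently_added
fi
```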
As an interesting aside, see Rich Mogull’s article for MacWorld, where he discusses this outbreak from an interesting perspective that I fully agree with but haven’t seen articulated nearly as well by anyone else.
[The following update added 5/27/2011 @ 1:00 PM]
The link from which I downloaded this malware is, of course, dead today. However, more interesting (though not surprising) is the fact that the installer no longer functions today. The site from which it downloaded the actual payload must have been blocked or taken down. This means that we’re likely to see repeated minor variations of the malware, as the security community finds each variant and shuts the door on the servers involved in distributing the malware.
Also, note that the latest ClamXav definitions identify this installer today as Trojan-Downloader.OSX.Fav.A.