New Mac Malware: Passwords? We Don't Need No Stinking Passwords!
Just as Apple was officially responding to the MacDefender scareware scam that popped up a few weeks ago, a new and possibly more dangerous variant set to work tricking users into installing dangerous software. Unlike the original MacDefender scam, however, the new version does not require an administrative password to install itself on a machine and do its dirty work.
05/26/11 8:30 AM PT
The newest strain of malware aimed at the Mac OS X platform doesn't require a user password to install and spread, according to a warning from security company Intego.
Like a similar scam that arose weeks ago, this new version of malware promises visitors of certain websites a free security scan. Unlike the older version, however, the new Mac malady installs itself without requiring the user to input an administrative password.
Do the Evolution
The infection emerged just hours after Apple acknowledged a different "rogueware" application infiltrating its platform. Labeled "MacDefender," the security scam attempts to trick users into thinking their computers are full of viruses and bugs.
Once installed, the malware taunts users with pop-ups and messages, luring them into paying for the "security" service.
"It instructs users they are required to purchase the product in order to remove the malware, which is a fraud. MacDefender steals the money victims pay to purchase this fake product and hands over their credit card information to criminals," Amit Klein, CTO of Trusteer, told MacNewsWorld.
After Apple owned up to the threat and insisted it was updating Mac OS X to identify the scareware, a new strain -- MacGuard -- popped up.
The newest version is more threatening because, unlike the previous versions, it doesn't prompt the user for a password in order to install the program. This means that one careless click could lead to lasting infection.
The process involves two separate parts. First, an installation package is downloaded automatically after a user visits a certain site specifically crafted for infectious purposes.
Then, depending on browser settings, the package could cause Apple's Installer to open and the standard installation process can begin.
Even if the settings don't allow the file to install automatically, users may be curious about the file and click through without realizing it could be harmful.
Researchers speculate that the same group of hackers is responsible for all the variants and has upped its game by removing one step -- the password prompt -- from the MacGuard installation.
"This new variant is very similar to previous ones, but the installation process, bypassing the need for a password, does make it more dangerous," Peter James, spokesperson for Intego, told MacNewsWorld.
Proceed With Caution
Still, security experts say this isn't a complete breach of Apple security. Instead, hackers are preying on user vulnerability. Social engineering, in this case, is the hacker tool of choice.
"Fraudsters are becoming more sophisticated in their use of social engineering tactics and keep coming up with creative new ways to convince people to surrender their personal information and payment card data, which puts money at risk," said Klein.
"The Mac OS is not more secure than PC OS. It has just been attacked less frequently by malware authors. This is slowly changing. We are seeing more attack tools for the Mac OS being released. If this continues, the risk of using a Mac could become similar to the risk of using a PC," said Klein.
As of press time, Apple hadn't released a statement addressing this particular malware and didn't respond to MacNewsWorld's request for comment.
Since both the new and old scareware scams are designed to trick the user, Mac owners need to be wary of suspicious computer activity.
The red flag, according to Intego, is a Finder-like window that appears to be scanning the computer. If a user sees that, Intego recommends quitting the browser immediately.
If anything has downloaded, the Installer application should be closed and the file should be deleted out of the Downloads folder.
Under Safari's General Preferences, users are advised to uncheck the "Open safe files after downloading" option.
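An added audit script for the two checks just described, written as a macOS shell helper; it is not code from the article or from Intego. It assumes Safari keeps that checkbox under the defaults key AutoOpenSafeDownloads in the com.apple.Safari domain, and it only reports, leaving any change to the user.

```shell
#!/bin/sh
# Added audit helper (not from the article or Intego). It reports the state
# of Safari's "Open safe files after downloading" checkbox and lists installer
# packages sitting in a downloads folder, the two things the article says to
# look at. Assumes macOS and the Safari defaults key AutoOpenSafeDownloads.

# Turn the raw value printed by `defaults read` into a verdict. Safari stores
# the checkbox as a boolean (shown as 1/0 or true/false); an absent key means
# Safari's default, which is the risky "enabled" state.
auto_open_verdict() {
    case "$1" in
        0|false|NO|no) echo "disabled" ;;
        ""|1|true|YES|yes) echo "enabled" ;;
        *) echo "unknown" ;;
    esac
}

# Read the live preference; only meaningful on macOS where `defaults` exists.
check_safari_auto_open() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "unknown"
        return 0
    fi
    value=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)
    auto_open_verdict "$value"
}

# List installer-type items (.pkg files, .mpkg bundles) in a folder; these are
# what Apple's Installer opens and what the article says to delete if an
# unexpected one appeared in Downloads.
find_installer_files() {
    find "$1" -maxdepth 2 \( -name '*.pkg' -o -name '*.mpkg' \) 2>/dev/null | sort
}

# Human-readable report for the current user.
audit_report() {
    echo "Safari 'Open safe files after downloading': $(check_safari_auto_open)"
    echo "Installer packages under $HOME/Downloads:"
    find_installer_files "$HOME/Downloads"
    echo "To disable the auto-open behaviour, run:"
    echo "  defaults write com.apple.Safari AutoOpenSafeDownloads -bool false"
}

# Run the report only when executed directly, not when sourced for testing.
if [ "${0##*/}" = "safari_audit.sh" ]; then
    audit_report
fi
```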
If users are alert and cautious, they can avoid harming their device.
"This is not a Mac OS X vulnerability, but social engineering, taking advantage of users who are unaware of what is happening," said James.