
MacGuard details

Published May 26th, 2011 at 10:32 PM EDT , modified May 27th, 2011 at 1:09 PM EDT

I managed to get my hands on a copy of MacGuard this evening, and ran it through some tests to try to clarify some of the rumors floating around.  The good news is that, in all, this is just another boring old variant in the MacDefender malware line.  The same old removal instructions still apply, and the application itself does not appear to have developed any new features.  However, when it comes to the installation, there are some notable differences!

The version of MacGuard I have was downloaded from a site that looks just the same as the MacSecurity/MacProtector sites:

There has been no significant change to this web interface that I can see. Once you click Remove All, a file named MacProtector.mpkg.zip is downloaded. Inside that .zip file is a file named avSetup.pkg. (Other people are reporting an installer named avRunner.pkg… how different that may be, I don’t know. Most likely it’s the same thing by a different name.) As usual, if Safari’s “Open ‘safe’ files after downloading” option is turned on, the .zip file is decompressed and the installer is opened automatically. Thus far, the only difference is the name of the installer, but that’s about to change.

I proceeded to click the Install button, and suddenly things aren’t looking so similar.  This time, there is no password prompt…  it simply installs!  It connected to another site (after I approved the connection in Little Snitch), downloaded the app and installed it in the main Applications folder.  After that point, the rest of MacGuard’s behavior is the same as for all the previous variants, and the same MacDefender removal instructions apply.

The differences pose a pretty big problem on a couple levels.  First, security experts have been warning against providing your administrative password incautiously, which will almost certainly lead many people to believe that the lack of a password prompt makes something safe.  That is not true, and never has been, for that matter, but that won’t stop people from thinking that.  In the future, security experts will need to provide better guidelines for recognizing malware than “don’t enter your password.”

Second, because the installer downloads the actual payload, it’s entirely possible that a quick-and-dirty installer could slip right past anti-virus software and then download a more sophisticated malicious payload right under its nose. (Whether that would work will depend on each individual anti-virus software package.) This is a perfect illustration of the problems of over-reliance on anti-virus software. You simply cannot install it and forget it, assuming that you are now safe. Your brain must be the first line of defense, with anti-virus software used, if you choose to do so, as a backup.

One interesting thing to note about MacGuard: if you try to install it from a Standard account, rather than from an Administrator account, the installer simply fails. This proves that it is safer to use a Standard account for day-to-day use, reserving your Administrator account for those tasks that actually require it. Of course, there is no guarantee that this behavior will persist. Nothing that the MacDefender series of trojans do requires admin access.
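A small audit script for the two points above, added here and not part of the original post: it assumes macOS keeps local administrators in the `admin` group and makes `/Applications` writable by that group, which is what lets an admin user’s installer drop an app there with no password prompt while a Standard account cannot, and it lists recently changed entries in the Applications folder as a cheap check for a freshly installed app.

```shell
#!/bin/sh
# Added audit helper (not code from the original post). Assumption: on macOS, local
# administrators are in the "admin" group and /Applications is group-writable, so an
# admin user's installer can write there with no password prompt; a Standard user cannot.
APPS_DIR="${APPS_DIR:-/Applications}"
ADMIN_GROUP="${ADMIN_GROUP:-admin}"

# Does account $1 belong to group $2? (id -Gn prints the account's group names.)
user_in_group() {
    for g in $(id -Gn "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Can this process write into directory $1 without any authorization prompt?
# (For root this is always true, so run the audit as the day-to-day user.)
dir_writable_unprompted() {
    [ -d "$1" ] && [ -w "$1" ]
}

# Top-level entries of directory $1 changed within the last $2 days: a cheap way to
# spot an app bundle that an installer dropped into the Applications folder recently.
recent_entries() {
    find "$1" -mindepth 1 -maxdepth 1 -mtime "-$2" 2>/dev/null | sort
}

# Print one line per finding for the current account. Returns 0 when the account could
# be hit by a no-password installer like the one described above, 1 otherwise.
audit_account() {
    user="$(id -un)"
    exposed=1
    if user_in_group "$user" "$ADMIN_GROUP"; then
        echo "WARN: $user is in group '$ADMIN_GROUP' (admin account in day-to-day use)"
        exposed=0
    else
        echo "OK: $user is a Standard account; an installer cannot write $APPS_DIR silently"
    fi
    if dir_writable_unprompted "$APPS_DIR"; then
        echo "WARN: $APPS_DIR is writable by $user without authentication"
        exposed=0
    fi
    echo "Entries in $APPS_DIR changed in the last 7 days:"
    recent_entries "$APPS_DIR" 7
    return $exposed
}

# Run the audit only when invoked with --run, so the functions can also be sourced.
[ "${1:-}" = "--run" ] && audit_account
```

Run it as `sh audit.sh --run` from the account you use every day; a Standard account should report OK and show nothing unexpected under the Applications folder.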

As an interesting aside, see Rich Mogull’s article for MacWorld, where he discusses this outbreak from an interesting perspective that I fully agree with but haven’t seen articulated nearly as well by anyone else.

[The following update added 5/27/2011 @ 1:00 PM]

The link from which I downloaded this malware is, of course, dead today.  However, more interesting (though not surprising) is the fact that the installer no longer functions today.  The site from which it downloaded the actual payload must have been blocked or taken down.  This means that we’re likely to see repeated minor variations of the malware, as the security community finds each variant and shuts the door on the servers involved in distributing the malware.

Also, note that the latest ClamXav definitions identify this installer today as Trojan-Downloader.OSX.Fav.A.


6 Comments

  • sylvia says:

    I try to follow your instructions but macguard and mackeeper won’t remove

    • Thomas says:

      More information would be required to know why that might be. Also, note that MacKeeper is technically not malware, though thanks to shady marketing practices and the fact that much of what it does is not necessary (and some not even a good idea), most folks consider it to be barely a step up from malware. Removing MacKeeper would probably not involve the same procedure, though I don’t know for sure.

  • sylvia says:

    related to macguard:
    it seems some of the program might be removed but there is a macguard box in trash that will not delete

    I then stupidly added mackeeper thinking it was legit though I’ve been a macuser since the 80’s (how stupid can one be!) and it won’t remove at all. I follow your instructions; in the final step the delete button is grayed out and can’t be clicked.

  • sylvia says:

    Okay, I think I finally removed them both. (I hope, fingers crossed, etc.) Thank you for your help. I’m now a fan of yours and will go back often to your site.

  • tony curtis says:

    Hi Thomas, there appears to be a static Troj (or a spoof?) at [IP address removed] It’s an image when searching for Thunderbirds mole and scrolling down. Direct Google link: Thunderbirds mole godka.pl=188 et-al

    Haven’t checked yet if latest Apple update, or ClamXAV catches it, so far just forced-quit.

    regards

    tony curtis

  • C. Dougherty says:

    This URL is up and running this Trojan as of today (15 June 2011):

    [URL removed]
