Posted by: David Harley | May 25, 2011

MacGuard: fake AV raising the bar

Just when I was getting really bored with the MacDefender thing, Intego comes along with a blog about a variant called MacGuard that doesn’t require the victim to enter an administrator password.

According to Intego it achieves this little bit of magic because if you’re the only user on a Mac (sounds like the average home user to me) and therefore have, by default, administrator rights, you don’t need to enter the administrator password to install software in the Applications folder, which is where the downloader parks itself. The downloader connects to a malicious IP address hidden in its own Resources folder inside a mildly doctored image file. Neat, but nasty.
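As an added example (not from Intego or from this post), the Python below turns the two points in the paragraph above into checks a Mac owner or admin could run: whether the current account can write to /Applications with no authorization prompt, and whether a PNG inside an app bundle's Resources folder carries data after its IEND chunk. Intego does not say how the image was doctored, so "data appended after the image terminator" is an assumption used to build the constructed sample; the Fake.app bundle, the filenames and the 203.0.113.5 address are constructed test data, not real artefacts.

```python
import os
import re
import struct
import tempfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def png_trailing_bytes(data: bytes) -> bytes:
    """Return whatever follows the PNG IEND chunk, or b'' if nothing does.

    A well-formed PNG ends exactly at IEND; anything after it is foreign data
    that an image viewer silently ignores but a downloader can read back.
    """
    if not data.startswith(PNG_SIG):
        return b""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # chunk header + payload + CRC
        if ctype == b"IEND":
            return data[pos:]
    return b""                          # truncated, or not a PNG we understand


def extract_ipv4(blob: bytes) -> list:
    """Pull dotted-quad strings out of a byte blob (what an analyst looks for first)."""
    return [m.decode() for m in IPV4_RE.findall(blob)]


def scan_app_resources(bundle_path: str) -> list:
    """Check every PNG under <bundle>/Contents/Resources for trailing data.

    Returns a list of (relative_path, trailing_length, ipv4_strings) tuples.
    """
    findings = []
    res_dir = os.path.join(bundle_path, "Contents", "Resources")
    for root, _dirs, files in os.walk(res_dir):
        for name in files:
            if not name.lower().endswith(".png"):
                continue
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                trailing = png_trailing_bytes(fh.read())
            if trailing:
                rel = os.path.relpath(full, bundle_path)
                findings.append((rel, len(trailing), extract_ipv4(trailing)))
    return findings


def writable_without_prompt(path: str = "/Applications") -> bool:
    """True if the current user can write here without an authorization dialog.

    Plain POSIX permissions decide this: /Applications is group-writable by
    the admin group, so a sole admin user gets True.
    """
    return os.access(path, os.W_OK)


# --- constructed sample data (not real malware artefacts) --------------------

def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """A valid 1x1 greyscale PNG, used as the clean baseline."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")   # filter byte + one pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


DOCTORED_PAYLOAD = b"http://203.0.113.5/"   # TEST-NET-3 address, constructed


def demo() -> list:
    """Build a throwaway .app bundle with one clean and one doctored PNG, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        res = os.path.join(tmp, "Fake.app", "Contents", "Resources")
        os.makedirs(res)
        with open(os.path.join(res, "clean.png"), "wb") as fh:
            fh.write(make_minimal_png())
        with open(os.path.join(res, "background.png"), "wb") as fh:
            fh.write(make_minimal_png() + DOCTORED_PAYLOAD)
        return scan_app_resources(os.path.join(tmp, "Fake.app"))


if __name__ == "__main__":
    for rel, n, ips in demo():
        print(f"{rel}: {n} trailing bytes, IPv4 strings {ips}")
    print("current user can write /Applications without a prompt:",
          writable_without_prompt())
```

The trailing-data check is a heuristic: legitimate tools occasionally leave junk after IEND, so a hit is a reason to look at the bundle, not a verdict. The permission check is the more important one for the point Intego makes, since it shows why the password prompt never appears on a single-admin Mac.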

This is not the sky falling, but it does change the game somewhat. It means that all advice along the lines of “treat as suspicious all unexpected requests for the administrator password in order to install something you weren’t expecting to install” requires expansion.

Intego suggest, essentially, that you treat as suspicious anything that claims to be scanning your Mac. Which is sound advice for the moment, but I have a horrible suspicion that this story doesn’t stop here.

David Harley CITP FBCS CISSP
Small Blue-Green World
