Just when I was getting really bored with the MacDefender thing, Intego comes along with a blog post about a variant called MacGuard that doesn’t require the victim to enter an administrator password.
According to Intego, it achieves this little bit of magic because if you’re the only user on a Mac (which sounds like the average home user to me) you have, by default, administrator rights, and an administrator doesn’t need to enter a password to install software into the Applications folder: /Applications is owned by root but writable by the admin group, so copying an application into it never triggers an authentication dialog. That is exactly where the downloader parks itself. Rather than carrying its command-and-control address in plain sight, the downloader connects to a malicious IP address hidden inside a mildly doctored image file in its own Resources folder. Neat, but nasty.
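One practical check for the hidden-address trick described above, written here as an added illustration rather than as code from Intego or from this post: look at every image file in an app bundle's Contents/Resources folder for bytes appended after the image's real end-of-file marker, and for anything that looks like a dotted-quad IPv4 address. The exact way MacGuard doctors its image is not described above, so the example assumes the address is stored as plain text after the image data; the sample PNG bundle and the 192.0.2.10 address are constructed for the example and have nothing to do with the real malware.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"

# Dotted-quad IPv4 literal, bounded so that "1.2.3.456" or a digit run inside a
# longer number is not reported.
IPV4_RE = re.compile(
    rb"(?<![0-9.])(?:(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])\.){3}"
    rb"(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])(?![0-9.])"
)


def png_end_offset(data):
    """Walk the PNG chunk list and return the offset just past IEND's CRC.

    Returns None if the data is not a PNG or the chunk list is truncated.
    """
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # header + payload + CRC
        if chunk_end > len(data):
            return None
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return None


def jpeg_end_offset(data):
    """Return the offset just past the last EOI marker, or None if not a JPEG.

    Heuristic: a plain-text trailer will not contain FF D9, so the last EOI in
    the file is taken to be the real one (embedded EXIF thumbnails have their own).
    """
    if not data.startswith(JPEG_SOI):
        return None
    eoi = data.rfind(JPEG_EOI)
    return None if eoi == -1 else eoi + len(JPEG_EOI)


def analyse_image(name, data):
    """Report bytes trailing the image's end marker and any IPv4 literals in the file."""
    end = png_end_offset(data) if data.startswith(PNG_SIG) else jpeg_end_offset(data)
    trailing = len(data) - end if end is not None else 0
    ips = sorted({m.decode("ascii") for m in IPV4_RE.findall(data)})
    return {"file": name, "trailing_bytes": trailing, "ips": ips}


def scan_resources(files):
    """files: mapping of file name -> bytes, as read from a bundle's Contents/Resources.

    Returns findings only for image files that carry a trailer or an IPv4 literal.
    """
    findings = []
    for name, data in files.items():
        if not name.lower().endswith((".png", ".jpg", ".jpeg")):
            continue
        finding = analyse_image(name, data)
        if finding["trailing_bytes"] or finding["ips"]:
            findings.append(finding)
    return findings


# --- constructed sample data (assumed for the example, not taken from MacGuard) --

def _png_chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_clean_png():
    """A valid 1x1 greyscale PNG built from scratch."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte + one pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def make_doctored_png():
    """The same image with an address (TEST-NET-1, chosen for the example) appended after IEND."""
    return make_clean_png() + b"\n192.0.2.10:8080\n"


SAMPLE_RESOURCES = {
    "logo.png": make_clean_png(),
    "background.png": make_doctored_png(),
    "Localizable.strings": b'"Scan" = "Scan";\n',
}

if __name__ == "__main__":
    for finding in scan_resources(SAMPLE_RESOURCES):
        print(finding)
```

Trailing data after IEND is the stronger signal: an address could also be hidden in a legitimate ancillary chunk or an EXIF field, which this check would catch only if it is stored as a readable dotted quad, so treat the IPv4 regex as a convenience and the end-of-image check as the real test.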
This is not the sky falling, but it does change the game somewhat. It means that all advice along the lines of “treat as suspicious all unexpected requests for the administrator password in order to install something you weren’t expecting to install” requires expansion: on a single-user Mac the absence of a password prompt no longer tells you that nothing has been installed.
Intego suggest, essentially, that you treat as suspicious anything that claims to be scanning your Mac. Which is sound advice for the moment, but I have a horrible suspicion that this story doesn’t stop here.
David Harley CITP FBCS CISSP
Small Blue-Green World