Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

MacDefender ups the ante with removing the password need for installation

Published: 2011-05-26
Last Updated: 2011-05-26 12:17:12 UTC
by Swa Frantzen (Version: 1)
4 comment(s)

MacDefender, malware posing as security software that targets Mac OS X, and to which only days ago Apple had responded with instructions and a promise of an OS X update to eradicate the threat, has upped the ante with a new version according to Intego that does not need to ask the user's password any longer.

No, it's not using an exploit to avoid asking the right to write in the /Applications directory, it simply installs the software and activates it for the current user only. Since most macs are using only a single user that changes little for the malware. But it removes the pop-up for your password. Anybody in the admin group can write to the /Applications directory:

So they do not need to use the graphical sudo functionality as long as you're in the admin group (something administrator accounts are).

Not typing your password when you did not ask for software to be installed was one of those simple rules to explain to the users, guess we're now down to those much harder to explain instructions for our users.

--
Swa Frantzen -- Section 66

Keywords: mac macdefender
4 comment(s)
Diary Archives