It's named MacGuard, and like the previous versions, it is distributed via poisoned search links. The payload is an installation package, avSetup.pkg.
The researchers warn that if Safari's "Open 'safe' files after downloading" option is checked, the installation package will open Apple's Installer and the user will be presented with the standard installation screen. If the option isn't checked, the installation starts only if the user double-clicks the package.
"This package installs an application – the downloader – named avRunner, which then launches automatically," explain the researchers. "At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind."
Once installed, avRunner attempts to connect to an IP address hardcoded into an image file in avRunner's Resources folder and hidden from view using steganography.
If it succeeds, it downloads the actual rogue AV application - MacGuard.
Intego advises users to ignore Finder windows that pop up and appear to scan their Mac, claiming the system is infected, and to quit their browser if confronted with them. They should also quit the Installer application if it is open and delete anything it might have downloaded. Finally, they should uncheck the "Open 'safe' files after downloading" option in Safari to prevent the automatic opening of similar files.
Hopefully Apple will take this latest version into consideration as it works on the security update it announced yesterday.
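The last piece of that advice can be audited without clicking through Safari's preferences. The following is an added example, not code from the article or from Intego: it reads the Safari preference plist with the standard library, reports whether "Open 'safe' files after downloading" is still enabled (the checkbox is backed by the `AutoOpenSafeDownloads` key, which defaults to enabled when absent), and tests itself on constructed sample plists. The on-disk plist locations are assumptions about sandboxed and legacy Safari layouts.

```python
"""Audit Safari's "Open 'safe' files after downloading" setting offline."""
import plistlib
from pathlib import Path
from typing import Optional

# Preference key behind the Safari checkbox. When the key is absent Safari
# uses its default, which is enabled (True).
SAFARI_KEY = "AutoOpenSafeDownloads"

# Assumed locations of the Safari preference file (sandboxed, then legacy).
CANDIDATE_PATHS = [
    Path.home() / "Library/Containers/com.apple.Safari/Data/Library"
                  "/Preferences/com.apple.Safari.plist",
    Path.home() / "Library/Preferences/com.apple.Safari.plist",
]

REMEDIATION = "defaults write com.apple.Safari AutoOpenSafeDownloads -bool false"


def auto_open_enabled(prefs: dict) -> bool:
    """True if Safari would hand a downloaded .pkg straight to Installer."""
    return bool(prefs.get(SAFARI_KEY, True))


def audit_plist_bytes(data: bytes) -> dict:
    """Parse a binary or XML plist and return an audit verdict."""
    prefs = plistlib.loads(data)
    enabled = auto_open_enabled(prefs)
    return {
        "key_present": SAFARI_KEY in prefs,
        "auto_open_enabled": enabled,
        "remediation": REMEDIATION if enabled else None,
    }


def find_safari_plist() -> Optional[Path]:
    """Return the first candidate preference file that exists, if any."""
    return next((p for p in CANDIDATE_PATHS if p.is_file()), None)


# Constructed sample plists (not real user data) covering the three cases.
SAMPLE_RISKY = plistlib.dumps({SAFARI_KEY: True, "HomePage": "about:blank"})
SAMPLE_SAFE = plistlib.dumps({SAFARI_KEY: False})
SAMPLE_DEFAULT = plistlib.dumps({"HomePage": "about:blank"})  # key absent

if __name__ == "__main__":
    target = find_safari_plist()
    if target is None:
        print("No Safari plist found; demo on constructed sample:")
        print(audit_plist_bytes(SAMPLE_DEFAULT))
    else:
        print(target, audit_plist_bytes(target.read_bytes()))
```

On a live Mac, `defaults read com.apple.Safari AutoOpenSafeDownloads` is the authoritative check, because cfprefsd may hold a newer value than the file on disk; the plist parser above is for offline review of collected preference files.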