.. have they figured out how to install it without asking an admin user for permission?
From the second article: "Bott tested Mdinstall.pkg on a Mac running Safari, and the malware installed itself without a password." It seems you don't need a password for at least one of the new variants, although you still get the "This is from the internet, do you trust it?" warning.
Wasn't there something about a PASCAL programmer knowing the value of everything and the Wirth of nothing?