Apple plays Whack-A-Mole with malware authors (updated)

Summary: Eight hours after Apple released a security update to protect against the Mac Defender malware, the author(s) modified it to bypass the new File Quarantine signatures. Then Apple updated the signatures again. Game on!

After the malware had been in the wild for more than a month, Apple released Security Update 2011-003 on Tuesday in response to Mac Defender/Mac Guard, believed to be the first credible malware targeting Mac OS X.

The problem is that eight hours after Apple released the update, the author(s) had already modified the malware (now called Mac Guard) to bypass the new File Quarantine signatures added in the patch.

ZDNet's Ed Bott has posted two videos that show how Mac Guard (the current release of this malware) behaves before and after the Apple security update.

Apple is now actively engaged in a game of "Whack-A-Mole" with the malware authors.

Apple patches. Malware authors recompile. Repeat.

Update: Italian site Spider-Mac reports (translation) that Apple updated its File Quarantine signatures overnight to detect the new Mac Guard variant. It did so by adding a new entry, "OSX.MacDefender.C", to the XProtect.plist file.

After installing Security Update 2011-003, a new option appears in System Preferences > Security called "Automatically update safe downloads list", which is checked by default.

This lets Apple push out updates to its File Quarantine signatures without requiring the user to run Software Update and install a patch. But Apple's mechanism is far from perfect. Ed Bott notes that the "safe downloads" updater only runs at startup or every 24 hours. In other words, if you don't reboot (which I almost never do), your Mac keeps running the old signature list, and stays exposed to the latest Mac Defender/Mac Guard variant, until the 24-hour clock expires.
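To make the whack-a-mole concrete, here is an added example (my own code, not Apple's and not taken from the original post) that replays the cycle against a constructed signature list. It parses a small plist laid out like the 2011-era XProtect.plist as I understand it (an array of entries with a Description, a LaunchServices content type and hex Patterns under Matches; the key names are assumptions), checks two constructed, harmless byte blobs against it, and then appends an "OSX.MacDefender.C" entry the way an overnight definition push would. The patterns and payloads are invented for illustration; treating a "Match" pattern as a substring search is also an assumption about XProtect's matcher.

```python
import plistlib

# Constructed stand-in for Apple's File Quarantine signature list
# (XProtect.plist). The layout (an array of entries, each with a
# Description, a LaunchServices content type and hex Patterns under
# Matches) follows the 2011-era file as I understand it; the key names
# and every pattern here are assumptions for illustration, not Apple's
# real signatures.
XPROTECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key>
    <string>OSX.MacDefender.A</string>
    <key>LaunchServices</key>
    <dict>
      <key>LSItemContentType</key>
      <string>com.apple.application-bundle</string>
    </dict>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchType</key>
        <string>Match</string>
        <key>Pattern</key>
        <string>4D6163446566656E646572</string>
      </dict>
    </array>
  </dict>
</array>
</plist>
"""

# Constructed download payloads (not real malware): the first carries the
# byte string the signature above keys on ("MacDefender"); the second is
# "the same" program after a rename and recompile, which is all it takes
# to slip past a literal byte-pattern signature.
MAC_DEFENDER_V1 = b"\xcf\xfa\xed\xfe" + b"MacDefender installer: enter your card number"
MAC_GUARD_V2 = b"\xcf\xfa\xed\xfe" + b"MacGuard installer: enter your card number"


def load_signatures(plist_bytes):
    """Parse an XProtect-style plist into (description, [pattern bytes, ...]) tuples."""
    sigs = []
    for entry in plistlib.loads(plist_bytes):
        patterns = [
            bytes.fromhex(m["Pattern"])
            for m in entry.get("Matches", [])
            if m.get("MatchType") == "Match"
        ]
        sigs.append((entry["Description"], patterns))
    return sigs


def scan(data, sigs):
    """Names of the signatures whose every pattern occurs somewhere in data.

    Treating "Match" as a substring search is an assumption about XProtect's
    matcher; the lesson is the same for any check on literal bytes: it fails
    the moment those bytes change.
    """
    return [name for name, patterns in sigs
            if patterns and all(p in data for p in patterns)]


def add_signature(plist_bytes, description, pattern_hex):
    """Append one entry, the way an overnight definition push adds a new variant."""
    entries = plistlib.loads(plist_bytes)
    entries.append({
        "Description": description,
        "LaunchServices": {"LSItemContentType": "com.apple.application-bundle"},
        "Matches": [{"MatchType": "Match", "Pattern": pattern_hex}],
    })
    return plistlib.dumps(entries)


def whack_a_mole():
    """Replay the cycle from the post: Apple patches, authors recompile, Apple patches again."""
    day_one = load_signatures(XPROTECT_PLIST)
    results = {
        "v1_vs_day_one": scan(MAC_DEFENDER_V1, day_one),   # caught
        "v2_vs_day_one": scan(MAC_GUARD_V2, day_one),      # recompiled variant walks through
    }
    # "4D61634775617264" is the hex of the bytes "MacGuard": a constructed
    # pattern standing in for Apple's real OSX.MacDefender.C entry.
    day_two = load_signatures(
        add_signature(XPROTECT_PLIST, "OSX.MacDefender.C", "4D61634775617264"))
    results["v2_vs_day_two"] = scan(MAC_GUARD_V2, day_two)  # caught again, until the next rebuild
    return results


if __name__ == "__main__":
    for step, hits in whack_a_mole().items():
        print(f"{step}: {hits or 'clean'}")
```

The recompiled variant is clean against the day-one list and only becomes detectable once the day-two entry lands, which is exactly the window the 24-hour updater leaves open on a machine that never reboots.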

Is this the beginning of the end of Mac security as we know it?

Topics: Security, Apple


Jason D. O'Grady developed an affinity for Apple computers after using the original Lisa, and this affinity turned into a bona-fide obsession when he got the original 128 KB Macintosh in 1984. He started writing one of the first Web sites about Apple (O'Grady's PowerPage) in 1995 and is considered to be one of the fathers of blogging....
