Apple plays Whack-A-Mole with malware authors (updated)

Eight hours after Apple released a security update to protect against the Mac Defender malware the author(s) modified it to bypass the new File Quarantine signatures. Then Apple updated the signatures again. Game on!

After being in the wild for more than a month, Apple released Security Update 2011-003 on Tuesday in response to the Mac Defender/Mac Guard malware, which is believed to be the first credible malware targeting Mac OS X.

The problem is that, eight hours after Apple released the update, the author(s) had already modified the malware (now called Mac Guard) to bypass the new File Quarantine signatures added in the patch.

ZDNet's Ed Bott has posted two videos that show how Mac Guard (the current release of this malware) behaves before and after the Apple security update.

Apple is now actively engaged in a game of "Whack-A-Mole" with the malware authors.

Apple patches. Malware authors recompile. Repeat.

Update: Italian site Spider-Mac reports [translation] that Apple updated its File Quarantine signatures overnight to detect the new Mac Guard variant. It did so by modifying the Xprotect.plist file with a new entry for "OSX.MacDefender.C".

After installing Security Update 2011-003 a new option appears in System Preferences > Security called "Automatically update safe downloads list" that is checked by default.

This allows Apple to push out updates to its File Quarantine signatures automatically, without requiring the user to run Software Update and install a patch. But Apple's mechanism is far from perfect. Ed Bott notes that the "safe downloads" updater only runs at startup or every 24 hours. In other words, if you don't reboot (which I almost never do), your Mac would remain vulnerable to Mac Defender/Mac Guard until the 24-hour clock expires.
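The two facts above (Apple ships detections as entries in XProtect.plist, and the signature list is refreshed at most once every 24 hours unless you reboot) are the kind of thing a defender wants to verify on a machine rather than take on faith. The following is an added example, not code from the article or from Apple: it parses a constructed plist in the same shape as the XProtect entries (the field names `Description`, `Matches`, `MatchType` and `Identity` and the hash values are illustrative assumptions), reports whether a named signature such as "OSX.MacDefender.C" is present, and computes how many hours remain before the next scheduled signature check given the 24-hour interval the article describes. The article does not state where XProtect.plist lives on disk, so the script only reads a real file if you pass its path on the command line.

```python
import plistlib
import sys
from datetime import datetime, timedelta

# Constructed sample that mimics the layout of XProtect.plist entries.
# The field names and the (all-zero) SHA-1 identities are illustrative
# assumptions for this example, not Apple's real signature data.
SAMPLE_XPROTECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>OSX.MacDefender.A</string>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchType</key><string>Match</string>
        <key>Identity</key><data>AAAAAAAAAAAAAAAAAAAAAAAAAAA=</data>
      </dict>
    </array>
  </dict>
  <dict>
    <key>Description</key><string>OSX.MacDefender.C</string>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchType</key><string>Match</string>
        <key>Identity</key><data>AAAAAAAAAAAAAAAAAAAAAAAAAAA=</data>
      </dict>
    </array>
  </dict>
</array>
</plist>
"""


def signature_names(plist_bytes: bytes) -> list:
    """Return the Description (signature name) of every entry in the plist."""
    entries = plistlib.loads(plist_bytes)
    return [entry.get("Description", "") for entry in entries]


def has_signature(plist_bytes: bytes, name: str) -> bool:
    """True when a signature with the given name is present."""
    return name in signature_names(plist_bytes)


def missing_signatures(plist_bytes: bytes, expected: list) -> list:
    """Names from `expected` that the plist does not yet contain."""
    present = set(signature_names(plist_bytes))
    return [name for name in expected if name not in present]


def hours_until_next_check(last_check: datetime, now: datetime,
                           interval_hours: int = 24) -> float:
    """Hours of remaining exposure before the periodic signature refresh fires.

    Models the behaviour described in the article: the 'safe downloads list'
    updater runs at startup or once per interval, so a machine that is not
    rebooted waits for the remainder of the interval.  Returns 0.0 when the
    check is already due.
    """
    due = last_check + timedelta(hours=interval_hours)
    remaining = (due - now).total_seconds() / 3600.0
    return max(0.0, remaining)


def protection_report(plist_bytes: bytes, expected: list,
                      last_check: datetime, now: datetime) -> dict:
    """Combine the signature check and the refresh-window check into one view."""
    return {
        "missing": missing_signatures(plist_bytes, expected),
        "hours_until_refresh": hours_until_next_check(last_check, now),
    }


if __name__ == "__main__":
    # Read a real XProtect.plist if a path is given, otherwise use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_XPROTECT
    report = protection_report(
        data,
        ["OSX.MacDefender.A", "OSX.MacDefender.C"],
        last_check=datetime(2011, 6, 1, 8, 0),   # constructed timestamps
        now=datetime(2011, 6, 1, 20, 0),
    )
    print("signatures present:", signature_names(data))
    print("missing:", report["missing"] or "none")
    print("hours until next refresh:", report["hours_until_refresh"])
```

Run it with no arguments to exercise the constructed sample, or with the path of a real signature plist to list what it actually contains; the point of the second function is to make the 24-hour gap concrete for a given last-check time rather than to replace a reboot.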

Is this the beginning of the end of Mac security as we know it?
