Apple plays Whack-A-Mole with malware authors (updated)

Summary: Eight hours after Apple released a security update to protect against the Mac Defender malware the author(s) modified it to bypass the new File Quarantine signatures. Then Apple updated the signatures again. Game on!

Topics: Security, Apple, Malware

After it had been in the wild for more than a month, Apple released Security Update 2011-003 on Tuesday in response to the Mac Defender/Mac Guard malware, which is believed to be the first credible malware targeting Mac OS X.

The problem is that eight hours after Apple released the update, the author(s) had already modified the malware (now called Mac Guard) to bypass the new File Quarantine signatures added in the patch. Those signatures match specific byte patterns taken from known samples, so a recompiled build whose bytes differ sails past them until Apple adds an entry for it.

ZDNet's Ed Bott has posted two videos that show how Mac Guard (the current release of this malware) behaves before and after the Apple security update.

Apple is now actively engaged in a game of "Whack-A-Mole" with the malware authors.

Apple patches. Malware authors recompile. Repeat.

Update: Italian site Spider-Mac reports [translation] that Apple updated its File Quarantine signatures overnight to detect the new Mac Guard variant. It did so by adding a new entry for "OSX.MacDefender.C" to the XProtect.plist file (on Snow Leopard, /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist).

After installing Security Update 2011-003 a new option appears in System Preferences > Security called "Automatically update safe downloads list" that is checked by default.

This lets Apple push updates to its File Quarantine signatures without requiring the user to run Software Update and install a patch. But Apple's mechanism is far from perfect. Ed Bott notes that the "safe downloads" updater only runs at startup or every 24 hours. In other words, if you don't reboot (which I almost never do), your Mac stays exposed to a new Mac Defender/Mac Guard variant until the 24-hour clock expires. Bear in mind, too, that these signatures are consulted only when a download carrying the quarantine attribute is first opened; they are not applied to files already on disk, nor to anything fetched by a tool that does not set that attribute.
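To make the signature-matching point concrete, here is an added Python model of an XProtect-style check run over constructed sample bytes. It is not Apple's code: the plist layout only loosely follows the 10.6-era XProtect.plist (Description, LaunchServices/LSItemContentType, Matches/Pattern), the exact-bytes match and the sample installer bytes are assumptions made for illustration, and the hex patterns are simply the ASCII of "MacDefender" and "MacGuard". It replays the sequence in the article: variant A is caught, the recompiled variant C is not until an "OSX.MacDefender.C" entry is appended, and a machine that never reboots can sit on the old list for the full 24-hour updater interval.

```python
"""Toy model of a File Quarantine / XProtect-style signature check.

Added example, not Apple's code. Plist keys are modeled loosely on the
Snow Leopard XProtect.plist; the exact-bytes "Match" semantics and the
sample installer bytes below are simplifying assumptions.
"""
import plistlib

# Constructed sample signature file with a single entry for variant A.
# Pattern is hex for the ASCII bytes "MacDefender".
SAMPLE_XPROTECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
  <dict>
    <key>Description</key>
    <string>OSX.MacDefender.A</string>
    <key>LaunchServices</key>
    <dict>
      <key>LSItemContentType</key>
      <string>com.apple.installer-package-archive</string>
    </dict>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchType</key>
        <string>Match</string>
        <key>Pattern</key>
        <string>4D6163446566656E646572</string>
      </dict>
    </array>
  </dict>
</array>
</plist>
"""

# Constructed stand-ins for the downloaded installer bytes. The only change
# between "A" and "C" is that the author rebuilt the package under a new
# product name, which is all it takes to miss an exact byte pattern.
VARIANT_A_BYTES = b"\x00pkg\x00MacDefender Setup\x00avSetup.pkg\x00"
VARIANT_C_BYTES = b"\x00pkg\x00MacGuard Setup\x00avSetup.pkg\x00"
INSTALLER_UTI = "com.apple.installer-package-archive"
UPDATER_INTERVAL_HOURS = 24  # per Ed Bott: runs at startup or every 24 hours


def load_signatures(plist_bytes):
    """Parse the plist into a list of (description, uti, [pattern bytes])."""
    sigs = []
    for entry in plistlib.loads(plist_bytes):
        uti = entry["LaunchServices"]["LSItemContentType"]
        patterns = [bytes.fromhex(m["Pattern"]) for m in entry["Matches"]
                    if m.get("MatchType") == "Match"]
        sigs.append((entry["Description"], uti, patterns))
    return sigs


def add_signature(sigs, description, uti, pattern_hex):
    """What a signature update does: append one more exact pattern."""
    sigs.append((description, uti, [bytes.fromhex(pattern_hex)]))


def scan_download(data, uti, sigs):
    """Return every signature whose content type matches the download and
    whose patterns all occur in the bytes. Exact match only, so a single
    changed byte in the matched region is enough to evade."""
    hits = []
    for description, sig_uti, patterns in sigs:
        if sig_uti != uti:
            continue
        if patterns and all(p in data for p in patterns):
            hits.append(description)
    return hits


def updater_window_expired(hours_since_last_run, interval_hours=UPDATER_INTERVAL_HOURS):
    """True once a never-rebooted machine is due for its next pull; until
    then it is running on whatever list it fetched last time."""
    return hours_since_last_run >= interval_hours


def whack_a_mole():
    """Replay the article's sequence on the constructed data."""
    sigs = load_signatures(SAMPLE_XPROTECT_PLIST)
    a_before = scan_download(VARIANT_A_BYTES, INSTALLER_UTI, sigs)
    c_before = scan_download(VARIANT_C_BYTES, INSTALLER_UTI, sigs)
    # Apple's overnight update: hex for the ASCII bytes "MacGuard".
    add_signature(sigs, "OSX.MacDefender.C", INSTALLER_UTI, "4D61634775617264")
    c_after = scan_download(VARIANT_C_BYTES, INSTALLER_UTI, sigs)
    return {"variant_a_before_update": a_before,
            "variant_c_before_update": c_before,
            "variant_c_after_update": c_after}


if __name__ == "__main__":
    print(whack_a_mole())
    print("stale after 30h:", updater_window_expired(30))
```

The content-type gate is worth noticing: the same bytes delivered as a different kind of file would not even be compared against the pattern, which is one more reason this is a download filter rather than a resident scanner.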

Is this the beginning of the end of Mac security as we know it?

Talkback

44 comments
  • LIES!

    All Apple products are immune from viruses and malware.

    It must be true, because Steve Jobs (Apple) and his fellow board member Eric Schmidt (Google) keep telling me so.
    Tim Acheson
  • Unless users willingly and voluntarily install malware (like MacDefender) ...

      @Tim Acheson: ... Apple products are *effectively* immune from viruses and malware, yes (even though theoretically they are not immune): not a single epidemic in the whole twenty-seven-year history of the Macintosh.

      "your Mac would be vulnerable to Mac Defender/Mac Guard until the 24-hour clock expires."

      The Mac is not -- and never was -- vulnerable to any variant of Mac Defender/Guard, etc., please do not distort. Each and every time the user has to willingly and voluntarily install it after believing the ridiculous claim that his/her Macintosh has got a "virus" (even though there was no epidemic ever). And after that the user has to be twice as clueless to actually get harmed by it.
      DDERSSS
      • The problem is ....

        @denisrs

        if it "just works" you should not have to think.

        Your analysis applies equally to Windows I might add.
        Economister
      • RE: Apple plays whack-a-mole with malware authors

        @denisrs
        How much does Apple pay you for your inane posts?
        Droid101
      • RE: Apple plays whack-a-mole with malware authors

        @Economister: applies to Windows 7 malware with similar qualities, yes. But in more than malware, risks for Windows 7 are still theoretically higher (practically not that much, since MS does great work patching vulnerabilities).

        @Droid101: How much does Google pay you for your inane posts?
        DDERSSS
      • RE: Apple plays whack-a-mole with malware authors

        @denisrs "Mac is not -- and never was -- vulnerable to any variant Mac Defender/Guard, etc., please do not distort" I call bullsh1t on this. IF the Mac is not vulnerable to Mac Defender then there would be NO articles on it, no Apple Antivirus software (their terms BTW, not mine), and no debate over this. By your logic that this requires user interaction and approval, I can say that my Windows 7 machine is not vulnerable to the Windows 7 Defender (or whatever it's called) because I have to give it permission to be installed.

        The entire point that you and the rest of the ones afflicted with headinthesanditis are NOT getting is that the uneducated Mac user (just like his or her uneducated PC counterpart) is very likely to fall for this sort of scareware tactic.
        athynz
      • RE: Apple plays whack-a-mole with malware authors

        <i>applies to Windows 7 malware with similar qualities, yes. But in more than malware, risks for Windows 7 is still theoretically higher (practically not that much since MS does great work patching vulnerabilities).</i>

        @denisrs There is one significant advantage Windows 7 has: window colours. Seems stupid I know, but the fact that the user can change the colour of the window chrome means the scareware writer can't match it on a web page, this makes the visual side harder to pull off.
        jeremychappell
      • You missed the main part: even uneducated users never heard of 'viruses' on

        @athynz: ... Mac, so the whole story of this javascript that says it all of a sudden found a "virus" is not really believable.

        That is why I had to say that the whole thing is overblown in the media (as always). This scheme simply cannot work as well as for Windows PCs due to the totally different atmosphere of security/insecurity.
        DDERSSS
      • RE: Apple plays whack-a-mole with malware authors

        @denisrs
        You are a troll plain and simple. Whether intentionally or not. Try making sense, and see if you don't get attention as well.
        AreV
      • RE: Apple plays whack-a-mole with malware authors

        @denisrs
        Agreed! However, you can get the same effect by not turning on your computer! LOL!
        eargasm
      • RE: Apple plays whack-a-mole with malware authors

        @denisrs
        The only kind of sense your post makes is nonsense.
        If the Mac is immune, why does it need anti-malware updates? Do Mac users feel left out when the users of other OSes have a gala time updating their systems?
        Come on, get your head out of the sand and get real. Times are a-changing!!
        sksinghkgn@...
      • RE: Apple plays whack-a-mole with malware authors

        @denisrs A virus is a virus.

        And honestly, most Mac users ARE ~~STUPID~~ COMPLACENT ENOUGH to not be cautious about what they click. :>

        Oh yeah, and the last two variants DON'T need user approval. It's literally land on a page and it installs silently in the background. Sounds like OSX is no longer bulletproof. :P
        ZazieLavender
      • RE: Apple plays whack-a-mole with malware authors

        @denisrs

        Strange that you should post here considering that you don't read the articles here. It has been clearly stated more than once here in Zdnet articles that there are variants of Mac Defender that can install WITHOUT approving it and giving it your password.
        josh92
      • Do you read the articles yourself? Even when Defender defines the destination

        @josh92: ... folder not as system, but as the user sandbox -- and hence the administrative password is not required, the user still has to agree to the installation purely voluntarily, by his/her own hand.
        DDERSSS
      • RE: Apple plays whack-a-mole with malware authors

        @denisrs "You missed the main part: even uneducated users never heard of 'viruses' on Mac, so the whole story of this javascript that says that it all of sudden found a "virus" is not really believable."

        I did not miss the main part... but somehow you seem to be. This IS an issue that IS affecting some Mac users hence the articles, the internal Apple memos that were posted, and the fact that Apple has not only released an antivirus package but is now pushing/ offering updated definitions to it.

        Obviously there are those who believed that they did get a virus.
        athynz
      • RE: Apple plays whack-a-mole with malware authors

        @derekgore

        Trolls post solely to provoke. By definition they do so intentionally. The referenced post evinced neither.
        DeusXMachina
      • RE: Apple plays whack-a-mole with malware authors

        @sksinghkgn

        "If the Mac is immune why does it need anti malware updates?"

        Because not all malware are viruses, and in particular, as trojans are just programs, there is no simple OS remedy for them other than to disallow the running of programs.

        "Come on, get you head out of the sand and get real"

        Do so yourself. Or at least learn something about the topics you respond to.
        DeusXMachina
      • RE: Apple plays whack-a-mole with malware authors

        @athynz: I did not ever state that no one on a Mac got the malware installed. On the contrary: I said that those who use Windows PCs and Macs might believe in this scam more likely, since they are used to the whole concept of the virus and antivirus thing. Mac users are usually aware that getting a virus is not really probable at all, so it is much harder for them to be cheated by this Javascript prompter into installing the malware.

        Also, there is no "antivirus" in Mac OS X -- including the latest updates. If you think Edward Bott (of "Microsoft Report") is the right source of that type of information about Apple implementing "antivirus", you are wrong. Apple's update only included a mechanism to check the downloads' cache folder as to whether the signature of downloads matches a few known malware types or not.

        This has nothing to do with what antivirus does, sitting in the OS constantly 24/7, checking memory, all input/output operations, the file system everywhere -- which eventually brings even fast Windows PCs to their knees, making them crawl.

        So: no vulnerabilities in Apple software found, no virus epidemic, no antivirus by Apple, and quite little *real-life* (not blown up by mass media) impact of the new malware, due to the malware's ridiculous claim that the Mac got a "virus" (when there was not a single epidemic ever). There is just no way to interpret all of this at anything close to the scale to which the mass media (specifically, ZDNet -- others do not care much, since what happened is quite a small thing) have blown this up.
        DDERSSS
      • RE: Apple plays whack-a-mole with malware authors

        @ZazieLavender

        "A virus is a virus."

        Yes, and a trojan is a trojan. But a virus is not a trojan.

        "And honestly, most Mac users ARE STUPID COMPLACENT ENOUGH to not be cautious about what they click. :>"

        Based on what knowledge do you make this statement? All the theoretical physicists, pharmacology designers, bioengineers, and cryptographers (fields where Macs predominate) that use Macs?

        "Oh yeah, and the last two variants DON'T need user approval. It's literally land on a page and it installs silently in the background. Sounds like OSX is no longer bulletproof. :P"

        Actually, this is not accurate, which you would know if you:
        1) knew anything about the issue, and/or
        2) knew anything about how Macs work.

        The only way permission to INSTALL is "bypassed" is if the user is already running Safari with Auto Open Safe Downloads turned on. Otherwise, you WILL be prompted for permission.
        Even then, this only allows the download of avSetup.pkg. It does NOT give run permissions to the macguard app. To actually run the app, guess what. Permissions must be entered by the user. Ed Bott not giving particularly clear or accurate information despite using his Mac for some time now notwithstanding, this piece of B.S. has no basis in fact.

        But nice try. Thanks for playing. Next.
        DeusXMachina
      • RE: Apple plays whack-a-mole with malware authors

        @josh92
        "Strange that you should post here considering that you don't read the articles here."

        Strange that you post here without knowing the facts.

        "It has been clearly stated more than once here in Zdnet articles that there are variants of Mac Defender that can install WITHOUT approving it and giving it your password."

        By Ed Bott, who then went on to say that nevertheless, the program WILL NOT RUN without user permission.
        DeusXMachina