New Apple antivirus signatures bypassed within hours by malware authors [Update]

New Apple antivirus signatures bypassed within hours by malware authors [Update]

Summary: After a month-long Mac Defender/Mac Guard malware attack, Apple has finally released the security update it promised last week. The update takes one more step on the road to turning an obscure security feature into something very close to full-fledged antivirus software, complete with daily checks for new definitions.

SHARE:

Update June 3, 5:00AM PDT: The cat-and-mouse game continues. Apple has now released the fourth update to its XProtect definitions list covering all five known versions of the Mac Defender software. (The latest release uses the name Mac Shield and is detected as OSX.MacDefender.E.) Here's a snippet from the latest definition file:

Update June 1, 6:00AM PDT: The bad guys have wasted no time. Hours after Apple released this update and the initial set of definitions, a new variation of Mac Defender is in the wild. This one has a new name, Mdinstall.pkg, and it has been specifically formulated to skate past Apple's malware-blocking code.

The file has a date and time stamp from last night at 9:24PM Pacific time. That's less than 8 hours after Apple's security update was released.

On a test system using Safari with default settings, it behaved exactly as before, beginning the installation process with no password required.

As PC virus experts know, this cat-and-mouse game can go on indefinitely. Your move, Apple.

Update June 2, 4:45AM PDT: Apple has updated its XProtect signatures to address the most recent version of Mac Defender. The signatures, which began being pushed out via the new automatic update mechanism sometime on June 1, now include three variants of the malware. Here's the detection result for the third variant, OSX.MacDefender.C:

It's worth noting that the automatic updater runs at startup or every 24 hours. On my test system, I had to force a manual update before the new signatures were available. Had I not done so, I would have had to wait until the 24-hour clock expired.

I've also captured a video that shows the File Quarantine feature successfully blocking an attempt to automatically install the Mac Guard malware. See below.

After a month-long Mac Defender/Mac Guard malware attack, Apple has finally released the security update it promised last week. The update takes Apple one step closer to turning an obscure security feature into something very close to full-fledged antivirus software.

Security Update 2011-003 includes changes to the File Quarantine feature, which beginning with Snow Leopard also includes antimalware checks for files downloaded through web browsers, e-mail, and other common paths. This update includes definitions for Mac Defender and its known variants, as well as an automated removal tool. It works only with the most recent version of Snow Leopard, 10.6.7. Earlier versions of OS X are apparently not included.

The two videos below show how Mac Guard (the current release of this malware) behaves before and after this security update.

Here's a start-to-finish, unedited "before" video that shows how the Mac Guard fake AV program goes from a seemingly innocent Google search result to a full install in just three clicks, with no password required. This demo uses the latest version of OS X 10.6 and the default browser, Safari, with its default settings.

Update: As I noted above, the May 31 release of Mdinstall.pkg is not detected by the 2011-003 update and signature files.

And here's the "after" video. Notice how the File Quarantine feature identifies the downloaded file as malware and prompts the user to move it to the trash.

Downloading the malware files with Firefox or Chrome results in a slightly different experience, but ultimately the same dialog box clicks in and blocks the attempt to install the package.

Significantly, it also includes a new update mechanism. According to the support note, “The system will check daily for updates to the File Quarantine malware definition list.” An opt-out capability is provided via the new "Automatically update safe downloads list" checkbox in Security Preferences.

Mac OS X Snow Leopard and malware detection, another support note that was also updated today, describes the new user interface option now available in OS X 10.6.7:

Apple maintains a list of known malicious software that is used during the safe download check to determine if a file contains malicious software. The list is stored locally, and with Security Update 2011-003 is updated daily by a background process.

If you do not wish to receive these updates, you can disable daily update by unchecking "Automatically update safe downloads list" in the Security pane, in System Preferences. This option appears in Security preferences after Security Update 2011-003 is installed.

Apple partisans have bragged for years that Macs don’t need antivirus software, but Apple has quietly said otherwise. The no-frills antivirus program included as part of the File Quarantine feature was originally documented in Apple support article HT3662:

Snow Leopard checks for malware

Mac OS X v10.6 Snow Leopard builds upon the existing unsafe file type check by also checking for known instances of "malware", or malicious software. When you open a quarantined file, the file quarantine feature will check to see if it may include known malware.

File Quarantine includes only a handful of signatures and has been updated fairly infrequently. A notice in the April 10.6.7 security bulletin notes that the OSX.OpinionSpy definition was added to Snow Leopard’s malware check. That action comes more than 10 months after this spyware application was first identified.

Multiple support documents at Apple.com recommend the use of antivirus tools for desktop and server versions of OS X:

  • From Mac OS X Server v10.6 - Advanced Server Administration (PDF), page 76: “Install antivirus tools, use them regularly, and update virus definition files and software regularly. Although viruses are less prevalent on the Mac platform than on Windows, viruses still pose a risk.”
  • From Mac OS X 10.6 Help: “Some harmful applications exist that can cause problems for your computer. Frequently, a harmful application will try to appear as an innocent document, such as a movie or graphic file. … Run an antivirus program if you find any suspicious files or applications, or if you notice any suspicious behavior on your computer.”
  • An August 2008 support document, “Safety tips for handling email attachments and content downloaded from the Internet”: “Only download and install applications from trusted sources, such as well-known application publishers, authorized resellers, or other well-known distributors. It is also advisable to use antivirus software to scan any files before installation. A selection of third-party products may be found at the Macintosh Products Guide.”
  • At the bottom of the Mac OS X Security page, after much chest-thumping about built-in security features: “The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box. However, since no system can be 100 percent immune from every threat, antivirus software may offer additional protection.”

It will be interesting to see how widely Apple publicizes this notice. It will be even more interesting to see how the authors of Mac Defender and its variants respond.

Topics: Apple, Hardware, Malware, Operating Systems, Security, Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

457 comments
Log in or register to join the discussion
  • Still not a single virus epidemics in whole 27-year long Mac history

    (even though laboratory and proof of concept examples did exist.)<br><br>And, whole MacDefender thing is grossly overblown by media since people have to have three level of cluelessness to actually harmed by this (comparing to PC counterparts, where such social engineering technologies much more effective): <a href="http://www.zdnet.com/tb/1-97915-1892322" target="_blank" rel="nofollow"><a href="http://www.zdnet.com/tb/1-97915-1892322" target="_blank" rel="nofollow"><a href="http://www.zdnet.com/tb/1-97915-1892322" target="_blank" rel="nofollow"><a href="http://www.zdnet.com/tb/1-97915-1892322" target="_blank" rel="nofollow"><a href="http://www.zdnet.com/tb/1-97915-1892322" target="_blank" rel="nofollow"><a href="http://www.zdnet.com/tb/1-97915-1892322" target="_blank" rel="nofollow"><a href="http://www.zdnet.com/tb/1-97915-1892322" target="_blank" rel="nofollow">http://www.zdnet.com/tb/1-97915-1892322</a></a></a></a></a></a></a><br><br>This trojan thing is not really different from user receiving letters on GMail that would state that some one has huge money locked on the offshore account, but he/she needs some money to unlock it, banking card info to transfer it, etc. Such mails have nothing to do with Google, the same as this trojan does not exploit any "lacks" in Apple's software since in all cases users have to install it *voluntary*.<br><br><br><br><br>Also, the software that Apple included in the update is nothing like what people call antivirus now. It does not run 24/7 checking the memory, IO bandwith, system files and thus making your computer crawling. <br><br>It looks only at quarantine folder for downloads, checking files for few malware signatures. And most people will never know that this feature even exists (contrary to actual antivirus which always let you know about itself).
    DDERSSS
    • Wow! Talk about head in the sand!

      @denisrs NT
      richdave
      • His head IS buried... But not in the sand..

        @richdave N/T
        Wolfie2K3
      • Message has been deleted.

        Message has been deleted.
        james347
      • Message has been deleted

        Message has been deleted
        james347
      • Sounds clear headed to me.

        @richdave
        His head is buried firmly in reality. 11+ years of OS X with no real threats. 10+ years of security experts saying just wait! You will see. Here is looking forward to another decade of proving them wrong.

        Note: We know threats are out there! Apple has warned us to protect ourselves. Nobody thinks the mac is immune to any and all future attacks. But at current threat levels, worrying about infection is just a waste of time.
        DougPetrosky
      • RE: Apple updates antivirus software, adds daily definition check

        @dougpetrosky<br>Apple has plenty of vulnerabilites, both now and over the years: go to us-cert.gov, search on Apple and you'll find them. All software is vulnerable. To say otherwise is foolish marketing-speak and only puts a target on your chest. Remember the Oracle "unbreakable" campaign?
        batpox
      • RE: Apple updates antivirus software, adds daily definition check

        @richdave You need more than 'Wow' to make a reasoned argument. if you have one, lets hear it. Otherwise you are just a cheerleader, and contribute nothing.
        radleym
      • RE: Apple updates antivirus software, adds daily definition check

        @DougPetrosky<br><br>You know, it's never worth it worrying about infection at all, on any operating system. It's best to just develop safe habits and seek to understand how the fundamental technologies we use actually work. I do however think that it's also true Apple is finally leaving the security in obscurity subset and moving into the scope of effective targetability. It's a monetary game in the end, and Apple legitimately does next to nothing to mitigate security breaches, simply because they haven't had to. The fact that Apple managed to remain obscure for 27 years in my opinion is simply an indication of mismanagement of a type MS is suffering at present. It's certainly not a selling point to me, and it doesn't equal correct attention to detail placed in permission checking at a low level. They consumed a unix kernel attempting to correct that, but are still dogged by a lack of understanding of what makes the infrastructure secure in the first place.
        Ternarybit
      • RE: Apple updates antivirus software, adds daily definition check

        @richdave LMAO
        MrElectrifyer
      • RE: Apple updates antivirus software, adds daily definition check

        @richdave You can say head in the sand all you want, but what he stated are facts.

        There STILL AREN'T AS MANY THREATS FOR MAC.

        And this Mac Defender isn't a virus, nor is it destructive.

        There really isn't anything ANY software maker can do to prevent a user making STUPID DECISIONS, like installing software they didn't ask for, and giving it a credit card number.
        lelandhendrix
      • RE: Apple updates antivirus software, adds daily definition check

        @Sounds clear headed to me.

        "Nobody thinks the mac is immune to any and all future attacks"

        actually you could have said this clearer... because OSX has actually proven that you can have a system that is "secure" it still has never been attacked successfully in the wild... a user for instance can not be surprised by something showing up without the user doing it in the first place... even Charlie white's exploits need a user to actually say "yes" to questions and going to sites and such...

        a better way to say it is: " no User is immune to future attack vectors, the system is already secure enough, educating a user to understand when someone calls on the phone or pops up a website that asks for the user's credit card number in the wrong place, that this is nothing more than a scam rather than a security threat"

        if someone asks for your credit card on the phone or a website, you are in the wrong place if you were just surfing with no intent to buy.
        honkj
      • Its always the same excuse...

        @ DougPetrosky
        For years and years every time Windows, or even Office had even the slightest flaw, the slightest of far removed risks, the Apple enthusiasts would be out in droves jumping up and down and pointing at what a risky piece of software Windows is.

        Feigning laughter and disgust over Office for example because the Chinese version of Excel had a minor vulnerability. For years Windows users have had to endure the scorn of Apple enthusiasts simply because another socially engineered piece of malware was making its way into the Windows environment. Nothing more then a continued and ongoing over reaction; usually in the extreme,about every and any issue Windows was reported to have.

        The absolute honest to god fact always was that the vast majority, as in practically ALL Windows users have been protected for almost ever, in IT terms, from the vast majority of threats by their installed AV systems. For the vast vast majority of Windows users there are many of the threats faced by Windows that they would have had to be even more stupid then Apple users to allow something on their system, this is because their AV system would be blocking directly and alerting the user to exactly the situation, necessitating the user deciding to literally choose to disable their AV system and retry what every they were doing.

        During this incredibly insulting period of time where Apple users have sought to degrade Windows users because Windows is popular, and thus has threats, even though free AV systems were more then adequately blocking those threats; Apple users always maintained the same story pertaining to their own OS.

        Apple users for years have been saying the same line; "We know Apple and OSX isn't perfect, but there are no imperfections". Basically translated I guess as, Apple may be imperfect, its just that we don't know because so far nothing imperfect has reared its head (that we agree to believe).

        But in their view Windows was always trash simply because the threats for Windows existed. It was never based on anything like, is this a threat Windows users cannot protect themselves from, is this a threat shutting down large numbers of computers around the world? Never.

        Windows users have long time been protected and protected well. And now that OSX is getting threats, the very same kinds of threats that Windows has been criticized by them, absolutely astonishingly, the Apple enthusiasts are still saying the same thing!! Apple isn't perfect but there currently are no imperfections! Absolutely ignorant to say the least.

        Why why why cannot these Apple users just admit the truth thats always existed, and that as is follows:

        1. Both Windows and OSX are perfectly good operating systems that draw users to them based on a variety of reasons, when users choose a respective system for sensible related reasons to the particular operating system, they have chosen the OS that is best for them.

        2. Windows has had 90% of the market share for just about for ever and as such it has been the largest target by far and as such, almost all security threats have related to Windows, but a sane Windows user will be using AV and keeping it updated and as such their true threat exposure is actually incredibly minimal.

        3. Whats good for the goose is good for the gander, in other words, if socially engineered malware attacks expose flaws in Windows OS and that makes Windows crap then any OS, including OSX, is likewise crap if socially engineered attacks exist for it as well. Or the alternative, neither OS is crap and its just the unfortunate nature of operating a computer on the net.

        I for one do NOT find that their is anything inherently bad about OSX, its just far to many of the Apple enthusiasts who in their efforts to boost their self esteem for their choice of OS go to ridiculous efforts to explain away clear flaws in OSX while at the same time are critical about Windows for the same kinds of reasons they give OSX a pass on.
        Cayble
    • RE: Apple updates antivirus software, adds daily definition check

      @denisrs <br><br>I'm just a student, but there is a lot about your opinion/post/reply that not only discredits itself but all in all passes it's message poorly. I'm not one to nitpick typing habits or grammatical errors, but your post is barely readable. You make no valid points, you misclassify things in an attempt to make a point, and you repeatedly use fallacies to come to places where people seemingly find no other option but to agree with you.
      TheParoxysm
      • Message has been deleted.

        Message has been deleted.
        james347
      • RE: Apple updates antivirus software, adds daily definition check

        @TheParoxysm
        Well student, you need to get some remedial reading skills. I understood the article perfectly! That being said, we can all cheer, now that Apple did the right thing. Hooraay!!!
        eargasm
      • RE: Apple updates antivirus software, adds daily definition check

        @TheParoxysm If you're going to criticise other people's grammar, you should check your own first. "it's message" should be "its message".
        DJL64
      • RE: Apple updates antivirus software, adds daily definition check

        @TheParoxysm Well said...?!?
        ItsTheBottomLine
      • RE: Apple updates antivirus software, adds daily definition check

        @windozefreak,

        It's not the article he's commenting on. It was Denisrs's post that he was replying to. I have to agree with TheParoxysm on this one. I'm not one for grammatical errors as I make tons myself. But the points were not great.
        voska1
      • RE: Apple updates antivirus software, adds daily definition check

        @TheParoxysm What you should be asking is why aren't the Apple reporters (O'Grady and Morgenstern) on this site taking over this story? Why do they not try to take the lead on it, rather than keep letting the MS guy or Kingsley-Hughes have to break all the important security news related to this issue? Pull up the Companies listing on this site, and click on 'Apple', and see who's covering it. You get nothing but cricket chirps from the supposed Apple correspondents. Sad - probably too frightened of losing their tenuous grips on the almighty Jobsian propaganda trickle they have if they start shedding some light on a legit story line. Keep whistling past the graveyard, boys...
        ejhonda