New Apple antivirus signatures bypassed within hours by malware authors [Update]
After a month-long Mac Defender/Mac Guard malware attack, Apple has finally released the security update it promised last week. The update takes one more step on the road to turning an obscure security feature into something very close to full-fledged antivirus software, complete with daily checks for new definitions.
Update June 3, 5:00AM PDT: The cat-and-mouse game continues. Apple has now released the fourth update to its XProtect definitions list covering all five known versions of the Mac Defender software. (The latest release uses the name Mac Shield and is detected as OSX.MacDefender.E.) Here's a snippet from the latest definition file:
Update June 1, 6:00AM PDT: The bad guys have wasted no time. Hours after Apple released this update and the initial set of definitions, a new variation of Mac Defender is in the wild. This one has a new name, Mdinstall.pkg, and it has been specifically formulated to skate past Apple's malware-blocking code.
The file has a date and time stamp from last night at 9:24PM Pacific time. That's less than 8 hours after Apple's security update was released.
On a test system using Safari with default settings, it behaved exactly as before, beginning the installation process with no password required.
As PC virus experts know, this cat-and-mouse game can go on indefinitely. Your move, Apple.
Update June 2, 4:45AM PDT: Apple has updated its XProtect signatures to address the most recent version of Mac Defender. The signatures, which began being pushed out via the new automatic update mechanism sometime on June 1, now include three variants of the malware. Here's the detection result for the third variant, OSX.MacDefender.C:
It's worth noting that the automatic updater runs at startup or every 24 hours. On my test system, I had to force a manual update before the new signatures were available. Had I not done so, I would have had to wait until the 24-hour clock expired.
I've also captured a video that shows the File Quarantine feature successfully blocking an attempt to automatically install the Mac Guard malware. See below.
After a month-long Mac Defender/Mac Guard malware attack, Apple has finally released the security update it promised last week. The update takes Apple one step closer to turning an obscure security feature into something very close to full-fledged antivirus software.
Security Update 2011-003 includes changes to the File Quarantine feature, which beginning with Snow Leopard also includes antimalware checks for files downloaded through web browsers, e-mail, and other common paths. This update includes definitions for Mac Defender and its known variants, as well as an automated removal tool. It works only with the most recent version of Snow Leopard, 10.6.7. Earlier versions of OS X are apparently not included.
The two videos below show how Mac Guard (the current release of this malware) behaves before and after this security update.
Here's a start-to-finish, unedited "before" video that shows how the Mac Guard fake AV program goes from a seemingly innocent Google search result to a full install in just three clicks, with no password required. This demo uses the latest version of OS X 10.6 and the default browser, Safari, with its default settings.
Update: As I noted above, the May 31 release of Mdinstall.pkg is not detected by the 2011-003 update and signature files.
And here's the "after" video. Notice how the File Quarantine feature identifies the downloaded file as malware and prompts the user to move it to the trash.
Downloading the malware files with Firefox or Chrome results in a slightly different experience, but ultimately the same dialog box clicks in and blocks the attempt to install the package.
Significantly, it also includes a new update mechanism. According to the support note, “The system will check daily for updates to the File Quarantine malware definition list.” An opt-out capability is provided via the new "Automatically update safe downloads list" checkbox in Security Preferences.
Apple maintains a list of known malicious software that is used during the safe download check to determine if a file contains malicious software. The list is stored locally, and with Security Update 2011-003 is updated daily by a background process.
If you do not wish to receive these updates, you can disable daily update by unchecking "Automatically update safe downloads list" in the Security pane, in System Preferences. This option appears in Security preferences after Security Update 2011-003 is installed.
Mac OS X v10.6 Snow Leopard builds upon the existing unsafe file type check by also checking for known instances of "malware", or malicious software. When you open a quarantined file, the file quarantine feature will check to see if it may include known malware.
File Quarantine includes only a handful of signatures and has been updated fairly infrequently. A notice in the April 10.6.7 security bulletin notes that the OSX.OpinionSpy definition was added to Snow Leopard’s malware check. That action comes more than 10 months after this spyware application was first identified.
Multiple support documents at Apple.com recommend the use of antivirus tools for desktop and server versions of OS X:
From Mac OS X 10.6 Help: “Some harmful applications exist that can cause problems for your computer. Frequently, a harmful application will try to appear as an innocent document, such as a movie or graphic file. … Run an antivirus program if you find any suspicious files or applications, or if you notice any suspicious behavior on your computer.”
At the bottom of the Mac OS X Security page, after much chest-thumping about built-in security features: “The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box. However, since no system can be 100 percent immune from every threat, antivirus software may offer additional protection.”
It will be interesting to see how widely Apple publicizes this notice. It will be even more interesting to see how the authors of Mac Defender and its variants respond.