Apple isn't sharing malware definitions with third-party antivirus firms, new analysis suggests

A fresh look at malware intended to spy on people in the Middle East indicates that Apple isn't sharing definitions of existing threats with third-party antivirus (AV) companies, at least not consistently.

In publishing an analysis of "Meeting_Agenda.zip," an archive containing the malware, Mac security specialist Patrick Wardle noted that only two antivirus providers, Kaspersky and ZoneAlarm, flagged it. Searching for related files on VirusTotal, a multi-engine scanning service widely used by security professionals, Wardle uncovered four more samples: three weren't detected by any AV engine, and the last was caught by just two.

"The fact that the signing certificate(s) of all the samples are revoked (CSSMERR_TP_CERT_REVOKED) means that Apple knows about this certificate... and thus surely this malware as well...yet the majority of the samples (3, of 4) are detected by zero anti-virus engines on VirusTotal," Wardle wrote.

Wardle's inference is that Apple isn't sharing threat data with the rest of the AV industry, at least not in the way the industry customarily shares it among itself. macOS has had its own built-in anti-malware defenses (XProtect) since a 2009 update to Snow Leopard, and revoking a developer's signing certificate is a separate mechanism that makes Gatekeeper refuse the signed code. Neither helps a user running a third-party product, though; providing definitions to third parties increases the chances of a sample being caught and killed before it spreads.
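The gap Wardle describes is observable by anyone with the samples: Apple's trust decision shows up in `codesign` output as `CSSMERR_TP_CERT_REVOKED`, and AV coverage shows up in the per-engine counts VirusTotal returns. The following helper, added here as an example and not part of the original article or of Wardle's own tooling, correlates the two for a batch of samples. It assumes the real shapes of both inputs (the line `codesign --verify --verbose=4` prints for a revoked chain, and the `last_analysis_stats` block in a VirusTotal API v3 file object); the sample names, counts and JSON below are constructed, not real scan records.

```python
"""Correlate Apple certificate revocation with VirusTotal coverage.

Added example for this article; it is not Patrick Wardle's tooling or
Apple's. It assumes two artefacts collected for each sample:
  * the output of the real macOS tool `codesign --verify --verbose=4 <path>`,
    which prints CSSMERR_TP_CERT_REVOKED when Apple has revoked the signer;
  * the JSON object returned by VirusTotal API v3 for
    GET https://www.virustotal.com/api/v3/files/<sha256> (header x-apikey),
    whose data.attributes.last_analysis_stats counts engine verdicts.
All sample text and JSON below is constructed, not a real scan record.
"""
import json
from dataclasses import dataclass

REVOKED_MARKER = "CSSMERR_TP_CERT_REVOKED"
# A sample Apple already distrusts but few or no AV engines flag is the
# gap the article describes; 2 is the best coverage any of the four
# related samples reached there.
GAP_THRESHOLD = 2


@dataclass(frozen=True)
class Verdict:
    name: str
    apple_revoked: bool
    vt_malicious: int
    vt_engines: int
    coverage_gap: bool


def codesign_revoked(codesign_output: str) -> bool:
    """True when codesign reports the signing chain as revoked by Apple.

    Revocation is a trust decision about the certificate, not a signature
    for the payload, so on its own it says nothing about AV detection.
    """
    return any(REVOKED_MARKER in line for line in codesign_output.splitlines())


def vt_detection_counts(vt_json: str) -> tuple[int, int]:
    """Return (engines calling it malicious, engines that returned any verdict)."""
    stats = json.loads(vt_json)["data"]["attributes"]["last_analysis_stats"]
    return int(stats.get("malicious", 0)), sum(int(v) for v in stats.values())


def triage(name: str, codesign_output: str, vt_json: str,
           gap_threshold: int = GAP_THRESHOLD) -> Verdict:
    revoked = codesign_revoked(codesign_output)
    malicious, engines = vt_detection_counts(vt_json)
    # Only a revoked signer with thin AV coverage counts as a sharing gap;
    # an unsigned or still-valid sample with low detections is merely unknown.
    return Verdict(name, revoked, malicious, engines,
                   revoked and malicious <= gap_threshold)


def vt_lookup_request(sha256: str, api_key: str) -> tuple[str, dict]:
    """Build (without sending) the VT v3 request used to fetch vt_json."""
    return (f"https://www.virustotal.com/api/v3/files/{sha256}",
            {"x-apikey": api_key})


def _vt_stats_json(malicious: int, undetected: int) -> str:
    """Constructed VT v3 file object with only the fields this script reads."""
    return json.dumps({"data": {"attributes": {"last_analysis_stats": {
        "malicious": malicious, "suspicious": 0, "undetected": undetected,
        "harmless": 0, "timeout": 0, "type-unsupported": 3, "failure": 0}}}})


# Constructed inputs: hypothetical sample names, and codesign output in the
# two shapes the real tool produces (revoked chain vs. a clean verify).
SAMPLES = {
    "sample_a.app": ("sample_a.app: CSSMERR_TP_CERT_REVOKED\n", _vt_stats_json(0, 58)),
    "sample_b.app": ("sample_b.app: CSSMERR_TP_CERT_REVOKED\n", _vt_stats_json(2, 56)),
    "sample_c.app": ("sample_c.app: valid on disk\n"
                     "sample_c.app: satisfies its Designated Requirement\n",
                     _vt_stats_json(0, 58)),
}


def run_samples(gap_threshold: int = GAP_THRESHOLD) -> list[Verdict]:
    return [triage(name, cs, vt, gap_threshold) for name, (cs, vt) in SAMPLES.items()]


if __name__ == "__main__":
    for v in run_samples():
        flag = "GAP" if v.coverage_gap else "ok "
        print(f"{flag} {v.name}: revoked={v.apple_revoked} "
              f"VT={v.vt_malicious}/{v.vt_engines}")
```

On a real Mac you would feed `triage()` the stderr of `codesign --verify --verbose=4` and the body fetched with the request `vt_lookup_request()` builds. Treat a `coverage_gap` hit as a lead rather than a verdict: revocation tells you Apple stopped trusting the signer, not that Apple analysed this particular payload, and a low VirusTotal count for a fresh sample can simply mean nobody has submitted it yet.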

As Ars Technica noted, the malware analyzed by Wardle is now effectively neutered: even if a Mac is infected, the command-and-control servers the software tries to reach are no longer online. While it was active, it would attempt to bypass macOS defenses to steal documents or screenshots on behalf of a group known as Windshift.

Comments

  • Reply 1 of 14
    On a slight tangent: if all of this information is public and mainstream enough to be written up by Forbes, then why do all of these anti-virus companies suck so bad?

    Go figure Apple rolled their own.
  • Reply 2 of 14
    lenn (Posts: 36, member)
    Of course. Apple gets their panties in a twist when someone doesn't tell them about a vulnerability in their stuff but they act in the same way when they find something.
  • Reply 3 of 14
    Apple is in the process of producing an "iLife"-like suite of applications that will safeguard against malware and viruses, create strong passwords, and handle all the other crap that is on the internet.

    For iOS 13 and MacOS 'Bakersfield' all Apple products will be anonymous to miscreants including Google, Facebook, Twitter and all third-party apps that harvest data! :)

    You heard it here first! :)

    Best.
  • Reply 4 of 14
    lenn said:
    Of course. Apple gets their panties in a twist when someone doesn't tell them about a vulnerability in their stuff but they act in the same way when they find something.
    There's a difference between finding an OS level exploit and a software level exploit. OS controls everything and so it's in Apple's best interest to want to find these vulnerabilities from every level.

    This article proves well and truly why we shouldn't buy virus checkers. In fact the number one thing I tell people who buy Windows machines is to uninstall the 3rd-party virus checker installed on their new machines because A) they'll kill the machine when their licence has expired (dick move, virus checker manufacturers; why the hell kill the freaking printer, ball bags?) and B) they're not even needed when the ones built into the OS are actually great, don't suck the life out of the machine, and don't nag you all the time either.

    I'm glad Apple doesn't share because there should be no virus checking software on a Mac. Who cares if we share viruses with Windows, their stupid fault for buying a Windows machine in the first place.
  • Reply 5 of 14

    This article proves well and truly why we shouldn't buy virus checkers.
    And someone is still buying something that he can get in basic version (and from my experience very well working) for free?
  • Reply 6 of 14
    I'm glad Apple doesn't share because there should be no virus checking software on a Mac. Who cares if we share viruses with Windows, their stupid fault for buying a Windows machine in the first place.
    I'm not so trusting of Apple being able to recognise and find all new and existing threats, as history has proven they have been slow and wrong often enough. It's nice that Apple's solution is in the system software, as it is on Windows nowadays. But I'm not looking at Apple as the sole source of all knowledge about what this should protect me from. Sharing works both ways, as now the antivirus tool makers have a greater commercial incentive not to share, making it worse for everyone.
  • Reply 7 of 14
    List of Major Exploitations on Apple:

    1)
  • Reply 8 of 14
    gatorguy (Posts: 24,176, member)
    tbornot said:
    List of Major Exploitations on Apple:

    1)
    1)CrossRider
    2)OSX/MaMi
    3) OSX/Dok
    4)MacDownloader
    5)OSX/Pirrit
    6)Meltdown
    7)Spectre
    8)XAgent

     ... so exploits happen. Gatekeeper is great of course at keeping the bad stuff out, but not foolproof
    https://www.wired.com/story/mac-malware-hide-code-signing/

    There's always going to be a way in.
    edited December 2018
  • Reply 9 of 14
    gatorguy said:
    tbornot said:
    List of Major Exploitations on Apple:

    1)
    1)CrossRider
    2)OSX/MaMi
    3) OSX/Dok
    4)MacDownloader
    5)OSX/Pirrit
    6)Meltdown
    7)Spectre
    8)XAgent

     ... so exploits happen. Gatekeeper is great of course at keeping the bad stuff out, but not foolproof
    https://www.wired.com/story/mac-malware-hide-code-signing/

    There's always going to be a way in.
    And if not, Apple has left the root password wide open this year. Even their sw update fix didn't fix it.
  • Reply 10 of 14
    MplsP (Posts: 3,911, member)
    gatorguy said:
    tbornot said:
    List of Major Exploitations on Apple:

    1)
    1)CrossRider
    2)OSX/MaMi
    3) OSX/Dok
    4)MacDownloader
    5)OSX/Pirrit
    6)Meltdown
    7)Spectre
    8)XAgent

     ... so exploits happen. Gatekeeper is great of course at keeping the bad stuff out, but not foolproof
    https://www.wired.com/story/mac-malware-hide-code-signing/

    There's always going to be a way in.
    Just got done helping my dad clean malware off of his iMac. He has no idea where he got it, but it doesn’t matter. The fact is it’s out there and a pain in the ars to deal with. An ounce of prevention ...
  • Reply 11 of 14
    davgreg (Posts: 1,036, member)
    Would be nice if Apple worked with ZScaler to provide a service to customers that worked on all devices- iOS, Mac OS, tvOS, etc.

  • Reply 12 of 14
    Here’s the thing about this “outrage” PR. Apple is reported to have revoked a developer certificate. That doesn’t mean they’ve seen all variants of some bad actor’s signed malware; it doesn’t even mean they’ve seen any of them: there’s no way of knowing what led to the decision to revoke (it might simply be that the “developer” stole credentials, or used a bad funding source). Apple (and other software vendors) can’t be expected (and may not be legally permitted) to always divulge or highlight every action they take to protect their customers.
  • Reply 13 of 14
    evilution (Posts: 1,399, member)
    Do you think that Kaspersky, Norton and ZoneAlarm etc share their virus and Trojan findings with their competitors? No of course not, they use it to strengthen their own product. Why do all the work and then hand it all over?
  • Reply 14 of 14
    evilution said:
    Do you think that Kaspersky, Norton and ZoneAlarm etc share their virus and Trojan findings with their competitors? No of course not, they use it to strengthen their own product. Why do all the work and then hand it all over?
    Yes, they do. Everyone in the industry does.