
Apple releases Mac OS X update to catch MAC Defender malware

post #1 of 77
Thread Starter 
Apple has released Security Update 2011-003, which adds malware detection and removal for the "MAC Defender" scam and delivers a daily update mechanism for updating subsequent malware definitions.

The security update for Mac OS X 10.6.7 is available from Software Update or the company's Downloads page. Installing the update does not require a system reboot.

The update adds malware discovery and removal for MAC Defender and all of its known variants, using the simple malware file quarantine feature that was first added to Mac OS X 10.6 Snow Leopard.

The Mac OS X file quarantine feature examines external files downloaded within Mail, iChat, Safari or other file quarantine-aware applications, warning users of downloads that match the definition of malware.



In addition to adding a definition for the latest "MAC Defender" trojan horse to warn users that the download should be deleted, the new security update adds a daily malware definitions check to make subsequent malware attempts even easier for Apple to protect its users from.

Users can opt out of the daily malware definitions update check by unchecking the new "Automatically update safe downloads list" checkbox in Security Preferences.



post #2 of 77
Just like Windows.... Oh, wait, I mean, just like Windows could have done and should have done years ago.

FTR, why don't Google, Bing and other search sites quarantine sites which enable malware like this. Particularly when the sites allow themselves to be a regular transport mechanism for malware. As long as search sites like Google, Bing and others don't help to stop it, more people will continue to visit these same sites over and over and over again. By helping to stop it, instead of making it easier, search sites can make distribution of malware more difficult.

It won't solve the problem, but anything that makes it more difficult for malware or educates users to be more careful makes it better for the rest of us.
post #3 of 77
Hooray! Although I've already turned off the "automatically open safe file types" option in Safari. Google should be ashamed of itself for allowing SEO poisoning, BTW. As far as I'm concerned, Google Image Search is more or less overrun by content farms and phishing servers.

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #4 of 77
Quote:
Originally Posted by Suddenly Newton View Post

Hooray! Although I've already turned off the "automatically open safe file types" option in Safari. Google should be ashamed of itself for allowing SEO poisoning, BTW. As far as I'm concerned, Google Image Search is more or less overrun by content farms and phishing servers.

It's not a problem specific to Google. Any search engine can deliver "poisoned" results.

http://www.sophos.com/security/techn...o-insights.pdf
melior diabolus quem scies
post #5 of 77
Quote:
Originally Posted by Gatorguy View Post

It's not a problem specific to Google. Any search engine can deliver "poisoned" results.

http://www.sophos.com/security/techn...o-insights.pdf

I don't think anyone was implying it was specific to Google.
post #6 of 77
It's nice that Apple has finally gotten proactive. Even though we only seem to get less than one piece of malware a year, Apple should be dealing with it in a rapid way. Hopefully this will be that way.
post #7 of 77
Since it's not viruses that Mac gets but just trojans installed by the unwary, this File Quarantine is perfect.

Instead of a full-on performance draining virus checker running 24/7, it now simply has a file-download blacklist that Safari, Mail and iChat reference.

It has already had this for some time, the difference now is it checks in with Apple daily for updates to the blacklist.
"About file quarantine in Mac OS X v10.5 and v10.6"
http://support.apple.com/kb/HT3662

Edit: Cool. It not only checks when you download files but when you open them too, so people using Firefox should be covered. But Safari users will catch it sooner.
post #8 of 77
Quote:
Originally Posted by ascii View Post

Since it's not viruses that Mac gets but just trojans installed by the unwary, this File Quarantine is perfect.

Instead of a full-on performance draining virus checker running 24/7, it now simply has a file-download blacklist that Safari, Mail and iChat reference.

It has already had this for some time, the difference now is it checks in with Apple daily for updates to the blacklist.
"About file quarantine in Mac OS X v10.5 and v10.6"
http://support.apple.com/kb/HT3662

I have to admit that I use the Symantec suite for Mac, and I've been using their predecessors for quite some time, since System 8. While with System 7, 8, and 9, we did get a few virii a year, and some few pieces of malware, we haven't had any actual problems with OS X. But, I do get Windows junk. Since I don't want to pass that on to my Windows using friends (yes, I do have some), I use this to mainly eradicate those. But better safe than sorry. The way I have it set, it doesn't slow the machine down.
post #9 of 77
Quote:
Originally Posted by melgross View Post

I have to admit that I use the Symantec suite for Mac, and I've been using their predecessors for quite some time, since System 8. While with System 7, 8, and 9, we did get a few virii a year, and some few pieces of malware, we haven't had any actual problems with OS X. But, I do get Windows junk. Since I don't want to pass that on to my Windows using friends (yes, I do have some), I use this to mainly eradicate those. But better safe than sorry. The way I have it set, it doesn't slow the machine down.

That's the only reason I can think of to install a virus checker - to protect Windows users. Especially after today. But virus checkers remain a big seller on the App Store so I guess a lot of people think like you, or they just assume you have to have one.
post #10 of 77
I have ClamX just for funsies, but have not updated that thing in months. Use it to check USB sticks that are given to me, mostly from Windows Users. I dunno, it sucks that someone released this in the wild, on the other hand it is so easy to neutralize it almost does not count.
--SHEFFmachine out
Da Bears!
post #11 of 77
I actually had a toothy grin on my face when I saw the "daily malware definitions check".

If it's kept squeaky clean and up to date with as many malware definitions as possible, then even the opening of safe files automatically from Safari will be of very little security risk. It'll just flag a warning and dump it to the trash. Although I think the dialogue box should've read "it will be moved to the trash", rather than asking for confirmation.

... at night.

post #12 of 77
Security is one area that I hope Apple is on top of. The Mac community has had a pretty easy go thus far in the virus and malware department.

In twenty-one years the only issue that I recall having to deal with was the Auto-Start worm back in 1998. (if I recall correctly)

It actually wasn't a problem for me as I was running virus protection with up-to-date definitions. It saved my bacon when a client sent me files on a zip disk. It caught the virus and spit out the disk.

I was lucky because I had just installed virus protection software about a week earlier.
post #13 of 77
Quote:
Originally Posted by ascii View Post

Edit: Cool. It not only checks when you download files but when you open them too, so people using Firefox should be covered. But Safari users will catch it sooner.

I think it's Apple's answer to Sophos' "On Access" scanning. The ONLY thing I hope Apple do differently to Sophos is have it not check already installed and previously used Applications. Sophos' On Access scanner caused large applications like Fireworks and Dreamweaver, Word, Eclipse (etc.) to take a fair few minutes to open, rather than thirty seconds. On a Notebook it was even worse because it hammered on the CPU and Hard Disk like no tomorrow, using more battery life than it really should.

... at night.

post #14 of 77
Ran the update and it corrupted my security settings in system prefs. It actually crashes system prefs when I click on security. Did a restart but to no avail. Any thoughts?
post #15 of 77
Quote:
Originally Posted by jmgregory1 View Post

Ran the update and it corrupted my security settings in system prefs. It actually crashes system prefs when I click on security. Did a restart but to no avail. Any thoughts?

Remove com.apple.preference.security.plist from ~/Library/Preferences.
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
post #16 of 77
When the latest 10.6.8 beta appeared with the MAC Defender check and removal I thought it odd this wasn't part of a Security Update. Are we to assume that those 10.6.8 developers were not aware of the impending Security Update or that 10.6.8 will just be a backup measure for those that oddly don't get the Security Update?
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
post #17 of 77
I ran software update. Restarted my Mac as the installer states an admin has to log in to make the Security Update effective.

I launch avSetup.pkg, which opens up to an installer that says "Install Mac Guard Setup" at the top of the installer window, but it isn't flagged by the OS.

It's an assumption but I thought this variant would be included in the definitions.

Any thoughts?
post #18 of 77
Quote:
Originally Posted by thenewperson View Post

I don't think anyone was implying it was specific to Google.

Yes, the word Google has replaced "search engine". I should have said "search engine". I just happen to use Google for everything, but I was lamenting that SEO poisoning is out of control. I won't image search on anything popular.

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #19 of 77
Today, for the first time in history, Apple has begun to actively maintain a virus database and quarantine software that is downloaded.

It seems like a big deal to me.
post #20 of 77
The plural of virus is viruses. There is no such word as virii.

post #21 of 77
Quote:
Originally Posted by InfoDave View Post

Today, for the first time in history, Apple has begun to actively maintain a virus database and quarantine software that is downloaded.

It seems like a big deal to me.

I seem to recall Mac OS keeping a local DB as far back as Leopard, the difference being that it's "actively," as you stated, doing so independently of Mac OS and standard security updates.
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
post #22 of 77
Quote:
Originally Posted by jbruni View Post

The plural of virus is viruses. There is no such word as virii.


So does that mean there's no Elvii either? Or should we ask a few souls in Vegas? (If Vegas still has any souls)
melior diabolus quem scies
post #23 of 77
Quote:
Originally Posted by Bsginc View Post

Just like Windows.... Oh, wait, I mean, just like Windows could have done and should have done years ago.

FTR, why don't Google, Bing and other search sites quarantine sites which enable malware like this. Particularly when the sites allow themselves to be a regular transport mechanism for malware. As long as search sites like Google, Bing and others don't help to stop it, more people will continue to visit these same sites over and over and over again. By helping to stop it, instead of making it easier, search sites can make distribution of malware more difficult.

It won't solve the problem, but anything that makes it more difficult for malware or educates users to be more careful makes it better for the rest of us.

There is a wonderful application called WOT (Web of Trust) that systematically flags websites with ratings based on embedded code. It allows you to preview sites without endangering your computer/mac.

You should try it some time. /end sarcasm
post #24 of 77
Between OS X
And myself,
I'll Kick All Your ASSES !!!!

post #25 of 77
Quote:
Originally Posted by sheff View Post

I have ClamX just for funsies, but have not updated that thing in months. Use it to check USB sticks that are given to me, mostly from Windows Users. I dunno, it sucks that someone released this in the wild, on the other hand it is so easy to neutralize it almost does not count.

Running an out of date antivirus software will do more harm than good, in the fact that it may give one a false sense of security.
post #26 of 77
Quote:
Originally Posted by Jexus View Post

There is a wonderful application called WOT (Web of Trust) that systematically flags websites with ratings based on embedded code. It allows you to preview sites without endangering your computer/mac.

You should try it some time. /end sarcasm

The information is appreciated. However, your sarcasm was neither necessary nor appreciated. Instead, responses like yours tend to cut off discussion. And, FWIW, once WOT gets big enough, it will be perverted by dishonest and greedy people just like everything else on the web is once it attracts enough attention. The basic problem needs to be fixed and not just avoided by finding (for now) safe alternatives.

That said, your reply fails to address the larger issue of why search engines leave their users out in the cold by not helping to stop the crap. Makes one wonder if, perhaps, they don't derive some of their revenue from malware developers. Perhaps like those who suck off legitimate searches to get their bogus sites at the top of key word searches perhaps?
post #27 of 77
Quote:
Originally Posted by InfoDave View Post

Today, for the first time in history, Apple has begun to actively maintain a virus database and quarantine software that is downloaded.

It seems like a big deal to me.

No, they've done that for a while.

Originally Posted by helia

I can break your arm if I apply enough force, but in normal handshaking this won't happen ever.
post #28 of 77
Quote:
Originally Posted by InfoDave View Post

Today, for the first time in history, Apple has begun to actively maintain a virus database and quarantine software that is downloaded.

It seems like a big deal to me.

I don't think we are dealing with a virus, but a piece of malware.
A.k.a. AppleHead on other forums.
post #29 of 77
Quote:
Originally Posted by jbruni View Post

The plural of virus is viruses. There is no such word as virii.


This!

It would have to be spelled 'virius' for the option of dropping the 'us' and replacing it with 'i' to work.
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
post #30 of 77
Quote:
Originally Posted by solipsism View Post

This!

It would have to be spelled 'virius' for the option of dropping the 'us' and replacing it with 'i' to work.

If more than one Pope Pius got together, would they be Popes Pii?
A.k.a. AppleHead on other forums.
post #31 of 77
Quote:
Originally Posted by solipsism View Post

When the latest 10.6.8 beta appeared with the MAC Defender check and removal I thought it odd this wasn't part of a Security Update. Are we to assume that those 10.6.8 developers were not aware of the impending Security Update or that 10.6.8 will just be a backup measure for those that oddly don't get the Security Update?

Previous security updates are always included in major point releases.

For example, 10.6.7 includes all security updates before it. http://support.apple.com/kb/ht4472
post #32 of 77
Sure would be nice if this article provided some useful information about File Quarantine and where the executables reside, customization, etc. Here's one for starters:

http://www.mactricksandtips.com/2010...ing-files.html
post #33 of 77
Quote:
Originally Posted by jbruni View Post

The plural of virus is viruses. There is no such word as virii.


Ok, what's the plural of Platypus?
Crying? No, I am not crying. I am sweating through my eyes.
post #34 of 77
Quote:
Originally Posted by Robin Huber View Post

If more than one Pope Pius get together they would be Popes Pii?

I believe they would be called Popes Priōra, regardless of what Toyota wants you to think.
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
post #35 of 77
Quote:
Originally Posted by bigdaddyp View Post

Ok, what's the plural of Platypus?

Quote:
Originally Posted by Wikipedia

Scientists generally use "platypuses" or simply "platypus". Colloquially the term "platypi" is also used for the plural, although this is technically incorrect and a form of pseudo-Latin.

*ahem*

Originally Posted by helia

I can break your arm if I apply enough force, but in normal handshaking this won't happen ever.
post #36 of 77
Quote:
Originally Posted by Gatorguy View Post

It's not a problem specific to Google. Any search engine can deliver "poisoned" results.

http://www.sophos.com/security/techn...o-insights.pdf

Regardless... if Google starts quarantining malicious sites, they'll force other search engines to do the same or risk having Google become the Safe Search.
post #37 of 77
Quote:
Originally Posted by NomadMac View Post

I ran software update. Restarted my Mac as the installer states an admin has to log in to make the Security Update effective.

I launch avSetup.pkg, which opens up to an installer that says "Install Mac Guard Setup" at the top of the installer window, but it isn't flagged by the OS.

It's an assumption but I thought this variant would be included in the definitions.

Any thoughts?

Did you move the file out of quarantine previously (i.e. did you dismiss the dialog warning you that the file is downloaded from the internet and to confirm if you want to run it?). If so you will not be asked again, you will have to reset the warnings.

Mac Pro, 8 Core, 32 GB RAM, nVidia GTX 285 1 GB, 2 TB storage, 240 GB OWC Mercury Extreme SSD, 30'' Cinema Display, 27'' iMac, 24'' iMac, 17'' MBP, 13'' MBP, 32 GB iPhone 4, 64 GB iPad 3

post #38 of 77
Quote:
Originally Posted by 2oh1 View Post

Regardless... if Google starts quarantining malicious sites, they'll force other search engines to do the same or risk having Google become the Safe Search.

According to the Sophos link, legitimate web content is often compromised.

Quote:
By hosting the SEO attack within a legitimate site, the attackers are able to piggyback on the reputation of that site, making it harder for the search engines to identify and remove the rogue links. Additionally, distributing attacks across multiple compromised host sites provides increased resilience against URL filtering and other defensive mechanisms.
melior diabolus quem scies
post #39 of 77
So I uncheck that new box in System Preferences --> Security. Close. (Re)Open System Preferences --> Security... it's checked again. Niice.

...

UPDATE:
Setting seems to "stick" after a Restart.
post #40 of 77
Quote:
Originally Posted by Mario View Post

Did you move the file out of quarantine previously (i.e. did you dismiss the dialog warning you that the file is downloaded from the internet and to confirm if you want to run it?). If so you will not be asked again, you will have to reset the warnings.

Thanks, Mario.

I believe I dismissed the dialog box when I downloaded it several days ago. I don't know how to reset the warnings. If you would be so kind to educate me.

I did take the file, put it on a keychain drive, dropped the avSetup.pkg file into the Download folder on a different Mac that I had just updated and restarted. I then launched avSetup.pkg and there was no warning.

I guess it actually has to download the file for the Security update to work?
Doesn't seem that effective to me if that's a requirement. Or do you think the OS modifies the installer somehow?