AppleInsider › Forums › Software › Mac OS X › MAC Defender variant quickly thwarts Apple's Mac OS X security update
MAC Defender variant quickly thwarts Apple's Mac OS X security update

post #1 of 120
Thread Starter 
A day after Apple released a security update for Mac OS X to address the "MAC Defender" malware, a new variant of the bogus antivirus software has been spotted in the wild [update: Apple has quickly responded, too].

Update: Quickly after the variant was released, Apple responded in kind in the ongoing cat-and-mouse game and updated its anti-malware definitions to address the latest version of the software.

As first reported by Ed Bott at ZDNet, the new variation of MAC Defender, named "Mdinstall.pkg," has been crafted to bypass the new malware-blocking code made available by Apple. That update for Mac OS X, Security Update 2011-003, was released on Tuesday.

"The file has a date and time stamp from last night at 9:24PM Pacific time," Bott wrote. That's less than 8 hours after Apple's security update was released. On a test system using Safari with default settings, it behaved exactly as before, beginning the installation process with no password required.

"As PC virus experts know, this cat-and-mouse game can go on indefinitely. Your move, Apple."

Security Update 2011-003 included changes to the File Quarantine feature found in Mac OS X 10.6 Snow Leopard. It includes anti-malware definitions within the operating system itself, and examines external files downloaded within Mail, iChat, Safari, or other quarantine-aware applications.

The MACDefender malware first gained attention in early May, when it was spotted by an antivirus company. The program automatically downloads in Web browsers through JavaScript and originally required users to enter an administrator password, but a more recent variant does not ask for a password.



Some reports have suggested that the "MAC Defender" malware has spread quickly, with Bott earlier citing an anonymous AppleCare representative that apparently said the "overwhelming majority" of recent calls to Apple were related to the malware. Last week, Apple posted instructions on its site informing users on how to remove the malware.
post #2 of 120
This sh script has been shared around between apple specialists, it removes all forms of this malware (even this latest version):

http://www.2shared.com/file/1pW0x9Pv...eDefender.html
post #3 of 120
It's a mug's game playing cat and mouse with these people, a waste of resources.

I think downloaded files (ones with the Safari download extended attributes) should not be able to be run ever, unless a security preferences override is set.

I'm sorry for people who sell their software through the web, but you chose to use an insecure deployment platform when the App Store was available.
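The policy ascii proposes above (a file carrying Safari's download extended attribute may never run unless a security-preferences override is set) can be written down as a small check. The block below is an added example, not code from any post or from Apple; the field layout it assumes for the com.apple.quarantine attribute (flags in hex, download time as hex Unix seconds, the downloading agent, a UUID) is my reading of that attribute, the sample value is constructed, and the override setting is the hypothetical one from the post:

```python
from datetime import datetime, timezone

# Constructed sample value for a com.apple.quarantine extended attribute.
# Assumed layout (my reading of the attribute, not documented on this page):
#   "<flags in hex>;<download time as hex unix seconds>;<downloading agent>;<UUID>"
SAMPLE_QUARANTINE = "0083;4dd9a1b0;Safari;5E1A9C2B-0000-4000-8000-000000000000"


def parse_quarantine(value):
    """Split a quarantine attribute string into its fields."""
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError("unrecognised quarantine attribute: %r" % value)
    return {
        "flags": int(parts[0], 16),
        "downloaded_at": datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc),
        "agent": parts[2],
        "uuid": parts[3] if len(parts) > 3 else "",
    }


def allow_execution(quarantine_value, override_enabled=False):
    """Return (allowed, reason) for the policy in the post above: anything
    carrying a download quarantine attribute may not run unless the
    (hypothetical) security-preferences override is set."""
    if quarantine_value is None:
        return True, "no quarantine attribute: not a tracked download"
    info = parse_quarantine(quarantine_value)
    when = info["downloaded_at"].strftime("%Y-%m-%d %H:%M UTC")
    origin = "downloaded by %s on %s" % (info["agent"], when)
    if override_enabled:
        return True, "override set; running file " + origin
    return False, "blocked: file " + origin


if __name__ == "__main__":
    # On a real Mac the attribute value would come from `xattr -p com.apple.quarantine <file>`;
    # here the constructed sample stands in for it.
    for value, override in [(SAMPLE_QUARANTINE, False), (SAMPLE_QUARANTINE, True), (None, False)]:
        print(allow_execution(value, override))
```

The attribute records which application downloaded the file and when, which is what makes a policy like this possible at all: a file copied from physical media has no such attribute and is left alone, while a Safari download is refused until the user deliberately flips the override.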
post #4 of 120
Ten years in the slammer for anybody convicted of hacking commercial sites.

One conviction and the rats will be off the ship in a heartbeat.

BTW, 10 years without parole, as federal laws dictate.
post #5 of 120
Anyone really surprised by this?

Does Apple, or any other anti-virus software, in any way hide or encrypt how they identify the malware? If the signature they use to ID the threat is easily discovered, it's trivial for the malware to be modified to avoid detection. I don't think Apple's Software Update mechanism is up to the task of distributing updated definitions effectively enough to address any serious threats. Too much user involvement in the process.

I never let SU automatically install anything because I'm paranoid and let all the rest of you test Apple's updates for me before I install them.
post #6 of 120
I doubt the security update blocks re-installation of said malware. It probably removes the newest version if rerun.
post #7 of 120
If you're ignorant enough to install something on your computer that just 'pops up', then you deserve the outcome. What boggles my mind is how people get crap on their Macs ... YOU HAVE TO INSTALL IT! It's not like Windows, where crap can seep through from many holes.

Don't EVER install anything you didn't initiate and all is good in the world of Mac.
post #8 of 120
Quote:
Originally Posted by ascii View Post

It's a mug's game playing cat and mouse with these people, a waste of resources.

I think downloaded files (ones with the Safari download extended attributes) should not be able to be run ever, unless a security preferences override is set.

I'm sorry for people who sell their software through the web, but you chose to use an insecure deployment platform when the App Store was available.

That's all well and good... unless your software doesn't meet Apple's guidelines for software in the Mac App Store. There is plenty of legit, useful software that simply cannot be distributed via the App Store because of Apple's rules.
post #9 of 120
Quote:
Originally Posted by Wiggin View Post

Anyone really surprised by this?

Does Apple, or any other anti-virus software, in any way hide or encrypt how they identify the malware? If the signature they use to ID the threat is easily discovered, it's trivial for the malware to be modified to avoid detection. I don't think Apple's Software Update mechanism is up to the task of distributing updated definitions effectively enough to address any serious threats. Too much user involvement in the process.

I never let SU automatically install anything because I'm paranoid and let all the rest of you test Apple's updates for me before I install them.

Which is why the Security Update added the option in the Security pane of System Preferences to automatically update the list without Software Update (and it's checked by default). Apple doesn't need to push out a new Software Update to update their database anymore.

Perhaps Apple should put another check in for Installer during install? Detect if the installer is writing certain files or will be running a process of a certain name. Not sure I'd like that, but other than doing the cat and mouse database updating, what else can they do?
post #10 of 120
As I understood it, after the update Safari regularly checks back with Apple for new descriptions. I would think Apple will address this new variant quietly by these means.
A.k.a. AppleHead on other forums.
post #11 of 120
Walled garden is looking better and better. Maybe give consumers a preference on/off switch that blocks any install unless it comes through the App Store.
A.k.a. AppleHead on other forums.
post #12 of 120
Quote:
Originally Posted by Wiggin View Post

I don't think Apple's Software Update mechanism is up to the task of distributing updated definitions effectively enough to address any serious threats. Too much user involvement in the process.

Isn't that what the new Security Update has done?

Quote:
Originally Posted by Pennywse View Post

If you're ignorant enough to install something on your computer that just 'pops up', then you deserve the outcome. What boggles my mind is how people get crap on their Macs ... YOU HAVE TO INSTALL IT! It's not like Windows, where crap can seep through from many holes.

Don't EVER install anything you didn't initiate and all is good in the world of Mac.

That's a shortsighted and ignorant comment. Do you really expect people not to use PCs until they are experts at using PCs?
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
post #13 of 120
Quote:
Originally Posted by Wiggin View Post

Anyone really surprised by this?

Does Apple, or any other anti-virus software, in any way hide or encrypt how they identify the malware? If the signature they use to ID the threat is easily discovered, it's trivial for the malware to be modified to avoid detection. I don't think Apple's Software Update mechanism is up to the task of distributing updated definitions effectively enough to address any serious threats. Too much user involvement in the process.

I never let SU automatically install anything because I'm paranoid and let all the rest of you test Apple's updates for me before I install them.

Indeed. OSX should allow Apple to send updates to the definitions database directly without a software update. I just saw a Macworld article where they said that's how it works now. If so, then that's being a bit more reactive, if not actually proactive.

Also, OSX should be re-designed so the malware removal does not need to be updated as uninstalling any software should be a single button click for the user and therefore a single operation for OSX.

Many of the most important software concepts were invented in the 70s and forgotten in the 80s.
post #14 of 120
Quote:
Originally Posted by Robin Huber View Post

Walled garden is looking better and better. Maybe give consumers a preference on/off switch that blocks any install unless it comes through the App Store.

I think the Mac App Store should remain as Apple's own storefront, but there should be a way for developers registered in Apple's developer program to whitelist their own software, which is then recognised by OSX on install by checking back with the registered copy. I'm thinking of going beyond certificates and instead hash-coding the actual code for each released version. This would allow 3rd parties to distribute software from any website or install from disk images passed around some other way. It is not a cure, but for average consumers buying mainstream software I think this could be made to work.

The rest is about making sure the process is in the user's face. Computers are the ideal teaching tool and there's no excuse for putting up an approval dialog designed by geeks and expecting people to know what the consequences are. There are no novice users; they are customers.

Many of the most important software concepts were invented in the 70s and forgotten in the 80s.
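Two of the posts above make complementary points: Wiggin (post #5) notes that once the signature used to identify a piece of malware is known, a trivially modified variant slips past it, and post #14 sketches the opposite model, a registry in which developers record a hash of each released build and the OS only runs what matches a registered copy. The block below is an added example, not code from any post or from Apple; the installer bytes, the registry contents and the "definitions" set are all constructed, and the registry lookup is a plain dictionary standing in for whatever signed, fetched data structure a real scheme would use:

```python
import hashlib


def sha256_hex(data):
    """Hash the actual bytes of an installer, as the post suggests."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for installer payloads; none of these are real software.
FOOAPP_1_0 = b"FooApp installer, release 1.0 (constructed sample bytes)"
ROGUE_AV = b"rogue 'antivirus' installer (constructed sample bytes)"

# The registry post #14 imagines: each released build is recorded by the hash of
# its bits, keyed so the OS can look an installer up.  Hypothetical data.
DEVELOPER_REGISTRY = {
    sha256_hex(FOOAPP_1_0): {"developer": "com.example.foo", "product": "FooApp", "version": "1.0"},
}

# The definitions approach the update uses: a set of hashes of known-bad installers.
MALWARE_DEFINITIONS = {sha256_hex(ROGUE_AV)}


def blocklist_verdict(installer):
    """Definitions-style check: blocks only what is already known to be bad."""
    return "blocked" if sha256_hex(installer) in MALWARE_DEFINITIONS else "allowed"


def allowlist_verdict(installer):
    """Registry-style check: runs only bits a registered developer published.
    Returns (verdict, registry entry or None)."""
    entry = DEVELOPER_REGISTRY.get(sha256_hex(installer))
    if entry is None:
        return "rejected", None
    return "allowed", entry


def repack(installer):
    """Any change to the bytes at all, which is what a new variant amounts to
    from a hash's point of view."""
    return installer + b"\n# rebuilt\n"


if __name__ == "__main__":
    for name, payload in [("FooApp 1.0", FOOAPP_1_0), ("rogue AV", ROGUE_AV),
                          ("rogue AV, repacked", repack(ROGUE_AV)),
                          ("FooApp 1.0, tampered", repack(FOOAPP_1_0))]:
        print("%-22s blocklist=%-8s allowlist=%s" % (name, blocklist_verdict(payload),
                                                   allowlist_verdict(payload)[0]))
```

Run as a script it shows the asymmetry the thread circles around: the repacked rogue installer passes the blocklist, because its hash is new, but is rejected by the registry check, and so is a legitimate installer whose bytes were altered after release. The cost is the one ascii and Wiggin argue about above: software nobody registered, including the open-source builds mentioned later, is rejected too, and the registry itself has to be delivered and kept current over a channel the user can trust.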
post #15 of 120
Quote:
Originally Posted by Wiggin View Post

That's all well and good... unless your software doesn't meet Apple's guidelines for software in the Mac App Store. There is plenty of legit, useful software that simply cannot be distributed via the App Store because of Apple's rules.

The only major *technical* restrictions on App Store apps are no access to system folders and no kernel extensions. Heck, they can even install background processes as long as they ask the user first. So I think in terms of native Mac apps, the vast majority should be compatible with the app store.

As for licensing issues, Apple insists on per user licenses, not per-machine. In a commercial/server-side setting per-machine makes sense, but for consumers I think per-machine is BS. And free apps are allowed on the App Store for open source apps whose license doesn't allow charging.

There are loads of great software packages you can install with MacPorts that would be incompatible. But people who are technically savvy enough to be installing and compiling open source apps probably wouldn't fall for a malware web page, so they can safely switch on the hypothetical install-from-anywhere security setting.

I just think, on balance, given how trusting a lot of people are, it might be better to only allow installing from physical media or the App Store unless explicitly overridden. Then Apple wouldn't have to waste time and resources playing cat and mouse with Russian scammers.
post #16 of 120
Quote:
Originally Posted by PUFF_DADDY View Post

Very Vegas punt swordplay! Strange graphics and profound.
Really Vegas crippled playact! Confusing art class and sound.

Nice poetry. Get bent.

What's so mind-blowing about malware that you must consciously install and then consciously give your credit card number?

Originally posted by Relic

...those little naked weirdos are going to get me investigated.
post #17 of 120
Quote:
Originally Posted by ascii View Post

I think downloaded files (ones with the Safari download extended attributes) should not be able to be run ever, unless a security preferences override is set.

I'm sorry for people who sell their software through the web, but you chose to use an insecure deployment platform when the App Store was available.

lol. Your "insecure deployment platform" is also called the internet, which relies on downloading to do anything for anyone. Web pages? Downloaded. Email? Downloaded. Chat? Downloaded. Draconian security measures like locking out the entire internet are what they do in China. Here, I actually want to be able to run what I download.

And if you think the App Store keeps you safe, wait till hackers create poisoned apps that after you install bypass app store restrictions.

You are "saved" by using your mind and THINKING before you install something, not by apple putting you behind a walled garden.
post #18 of 120
Quote:
Originally Posted by ascii View Post

The only major *technical* restrictions on App Store apps are no access to system folders and no kernel extensions. Heck, they can even install background processes as long as they ask the user first. So I think in terms of native Mac apps, the vast majority should be compatible with the app store.

As for licensing issues, Apple insists on per user licenses, not per-machine. In a commercial/server-side setting per-machine makes sense, but for consumers I think per-machine is BS. And free apps are allowed on the App Store for open source apps whose license doesn't allow charging.

There are loads of great software packages you can install with MacPorts that would be incompatible. But people who are technically savvy enough to be installing and compiling open source apps probably wouldn't fall for a malware web page, so they can safely switch on the hypothetical install-from-anywhere security setting.

I just think, on balance, given how trusting a lot of people are, it might be better to only allow installing from physical media or the App Store unless explicitly overridden. Then Apple wouldn't have to waste time and resources playing cat and mouse with Russian scammers.

That makes sense.
post #19 of 120
Quote:
Originally Posted by enjourni View Post

lol. Your "insecure deployment platform" is also called the internet, which relies on downloading to do anything for anyone. Web pages? Downloaded. Email? Downloaded. Chat? Downloaded. Draconian security measures like locking out the entire internet are what they do in China. Here, I actually want to be able to run what I download.

And if you think the App Store keeps you safe, wait till hackers create poisoned apps that after you install bypass app store restrictions.

You are "saved" by using your mind and THINKING before you install something, not by apple putting you behind a walled garden.

I like the walled garden approach. I think the benefits outweigh the downsides for me.
post #20 of 120
Quote:
Originally Posted by enjourni View Post

You are "saved" by using your mind and THINKING before you install something, not by apple putting you behind a walled garden.

You are saved by *someone* thinking before you install something. But that doesn't have to be you. It could be an App Store reviewer who is a professional at checking apps, with a bunch of malware scanners and other tools at his disposal.
post #21 of 120
The real problem here is Google's search results being poisoned by black hat SEOs (search engine optimisers), which affects Windows, Mac and other users alike.
Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
post #22 of 120
Quote:
Originally Posted by Tallest Skil View Post

Nice poetry. Get bent.

What's so mind-blowing about malware that you must consciously install and then consciously give your credit card number?

Once the software was installed, it could have done anything.

Imagine if it had held the user's photos for ransom, deleting an album per day until they pay, or anything other nasty thing you can imagine.

In some ways, the scariest thing about this malware is its naivety. It means the really experienced scumbags have not yet tried on Macs.

Many of the most important software concepts were invented in the 70s and forgotten in the 80s.
post #23 of 120
deleted
post #24 of 120
Quote:
Originally Posted by MacRulez View Post

Indeed it will be: within three years it will be somewhere between extremely difficult and impossible to install software on a Mac from any source other than the Apple store.

I would have guessed OS X 10.8, but with these scammers getting aggressive I'm hoping they'll bring it forward.
post #25 of 120
Quote:
Originally Posted by magicj View Post

LOL! Do you honestly believe not installing software you know nothing about is anything more than basic common sense?

Agreed. Honestly, sometimes I think there should be a "computer test", similar to a driver's test, that forces you to learn basic computer knowledge before you go complaining that you're not being protected, when really you just did something stupid. Everyone needs to learn how to avoid scams on the internet, and to be cautious of all downloads. And that software from Apple only comes through Software Update.

If this software installed automatically, as drive-by downloads do on PCs, THEN I could understand the complaint. But you agreed to infect yourself by installing something you didn't know what it was. End of story.

The irony of this is that people are so used to viruses on PCs that the trick of telling you your mac is infected worked. If people understood that their mac is protected, then they wouldn't have thought they needed any anti-virus software and would have canceled the install.
post #26 of 120
Quote:
Originally Posted by Robin Huber View Post

Walled garden is looking better and better. Maybe give consumers a preference on/off switch that blocks any install unless it comes through the App Store.

Completely agree. Virus/malware checkers on each computer are a waste of CPU and doomed to failure. Learn from history, people.
"Building for the future?! They should be running around reacting to the present!" -John Moltz
post #27 of 120
Quote:
Originally Posted by adonissmu View Post

I like the walled garden approach. I think the benefits outweigh the downsides for me.

Godwin invoked.
post #28 of 120
Quote:
Originally Posted by magicj View Post

LOL! Do you honestly believe not installing software you know nothing about is anything more than basic common sense?

Common to what kind of demographics? Common to your grandma?
"Building for the future?! They should be running around reacting to the present!" -John Moltz
post #29 of 120
Quote:
Originally Posted by Robin Huber View Post

Walled garden is looking better and better. Maybe give consumers a preference on/off switch that blocks any install unless it comes through the App Store.

Exactly. For normal users, send them to the App Store.

For downloaded files, the 'This file was downloaded...' message they have may be enough, for apps put up a BIG: 'This application was downloaded from an unknown source. If you install it, it will have full access to your personal files. Malware is spread through downloads like this. Unless you have intentionally decided to install this software, it is suggested you move it to the trash bin now. THIS APPLICATION DID NOT COME FROM APPLE.'

It isn't going to stop me from updating apps I know about, but it might stop people from being stupid*.

* When installing unknown software on their computers anyway. Uh, won't stop me from being stupid, either.
post #30 of 120
Quote:
Originally Posted by magicj View Post

LOL! Do you honestly believe not installing software you know nothing about is anything more than basic common sense?

There are plenty of people with lots of common sense who get all flustered and make the wrong choice when computers are involved. I know many older people who are quite wise, and just want to use their computer for a few basic tasks like reading email, web browsing, and shopping a bit. When they encounter a PayPal phishing scam they sometimes fail to realize what's happening and make a mistake. Most of us geeks can recognize a phishing scam, but that doesn't mean that a less experienced person lacks common sense or is an idiot.

In any case, even people who are not smart don't deserve to be taken advantage of. I see so many posts that begin with "if you're stupid enough to...then you deserve..." People who can't see a problem with that attitude may lack a moral compass.
post #31 of 120
Quote:
Originally Posted by enjourni View Post

Giving up your right to download does not make you any safer. You're living a dream world.

I didn't say that. I said there are benefits to Apple's walled garden approach. Apple strikes a balance with its approach to tablets and computers. If you want to get around their walled garden there is always the web. So try again. Additionally, the Hitler reference is offensive. Maybe you could use a less offensive analogy to make a point or (in this case) not make a point.
post #32 of 120
Quote:
Originally Posted by hill60 View Post

The real problem here is Google's search results being poisoned by black hat SEOs (search engine optimisers), which affects Windows, Mac and other users alike.

Once again...

1. This problem is NOT specific to Google. ANY search engine is equally as susceptible.

2. http://www.google.com/support/webmas...y?answer=35291

http://www.google.com/safebrowsing/d...site=apple.com
http://www.google.com/safebrowsing/d...pleinsider.com
http://www.google.com/safebrowsing/d...te=youtube.com
http://www.google.com/safebrowsing/d...?site=bing.com
http://www.google.com/safebrowsing/d...site=yahoo.com
http://www.google.com/safebrowsing/d...ite=google.com

Google is not responsible for user ignorance, carelessness or inexperience
post #33 of 120
Quote:
Originally Posted by enjourni View Post

Giving up your right to download does not make you any safer. You're living a dream world.

Godwin's law! too funny.
"Building for the future?! They should be running around reacting to the present!" -John Moltz
post #34 of 120
Quote:
Originally Posted by enjourni View Post

Giving up your right to download does not make you any safer. You're living a dream world.

Godwin's Law. You've lost this argument. Your point is invalid.

Originally posted by Relic

...those little naked weirdos are going to get me investigated.
post #35 of 120
Quote:
Originally Posted by AdonisSMU View Post

I didn't say that. I said there are benefits to apple's walled garden approach. Apple strikes a balance with its approach to tablets and computers. If you want to get around their walled garden there is always the web. So try again. Additionally, the hitler reference is offensive. Maybe you could use a less offensive analogy to make a point or (in this case) not make a point.

I'm sorry to be offensive, but I have a real problem with people giving up their rights in defense of security. It happens over and over again in history, and the outcome is always bad.

All I'm trying to say is, downloading is a basic right in a free and open internet. There are benefits to using the App Store for downloads, but I would rather Apple just implement a basic malware scanner that works system-wide (as it looks like they are trying to do), rather than force people to download through only one method.

Until:

(1) Every mac app is available in the app store
(2) Apple drops the whole commission thing, which is squeezing developers out of the store (like Adobe is going to drop 30% of their profits on photoshop?)

the App Store idea is a poor approach. Maybe at some point it will make sense, but we're not there yet.
post #36 of 120
Quote:
Originally Posted by Tallest Skil View Post

Godwin's Law. You've lost this argument. Your point is invalid.

Ha, I just googled it, thank you lol!

Ok guys, you win
post #37 of 120
Maybe if Apple took security a little more seriously, the entire internet wouldn't be laughing at Apple right now over this. OS X is the most insecure OS. Not Windows, sorry folks, but these are facts. The only reason OS X isn't a target is because we have such little market share; security by obscurity is not a good model. Apple needs to stop with the smug attitude, and so do its users.

"You should have to take a computer test"
"Common sense tells you blah blah blah"
"Walled gardens are better!"

First of all, if you think walled gardens are better, just leave America and move to China, because obviously you need someone to hold your hand and think for you. Look at what happens throughout history when you give up rights for a false sense of security: you get screwed. We Americans are learning this since 9/11. Second, Microsoft, for all its faults, actually does take security seriously. If you look at the alerts, more attacks are done on Windows through Adobe products. Why? Because Microsoft started taking security seriously in their software. Apple, on the other hand, treats it like it's a joke, taking months to respond to issues, sometimes leaving patches wide open. I really, REALLY hope Apple gets a brutal virus to slap the smug out of Steve Jobs' mouth. He, and a lot of other Apple users, really make me see why people don't like the stereotypical Apple user.
post #38 of 120
How does a user know if the "Automatically update safe downloads list" feature is working? Does it show when it was last updated? Is there a way to run a manual check?
post #39 of 120
Hmm, I installed the security update, but the 'open "safe" files after downloading' preference is still there in Safari.
post #40 of 120
Quote:
Originally Posted by IVK View Post

Maybe if Apple took security a little more seriously, the entire internet wouldn't be laughing at Apple right now over this. OS X is the most insecure OS. Not Windows, sorry folks, but these are facts. The only reason OS X isn't a target is because we have such little market share; security by obscurity is not a good model. Apple needs to stop with the smug attitude, and so do its users.

"You should have to take a computer test"
"Common sense tells you blah blah blah"
"Walled gardens are better!"

First of all, if you think walled gardens are better, just leave America and move to China, because obviously you need someone to hold your hand and think for you. Look at what happens throughout history when you give up rights for a false sense of security: you get screwed. We Americans are learning this since 9/11. Second, Microsoft, for all its faults, actually does take security seriously. If you look at the alerts, more attacks are done on Windows through Adobe products. Why? Because Microsoft started taking security seriously in their software. Apple, on the other hand, treats it like it's a joke, taking months to respond to issues, sometimes leaving patches wide open. I really, REALLY hope Apple gets a brutal virus to slap the smug out of Steve Jobs' mouth. He, and a lot of other Apple users, really make me see why people don't like the stereotypical Apple user.


It's not a virus, it's not malware and it in no way harms your computer. It's a phishing scam.

Apple have responded within five days.

You're talking out of an orifice other than your mouth.