Apple releases Mac OS X update to catch MAC Defender malware

Posted in macOS, edited January 2014
Apple has released Security Update 2011-003, which adds malware detection and removal for the "MAC Defender" scam and delivers a daily update mechanism for updating subsequent malware definitions.
The security update for Mac OS X 10.6.7 is available from Software Update or the company's Downloads page. Installing the update does not require a system reboot.
The update adds malware discovery and removal for MAC Defender and all of its known variants, using the simple malware file quarantine feature that was first added to Mac OS X 10.6 Snow Leopard.
The Mac OS X file quarantine feature examines external files downloaded within Mail, iChat, Safari or other file quarantine-aware applications, warning users of downloads that match the definition of malware.
In addition to adding a definition for the latest "MAC Defender" trojan horse, so that users are warned that the download should be deleted, the new security update adds a daily malware definitions check, which lets Apple respond to subsequent malware campaigns more quickly and protect its users from them.



Users can opt out of the daily malware definitions update check by unchecking the new "Automatically update safe downloads list" checkbox in Security Preferences.
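As an added example (not code from the article or from Apple), a small Python tool that parses the `com.apple.quarantine` extended attribute that quarantine-aware applications attach to downloads, which is the metadata the definitions check operates on. The attribute layout and the `xattr -p` read are assumptions about the platform, and all sample values are constructed.

```python
"""Added example, not from the article or from Apple: parse the com.apple.quarantine
extended attribute that quarantine-aware apps (Safari, Mail, iChat) stamp on
downloads. The layout "<flags-hex>;<unix-time-hex>;<agent>;<uuid>" is the
publicly observed format, assumed here; sample values are constructed."""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

XATTR_NAME = "com.apple.quarantine"
QUARANTINE_AWARE_AGENTS = {"Safari", "Mail", "iChat"}  # apps the article names

@dataclass
class QuarantineInfo:
    flags: int
    downloaded_at: datetime
    agent: str
    uuid: Optional[str]

def parse_quarantine(value: str) -> QuarantineInfo:
    """Split the raw attribute into typed fields; reject malformed input."""
    parts = value.strip().split(";")
    if len(parts) < 3 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed quarantine attribute: {value!r}")
    # Timestamp is hex seconds since the Unix epoch (assumed format).
    stamp = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return QuarantineInfo(int(parts[0], 16), stamp, parts[2], uuid)

def is_valid_quarantine(value: str) -> bool:
    try:
        parse_quarantine(value)
        return True
    except ValueError:
        return False

def downloaded_by_aware_agent(info: QuarantineInfo) -> bool:
    """True when the stamping agent is one the article lists as quarantine-aware."""
    return info.agent in QUARANTINE_AWARE_AGENTS

def read_quarantine(path: str) -> Optional[QuarantineInfo]:
    """Read the attribute with the macOS xattr(1) tool; None if absent/unavailable."""
    try:
        out = subprocess.run(["xattr", "-p", XATTR_NAME, path], check=True,
                             capture_output=True, text=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_quarantine(out)
```

A file whose attribute parses but whose agent is not in the quarantine-aware set (a browser that does not set the attribute, for instance) is exactly the case the commenters below discuss: it is only caught when Launch Services checks it on open.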

Comments

  • Reply 1 of 76
    bsginc Posts: 78 member
    Just like Windows.... Oh, wait, I mean, just like Windows could have done and should have done years ago.



    FTR, why don't Google, Bing and other search sites quarantine sites which enable malware like this. Particularly when the sites allow themselves to be a regular transport mechanism for malware. As long as search sites like Google, Bing and others don't help to stop it, more people will continue to visit these same sites over and over and over again. By helping to stop it, instead of making it easier, search sites can make distribution of malware more difficult.



    It won't solve the problem, but anything that makes it more difficult for malware or educates users to be more careful makes it better for the rest of us.
  • Reply 2 of 76
    suddenly newton Posts: 13,819 member
    Hooray! Although I've already turned off the "automatically open safe file types" option in Safari. Google should be ashamed of itself for allowing SEO poisoning, BTW. As far as I'm concerned, Google Image Search is more or less overrun by content farms and phishing servers.
  • Reply 3 of 76
    gatorguy Posts: 24,641 member
    Quote:
    Originally Posted by Suddenly Newton View Post


    Hooray! Although I've already turned off the "automatically open safe file types" option in Safari. Google should be ashamed of itself for allowing SEO poisoning, BTW. As far as I'm concerned, Google Image Search is more or less overrun by content farms and phishing servers.



    It's not a problem specific to Google. Any search engine can deliver "poisoned" results.



    http://www.sophos.com/security/techn...o-insights.pdf
  • Reply 4 of 76
    Quote:
    Originally Posted by Gatorguy View Post


    It's not a problem specific to Google. Any search engine can deliver "poisoned" results.



    http://www.sophos.com/security/techn...o-insights.pdf



    I don't think anyone was implying it was specific to Google.
  • Reply 5 of 76
    melgross Posts: 33,640 member
    It's nice that Apple has finally gotten proactive. Even though we only seem to get less than one piece of malware a year, Apple should be dealing with it in a rapid way. Hopefully this will be that way.
  • Reply 6 of 76
    ascii Posts: 5,936 member
    Since it's not viruses that Mac gets but just trojans installed by the unwary, this File Quarantine is perfect.



    Instead of a full-on performance draining virus checker running 24/7, it now simply has a file-download blacklist that Safari, Mail and iChat reference.



    It has already had this for some time, the difference now is it checks in with Apple daily for updates to the blacklist.

    "About file quarantine in Mac OS X v10.5 and v10.6"

    http://support.apple.com/kb/HT3662



    Edit: Cool. It not only checks when you download files but when you open them too, so people using Firefox should be covered. But Safari users will catch it sooner.
  • Reply 7 of 76
    melgross Posts: 33,640 member
    Quote:
    Originally Posted by ascii View Post


    Since it's not viruses that Mac gets but just trojans installed by the unwary, this File Quarantine is perfect.



    Instead of a full-on performance draining virus checker running 24/7, it now simply has a file-download blacklist that Safari, Mail and iChat reference.



    It has already had this for some time, the difference now is it checks in with Apple daily for updates to the blacklist.

    "About file quarantine in Mac OS X v10.5 and v10.6"

    http://support.apple.com/kb/HT3662



    I have to admit that I use the Symantec suite for Mac, and I've been using their predecessors for quite some time, since System 8. While with System 7, 8, and 9, we did get a few virii a year, and some few pieces of malware, we haven't had any actual problems with OS X. But, I do get Windows junk. Since I don't want to pass that on to my Windows-using friends (yes, I do have some), I use this mainly to eradicate those. But better safe than sorry. The way I have it set, it doesn't slow the machine down.
  • Reply 8 of 76
    ascii Posts: 5,936 member
    Quote:
    Originally Posted by melgross View Post


    I have to admit that I use the Symantec suite for Mac, and I've been using their predecessors for quite some time, since System 8. While with System 7, 8, and 9, we did get a few virii a year, and some few pieces of malware, we haven't had any actual problems with OS X. But, I do get Windows junk. Since I don't want to pass that on to my Windows-using friends (yes, I do have some), I use this mainly to eradicate those. But better safe than sorry. The way I have it set, it doesn't slow the machine down.



    That's the only reason I can think of to install a virus checker - to protect Windows users. Especially after today. But virus checkers remain a big seller on the App Store so I guess a lot of people think like you, or they just assume you have to have one.
  • Reply 9 of 76
    sheff Posts: 1,407 member
    I have ClamX just for funsies, but have not updated that thing in months. Use it to check USB sticks that are given to me, mostly from Windows Users. I dunno, it sucks that someone released this in the wild, on the other hand it is so easy to neutralize it almost does not count.
  • Reply 10 of 76
    I actually had a toothy grin on my face when I saw the "daily malware definitions check".



    If it's kept squeaky clean and up to date with as many malware definitions as possible, then even the opening of safe files automatically from Safari will be of very little security risk. It'll just flag a warning and dump it to the trash. Although I think the dialogue box should've read "it will be moved to the trash", rather than asking for confirmation.
  • Reply 11 of 76
    bilbo63 Posts: 285 member
    Security is one area that I hope Apple is on top of. The Mac community has had a pretty easy go thus far in the virus and malware department.



    In twenty-one years the only issue that I recall having to deal with was the Auto-Start worm back in 1998. (if I recall correctly)



    It actually wasn't a problem for me as I was running virus protection with up-to-date definitions. It saved my bacon when a client sent me files on a zip disk. It caught the virus and spit out the disk.



    I was lucky because I had just installed virus protection software about a week earlier.
  • Reply 12 of 76
    Quote:
    Originally Posted by ascii View Post


    Edit: Cool. It not only checks when you download files but when you open them too, so people using Firefox should be covered. But Safari users will catch it sooner.



    I think it's Apple's answer to Sophos' "On Access" scanning. The ONLY thing I hope Apple do differently to Sophos is have it not check already installed and previously used Applications. Sophos' On Access scanner caused large applications like Fireworks and Dreamweaver, Word, Eclipse (etc.) to take a fair few minutes to open, rather than thirty seconds. On a Notebook it was even worse because it hammered on the CPU and Hard Disk like no tomorrow, using more battery life than it really should.
  • Reply 13 of 76
    jmgregory1 Posts: 474 member
    Ran the update and it corrupted my security settings in system prefs. It actually crashes system prefs when I click on security. Did a restart but to no avail. Any thoughts?
  • Reply 14 of 76
    solipsism Posts: 25,726 member
    Quote:
    Originally Posted by jmgregory1 View Post


    Ran the update and it corrupted my security settings in system prefs. It actually crashes system prefs when I click on security. Did a restart but to no avail. Any thoughts?



    Remove com.apple.preference.security.plist from ~/Library/Preferences.
  • Reply 15 of 76
    solipsism Posts: 25,726 member
    When the latest 10.6.8 beta appeared with the MAC Defender check and removal I thought it odd this wasn't part of a Security Update. Are we to assume that those 10.6.8 developers were not aware of the impending Security Update or that 10.6.8 will just be a backup measure for those that oddly don't get the Security Update?
  • Reply 16 of 76
    nomadmac Posts: 96 member
    I ran software update. Restarted my Mac as the installer states an admin has to log in to make the Security Update effective.



    I launch avSetup.pkg which opens up to installer that says "Install Mac Guard Setup" at the top of the installer window but it isn't flagged by the OS.



    It's an assumption but I thought this variant would be included in the definitions.



    Any thoughts?
  • Reply 17 of 76
    suddenly newton Posts: 13,819 member
    Quote:
    Originally Posted by thenewperson View Post


    I don't think anyone was implying it was specific to Google.



    Yes, the word Google has replaced "search engine". I should have said "search engine". I just happen to use Google for everything, but I was lamenting that SEO poisoning is out of control. I won't image search on anything popular.
  • Reply 18 of 76
    infodave Posts: 31 member
    Today, for the first time in history, Apple has begun to actively maintain a virus database and quarantine software that is downloaded.



    It seems like a big deal to me.
  • Reply 19 of 76
    jbruni Posts: 29 member
    The plural of virus is viruses. There is no such word as virii.



  • Reply 20 of 76
    solipsism Posts: 25,726 member
    Quote:
    Originally Posted by InfoDave View Post


    Today, for the first time in history, Apple has begun to actively maintain a virus database and quarantine software that is downloaded.



    It seems like a big deal to me.



    I seem to recall Mac OS keeping a local DB as far back as Leopard, the difference being that it's "actively," as you stated, doing so independently of Mac OS and standard security updates.