Apple isn't sharing malware definitions with third-party antivirus firms, new analysis sug...
A fresh look at malware intended to spy on people in the Middle East indicates that Apple isn't sharing definitions of existing threats with third-party antivirus (AV) companies, at least not consistently.
In publishing an analysis of "Meeting_Agenda.zip," a file containing the malware, Mac security specialist Patrick Wardle noted that only two antivirus providers, Kaspersky and ZoneAlarm, were able to properly flag it. Searching for related files on VirusTotal -- a site commonly used by security professionals -- Wardle uncovered four more, but three weren't detected by any AV platforms and the last was caught by just two.
"The fact that the signing certificate(s) of all the samples are revoked (CSSMERR_TP_CERT_REVOKED) means that Apple knows about this certificate... and thus surely this malware as well...yet the majority of the samples (3, of 4) are detected by zero anti-virus engines on VirusTotal," Wardle wrote.
Based on this, it's believed that Apple isn't sharing threat data according to standard industry practice. macOS has had its own built-in anti-malware defenses since an update to 2009's Snow Leopard, but providing definitions to third parties increases the chances of catching and removing malicious code before it spreads.
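The detection gap the article describes (a revoked Apple signing certificate on every sample, yet zero VirusTotal engines flagging most of them) is a useful triage signal for defenders. The following is an added example, not code from the article or from Patrick Wardle's analysis: it checks a `codesign --verify` result for the `CSSMERR_TP_CERT_REVOKED` marker, counts engine detections from VirusTotal-style verdicts, and escalates samples where the two disagree. The sample names, the codesign output lines and the engine verdicts are constructed to mirror the four related files in the article; the `verify_with_codesign` helper only works on macOS.

```python
"""Triage helper: pair a codesign verification result with VirusTotal-style
engine verdicts to spot samples whose certificate Apple has revoked but which
few or no AV engines detect.

Added example; not code from the article or from Patrick Wardle's analysis.
All sample data below is constructed.
"""
import shutil
import subprocess
from dataclasses import dataclass

# codesign reports this marker when the signing certificate is on Apple's
# revocation list (the status the article quotes).
REVOKED_MARKER = "CSSMERR_TP_CERT_REVOKED"


@dataclass
class Sample:
    name: str
    codesign_output: str   # text captured from `codesign --verify -vv <path>`
    engine_verdicts: dict  # engine name -> detection label, or None if clean


def cert_revoked(codesign_output: str) -> bool:
    """True if the codesign output contains the revoked-certificate marker."""
    return REVOKED_MARKER in codesign_output


def detection_count(verdicts: dict) -> tuple:
    """Return (engines that flagged the sample, engines that scanned it)."""
    hits = sum(1 for label in verdicts.values() if label)
    return hits, len(verdicts)


def triage(sample: Sample) -> str:
    """Combine the two signals into a triage verdict."""
    revoked = cert_revoked(sample.codesign_output)
    hits, total = detection_count(sample.engine_verdicts)
    if revoked and hits == 0:
        return "ESCALATE: signing cert revoked by Apple but 0 engines detect the sample"
    if revoked:
        return f"REVIEW: signing cert revoked, {hits}/{total} engines detect the sample"
    if hits:
        return f"REVIEW: signature not revoked, {hits}/{total} engines detect the sample"
    return "LOW: signature not revoked, no engine detections"


def verify_with_codesign(path: str) -> str:
    """Run codesign on macOS and return its combined output (codesign writes
    verification results to stderr). Raises on non-macOS hosts."""
    if shutil.which("codesign") is None:
        raise RuntimeError("codesign not available; this helper needs macOS")
    proc = subprocess.run(
        ["codesign", "--verify", "--deep", "--strict", "-vv", path],
        capture_output=True, text=True,
    )
    return proc.stdout + proc.stderr


# Constructed data modelled on the article: four related samples, all with
# revoked certificates, one flagged by two engines and three flagged by none.
ENGINES = ["Kaspersky", "ZoneAlarm", "EngineC", "EngineD"]  # constructed names


def _verdicts(flagging):
    return {e: ("OSX.Constructed.Sample" if e in flagging else None) for e in ENGINES}


SAMPLES = [
    Sample("sample_a.app", "sample_a.app: CSSMERR_TP_CERT_REVOKED", _verdicts({"Kaspersky", "ZoneAlarm"})),
    Sample("sample_b.app", "sample_b.app: CSSMERR_TP_CERT_REVOKED", _verdicts(set())),
    Sample("sample_c.app", "sample_c.app: CSSMERR_TP_CERT_REVOKED", _verdicts(set())),
    Sample("sample_d.app", "sample_d.app: CSSMERR_TP_CERT_REVOKED", _verdicts(set())),
]


def triage_all(samples=SAMPLES) -> dict:
    """Map each sample name to its triage verdict."""
    return {s.name: triage(s) for s in samples}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name}: {verdict}")
```

On a macOS host, `verify_with_codesign(path)` can replace the constructed `codesign_output` strings; the triage logic itself runs anywhere, which is why the parsing is kept separate from the call to `codesign`.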
The malware analyzed by Wardle is neutered, Ars Technica commented, as even if a Mac is infected the control servers the software tries to reach are no longer online. When it was active, it would attempt to bypass macOS defenses to steal documents or screenshots for a group known as Windshift.
Comments
Go figure Apple rolled their own.
For iOS 13 and MacOS 'Bakersfield' all Apple products will be anonymous to miscreants including Google, Facebook, Twitter and all third-party Apps that harvest data!
You heard it here first!
Best.
This article proves well and truly why we shouldn't buy virus checkers. In fact the number one thing I tell people who buy Windows machines is to uninstall the 3rd party virus checker installed on their new machines because A) they'll kill the machine when their licence has expired - dick move virus checker manufacturers, why the hell kill the freaking printer ball bags? they're not even needed when the ones built into the OS are actually great, don't suck the life out of the machine, and don't nag you all the time either?
I'm glad Apple doesn't share because there should be no virus checking software on a Mac. Who cares if we share viruses with Windows, their stupid fault for buying a Windows machine in the first place.
1)
2) OSX/MaMi
3) OSX/Dok
4) MacDownloader
5) OSX/Pirrit
6) Meltdown
7) Spectre
8) XAgent
... so exploits happen. Gatekeeper is great of course at keeping the bad stuff out, but not foolproof
https://www.wired.com/story/mac-malware-hide-code-signing/
There's always going to be a way in.