MAC Defender variant quickly thwarts Apple's Mac OS X security update

Posted in macOS, edited January 2014
A day after Apple released a security update for Mac OS X to address the "MAC Defender" malware, a new variant of the bogus antivirus software has been spotted in the wild [update: Apple has quickly responded, too].



Update: Shortly after the variant was released, Apple responded in kind in the ongoing cat-and-mouse game and updated its anti-malware definitions to address the latest version of the software.



As first reported by Ed Bott at ZDNet, the new variation of MAC Defender, named "Mdinstall.pkg," has been crafted to bypass the new malware-blocking code made available by Apple. That update for Mac OS X, Security Update 2011-003, was released on Tuesday.



"The file has a date and time stamp from last night at 9:24PM Pacific time," Bott wrote. "That's less than 8 hours after Apple's security update was released. On a test system using Safari with default settings, it behaved exactly as before, beginning the installation process with no password required."



"As PC virus experts know, this cat-and-mouse game can go on indefinitely. Your move, Apple."



Security Update 2011-003 included changes to the File Quarantine feature found in Mac OS X 10.6 Snow Leopard. File Quarantine now includes anti-malware definitions within the operating system itself, and examines external files downloaded within Mail, iChat, Safari, or other quarantine-aware applications.
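File Quarantine only sees files that a quarantine-aware application tagged on download. As an added illustration, not code from the article or from Apple, here is a small Python decoder for the com.apple.quarantine extended attribute those applications attach; the field layout is stated from general knowledge, and the sample value and its uuid are constructed placeholders.

```python
"""Decode the com.apple.quarantine extended attribute that File Quarantine
keys on. Added example; the sample values below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

# Field layout of the attribute value written by quarantine-aware apps:
#   "<flags, hex>;<download time, hex seconds since the Unix epoch>;<agent>;<uuid>"
@dataclass
class QuarantineTag:
    flags: int
    downloaded_at: datetime
    agent: str          # app that performed the download, e.g. Safari or Mail
    uuid: str           # identifier of the download event

def parse_quarantine(value: str) -> Optional[QuarantineTag]:
    """Return the decoded tag, or None if the value is not a quarantine record."""
    parts = value.split(";")
    if len(parts) < 3:
        return None
    try:
        flags = int(parts[0], 16)
        seconds = int(parts[1], 16)
    except ValueError:
        return None
    uuid = parts[3] if len(parts) > 3 else ""
    return QuarantineTag(flags, datetime.fromtimestamp(seconds, tz=timezone.utc),
                         parts[2], uuid)

def is_quarantined(xattrs: Dict[str, str]) -> bool:
    """True when a file carries a well-formed quarantine tag, i.e. it came in
    through a quarantine-aware app and File Quarantine will examine it.
    A package copied in by other means carries no tag and is never checked."""
    raw = xattrs.get("com.apple.quarantine")
    return raw is not None and parse_quarantine(raw) is not None

# Constructed sample: a download tagged by Safari (uuid is a placeholder).
SAFARI_DOWNLOAD = {"com.apple.quarantine": "0081;4dd5d8b0;Safari;PLACEHOLDER-UUID"}
COPIED_IN_FILE: Dict[str, str] = {}

if __name__ == "__main__":
    print(parse_quarantine(SAFARI_DOWNLOAD["com.apple.quarantine"]))
    print(is_quarantined(SAFARI_DOWNLOAD), is_quarantined(COPIED_IN_FILE))
```

On a Mac the raw value comes from `xattr -p com.apple.quarantine <file>`; the decoder shows which application tagged the file and when, which is the only evidence the quarantine check has to go on.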



The MACDefender malware first gained attention in early May, when it was spotted by an antivirus company. The program automatically downloads in Web browsers through JavaScript and originally required users to enter an administrator password, but a more recent variant does not ask for a password.







Some reports have suggested that the "MAC Defender" malware has spread quickly, with Bott earlier citing an anonymous AppleCare representative who apparently said the "overwhelming majority" of recent calls to Apple were related to the malware. Last week, Apple posted instructions on its site informing users how to remove the malware.

Comments

  • Reply 1 of 123
    enjourni Posts: 254, member
    This sh script has been shared around between apple specialists, it removes all forms of this malware (even this latest version):



    http://www.2shared.com/file/1pW0x9Pv...eDefender.html
  • Reply 2 of 123
    ascii Posts: 5,936, member
    It's a mug's game playing cat and mouse with these people, a waste of resources.



    I think downloaded files (ones with the Safari download extended attributes) should not be able to be run ever, unless a security preferences override is set.



    I'm sorry for people who sell their software through the web, but you chose to use an insecure deployment platform when the App Store was available.
  • Reply 3 of 123
    ezduzit Posts: 158, member
    ten years in the slammer for anybody convicted of hacking commercial sites.



    one conviction and the rats will be off the ship in a heartbeat.



    btw, 10 years without parole as federal laws dictate.
  • Reply 4 of 123
    wiggin Posts: 2,265, member
    Anyone really surprised by this?



    Does Apple, or any other anti-virus software, in any way hide or encrypt how they identify the malware? If the signature they use to ID the threat is easily discovered, it's trivial for the malware to be modified to avoid detection. I don't think Apple's Software Update mechanism is up to the task of distributing updated definitions effectively enough to address any serious threats. Too much user involvement in the process.



    I never let SU automatically install anything because I'm paranoid and let all the rest of you test Apple's updates for me before I install them.
  • Reply 5 of 123
    eriamjh Posts: 1,631, member
    I doubt the security update blocks re-installation of said malware. It probably removes the newest version if rerun.
  • Reply 6 of 123
    pennywse Posts: 155, member
    If you're ignorant enough to install something on your computer that just 'pops up', then you deserve the outcome. What boggles my mind is how people get crap on their Macs ... YOU HAVE TO INSTALL IT! It's not like Windows where crap can seep through from many holes.



    Don't EVER install anything you didn't initiate and all is good in the world of Mac.
  • Reply 7 of 123
    wiggin Posts: 2,265, member
    Quote:
    Originally Posted by ascii

    It's a mug's game playing cat and mouse with these people, a waste of resources.



    I think downloaded files (ones with the Safari download extended attributes) should not be able to be run ever, unless a security preferences override is set.



    I'm sorry for people who sell their software through the web, but you chose to use an insecure deployment platform when the App Store was available.



    That's all well-and-good...unless your software doesn't meet Apple's guidelines for software in the Mac App Store. There is plenty of legit, useful software that simply can not be distributed via the App Store because of Apple's rules.
  • Reply 8 of 123
    Quote:
    Originally Posted by Wiggin

    Anyone really surprised by this?



    Does Apple, or any other anti-virus software, in any way hide or encrypt how they identify the malware? If the signature they use to ID the threat is easily discovered, it's trivial for the malware to be modified to avoid detection. I don't think Apple's Software Update mechanism is up to the task of distributing updated definitions effectively enough to address any serious threats. Too much user involvement in the process.



    I never let SU automatically install anything because I'm paranoid and let all the rest of you test Apple's updates for me before I install them.



    Which is why the Security Update added the option in the Security pane of System Preferences to automatically update the list without Software Update (and it's checked by default). Apple doesn't need to push out a new Software Update to update their database anymore.



    Perhaps Apple should put another check in for Installer during install? Detect if the installer is writing certain files or will be running a process of a certain name. Not sure I'd like that, but other than doing the cat and mouse database updating, what else can they do?
  • Reply 9 of 123
    robin huber Posts: 3,949, member
    As I understood it, after the update Safari regularly checks back with Apple for new descriptions. I would think Apple will address this new variant quietly by these means.
  • Reply 10 of 123
    robin huber Posts: 3,949, member
    Walled garden is looking better and better. Maybe give consumer a preference on/off switch that allows block of any install unless it comes through App Store.
  • Reply 11 of 123
    solipsism Posts: 25,726, member
    Quote:
    Originally Posted by Wiggin

    I don't think Apple's Software Update mechanism is up to the task of distributing updated definitions effectively enough to address any serious threats. Too much user involvement in the process.



    Isn't that what new Security Update has done?



    Quote:
    Originally Posted by Pennywse

    If you're ignorant enough to install something on your computer that just 'pops up', then you deserve the outcome. What boggles my mind is how people get crap on their Macs ... YOU HAVE TO INSTALL IT! It's not like Windows where crap can seep through from many holes.



    Don't EVER install anything you didn't initiate and all is good in the world of Mac.



    That's a shortsighted and ignorant comment. Do you really expect people not to use PCs until they are experts at using PCs?
  • Reply 12 of 123
    pxt Posts: 683, member
    Quote:
    Originally Posted by Wiggin

    Anyone really surprised by this?



    Does Apple, or any other anti-virus software, in any way hide or encrypt how they identify the malware? If the signature they use to ID the threat is easily discovered, it's trivial for the malware to be modified to avoid detection. I don't think Apple's Software Update mechanism is up to the task of distributing updated definitions effectively enough to address any serious threats. Too much user involvement in the process.



    I never let SU automatically install anything because I'm paranoid and let all the rest of you test Apple's updates for me before I install them.



    Indeed. OSX should allow Apple to send updates to the definitions database directly without a software update. I just saw a Macworld article where they said that's how it works now. If so, then that's being a bit more reactive, if not actually proactive.



    Also, OSX should be re-designed so the malware removal does not need to be updated as uninstalling any software should be a single button click for the user and therefore a single operation for OSX.
  • Reply 13 of 123
    pxt Posts: 683, member
    Quote:
    Originally Posted by Robin Huber

    Walled garden is looking better and better. Maybe give consumer a preference on/off switch that allows block of any install unless it comes through App Store.



    I think the Mac App Store should remain as Apple's own storefront, but there should be a way for developers registered in Apple's developer program to whitelist their own software, which is then recognised by OSX on install by checking back with the registered copy. I'm thinking of going beyond certificates and instead hash-coding the actual code for each released version. This would allow 3rd parties to distribute software from any website or install from disk images passed around some other way. It is not a cure, but for average consumers buying mainstream software I think this could be made to work.



    The rest is about making sure the process is in the user's face. Computers are the ideal teaching tool and there's no excuse for putting up an approval dialog designed by geeks and expecting people to know what the consequences are. There are no novice users; they are customers.
  • Reply 14 of 123
    magicj Posts: 406, member
    Quote:
    Originally Posted by solipsism

    That's a shortsighted and ignorant comment. Do you really expect people not to use PCs until they are experts at using PCs?



    LOL! Do you honestly believe not installing software you know nothing about is anything more than basic common sense?
  • Reply 15 of 123
    ascii Posts: 5,936, member
    Quote:
    Originally Posted by Wiggin

    That's all well-and-good...unless your software doesn't meet Apple's guidelines for software in the Mac App Store. There is plenty of legit, useful software that simply can not be distributed via the App Store because of Apple's rules.



    The only major *technical* restrictions on App Store apps are no access to system folders and no kernel extensions. Heck, they can even install background processes as long as they ask the user first. So I think in terms of native Mac apps, the vast majority should be compatible with the app store.



    As for licensing issues, Apple insists on per user licenses, not per-machine. In a commercial/server-side setting per-machine makes sense, but for consumers I think per-machine is BS. And free apps are allowed on the App Store for open source apps whose license doesn't allow charging.



    There is loads of great software you can install with MacPorts that would be incompatible. But people who are technically savvy enough to be installing and compiling open source apps probably wouldn't fall for a malware web page, so they can safely switch on the hypothetical install-from-anywhere security setting.



    I just think, on balance, given how trusting a lot of people are, it might be better to only allow installing from physical media or the App Store unless explicitly overridden. Then Apple wouldn't have to waste time and resources playing cat and mouse with Russian scammers.
  • Reply 16 of 123
    tallest skil Posts: 43,388, member
    Quote:
    Originally Posted by PUFF_DADDY

    Very Vegas punt swordplay! Strange graphics and profound.

    Really Vegas crippled playact! Confusing art class and sound.



    Nice poetry. Get bent.



    What's so mind-blowing about malware that you must consciously install and then consciously give your credit card number?
  • Reply 17 of 123
    enjourni Posts: 254, member
    Quote:
    Originally Posted by ascii

    I think downloaded files (ones with the Safari download extended attributes) should not be able to be run ever, unless a security preferences override is set.



    I'm sorry for people who sell their software through the web, but you chose to use an insecure deployment platform when the App Store was available.



    lol. Your "insecure deployment platform" is also called the internet, which relies on downloading to do anything for anyone. Web pages? Downloaded. Email? Downloaded. Chat? Downloaded. Draconian security measures like locking out the entire internet are what they do in China. Here, I actually want to be able to run what I download.



    And if you think the App Store keeps you safe, wait till hackers create poisoned apps that after you install bypass app store restrictions.



    You are "saved" by using your mind and THINKING before you install something, not by apple putting you behind a walled garden.
  • Reply 18 of 123
    adonissmu Posts: 1,776, member
    Quote:
    Originally Posted by ascii

    The only major *technical* restrictions on App Store apps are no access to system folders and no kernel extensions. Heck, they can even install background processes as long as they ask the user first. So I think in terms of native Mac apps, the vast majority should be compatible with the app store.



    As for licensing issues, Apple insists on per user licenses, not per-machine. In a commercial/server-side setting per-machine makes sense, but for consumers I think per-machine is BS. And free apps are allowed on the App Store for open source apps whose license doesn't allow charging.



    There is loads of great software you can install with MacPorts that would be incompatible. But people who are technically savvy enough to be installing and compiling open source apps probably wouldn't fall for a malware web page, so they can safely switch on the hypothetical install-from-anywhere security setting.



    I just think, on balance, given how trusting a lot of people are, it might be better to only allow installing from physical media or the App Store unless explicitly overridden. Then Apple wouldn't have to waste time and resources playing cat and mouse with Russian scammers.



    That makes sense.
  • Reply 19 of 123
    adonissmu Posts: 1,776, member
    Quote:
    Originally Posted by enjourni

    lol. Your "insecure deployment platform" is also called the internet, which relies on downloading to do anything for anyone. Web pages? Downloaded. Email? Downloaded. Chat? Downloaded. Draconian security measures like locking out the entire internet are what they do in China. Here, I actually want to be able to run what I download.



    And if you think the App Store keeps you safe, wait till hackers create poisoned apps that after you install bypass app store restrictions.



    You are "saved" by using your mind and THINKING before you install something, not by apple putting you behind a walled garden.



    I like the walled garden approach. I think the benefits outweigh the downsides for me.
  • Reply 20 of 123
    ascii Posts: 5,936, member
    Quote:
    Originally Posted by enjourni

    You are "saved" by using your mind and THINKING before you install something, not by apple putting you behind a walled garden.



    You are saved by *someone* thinking before you install something. But that doesn't have to be you. It could be an App Store reviewer who is a professional at checking apps, with a bunch of malware scanners and other tools at his disposal.