MAC Defender variant quickly thwarts Apple's Mac OS X security update [u]
Update: Quickly after the variant was released, Apple responded in kind in the ongoing cat-and-mouse game and updated its anti-malware definitions to address the latest version of the software.
As first reported by Ed Bott at ZDNet, the new variation of MAC Defender, named "Mdinstall.pkg," has been crafted to bypass the new malware-blocking code made available by Apple. That update for Mac OS X, Security Update 2011-003, was released on Tuesday.
"The file has a date and time stamp from last night at 9:24PM Pacific time," Bott wrote. That's less than 8 hours after Apple's security update was released. On a test system using Safari with default settings, it behaved exactly as before, beginning the installation process with no password required.
"As PC virus experts know, this cat-and-mouse game can go on indefinitely. Your move, Apple."
Security Update 2011-003 included changes to the File Quarantine feature found in Mac OS X 10.6 Snow Leopard. The update adds anti-malware definitions to the operating system itself and checks files downloaded through Mail, iChat, Safari, or other quarantine-aware applications against them.
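File Quarantine keys off the com.apple.quarantine extended attribute that Safari, Mail and other quarantine-aware applications stamp on downloads. The following Python helper is an added example, not code from the article or from Apple: it decodes that attribute so the originating application and download time of a file can be checked during triage. The four-field layout (flags;timestamp;agent;uuid), the use of the xattr CLI, and the sample values are assumptions constructed for the example.

```python
"""Decode com.apple.quarantine extended-attribute values for download triage."""
from __future__ import annotations

import subprocess
from datetime import datetime, timezone
from typing import NamedTuple

# Assumed layout of the attribute value (constructed for this example):
#   "<flags, hex>;<download time, hex seconds since epoch>;<agent name>;<UUID>"
QUARANTINE_XATTR = "com.apple.quarantine"


class QuarantineInfo(NamedTuple):
    flags: int            # bitfield kept as-is; semantics are not decoded here
    downloaded_at: datetime
    agent: str            # application that wrote the attribute, e.g. Safari
    uuid: str


def parse_quarantine(value: str) -> QuarantineInfo:
    """Decode one attribute value; raise ValueError on malformed input."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    when = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    uuid = parts[3] if len(parts) > 3 else ""
    return QuarantineInfo(flags, when, parts[2], uuid)


def read_quarantine(path: str) -> QuarantineInfo | None:
    """Read the attribute from a real file (macOS only; shells out to `xattr -p`)."""
    proc = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                          capture_output=True, text=True)
    if proc.returncode != 0 or not proc.stdout.strip():
        return None  # no attribute: not downloaded by a quarantine-aware app
    return parse_quarantine(proc.stdout)


# Constructed sample values; the UUIDs and timestamps are not from any real system.
SAMPLE_VALUES = {
    "Mdinstall.pkg": "0081;4dda6f30;Safari;DEADBEEF-0000-4000-8000-000000000001",
    "notes.txt": "0001;4dda7000;Mail;DEADBEEF-0000-4000-8000-000000000002",
}


def triage(values: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (file, agent, ISO download time) rows, oldest download first."""
    rows = [(name, parse_quarantine(v)) for name, v in values.items()]
    rows.sort(key=lambda r: r[1].downloaded_at)
    return [(n, i.agent, i.downloaded_at.isoformat()) for n, i in rows]
```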
The MAC Defender malware first gained attention in early May, when it was spotted by an antivirus company. The program downloads automatically in Web browsers through JavaScript and originally required users to enter an administrator password, but a more recent variant does not ask for one.
Some reports have suggested that the "MAC Defender" malware has spread quickly, with Bott earlier citing an anonymous AppleCare representative who reportedly said the "overwhelming majority" of recent calls to Apple were related to the malware. Last week, Apple posted instructions on its site explaining how to remove the malware.
This sh script has been shared around between Apple specialists, it removes all forms of this malware (even this latest version):
http://www.2shared.com/file/1pW0x9Pv...eDefender.html
It's a mug's game playing cat and mouse with these people, a waste of resources.
I think downloaded files (ones with the Safari download extended attributes) should not be able to be run ever, unless a security preferences override is set.
I'm sorry for people who sell their software through the web, but you chose to use an insecure deployment platform when the App Store was available.
Ten years in the slammer for anybody convicted of hacking commercial sites.
One conviction and the rats will be off the ship in a heartbeat.
BTW, 10 years without parole as federal laws dictate.
Anyone really surprised by this?
Does Apple, or any other anti-virus software, in any way hide or encrypt how they identify the malware? If the signature they use to ID the threat is easily discovered, it's trivial for the malware to be modified to avoid detection. I don't think Apple's Software Update mechanism is up to the task of distributing updated definitions effectively enough to address any serious threats. Too much user involvement in the process.
I never let SU automatically install anything because I'm paranoid and let all the rest of you test Apple's updates for me before I install them.
I doubt the security update blocks re-installation of said malware. It probably removes the newest version if rerun.