Apple releases a security upgrade that adds the MacDefender definition to File Quarantine along with an update feature that will refresh malware definitions to keep up with emerging threats and a malware removal tool.
Apple rolled out its MacDefender removal tool in its latest security update to detect and remove the fake antivirus for Mac OS X from affected systems.
The OSX.MacDefender.A definition was added to the quarantine list in Apple's Security Update 2011-003, released May 31. Once the update has been installed, the system will search for and remove known variants of the MacDefender malware, including MacDefender, MacProtector, MacSecurity and MacGuard. If a known variant is found and deleted, the user will be notified via an alert after the update finishes installation.
After almost three weeks of near-silence as fake antivirus programs targeting Mac OS X first emerged in early May, Apple acknowledged the problem and provided instructions on how to manually remove the scareware in a support note on May 24. The company also promised an automatic malicious software removal tool, which was included in this security update.
Beginning with Snow Leopard, Apple included a way to block "unsafe file types" and malicious software via its File Quarantine feature. When the user opens or downloads a file, the system quickly checks the list of known malicious software to determine whether the file contains known malicious software, according to a support note. Up until now, the list was stored locally and updated infrequently.
With the latest update, Apple has added an auto-update capability that runs in the background. The system will check daily for updates to the File Quarantine malware definition list. Users can opt out of the scan by unchecking the "Automatically update safe downloads list" option in Security Preferences.
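To make the two mechanisms described above concrete, here is an added example (not Apple's code and not how File Quarantine is actually implemented) that models a definition-based check on a downloaded file together with a daily, user-controllable definition refresh. The definition names other than OSX.MacDefender.A, the byte patterns, the file contents and the dates are constructed for illustration; the rule that every pattern in a definition must appear for a match is an assumption of this model.

```python
# Added example, not Apple's code: a toy model of a File Quarantine-style
# definition check plus a daily background refresh of the definition list.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Definition:
    name: str
    patterns: List[bytes]  # constructed rule: every pattern must occur in the file


# Constructed definition list. OSX.MacDefender.A is the name Apple shipped;
# the patterns and the EXAMPLE.* entries are placeholders for this demo.
DEFINITIONS: Dict[str, Definition] = {
    "OSX.MacDefender.A": Definition("OSX.MacDefender.A", [b"MacDefender", b"Scan now"]),
    "EXAMPLE.MacGuard": Definition("EXAMPLE.MacGuard", [b"MacGuard"]),
}


def match_definition(data: bytes, definitions: Dict[str, Definition] = DEFINITIONS) -> Optional[str]:
    """Return the name of the first definition whose patterns all occur in data, else None."""
    for definition in definitions.values():
        if all(pattern in data for pattern in definition.patterns):
            return definition.name
    return None


@dataclass
class QuarantineState:
    definitions: Dict[str, Definition]
    last_refresh: datetime
    auto_update: bool = True  # models "Automatically update safe downloads list"
    log: List[str] = field(default_factory=list)


def refresh_due(state: QuarantineState, now: datetime, interval: timedelta = timedelta(days=1)) -> bool:
    """True when the background job should fetch new definitions (daily, unless opted out)."""
    return state.auto_update and (now - state.last_refresh) >= interval


def apply_refresh(state: QuarantineState, fetched: Dict[str, Definition], now: datetime) -> List[str]:
    """Merge freshly fetched definitions into the local list; return the newly added names."""
    added = [name for name in fetched if name not in state.definitions]
    state.definitions.update(fetched)
    state.last_refresh = now
    return added


def quarantine_open(state: QuarantineState, filename: str, data: bytes) -> bool:
    """Decide whether a downloaded file may open. True allows it, False blocks it."""
    hit = match_definition(data, state.definitions)
    if hit is not None:
        state.log.append(f"blocked {filename}: matched {hit}")
        return False
    state.log.append(f"allowed {filename}: no definition matched")
    return True


if __name__ == "__main__":
    # Constructed scenario: a renamed variant slips past a stale list,
    # then is blocked once the daily refresh adds a definition for it.
    state = QuarantineState(dict(DEFINITIONS), last_refresh=datetime(2011, 5, 31))
    sample = b"constructed installer bytes ... MacSecurity ... Scan now"
    print("before refresh, allowed:", quarantine_open(state, "MacSecurity.pkg", sample))
    now = datetime(2011, 6, 1, 0, 0, 1)
    if refresh_due(state, now):
        fetched = {"EXAMPLE.MacSecurity": Definition("EXAMPLE.MacSecurity", [b"MacSecurity"])}
        print("added definitions:", apply_refresh(state, fetched, now))
    print("after refresh, allowed:", quarantine_open(state, "MacSecurity.pkg", sample))
    for line in state.log:
        print(line)
```

The scenario in the `__main__` block is the point of the article's later remark about renamed variants: a list that is only refreshed occasionally lets a newly renamed sample through, and the user-visible protection is only as current as the last definition fetch, which is why the opt-out flag matters as a risk decision.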
Even if a user didn't have MacDefender installed initially, File Quarantine will kick in and block the program from being downloaded if the user happens to come across it at a later time. Considering that fake AV scams tend to change their names and user interface almost continuously, Apple will have to regularly update File Quarantine to ensure it stays ahead of future MacDefender variants.
The scam has been pretty widespread, with poisoned links appearing on Google image searches and other legitimate pages, although it appears that Google has been able to track down and remove a number of malicious links. ZDNet's Ed Bott estimated that the total number of customers affected could be between 60,000 and 125,000, "and growing."
When users stumble upon MacDefender rogue sites, their computers display a window that resembles a Finder window and claims to be "scanning" their system. The site then warns users that their Macs have been infected and that they should download an antivirus scanner to clean the infection. The scareware also launches pop-up windows with adult-content ads every few minutes to perpetuate the impression that the user has been infected. Users are scammed into providing a credit card number to purchase the antivirus software.
There are several variants currently in circulation, with names such as MacDefender, MacProtector, MacSecurity and Apple Security Center. MacGuard was a late addition and was able to install itself onto the Mac without requiring the user to enter an administrator password. MacGuard exploited the "Open 'safe' files after downloading" option in Safari, which allowed the program to run automatically without any user interaction.
Apple made a "poor decision" by enabling this option by default and should consider turning it off in future versions, said Graham Cluley, senior technology consultant at Sophos. Apple did not address Safari in this Security Update.
The 2.1MB update is available via Software Update or from Apple Downloads. File Quarantine is available for the most recent versions of OS X 10.6.7 (Snow Leopard). Earlier versions of Mac OS X are not included in this update.