It’s a game of whack-a-mole.
Apple pushed out a security update that could detect and remove known MacDefender variants from Mac OS X (Snow Leopard) on May 31. A new version of the fake antivirus that could get past Apple’s File Quarantine was spotted in the wild less than eight hours later.
The latest version of MacDefender is called Mdinstall.pkg, and tricks users into installing the scareware. Like its predecessors, it nags users with pop-ups and fake alerts until they enter a credit card number to remove the supposed infection. It bypassed Apple’s detection by using a small downloader program to trick the user into thinking there was malware. The program then downloaded the actual rogue software.
Apple added an auto-mechanism to File Quarantine so that the company can push out new malware definitions every 24-hours without having to roll out a new security update each time. Here is to hoping that Apple is going to move quickly on the updated signature to protect users from this and other variants that is sure to pop up in the coming days. Apple needs to acknowledge that Macs aren’t bullet-proof and act quickly to protect their customers.
UPDATED June 2, 9:28am: Apple has updated File Quarantine with OSX.MacDefender.C to address the latest mutation. It may be worth running a manual update instead of waiting for the 24-hour update window.
This approach may be successful as it will be easier for the malware authors to continually make small changes to the downloader program to evade detection while leaving the fake anti-virus program largely unchanged, according to Chester Wisniewski, a senior security advisor at Sophos. “If the bad guys can continually mutate the download, XProtect will not detect it and will not scan the files downloaded by this retrieval program,” Wisniewski said.
Apple users need to stop thinking that Macs are innately more secure and adopt basic security practices, such as installing and maintaining security software and being careful when downloading applications.
While Apple’s XProtect feature (using File Quarantine) can detect MacDefender, it’s not a full antivirus. It only scans files that are marked by browsers after being downloaded and doesn’t do real-time scanning. Its rudimentary signature-based scanner that cannot handle sophisticated generic update definitions, Wisniewski said.