New Apple antivirus signatures bypassed within hours by malware authors

2011-05-31

Ed Bott

http://www.zdnet.com/blog/bott/new-apple-antivirus-signatures-bypassed-within-hours-by-malware-authors-update/3396?tag=nl.e539

Update June 3, 5:00AM PDT: The cat-and-mouse game continues. Apple has now released the fourth update to its XProtect definitions list covering all five known versions of the Mac Defender software. (The latest release uses the name Mac Shield and is detected as OSX.MacDefender.E.) Here’s a snippet from the latest definition file:

Update June 1, 6:00AM PDT: The bad guys have wasted no time. Hours after Apple released this update and the initial set of definitions, a new variation of Mac Defender is in the wild. This one has a new name, Mdinstall.pkg, and it has been specifically formulated to skate past Apple’s malware-blocking code.

The file has a date and time stamp from last night at 9:24PM Pacific time. That’s less than 8 hours after Apple’s security update was released.

On a test system using Safari with default settings, it behaved exactly as before, beginning the installation process with no password required.

As PC virus experts know, this cat-and-mouse game can go on indefinitely. Your move, Apple.

Update June 2, 4:45AM PDT: Apple has updated its XProtect signatures to address the most recent version of Mac Defender. The signatures, which Apple began pushing out via the new automatic update mechanism sometime on June 1, now cover three variants of the malware. Here’s the detection result for the third variant, OSX.MacDefender.C:

It’s worth noting that the automatic updater runs at startup or every 24 hours. On my test system, I had to force a manual update before the new signatures were available. Had I not done so, I would have had to wait until the 24-hour clock expired.

I’ve also captured a video that shows the File Quarantine feature successfully blocking an attempt to automatically install the Mac Guard malware. See below.

After a month-long Mac Defender/Mac Guard malware attack, Apple has finally released the security update it promised last week. The update takes Apple one step closer to turning an obscure security feature into something very close to full-fledged antivirus software.

Security Update 2011-003 includes changes to the File Quarantine feature, which, beginning with Snow Leopard, also performs antimalware checks on files downloaded through web browsers, e-mail, and other common paths. The update adds definitions for Mac Defender and its known variants, as well as an automated removal tool. It works only with the most recent version of Snow Leopard, 10.6.7. Earlier versions of OS X are apparently not included.

[...]