Posted on 06/01/2011 8:10:35 AM PDT by Wooly
Update June 1, 6:00AM PDT: The bad guys have wasted no time. Hours after Apple released this update and the initial set of definitions, a new variation of Mac Defender is in the wild. This one has a new name, Mdinstall.pkg, and it has been specifically formulated to skate past Apple's malware-blocking code.
The file has a date and time stamp from last night at 9:24PM Pacific time. That's less than 8 hours after Apple's security update was released.
On a test system using Safari with default settings, it behaved exactly as before, beginning the installation process with no password required.
As PC virus experts know, this cat-and-mouse game can go on indefinitely. Your move, Apple.
I've also captured a video that shows the File Quarantine feature successfully blocking an attempt to automatically install the Mac Guard malware. See below.
After a month-long Mac Defender/Mac Guard malware attack, Apple has finally released the security update it promised last week. The update takes Apple one step closer to turning an obscure security feature into something very close to full-fledged antivirus software.
(Excerpt) Read more at zdnet.com ...
More caveats. I guess people could say the same about most of the malware on Windows--even Windows XP. Yes if the user wasn't logged in as an admin that malware never would have been installed on the user's machine. I remember Microsoft tried to use that line before...it resulted in them revamping their security system because they knew that was a load of garbage answer.
I heard if you replace a hard drive you need a special connector and when OSX detects it's not Apple's version of the hard drive your computer case fans make all kinds of noise running at top speed. If so, that's not very open.
Actually this year I heard OSX was taken down in 5 seconds by Canadians. I could be wrong, but how are Canadians ex-NSA? And besides does that mean the chicoms and ruskies can’t attack it since they aren’t part of the NSA? Do only American NSA types have the ability to attack MACS?
Oh yea, 4 years running now OSX was the first one hacked! I wonder how many more are being attacked in the wild and just not reported. 4 years in a row...that’s a pretty bad record. It’s almost as if Microsoft is behind this because no way could such a secure OS be the first to fall 4 years in a row without the big bad Microsoft being behind it. I bet that’s the excuse next year when OSX loses again.
There you go...3 clicks means it doesn’t count! What if the malware writer gets it down to 2 or 1 clicks...does that malware count now?
I just think everyone should take Apple's advice and install a 3rd party AV product on their machines. Or are you suggesting Apple is wrong when they suggest 3rd party AV?
Right on!
Put a mark on the calendar! Finally -- a statement by 4qc with which we can all agree! '-)
I run my Macs without third party AV stuff because they won't be as quick to fix a problem as Apple, nor as diligent. I also know better than to listen to people with an axe to grind, and you are at the top of that list.
I've trusted SM for a long time on FR and his advice has given me the ability to know how to avoid such attacks. You usually add nothing to conversation, but complaints about Apple folk and products.
I detest mosquitos because they are irritants, without benefit... and you fall under them in rank!
I see... You made the claim that the Mac is a "closed" system. When I pointed out that you were in error... and that the Mac is actually UNIX, one of the four so entitled to bear that trade mark, you attack me and go on to show you ARE closed minded about it. My point is that you refuse to consider the actual facts. You have made up your mind. UNIX, and all of its customizable tweaking and programming power, are exactly two clicks away from the desktop, but YOU refuse to find out. That's why I questioned your openness. You on the other hand, insult Mac users.
Red Hat Linux is not a certified Unix system and can never be. Do you understand what certified UNIX means?
"What ifs" haven't happened. All this does is launch the standard installer... IF you have "Open 'safe' files after download" checked in Safari's preferences. Uncheck that and it will not even go that far. Malware cannot cause clicks to happen, or even invoke scripts in a downloaded file on a Mac.
The real question is, why does this please a few PC users so greatly? They are ecstatic about someone else’s misfortune? That seems a little sick to me.
I didn’t know to do that until I learned it here.
I really don’t understand what you mean by cult. I like my Mac, but define cult for me.
OK well perhaps there are people who allow everything to automatically download and open? I changed mine the first day and did the same thing with all of the Windows machines I’ve ever owned, just like being more in control of things I guess?
OK well perhaps there are more people who allow everything to automatically download and open than I thought? I changed mine the first day and did the same thing with all of the Windows machines I’ve ever owned, just like being more in control of things I guess?
Speaking of idiots.....
Ok, so I agree with Apple and you don’t. They recommend a 3rd party AV, which was able to identify and isolate the latest “viruses” on the Mac much quicker than Apple did.
So if you trust Apple you’d probably be wise to take their advice and get a 3rd party AV. Or you can defy the genius of Apple and not follow their advice.
Choice is yours.
I don’t download much (mostly my son walks me thru anything I download). I am mostly a non-clicker.
Yep macdefender is different than mac guard. Mac Defender needs the password whereas Mac Guard does not. So no, the version of the malware that your wife attracted wasn't the more harsh variety of Mac Defender.