Apple and 'Mac Defender' Malware Authors Continue Cat-and-Mouse Game

Monday June 20, 2011 8:54 AM PDT by Eric Slivka
It has been seven weeks since the "Mac Defender" malware first gained significant publicity, and we've seen Apple in response step up its anti-malware efforts with the release of a security update late last month that not only addressed the known Mac Defender variants at that time but also introduced daily checks for new malware definitions. The action significantly expanded the rudimentary anti-malware capabilities introduced with the launch of Mac OS X Snow Leopard.

The creators of the "Mac Defender" malware have not, however, given up in the face of Apple's increased defenses, moving within hours to release a new variant evading detection. Apple responded quickly, however, adding new definitions to detect the variant within a day.


That cat-and-mouse game has continued for the past three weeks, with Apple issuing new malware definitions on a nearly daily basis and the File Quarantine functionality defined by Apple's updated Xprotect.plist file now detecting 15 different variants of Mac Defender. While reports of users falling for the ruse and installing Mac Defender have declined in recent weeks as increasing numbers of users have installed the security update and had their anti-malware definitions updated, some users are still reporting difficulties stemming from the software.

Consequently, it seems reasonable to conclude that Apple has significantly eaten into the profitability of the existing Mac Defender scam, but it is unclear whether the malware writers will simply continue to slightly tweak the existing implementation and infect however many computers they can before Apple quickly updates the definitions or if they (and undoubtedly others) have broader plans in mind now that they have determined how Apple is addressing the threat.

45 comments


Top Rated Comments

(View all)
Avatar
dukebound85
108 months ago

Yes, OS X is more secure than Windows, but it will only be a matter of time before we will get many more virusses on OS X.

The virusses will be harder to make of course, but it's a logical result of the popularity of the mac platform.


I don't think you know what a virus is if you think macdefender is one
Rating: 17 Votes
Avatar
notjustjay
108 months ago
OK, so at this point, aren't we solving the wrong problem?

Someone is out there, continually writing and rewriting variants of MacDefender to overcome each of Apple's moves to block it.

Why are we not able to find them and arrest them?

Presumably this is not some teenage hacker looking for fame and glory. There is an actual attempt to profit from this scam by "selling" MacDefender services, right? That means credit cards and bank accounts, right? Doesn't that mean they can be traced?
Rating: 4 Votes
Avatar
kolax
108 months ago
This is why the Mac App Store is good.

Ok, you have to be an idiot to install this malware, but if all the main pieces of software for the Mac were available through the Mac App Store, then there wouldn't be a worry. For now.
Rating: 3 Votes
Avatar
NAG
108 months ago

That's just not true. How many times did an app (for iOS) included an unadvertised feature and got through the review? Just last week, this guy who said he 'just' collected passwords, set for his applications (without IP or other user information; we can be sure that not advertising the IP is ********). And about the jailbreaks? How many exploits aren't know to the public you think? The same goes for OS X.


Compared to how many trojans in the various Android marketplaces? Like it or not, curation significantly decreases malware. Openness (or whatever it is that Google is selling) can't protect someone who is not as computer savvy.

I don't think anyone is arguing that the various Apple app stores are completely safe. Apple obviously isn't going through the programs line by line and doing a full audit before publishing an app to the store. They could do better too (too many SEO apps in the store preying on people who just do a simple search). I feel it is a better environment for most users, though.

Essentially, Apple should get rid of that stupid open "safe" preference (ignoring how it is default for some stupid reason) and default new installs to only let you get apps from the app store with a preference somewhere for you to let you use apps from elsewhere. I.E. make people show they have sufficient skill to not fall prey to trojans that go after low hanging fruit.
Rating: 3 Votes
Avatar
euphlyusUNO
108 months ago

So you're saying that Apple is behind this malware and is using it as a way to scare people into only installing software via the Mac App Store??? :eek:
I'm kidding, of course, but let's see how many down arrows this post'll get.

Plenty of other file types will still need to be downloaded and double clicked and the contents of a DMG can contain executables alongside other files. Maybe more context about the opening a file and what it can do would be useful in the password challenge boxes that OS X shows would help.



The way I see it, there are two major threats\entry points which expose a Mac to malware: Apps & Safari (or any other browser). If Apple has more control over the apps (through Mac App Store), and works MORE (a lot more actually) on Safari's security, then I think the Mac will be a more secure system.
Rating: 2 Votes
Avatar
andys53
108 months ago
But

The way I see it, there are two major threats\entry points which expose a Mac to malware: Apps & Safari (or any other browser). If Apple has more control over the apps (through Mac App Store), and works MORE (a lot more actually) on Safari's security, then I think the Mac will be a more secure system.


It's already perfectly secure, users maybe aren't but you can't blame Apple for that.
Rating: 2 Votes
Avatar
justinfreid
108 months ago

The way I see it, there are two major threats\entry points which expose a Mac to malware: Apps & Safari (or any other browser). If Apple has more control over the apps (through Mac App Store), and works MORE (a lot more actually) on Safari's security, then I think the Mac will be a more secure system.


Sure, those are two of the most important vectors, but I think you also have to consider USB memory sticks and network based file sharing, especially with the addition of AirDrop in Lion, as sources of infection.
Apple seems to have chosen to maintain an ever growing blacklist to keep known malware out of OS X. That's a pretty tall order, but hopefully they can stay ahead of the game.
Rating: 2 Votes
Avatar
justinfreid
108 months ago
Cat vs. Cat?

This is why the Mac App Store is good.

Ok, you have to be an idiot to install this malware, but if all the main pieces of software for the Mac were available through the Mac App Store, then there wouldn't be a worry. For now.


So you're saying that Apple is behind this malware and is using it as a way to scare people into only installing software via the Mac App Store??? :eek:
I'm kidding, of course, but let's see how many down arrows this post'll get.

Plenty of other file types will still need to be downloaded and double clicked and the contents of a DMG can contain executables alongside other files. Maybe more context about the opening a file and what it can do would be useful in the password challenge boxes that OS X shows would help.
Rating: 1 Votes
Avatar
interrobang
108 months ago

OK, so at this point, aren't we solving the wrong problem?

Someone is out there, continually writing and rewriting variants of MacDefender to overcome each of Apple's moves to block it.

Why are we not able to find them and arrest them?

Presumably this is not some teenage hacker looking for fame and glory. There is an actual attempt to profit from this scam by "selling" MacDefender services, right? That means credit cards and bank accounts, right? Doesn't that mean they can be traced?


They're typically in Russia, China, Vietnam, or another country that doesn't care what its nationals do to foreigners over the Internet and won't extradite or prosecute. Sometimes they're westerners who set up accounts and fronts overseas.

They're traceable, sure, but there's nothing you can do when you find them. And they're small-time enough that the FBI just shakes its bureaucratic head and says, "Hope you learned your lesson, be more careful next time."
Rating: 1 Votes
Avatar
morespce54
108 months ago

This is why the Mac App Store is good.

Ok, you have to be an idiot to install this malware, but if all the main pieces of software for the Mac were available through the Mac App Store, then there wouldn't be a worry. For now.


The MAS may be a good idea but it's far from perfect. First off, apps and extensions like Little Snitch, Perian, Mac Fuse, Quicksilver and so on will never be available through the MAS (with the current rules) but they're essential tools for a lot of us...
Rating: 1 Votes
[ Read All Comments ]