Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,290
30,364



It has been seven weeks since the "Mac Defender" malware first gained significant publicity, and we've seen Apple in response step up its anti-malware efforts with the release of a security update late last month that not only addressed the known Mac Defender variants at that time but also introduced daily checks for new malware definitions. The action significantly expanded the rudimentary anti-malware capabilities introduced with the launch of Mac OS X Snow Leopard.

The creators of the "Mac Defender" malware have not, however, given up in the face of Apple's increased defenses, moving within hours to release a new variant evading detection. Apple responded quickly, however, adding new definitions to detect the variant within a day.

macdefender_definitions_061911.jpg



That cat-and-mouse game has continued for the past three weeks, with Apple issuing new malware definitions on a nearly daily basis and the File Quarantine functionality defined by Apple's updated Xprotect.plist file now detecting 15 different variants of Mac Defender. While reports of users falling for the ruse and installing Mac Defender have declined in recent weeks as increasing numbers of users have installed the security update and had their anti-malware definitions updated, some users are still reporting difficulties stemming from the software.

Consequently, it seems reasonable to conclude that Apple has significantly eaten into the profitability of the existing Mac Defender scam, but it is unclear whether the malware writers will simply continue to slightly tweak the existing implementation and infect however many computers they can before Apple quickly updates the definitions or if they (and undoubtedly others) have broader plans in mind now that they have determined how Apple is addressing the threat.

Article Link: Apple and 'Mac Defender' Malware Authors Continue Cat-and-Mouse Game
 

iekozz

macrumors member
Nov 9, 2009
36
21
Amsterdam
Yes, OS X is more secure than Windows, but it will only be a matter of time before we will get many more virusses on OS X.

The virusses will be harder to make of course, but it's a logical result of the popularity of the mac platform.
 

kolax

macrumors G3
Mar 20, 2007
9,181
115
This is why the Mac App Store is good.

Ok, you have to be an idiot to install this malware, but if all the main pieces of software for the Mac were available through the Mac App Store, then there wouldn't be a worry. For now.
 

justinfreid

macrumors 6502a
Nov 24, 2009
501
23
NEW Jersey / USA
Cat vs. Cat?

This is why the Mac App Store is good.

Ok, you have to be an idiot to install this malware, but if all the main pieces of software for the Mac were available through the Mac App Store, then there wouldn't be a worry. For now.

So you're saying that Apple is behind this malware and is using it as a way to scare people into only installing software via the Mac App Store??? :eek:
I'm kidding, of course, but let's see how many down arrows this post'll get.

Plenty of other file types will still need to be downloaded and double clicked and the contents of a DMG can contain executables alongside other files. Maybe more context about the opening a file and what it can do would be useful in the password challenge boxes that OS X shows would help.
 
Last edited:

dukebound85

macrumors Core
Jul 17, 2005
19,118
4,096
5045 feet above sea level
Yes, OS X is more secure than Windows, but it will only be a matter of time before we will get many more virusses on OS X.

The virusses will be harder to make of course, but it's a logical result of the popularity of the mac platform.

I don't think you know what a virus is if you think macdefender is one
 

euphlyusUNO

macrumors member
Jun 16, 2011
84
0
It's good to see Apple is taking the Malware seriously and reacting fast, but I wonder how long will they be able to keep up with such attacks? Will we also have to deal with the madness of third-party anti-malware\virus softwares? I hope not!

@iekozz: I wouldn't say OS X is secure, I'd rather say it's safe (if you knw what i mean)
 

C00rDiNaT0r

macrumors 6502
Jan 12, 2006
254
49
New York, New York
Can't Apple build some kind of sandbox mechanism that simulates an install and scan for text strings like "credit card" from the app's popup dialog boxes? That way they can warn the users before they actually install the app.
 

euphlyusUNO

macrumors member
Jun 16, 2011
84
0
So you're saying that Apple is behind this malware and is using it as a way to scare people into only installing software via the Mac App Store??? :eek:
I'm kidding, of course, but let's see how many down arrows this post'll get.

Plenty of other file types will still need to be downloaded and double clicked and the contents of a DMG can contain executables alongside other files. Maybe more context about the opening a file and what it can do would be useful in the password challenge boxes that OS X shows would help.


The way I see it, there are two major threats\entry points which expose a Mac to malware: Apps & Safari (or any other browser). If Apple has more control over the apps (through Mac App Store), and works MORE (a lot more actually) on Safari's security, then I think the Mac will be a more secure system.
 

Sjhonny

macrumors 6502
Feb 25, 2011
287
0
The land of the cucumbers
This is why the Mac App Store is good.

Ok, you have to be an idiot to install this malware, but if all the main pieces of software for the Mac were available through the Mac App Store, then there wouldn't be a worry. For now.

That's just not true. How many times did an app (for iOS) included an unadvertised feature and got through the review? Just last week, this guy who said he 'just' collected passwords, set for his applications (without IP or other user information; we can be sure that not advertising the IP is ********). And about the jailbreaks? How many exploits aren't know to the public you think? The same goes for OS X.
 

NAG

macrumors 68030
Aug 6, 2003
2,821
0
/usr/local/apps/nag
That's just not true. How many times did an app (for iOS) included an unadvertised feature and got through the review? Just last week, this guy who said he 'just' collected passwords, set for his applications (without IP or other user information; we can be sure that not advertising the IP is ********). And about the jailbreaks? How many exploits aren't know to the public you think? The same goes for OS X.

Compared to how many trojans in the various Android marketplaces? Like it or not, curation significantly decreases malware. Openness (or whatever it is that Google is selling) can't protect someone who is not as computer savvy.

I don't think anyone is arguing that the various Apple app stores are completely safe. Apple obviously isn't going through the programs line by line and doing a full audit before publishing an app to the store. They could do better too (too many SEO apps in the store preying on people who just do a simple search). I feel it is a better environment for most users, though.

Essentially, Apple should get rid of that stupid open "safe" preference (ignoring how it is default for some stupid reason) and default new installs to only let you get apps from the app store with a preference somewhere for you to let you use apps from elsewhere. I.E. make people show they have sufficient skill to not fall prey to trojans that go after low hanging fruit.
 

notjustjay

macrumors 603
Sep 19, 2003
6,056
167
Canada, eh?
OK, so at this point, aren't we solving the wrong problem?

Someone is out there, continually writing and rewriting variants of MacDefender to overcome each of Apple's moves to block it.

Why are we not able to find them and arrest them?

Presumably this is not some teenage hacker looking for fame and glory. There is an actual attempt to profit from this scam by "selling" MacDefender services, right? That means credit cards and bank accounts, right? Doesn't that mean they can be traced?
 

justinfreid

macrumors 6502a
Nov 24, 2009
501
23
NEW Jersey / USA
The way I see it, there are two major threats\entry points which expose a Mac to malware: Apps & Safari (or any other browser). If Apple has more control over the apps (through Mac App Store), and works MORE (a lot more actually) on Safari's security, then I think the Mac will be a more secure system.

Sure, those are two of the most important vectors, but I think you also have to consider USB memory sticks and network based file sharing, especially with the addition of AirDrop in Lion, as sources of infection.
Apple seems to have chosen to maintain an ever growing blacklist to keep known malware out of OS X. That's a pretty tall order, but hopefully they can stay ahead of the game.
 

morespce54

macrumors 65816
Apr 30, 2004
1,331
11
Around the World
This is why the Mac App Store is good.

Ok, you have to be an idiot to install this malware, but if all the main pieces of software for the Mac were available through the Mac App Store, then there wouldn't be a worry. For now.

The MAS may be a good idea but it's far from perfect. First off, apps and extensions like Little Snitch, Perian, Mac Fuse, Quicksilver and so on will never be available through the MAS (with the current rules) but they're essential tools for a lot of us...
 

derbothaus

macrumors 601
Jul 17, 2010
4,093
30
Too bad it is setup in redirects on Google Images. I have had it download at least 10-15 times in the last week. I have all previous 212.x.x.x redirected but they keep switching up the originating IP's.
 

andys53

macrumors member
Jun 29, 2009
45
0
U.K.
But

The way I see it, there are two major threats\entry points which expose a Mac to malware: Apps & Safari (or any other browser). If Apple has more control over the apps (through Mac App Store), and works MORE (a lot more actually) on Safari's security, then I think the Mac will be a more secure system.

It's already perfectly secure, users maybe aren't but you can't blame Apple for that.
 

interrobang

macrumors 6502
May 25, 2011
369
0
OK, so at this point, aren't we solving the wrong problem?

Someone is out there, continually writing and rewriting variants of MacDefender to overcome each of Apple's moves to block it.

Why are we not able to find them and arrest them?

Presumably this is not some teenage hacker looking for fame and glory. There is an actual attempt to profit from this scam by "selling" MacDefender services, right? That means credit cards and bank accounts, right? Doesn't that mean they can be traced?

They're typically in Russia, China, Vietnam, or another country that doesn't care what its nationals do to foreigners over the Internet and won't extradite or prosecute. Sometimes they're westerners who set up accounts and fronts overseas.

They're traceable, sure, but there's nothing you can do when you find them. And they're small-time enough that the FBI just shakes its bureaucratic head and says, "Hope you learned your lesson, be more careful next time."
 

dolph0291

macrumors member
Feb 16, 2011
92
2
OK, so at this point, aren't we solving the wrong problem?

Someone is out there, continually writing and rewriting variants of MacDefender to overcome each of Apple's moves to block it.

Why are we not able to find them and arrest them?

Presumably this is not some teenage hacker looking for fame and glory. There is an actual attempt to profit from this scam by "selling" MacDefender services, right? That means credit cards and bank accounts, right? Doesn't that mean they can be traced?

Don't worry, there are a lot of people working on doing that right now, I am sure. I ran a small commerce website that was under a DoS attach by someone trying to gain free services... anyway, the FBI was all over it and caught and arrested the guy, who was in the Caribbean. We were small time. I could only imagine what kind of power is working on Apple's behalf.
 

dolph0291

macrumors member
Feb 16, 2011
92
2
They're typically in Russia, China, Vietnam, or another country that doesn't care what its nationals do to foreigners over the Internet and won't extradite or prosecute. Sometimes they're westerners who set up accounts and fronts overseas.

They're traceable, sure, but there's nothing you can do when you find them. And they're small-time enough that the FBI just shakes its bureaucratic head and says, "Hope you learned your lesson, be more careful next time."

You have to be kidding. Credit card fraud, especially on this level, is never small-time in the FBI's eyes. The RIAA has been successful in getting Russian MP3 sites closed, what makes you think the FBI won't be successful here?
 

munkery

macrumors 68020
Dec 18, 2006
2,217
1
The most confusing part in all of this is the mac defender advertising from macupdate.

I am pretty MACDefender is not being advertised on MacUpdate.

Are you sure that it is not Mac Keeper being advertised?
 
Last edited:

euphlyusUNO

macrumors member
Jun 16, 2011
84
0
It's already perfectly secure, users maybe aren't but you can't blame Apple for that.

Firstly, I'm not blaming Apple, actually, I'm not "blaming" anyone.

Next, can you define the word "perfectly secure"? I would say that's a gross overstatement. There's no software in this world that's "perfectly secure".

Apple releases "patches" which fix "exploits". Exploits are ways in which hackers/programs can bypass a security provision, like MacDefender which bypasses the admin password requirement (http://www.itechgiz.com/2011/05/mac-defender-malware-bypass-admin-password-requirements). I can give you several other examples where exploits have been written to undermine OS X's security (the iPhone/safari jail-break thing)

That said, I still think OS X is safer than Windows, and I think Apple has created a platform from where it can build to actually become a more secure system.
 
Last edited:

ten-oak-druid

macrumors 68000
Jan 11, 2010
1,980
0
I really think Apple has to remove the Safari preference to open trusted files after download. That seems to be the problem for people getting hit by this. Although it is not clear why these files would be "trusted". Perhaps it isn't a big deal but I think Apple should remove that anyway.

It certainly isn't as a big a problem as internet explorer on Windows having password autofill on as default. I luckily found that out when having to use a Windows machine. I was careful and checked after logging out on a public machine and had to get help disabling that feature. The guy maintaining the machines only had a few to keep running and was an Apple user so he never guessed such a thing would be the case. After that it became part of his routine to disable that when setting up machines.

This is particular malware on the Mac is just the decennial malware. It is a good time for the anti-Apple crowd. They get to believe they can finally say Apple isn't safe. Of course it won;t last long.
 

res1233

macrumors 65816
Dec 8, 2008
1,127
0
Brooklyn, NY
I am pretty MACDefender is not being advertised on MacUpdate.

Are you sure that it is not Mac Keeper being advertised?

Reading comprehension fail. MacDefender advertising FROM macupdate, not ON macupdate. macupdate has always seemed a bit shady to me tbh, but not THAT shady.
 

Dr Kevorkian94

macrumors 68020
Jun 9, 2009
2,175
76
SI, NY
its funny yesterday i searched star treck idk y i just was watching it lol, and i got some mac defender all up in my grillz but i been smart and was like aight and i closed my internet.

translation: i actually found it and then just quit safari.
 

munkery

macrumors 68020
Dec 18, 2006
2,217
1
Reading comprehension fail. MacDefender advertising FROM macupdate, not ON macupdate. macupdate has always seemed a bit shady to me tbh, but not THAT shady.

I think you mean to say that it was a grammar fail on the part of the other uninformed poster.

On what webpages has MacUpdate advertised MACDefender?

Unless, the poster was referring to Mac Keeper which is not malware or related to MACDefender.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.