Apple and 'Mac Defender' Malware Authors Continue Cat-and-Mouse Game

[MacRumors]

It has been seven weeks since the "Mac Defender" malware first gained significant publicity, and we've seen Apple in response step up its anti-malware efforts with the release of a security update late last month that not only addressed the known Mac Defender variants at that time but also introduced daily checks for new malware definitions. The action significantly expanded the rudimentary anti-malware capabilities introduced with the launch of Mac OS X Snow Leopard.

The creators of the "Mac Defender" malware have not, however, given up in the face of Apple's increased defenses, moving within hours to release a new variant evading detection. Apple responded quickly, however, adding new definitions to detect the variant within a day.




That cat-and-mouse game has continued for the past three weeks, with Apple issuing new malware definitions on a nearly daily basis and the File Quarantine functionality defined by Apple's updated Xprotect.plist file now detecting 15 different variants of Mac Defender. While reports of users falling for the ruse and installing Mac Defender have declined in recent weeks as increasing numbers of users have installed the security update and had their anti-malware definitions updated, some users are still reporting difficulties stemming from the software.

Consequently, it seems reasonable to conclude that Apple has significantly eaten into the profitability of the existing Mac Defender scam, but it is unclear whether the malware writers will simply continue to slightly tweak the existing implementation and infect however many computers they can before Apple quickly updates the definitions or if they (and undoubtedly others) have broader plans in mind now that they have determined how Apple is addressing the threat.

Article Link: Apple and 'Mac Defender' Malware Authors Continue Cat-and-Mouse Game

[iekozz]

Yes, OS X is more secure than Windows, but it will only be a matter of time before we will get many more virusses on OS X.

The virusses will be harder to make of course, but it's a logical result of the popularity of the mac platform.

[Kilamite]

This is why the Mac App Store is good.

Ok, you have to be an idiot to install this malware, but if all the main pieces of software for the Mac were available through the Mac App Store, then there wouldn't be a worry. For now.

[justinfreid]

Quote:

Originally Posted by Kilamite

This is why the Mac App Store is good.

Ok, you have to be an idiot to install this malware, but if all the main pieces of software for the Mac were available through the Mac App Store, then there wouldn't be a worry. For now.

So you're saying that Apple is behind this malware and is using it as a way to scare people into only installing software via the Mac App Store???
I'm kidding, of course, but let's see how many down arrows this post'll get.

Plenty of other file types will still need to be downloaded and double clicked and the contents of a DMG can contain executables alongside other files. Maybe more context about the opening a file and what it can do would be useful in the password challenge boxes that OS X shows would help.

[dukebound85]

Quote:

Originally Posted by iekozz

Yes, OS X is more secure than Windows, but it will only be a matter of time before we will get many more virusses on OS X.

The virusses will be harder to make of course, but it's a logical result of the popularity of the mac platform.

I don't think you know what a virus is if you think macdefender is one

[euphlyusUNO]

It's good to see Apple is taking the Malware seriously and reacting fast, but I wonder how long will they be able to keep up with such attacks? Will we also have to deal with the madness of third-party anti-malware\virus softwares? I hope not!

@iekozz: I wouldn't say OS X is secure, I'd rather say it's safe (if you knw what i mean)

[C00rDiNaT0r]

Can't Apple build some kind of sandbox mechanism that simulates an install and scan for text strings like "credit card" from the app's popup dialog boxes? That way they can warn the users before they actually install the app.

[euphlyusUNO]

Quote:

Originally Posted by justinfreid

So you're saying that Apple is behind this malware and is using it as a way to scare people into only installing software via the Mac App Store???
I'm kidding, of course, but let's see how many down arrows this post'll get.

Plenty of other file types will still need to be downloaded and double clicked and the contents of a DMG can contain executables alongside other files. Maybe more context about the opening a file and what it can do would be useful in the password challenge boxes that OS X shows would help.

The way I see it, there are two major threats\entry points which expose a Mac to malware: Apps & Safari (or any other browser). If Apple has more control over the apps (through Mac App Store), and works MORE (a lot more actually) on Safari's security, then I think the Mac will be a more secure system.

[nerdo]

The most confusing part in all of this is the mac defender advertising from macupdate.

[Sjhonny]

Quote:

Originally Posted by Kilamite

This is why the Mac App Store is good.

Ok, you have to be an idiot to install this malware, but if all the main pieces of software for the Mac were available through the Mac App Store, then there wouldn't be a worry. For now.

That's just not true. How many times did an app (for iOS) included an unadvertised feature and got through the review? Just last week, this guy who said he 'just' collected passwords, set for his applications (without IP or other user information; we can be sure that not advertising the IP is ********). And about the jailbreaks? How many exploits aren't know to the public you think? The same goes for OS X.

[NAG]

Quote:

Originally Posted by Sjhonny

That's just not true. How many times did an app (for iOS) included an unadvertised feature and got through the review? Just last week, this guy who said he 'just' collected passwords, set for his applications (without IP or other user information; we can be sure that not advertising the IP is ********). And about the jailbreaks? How many exploits aren't know to the public you think? The same goes for OS X.

Compared to how many trojans in the various Android marketplaces? Like it or not, curation significantly decreases malware. Openness (or whatever it is that Google is selling) can't protect someone who is not as computer savvy.

I don't think anyone is arguing that the various Apple app stores are completely safe. Apple obviously isn't going through the programs line by line and doing a full audit before publishing an app to the store. They could do better too (too many SEO apps in the store preying on people who just do a simple search). I feel it is a better environment for most users, though.

Essentially, Apple should get rid of that stupid open "safe" preference (ignoring how it is default for some stupid reason) and default new installs to only let you get apps from the app store with a preference somewhere for you to let you use apps from elsewhere. I.E. make people show they have sufficient skill to not fall prey to trojans that go after low hanging fruit.

[notjustjay]

OK, so at this point, aren't we solving the wrong problem?

Someone is out there, continually writing and rewriting variants of MacDefender to overcome each of Apple's moves to block it.

Why are we not able to find them and arrest them?

Presumably this is not some teenage hacker looking for fame and glory. There is an actual attempt to profit from this scam by "selling" MacDefender services, right? That means credit cards and bank accounts, right? Doesn't that mean they can be traced?

[justinfreid]

Quote:

Originally Posted by euphlyusUNO

The way I see it, there are two major threats\entry points which expose a Mac to malware: Apps & Safari (or any other browser). If Apple has more control over the apps (through Mac App Store), and works MORE (a lot more actually) on Safari's security, then I think the Mac will be a more secure system.

Sure, those are two of the most important vectors, but I think you also have to consider USB memory sticks and network based file sharing, especially with the addition of AirDrop in Lion, as sources of infection.
Apple seems to have chosen to maintain an ever growing blacklist to keep known malware out of OS X. That's a pretty tall order, but hopefully they can stay ahead of the game.

[morespce54]

Quote:

Originally Posted by Kilamite

This is why the Mac App Store is good.

Ok, you have to be an idiot to install this malware, but if all the main pieces of software for the Mac were available through the Mac App Store, then there wouldn't be a worry. For now.

The MAS may be a good idea but it's far from perfect. First off, apps and extensions like Little Snitch, Perian, Mac Fuse, Quicksilver and so on will never be available through the MAS (with the current rules) but they're essential tools for a lot of us...

[derbothaus]

Too bad it is setup in redirects on Google Images. I have had it download at least 10-15 times in the last week. I have all previous 212.x.x.x redirected but they keep switching up the originating IP's.

[andys53]

Quote:

Originally Posted by euphlyusUNO

The way I see it, there are two major threats\entry points which expose a Mac to malware: Apps & Safari (or any other browser). If Apple has more control over the apps (through Mac App Store), and works MORE (a lot more actually) on Safari's security, then I think the Mac will be a more secure system.

It's already perfectly secure, users maybe aren't but you can't blame Apple for that.

[interrobang]

Quote:

Originally Posted by notjustjay

OK, so at this point, aren't we solving the wrong problem?

Someone is out there, continually writing and rewriting variants of MacDefender to overcome each of Apple's moves to block it.

Why are we not able to find them and arrest them?

Presumably this is not some teenage hacker looking for fame and glory. There is an actual attempt to profit from this scam by "selling" MacDefender services, right? That means credit cards and bank accounts, right? Doesn't that mean they can be traced?

They're typically in Russia, China, Vietnam, or another country that doesn't care what its nationals do to foreigners over the Internet and won't extradite or prosecute. Sometimes they're westerners who set up accounts and fronts overseas.

They're traceable, sure, but there's nothing you can do when you find them. And they're small-time enough that the FBI just shakes its bureaucratic head and says, "Hope you learned your lesson, be more careful next time."

[dolph0291]

Quote:

Originally Posted by notjustjay

OK, so at this point, aren't we solving the wrong problem?

Someone is out there, continually writing and rewriting variants of MacDefender to overcome each of Apple's moves to block it.

Why are we not able to find them and arrest them?

Presumably this is not some teenage hacker looking for fame and glory. There is an actual attempt to profit from this scam by "selling" MacDefender services, right? That means credit cards and bank accounts, right? Doesn't that mean they can be traced?

Don't worry, there are a lot of people working on doing that right now, I am sure. I ran a small commerce website that was under a DoS attach by someone trying to gain free services... anyway, the FBI was all over it and caught and arrested the guy, who was in the Caribbean. We were small time. I could only imagine what kind of power is working on Apple's behalf.

[dolph0291]

Quote:

Originally Posted by interrobang

They're typically in Russia, China, Vietnam, or another country that doesn't care what its nationals do to foreigners over the Internet and won't extradite or prosecute. Sometimes they're westerners who set up accounts and fronts overseas.

They're traceable, sure, but there's nothing you can do when you find them. And they're small-time enough that the FBI just shakes its bureaucratic head and says, "Hope you learned your lesson, be more careful next time."

You have to be kidding. Credit card fraud, especially on this level, is never small-time in the FBI's eyes. The RIAA has been successful in getting Russian MP3 sites closed, what makes you think the FBI won't be successful here?

[munkery]

Quote:

Originally Posted by nerdo

The most confusing part in all of this is the mac defender advertising from macupdate.

I am pretty MACDefender is not being advertised on MacUpdate.

Are you sure that it is not Mac Keeper being advertised?

[euphlyusUNO]

Quote:

Originally Posted by andys53

It's already perfectly secure, users maybe aren't but you can't blame Apple for that.

Firstly, I'm not blaming Apple, actually, I'm not "blaming" anyone.

Next, can you define the word "perfectly secure"? I would say that's a gross overstatement. There's no software in this world that's "perfectly secure".

Apple releases "patches" which fix "exploits". Exploits are ways in which hackers/programs can bypass a security provision, like MacDefender which bypasses the admin password requirement (http://www.itechgiz.com/2011/05/mac-...d-requirements). I can give you several other examples where exploits have been written to undermine OS X's security (the iPhone/safari jail-break thing)

That said, I still think OS X is safer than Windows, and I think Apple has created a platform from where it can build to actually become a more secure system.

[ten-oak-druid]

I really think Apple has to remove the Safari preference to open trusted files after download. That seems to be the problem for people getting hit by this. Although it is not clear why these files would be "trusted". Perhaps it isn't a big deal but I think Apple should remove that anyway.

It certainly isn't as a big a problem as internet explorer on Windows having password autofill on as default. I luckily found that out when having to use a Windows machine. I was careful and checked after logging out on a public machine and had to get help disabling that feature. The guy maintaining the machines only had a few to keep running and was an Apple user so he never guessed such a thing would be the case. After that it became part of his routine to disable that when setting up machines.

This is particular malware on the Mac is just the decennial malware. It is a good time for the anti-Apple crowd. They get to believe they can finally say Apple isn't safe. Of course it won;t last long.

[res1233]

Quote:

Originally Posted by munkery

I am pretty MACDefender is not being advertised on MacUpdate.

Are you sure that it is not Mac Keeper being advertised?

Reading comprehension fail. MacDefender advertising FROM macupdate, not ON macupdate. macupdate has always seemed a bit shady to me tbh, but not THAT shady.

[Dr Kevorkian94]

its funny yesterday i searched star treck idk y i just was watching it lol, and i got some mac defender all up in my grillz but i been smart and was like aight and i closed my internet.

translation: i actually found it and then just quit safari.

[munkery]

Quote:

Originally Posted by res1233

Reading comprehension fail. MacDefender advertising FROM macupdate, not ON macupdate. macupdate has always seemed a bit shady to me tbh, but not THAT shady.

I think you mean to say that it was a grammar fail on the part of the other uninformed poster.

On what webpages has MacUpdate advertised MACDefender?

Unless, the poster was referring to Mac Keeper which is not malware or related to MACDefender.