I haven't seen this reported anywhere. Is that how these scumbags are hijacking websites? Through rogue ads that detect when the visitor is using a Mac? That would make sense. I wonder if changing the User-Agent in the browser would avoid the problem, too?

I wondered that too... but then you'd probably get a Windows fake dialogue popup instead asking you for your details...
 
Just bring the Mac App Store as the default way of installing software and problem solved :) I know it's not gonna happen but it works fine on iOS devices - no malware


You can already use parental controls to basically lock users down to the App store, this seems good enough for me. I do not want all of my software to have to come through the App Store.
 
Žalgiris;12670754 said:
TODAY there are no VIRUSES for Mac OS X - it's a fact TODAY and it was a fact since 2001 every day.

A fact I never questioned (though a few would with OSX/Leap-A, a worm that targeted a flaw in iChat), so... why exactly are you arguing with me?

It's just an app in a pkg installer, it doesn't auto launch after download nor auto install.
Safari just auto-extracts a zip; whoopty****ingdoo.

Actually, no, Safari also launches into the installer automatically. You still need to complete the install wizard, but it does auto-launch the installer.
 
You can already use parental controls to basically lock users down to the App store, this seems good enough for me. I do not want all of my software to have to come through the App Store.

You can also use Opendns. www.opendns.com

It provides free internet filtering (at its most basic level - paid versions are also available) without any software required.
 
Actually, no, Safari also launches into the installer automatically. You still need to complete the install wizard, but it does auto-launch the installer.

Really, have any valid sources?
Or is it your unarchiver doing that? Does the default unarchiver do this?
That would be an extremely bad decision by Apple.
 
Yeah, you're right. Except software engineers aren't neurosurgeons. I know I've written faulty code, and most certainly kernel extension developers have too... certain nVidia drivers on my old Linux machines come to mind on that one.

The point was that a kext can do damage, and nothing will save you against that. In the same way that someone reaching into your brain can do damage, and nothing will save you against that. Solution? Don't let some random person reach into your brain nor kernel :p.

Apart from the fact that mixing kext talk with the MacDefender saga is rather absurd, or worse.
 
Hum, go through all the stories posted in the last few days? It's all there.

There are disk images that, when opened, do launch the contained installer (if I remember correctly).
I guess you can chain that to the auto-opening of the disk image by Safari.

But of course NOT all disk images do that; rather I'd say I have found a handful of those in my years using OS X.
 
One would think that the attackers could make a password-requiring variant of the trojan that replaces or removes the Xprotect.plist file from the operating system.

This doesn't make sense. If a variant can start the installer and ask for your password without a warning, then it's not in the Xprotect.plist file, so why would it need to delete the file?
 
There are disk images that, when opened, do launch the contained installer (if I remember correctly).
I guess you can chain that to the auto-opening of the disk image by Safari.

But of course NOT all disk images do that; rather I'd say I have found a handful of those in my years using OS X.

The MacDefender ones are.
 
They are exploiting the same issue. While they are making Apple look stupid, you can bet your house they have found other vulnerabilities in OS X. These guys are pros and will continue to move the goal posts.

They are only making Apple look stupid to those who are completely ignorant of the facts — a group which you have thus identified yourself with.

Apple is not responsible for all the apps a user chooses to download and install on their Mac. Apple could have simply tried to educate users, but they have gone the extra step of providing what is essentially a 'get out of jail free' card for those silly enough to fall for the scam.

I know some of you don't like Apple, but for goodness sakes give them credit where credit is due.
 
Apple is not responsible for all the apps a user chooses to download and install on their Mac. Apple could have simply tried to educate users, but they have gone the extra step of providing what is essentially a 'get out of jail free' card for those silly enough to fall for the scam.

Exactly, this isn't some kind of software that uses an exploit to gain access to the system.

Though it could be argued that Safari's "Open Safe files" feature should be disabled by default and maybe just completely removed.
 
Bravo Apple. Wish Windows would follow Apple's lead here. Don't have to pay for a fix either. Anyone know if this affects iOS devices too or just OS X?
 
The point was that a kext can do damage, and nothing will save you against that. In the same way that someone reaching into your brain can do damage, and nothing will save you against that. Solution? Don't let some random person reach into your brain nor kernel :p.

Apart from the fact that mixing kext talk with the MacDefender saga is rather absurd, or worse.

I really wasn't mixing kext talk with MacDefender. Completely separate. It was in response to other posts.
 
What I worry about is someone is going to figure out how to once it is installed the trojan is going to make a bigger hole that allows much more lower system access where a lot more damaging things can be done. There are a lot of places for malware of any type to hide once you get access to more root level stuff.

But now we are talking about something completely different. MacDefender attacks the biggest vulnerability: The one sitting at the other end of the keyboard. What you are talking about is vulnerabilities in the OS itself. Guest accounts _should_ be safe, but letting known malware play around in a guest account and hoping for the best is obviously a stupid move.

However, we can assume that in most cases MacDefender will be installed in a user account with some significant amount of user data. So _if_ MacDefender did something malicious beyond asking for your credit card details, then it _could_ do significant amount of damage. Like deleting or modifying all the files in your user account.

So in summary, voluntarily letting malware run in a guest account is not exactly clever. Voluntarily letting malware run in any normal user account is incredibly stupid.


The thing is not that clear-cut, and in fact security researchers plainly recommend not to use the guest account in OS X (at least in Leopard, I don't know how the thing evolved in Snow Leopard).

These "security researchers" are actually quite clueless. Yes, giving a malicious person access to a guest account on your Mac is dangerous. But then a malicious person with access to a guest account on my MacBook could just grab the MacBook and run away. Or put the MacBook on the floor and jump on it with both feet. Or remove the hard drive, plug it into another computer, and copy it. Or do any amount of other things that are damaging. You need to keep some perspective on risks. I can hand my MacBook switched to a guest account to the grandchildren, and I know that they won't delete all my files by accident (friend of mine lost significant amounts of music in iTunes to his then three year old granddaughter), or on purpose.
 
Wonder if there will be a permanent fix in Lion.
I already have the permanent fix... and it works on any version of Mac OS X. I have this cool little attachment for my Mac that thwarts all Mac OS X malware that exists in the wild ... me! The permanent fix is an informed, prudent user who THINKS before doing anything, especially selecting and installing software. That will eliminate 100% of all existing Mac OS X malware that any user can encounter today.
Does the security update run on its own or do I have to launch it to scan and/or receive the updates?

And is this security software located in the Applications folder or somewhere else? I didn't see where it installed last night, wasn't at the machine.
The initial Software Update activates daily updating of threat definitions. There's nothing you need to do ongoing to make that happen. No, there's nothing in the Applications folder related to the malware protection.
XProtect.plist is gonna get awfully large.
What makes you think so? There is still only a handful of trojans that can affect Mac OS X. It's not a long list.
I hope in Lion they disable opening downloaded files automatically. It's the largest security hole ever in an operating system.
I agree. No files should download or open without deliberate user action.
THERE IS NO VIRUS FOR MAC OSX, NOR WILL THERE EVER BE ONE!
While none exist, that doesn't mean there won't be any in the future.
Yes, and it does have flaws like any other software, but as far as viruses go, it's practically immune
False. No OS, including Mac OS X, is immune to malware or viruses.
Did they though? Or was it the fact that the user is running as an administrator rather than a standard user?
Running as an admin or standard user makes no difference.
And so it came to pass, on June 2nd 2011, that OS X did cease to exist.
Unless your post is sarcasm, do you have any idea how ridiculous it sounds? I would be embarrassed, if I were you.
...Why would anyone have downloaded it in the first place?
The download is automatic, not requiring the user's approval.
This being malware as opposed to a virus, its authors have nothing to gain simply by being a step ahead. If they're not getting credit card info etc. They aren't making any money, which is the entire point of something like this.
Have you been reading these threads? They ARE getting credit card info. Also, malware includes viruses, trojans, worms, etc.
Anything that I install or even update on my Mac, because I'm a standard user it always asks for an admin name and password.
Whether you're a standard or admin user makes no difference. The admin password is required if the app requires privilege escalation. You can run some apps directly from the Downloads folder or your desktop, without requiring any password, even as a standard user.
Žalgiris;12670693 said:
Oh give me a break. I can repeat Mac OS, prior Mac OS X, had hundreds of viruses
No, there were never "hundreds of viruses" for Mac OS 9 and earlier. There were some viruses, but not nearly that many.
no but it prevents others from installing things on your computer just because it is logged into the admin account.
Admin or standard user: it makes no difference.
The fix is AdBlock or NoScript, and Apple can't do that.
That's not the fix. People have encountered MacDefender, even with adblockers. And for the record, Apple can build adblockers into Safari. The "fix" is informed, prudent users who think before they act.
I think the damage has been done already as the reputation of virus/malware-free is ruined for the Mac platform
Mac OS X has never been malware-free. No OS is. And Mac OS X is still virus-free.
A fact I never questioned (though a few would with OSX/Leap-A, a worm that targeted a flaw in iChat)
Those that argue that Leap-A was a virus are those that don't understand the difference between a virus, a trojan and a worm.
You can also use Opendns.
That makes no difference. You can still encounter MacDefender with OpenDNS, because it's not a DNS issue.
Really, have any valid sources?
Or is it your unarchiver doing that? Does the default unarchiver do this?
That would be an extremely bad decision by Apple.
Unarchiver is irrelevant, because the downloaded file isn't an archive. It's an installer app.
 
Exactly, this isn't some kind of software that uses an exploit to gain access to the system.

Though it could be argued that Safari's "Open Safe files" feature should be disabled by default and maybe just completely removed.

It is almost as bad as MS having password autofill enabled on IE as a default.
 
Trojans like this are the equivalent of leaving a gun on the ground with a note that says "Urgent! Point at head and pull trigger!"

There's only so much you can do to protect people from their own stupidity.
 
Wonder if there will be a permanent fix in Lion.


Well the current fix is to not install this BS in the first place.

Where do you even download it FROM?

Really, have any valid sources?
Or is it your unarchiver doing that? Does the default unarchiver do this?
That would be an extremely bad decision by Apple.

Yes, it opens by default if you enable it to do so. I enabled it because I'm not stupid enough to fall for random installers that pop up :)

Source: me using a Mac...

I think the damage has been done already as the reputation of virus/malware-free is ruined for the Mac platform. Hopefully, we don't see these on iPod/iPad anytime soon.

There was already malware on pirated versions of iWork. No viruses so far (or anytime in the future).

One would think that the attackers could make a password-requiring variant of the trojan that replaces or removes the Xprotect.plist file from the operating system.

Yeah, but wouldn't the next security update fix it?
Or Apple could have some checksum to prevent tampering with it.
Hopefully not, I want to add "Acrobat" to the list of malware ;)

But if Apple stays only one step behind and closes the holes within 24 hours each time, the attackers will soon learn that there isn't that much to be gained by the effort. They'll have to try another approach.

You know, this relatively benign malware is, on balance, a good thing. This will educate Mac users not to click OK on software they did not choose to install. So that when something really serious shows up, they will know better thanks to this mild version that is merely annoying.

Like Acrobat. I know people who installed Acrobat from eMails with PDFs saying that you need Acrobat to view them. Inexperienced users don't know that Preview and Safari can already read PDFs, so they install it. It installs the updater for Acrobat, which is SUPER glitchy. Then, you can't view PDFs in Safari, they open in Acrobat...
 
You have a Delorean ? Can you bring me back a floating skateboard next time you use it ? :p

No one can predict the future.

Not accurately, but you can. Considering how secure UNIX is, a real virus for Mac seems impossible. Even if someone figured out how to make one, viruses are kinda obsolete anyway. They're just annoying and don't make any cash.
 
Not accurately, but you can. Considering how secure UNIX is, a real virus for Mac seems impossible.
It's not impossible at all. No OS is immune, including Unix, Linux, Mac OS X, Windows, etc.
Even if someone figured out how to make one, viruses are kinda obsolete anyway. They're just annoying and don't make any cash.
Viruses are far from obsolete. Where are you getting this nonsense about them not making money?
 