The link I put there was from apple's server swcdn.apple.com and it is easy to verify that this is from apple.

So if you are accusing me of putting a fake link up here, you'll have to do better than that.

ok. perhaps i didn't put it in terms you could understand.

don't post your "helpful" links in online forums. no one is going to click on your unverified link, even if it has "apple" in the url.
 
One more question

Thanks for all the useful info. I also found this article, which someone may find useful.

http://www.macastic.com/os-x-10-6/apple-xprotect/

I could not find a place where to enable and disable the protection.

One more thing...

How do I check if the Xprotect daemon is running? I want to be 100% sure that Xprotect is running all the time.

mba:Resources root# ps -aef | grep -i prot
0 55971 55532 0 9:18PM ttys000 0:00.00 grep -i prot
mba:Resources root#

Thanks in advance.
 

tywebb13, there has been another update on October 23rd. One of my macs has it and the other is still on Oct 4th.

Can you post how you obtain the update link?

I noted comments about direct downloading from an unknown source, and while I trust you (did download the above, but found it was Oct 4th) I would be happier knowing more.

Thanks
 
Well thanks for that. I didn't know there was a new one. I checked it out and found that it applies to mavericks and yosemite. I'm still running mavericks on one of my main computers and the new xprotect didn't install automatically on it. But after confirming that the update does apply to it, I forced it to install by downloading it from the direct link from apple's server at

http://swcdn.apple.com/content/down...rhaa7ka4dzhm8mm1z/XProtectPlistConfigData.pkg

in the hope that it might have included a quarantine for the D variant of iworm. But it didn't!

This raises more questions than it answers. It may not have anything to do with iworm. If that is the case then what is it?

Thanks for quick response, that has indeed updated my mac to 23rd Oct update.

For my benefit in the future, and others, can you share where you get this from on the Apple servers?
 
in the hope that it might have included a quarantine for the D variant of iworm. But it didn't!

This raises more questions than it answers. It may not have anything to do with iworm. If that is the case then what is it?
It only changed the minimum FlashPlayer versions to 13.0.0.250 and 15.0.0.189.

What’s this about a D variant of iWorm?
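The two questions above about XProtect's state (whether it is "running", and what the October 23rd update actually changed) can both be answered from the definitions file itself. XProtect has no long-running process for `ps` to find; the definitions are plist files consulted when a quarantined download is opened. The following script is an added example, not code from this thread or from Apple: it reads `XProtect.meta.plist`, reports the definitions version, the last-modification string and the per-plug-in minimum versions, and decides whether a given Flash Player build is older than the minimum. The file path, the key names (`Version`, `LastModification`, `PlugInBlacklist`, `MinimumPlugInBundleVersion`) and the sample plist are assumptions based on the layout of that era's file; the real file may list more than one allowed Flash branch (the thread mentions both 13.0.0.250 and 15.0.0.189), whereas this sample carries a single minimum.

```python
#!/usr/bin/env python3
"""Inspect the installed XProtect definitions (added example, not from the thread)."""
import os
import plistlib

# Location of the definitions on OS X 10.6 - 10.10 (assumption; the "Resources"
# prompt earlier in the thread suggests the poster was already in this directory).
XPROTECT_META = ("/System/Library/CoreServices/CoreTypes.bundle/"
                 "Contents/Resources/XProtect.meta.plist")

# Constructed sample mirroring the file's layout; the numbers are made up except
# the Flash Player minimum quoted in the thread (15.0.0.189).
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Version</key><integer>2053</integer>
  <key>LastModification</key><string>Thu, 23 Oct 2014 18:00:00 GMT</string>
  <key>PlugInBlacklist</key>
  <dict>
    <key>10</key>
    <dict>
      <key>com.macromedia.Flash Player.plugin</key>
      <dict><key>MinimumPlugInBundleVersion</key><string>15.0.0.189</string></dict>
      <key>com.oracle.java.JavaAppletPlugin</key>
      <dict><key>MinimumPlugInBundleVersion</key><string>1.7.71.14</string></dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def load_meta(data: bytes) -> dict:
    """Parse XML plist bytes into a dict."""
    return plistlib.loads(data)


def definitions_version(meta: dict) -> int:
    """The integer Apple bumps with every definitions push."""
    return int(meta["Version"])


def minimum_plugin_versions(meta: dict, os_major: str = "10") -> dict:
    """Map bundle id -> lowest plug-in version XProtect still allows to load."""
    entries = meta.get("PlugInBlacklist", {}).get(os_major, {})
    return {bundle: info["MinimumPlugInBundleVersion"]
            for bundle, info in entries.items()
            if "MinimumPlugInBundleVersion" in info}


def version_tuple(version: str) -> tuple:
    """'15.0.0.189' -> (15, 0, 0, 189), so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def is_blocked(installed: str, minimum: str) -> bool:
    """True when the installed plug-in is older than the XProtect minimum."""
    return version_tuple(installed) < version_tuple(minimum)


def report(meta: dict, installed_flash: str) -> dict:
    """Summarise the definitions and whether a given Flash build would be blocked."""
    mins = minimum_plugin_versions(meta)
    flash_min = mins.get("com.macromedia.Flash Player.plugin")
    return {
        "definitions_version": definitions_version(meta),
        "last_modification": meta.get("LastModification"),
        "minimums": mins,
        "flash_blocked": flash_min is not None and is_blocked(installed_flash, flash_min),
    }


if __name__ == "__main__":
    if os.path.exists(XPROTECT_META):
        with open(XPROTECT_META, "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_META  # off-box demo with the constructed sample
    for key, value in report(load_meta(data), installed_flash="15.0.0.152").items():
        print(f"{key}: {value}")
```

Comparing `definitions_version` before and after a manual install of the pkg is the quickest way to confirm the update really landed; a numeric version comparison matters because a lexical one would rank "9.0.0.999" above "15.0.0.189".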
 
Apple have only quarantined 3 variants - even with this new xprotect. That doesn't mean there ARE only 3 variants. I am convinced a D variant exists and suspect there may be more.
Well, since sample collection is something I do for the benefit of the community (to include submission of them to Apple Product-Security) I’m only aware of two true variants and many other files. Apple only deals with things that can be quarantined, so it does not search for any of the additional files that are non-executable deployed files that A-V software vendors include in their definitions. So when BitDefender, for example, says they have five definitions for iWorm, that doesn’t necessarily mean there are five variants.
 
Well if there are really only 2 why would apple quarantine 3?
As I said before, the definitions are for an install process that appears to be common to both variants and two different postflight scripts. I’ve speculated that one changes the hosts file to block Software Update while the other one does not. In any case all three files appear to come from two different installer apps.

All of the installers that were obtained from Adobe files posted by a single user to PirateBay appear to be identical, so the other must have come from a different spot.

Two or three users have reported that they believe they were infected by a fake FlashPlayer update while downloading torrent videos, so that could be where the second postflight is coming from or it might be a third variant. That’s the one I’ve been trying to get my hands on.
 
I'm just wondering ... what is this "Cloudflare" thing? Can it be used if one does not have a "website"?
 
XProtect was updated today 6th Nov. One of my Macs has updated but not the other. Any offers to supply the link to the Apple direct download again?
...or better still, educate me how to find it myself.
 
OK. Here it is:

http://swcdn.apple.com/content/down...qau4bm67zk97oilk6/XProtectPlistConfigData.pkg

OSX.Machook.A is the wirelurker blocked by the new xprotect.

You may run these 2 commands in terminal to see if you are infected with wirelurker:

Code:
curl -O https://raw.githubusercontent.com/PaloAltoNetworks-BD/WireLurkerDetector/master/WireLurkerDetectorOSX.py

Code:
python WireLurkerDetectorOSX.py

It may take a few minutes.

Thanks! Actually XProtect updated itself yesterday so I didn't need to use the link, but thanks anyway.

No infections found from the Terminal scans.
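Several posts above ask where the XProtectPlistConfigData link comes from and how to find it without trusting a link someone pasted. The package is listed in Apple's software update catalog, which is itself a plist. The script below is an added example, not code from this thread or from Apple: it parses a catalog, picks out every product that ships `XProtectPlistConfigData.pkg` from one of Apple's download hosts, and returns the newest by post date. It checks the URL's hostname, not whether "apple" appears somewhere in the string, which is the distinction the earlier argument about unverified links turns on. The catalog URL is recalled from memory and should be treated as an assumption; the sample catalog, product ids, paths and dates are constructed, and the trusted-host set is this example's choice.

```python
#!/usr/bin/env python3
"""Locate the current XProtectPlistConfigData package in an Apple sucatalog
(added example, not from the thread)."""
import plistlib
import sys
import urllib.request
from urllib.parse import urlparse

# Merged catalog for 10.10 and earlier, as recalled by this example's author (assumption).
CATALOG_URL = ("https://swscan.apple.com/content/catalogs/others/"
               "index-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog")

# Hosts Apple serves update packages from; anything else is not followed.
TRUSTED_HOSTS = {"swcdn.apple.com", "swdist.apple.com"}

# Constructed catalog fragment in the sucatalog layout (Products -> Packages/PostDate).
# The last product has "apple.com" inside a non-Apple hostname to show why a
# substring check is not enough.
SAMPLE_CATALOG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Products</key>
  <dict>
    <key>031-00001</key>
    <dict>
      <key>PostDate</key><date>2014-10-04T17:00:00Z</date>
      <key>Packages</key>
      <array><dict>
        <key>URL</key><string>http://swcdn.apple.com/content/downloads/00/01/031-00001/aaaa/XProtectPlistConfigData.pkg</string>
        <key>Size</key><integer>4096</integer>
      </dict></array>
    </dict>
    <key>031-00002</key>
    <dict>
      <key>PostDate</key><date>2014-11-06T18:30:00Z</date>
      <key>Packages</key>
      <array><dict>
        <key>URL</key><string>http://swcdn.apple.com/content/downloads/00/02/031-00002/bbbb/XProtectPlistConfigData.pkg</string>
        <key>Size</key><integer>4608</integer>
      </dict></array>
    </dict>
    <key>031-00003</key>
    <dict>
      <key>PostDate</key><date>2014-11-06T18:30:00Z</date>
      <key>Packages</key>
      <array><dict>
        <key>URL</key><string>http://swcdn.apple.com/content/downloads/00/03/031-00003/cccc/SomeOtherUpdate.pkg</string>
        <key>Size</key><integer>1048576</integer>
      </dict></array>
    </dict>
    <key>031-00004</key>
    <dict>
      <key>PostDate</key><date>2014-11-07T09:00:00Z</date>
      <key>Packages</key>
      <array><dict>
        <key>URL</key><string>http://swcdn.apple.com.example.net/XProtectPlistConfigData.pkg</string>
        <key>Size</key><integer>4608</integer>
      </dict></array>
    </dict>
  </dict>
</dict>
</plist>
"""


def is_trusted_url(url: str) -> bool:
    """Only http(s) URLs whose hostname is exactly an Apple download host qualify."""
    parts = urlparse(url)
    return parts.scheme in ("http", "https") and parts.hostname in TRUSTED_HOSTS


def find_xprotect_products(catalog: dict, name: str = "XProtectPlistConfigData.pkg") -> list:
    """(post_date, product_id, url) for each product shipping `name` from a trusted host, oldest first."""
    hits = []
    for product_id, product in catalog.get("Products", {}).items():
        for pkg in product.get("Packages", []):
            url = pkg.get("URL", "")
            if urlparse(url).path.rsplit("/", 1)[-1] == name and is_trusted_url(url):
                hits.append((product["PostDate"], product_id, url))
    return sorted(hits)


def latest_xprotect(catalog: dict):
    """Newest trusted XProtect package, or None when the catalog has none."""
    hits = find_xprotect_products(catalog)
    return hits[-1] if hits else None


def fetch_catalog(url: str = CATALOG_URL) -> dict:
    """Download and parse the live catalog (network access required)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return plistlib.loads(resp.read())


if __name__ == "__main__":
    catalog = fetch_catalog() if "--live" in sys.argv else plistlib.loads(SAMPLE_CATALOG)
    hit = latest_xprotect(catalog)
    print("no XProtect package found" if hit is None else f"{hit[0]:%Y-%m-%d}  {hit[1]}  {hit[2]}")
```

Without arguments the script runs against the constructed sample; `--live` fetches the real catalog. Once the pkg is downloaded, `pkgutil --check-signature <file>` reports whether it carries Apple's signature, and `sudo installer -pkg <file> -target /` performs the manual install the thread describes.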
 
Thanks tywebb13, great service!

One of my machines has updated itself and will give the other a chance before doing it manually.
 