Seriously? A name change evades Apple's detection tools? I'm sure there's more to that... However, it looks like Apple's detection mechanism is very loose. 8 hours and already a new strand?? Wow! :eek:

Agreed, almost kind of scary how easy it was. Let's face it, to this point Apple hasn't needed to pay a whole lot of attention to security. They scoffed at Microsoft when it went through its big ordeal years ago in dealing with malware.

I just hope that Apple is going to be very proactive in dealing with this (I'm sure they will). They tend to take user privacy and user rights very seriously and I hope they start to pursue legitimate ways of keeping everyone's Macs safe. Because this first attempt got an A for being proactive but overall the fix was pretty weak sauce if you ask me...
 
This game of Cat and Mouse will end rather quickly when the Lion shows up...

Well you are sort of right - it will turn into a game of Lion and Mouse :cool:


My thinking is that now Apple has addressed this particular malware, it will soon (matter of weeks) fade away.

I don't know why it took Apple as long as it did to roll out the MacDefender defense, but... now that it's been released they can update the signature quickly.

So, over the next couple of weeks all the vulnerable Macs are updated with this security update. Over the same time period the malware authors change the package to avoid detection. To be effective they need to change the package, and seed the new package to their poisoned websites. Then they have to wait for an unpatched Mac to happen on the poisoned link.

However, Apple is now updating all of the patched Macs daily, and each day there are more Macs patched. The window of opportunity for being infected is the time between Apple updates - about 24 hours for the package change and then the seeding. How many Macs are going to hit the poisoned link in that window?

I suspect that at some point the returns will not justify the work necessary. At the moment they've got a fairly clear field. Soon, they're really going to have to work for the payoff.


Following that logic, there shouldn't be any viruses/malware/... for windows anymore.

The game has just started and will continue forever. Now even Mac Users have to be more careful what to click on. Even if Apple updates the database as fast as they can, there will always be a 'lead' by malware programmers, it first has to show up in the wild until the signature can be put in the database.
 
If I don't run in admin mode and run in standard mode instead, will I be safe from the malware? Also will installing iAntivirus help at all? :confused:

The malware cannot install itself. It can start the installer, and then _you_ have to click on an "Ok" button instead of "Cancel". If _you_ don't give it permission to install, nothing can happen.

And this malware is trying to persuade you to give them your credit card number. If you don't give them your credit card number, they won't hurt you, even if the malware gets installed. It is also very easy to uninstall. (However, it would be quite possible for future malware to do damage to your computer).

As always, you should have a Time Machine backup of your computer, and not much can hurt you, only inconvenience you.

He's actually probably still laughing his ass off after getting a new version out only 8 hours after the security patch release. Apple needs something better than strict anti-malware definitions.

That malware was prepared long before Apple released the update, and only had to be uploaded to many infected servers. (Makes you wonder what OS these servers are running, allowing malware like that to be uploaded). I'd hope for updated virus definitions tomorrow; and then Apple should be able to recognize the whole family of software. At some point they won't make money with this software anymore.
 
Is it better to keep editing configuration files, if you can find them?

yes. the benefit of individual config files is that you can leverage way more general purpose tools for stuff like this, and the systems i can think of that use individual configuration files have a well structured file system behavior (which the registry adds an unnecessary layer on top of). some of this doesn't apply to some of os x's plist or xmls as they've been turned into binary files, but general purpose OS X/*nix/bsd configs can be piped in and out of a wide array of general purpose tools. from a malware perspective, it mitigates threats as you have a complete separation of access controls between system-level and user-level configuration. from a purely stability and user perspective, configuration becomes more resilient to failure and easily redistributable.

i mean, it's kind of the same reason why, if you're coding a major program, you don't just put everything into one flat file filled with GOTO [line number] statements.

By the way, in regards to malware you should read up on the virtualized registry and virtualized filesystem in current Windows system. Some of your comments are not applicable to the current version of Windows.

i'm aware that ms has increased security and access controls in the registry. some of what i've said i've prefaced with a "back in the day" and "may not be true anymore". all of this in general has been part of a general increase in security that MS has implemented across the board; i'm not arguing that they haven't. but i still maintain that the registry possesses a lot of systems design problems, along with other MS ideas-that-sounded-good-back-in-the-90s, that predispose it to stability/security issues. many of their "solutions" are like transitory steps to move away from the fundamental architecture decisions that they had in the first place: virtualized registry access is basically recognizing that having one gigantic binary flat file was a bad idea and now it's emulating having separate configuration files with separate access levels.

i'm not quite sure what virtualized filesystems have to do with security/stability, though if you would enlighten me i'd appreciate it.
 
WRONG - people should 'cancel' any installer that pops up unexpected. Simple rule: if you didn't initiate the install, don't install.

hehehe.. i agree

is that you agent 0815....... err....... steve....... err...... ballmer?

i'm sure HE is behind it............ all, and what...... NO rapture?

:p

quite reassuring to see apple launch a 2.1ish meg security update to cope with this non-issue, as far as i am concerned....

too little aapl news, far too much press coverage

let's move on........... mind the gap!

take care out there!

francois
 
I'm amazed people are still stupid enough to manually download and run this considering all the press coverage it has received.

wtf? You never got it, did you? IT DOWNLOADS ITSELF. It keeps doing it on my system, and I have to catch it and ditch it.
 
You provided a well written opposing view point. You are obviously a troll

*Sarcasm alert

Well written? He started his post out by congratulating the sleazeballs who are creating this crap for circumventing Apple's security. Then goes on to praise MS. The guy's had an account for 2 weeks. Sounds like a troll to me.

You never got it, did you? IT DOWNLOADS ITSELF. It keeps doing it on my system, and I have to catch it and ditch it.

True, but it doesn't install itself, does it? :D
 
Props to those guys beating Apple at this.

As much as you can hate windows, MS has been very serious about security on Windows with a much tighter security system in Windows 7. Not saying that they had already not needed that, but they have been very careful and have come strong on viruses and malware.

Apple, you need to tighten up here.

How could you actually encourage or support people creating Malware? That is absolutely terrible. Whether or not Apple should "tighten up" is debatable, but the fact that those creating malware are doing a bad thing should not be.
 
Take down/corrupt the registry and down goes the whole OS.

Mac OS X apps are self contained, no need for a registry.


Stating Microsoft take security seriously is a troll attempt? And what do you have against the registry, I'd prefer an easily searchable central registry of files rather than a million .ini files scattered the length and breadth of my hard drive.
 
WRONG - people should 'cancel' any installer that pops up unexpected. Simple rule: if you didn't initiate the install, don't install.

As has been posted, one user was working with multiple tabs, and did download software in one tab. Another tab hit the malware, and when the install dialog appeared he authorized it.

Even careful, knowledgeable people can be bitten by this.


yes. the benefit of individual config files is that you can leverage way more general purpose tools for stuff like this

Any registry operation is scriptable - you never need to run regedit.


i'm not quite sure what virtualized filesystems have to do with security/stability, though if you would enlighten me i'd appreciate it.

If malware creates files in %SystemRoot%\System32 or other system directories, they are actually created in a virtualized filesystem that only the malware program can see. The files are not visible to other users, nor to system programs.

True administrator access (e.g. a popup that asks for the Administrator password) is needed to change the real on-disk files.

Clearly, preventing malware from modifying the global filesystem is a good thing for security/stability.


Take down/corrupt the registry and down goes the whole OS.

Have you ever seen a registry that's been corrupted or "taken down"?

Why do Apple users so often say "trash the plists" when a problem occurs?

How is a valid registry that contains evil data different from plist files that contain evil data?
 
wtf? You never got it, did you? IT DOWNLOADS ITSELF. It keeps doing it on my system, and I have to catch it and ditch it.

'catch it' makes it sound like a lot of complicated work that only experts can do. I haven't had it yet - but to my understanding it will download to your download folder (and assuming you are not using Safari with the open safe files feature) it will just sit there doing nothing. The only work involved on your side should be to check that folder every once in a while and delete everything in there (which is anyway a good practice to do, too many [good] installers are collecting in there over time and take up too much disk space).
 
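A small audit script for the two things the post above relies on, added here as an example and not code from the thread: it reports whether Safari's "Open 'safe' files after downloading" preference is still on (assumed to be the `AutoOpenSafeDownloads` key in `com.apple.Safari`, on by default) and lists installer-like files sitting in a Downloads folder so they can be reviewed and deleted. The folder path is an assumption; on a non-Mac system the Safari check reports "unknown" and only the folder listing runs.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumptions: Safari's auto-open
# preference is com.apple.Safari AutoOpenSafeDownloads, and the folder to audit
# is ~/Downloads unless a path is given as the first argument.

# Print "on", "off" or "unknown" for Safari's auto-open preference.
# "on" means a downloaded .dmg/.pkg is opened without any further click.
safari_autoopen_state() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo unknown          # `defaults` only exists on Mac OS X
        return
    fi
    # An unset key means the default, which is "on" (1).
    v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo 1)
    case "$v" in
        0|false|NO) echo off ;;
        *)          echo on ;;
    esac
}

# List installer-like items directly inside a directory, one per line.
# .pkg/.mpkg may be bundles (directories), so no -type filter is applied.
list_installers() {
    find "$1" -mindepth 1 -maxdepth 1 \
        \( -name '*.pkg' -o -name '*.mpkg' -o -name '*.dmg' -o -name '*.zip' \) \
        | sort
}

# Number of installer-like items, for a one-line summary.
count_installers() {
    list_installers "$1" | grep -c . || true
}

downloads=${1:-$HOME/Downloads}
echo "Safari auto-open safe files: $(safari_autoopen_state)"
if [ -d "$downloads" ]; then
    echo "installer-like items in $downloads: $(count_installers "$downloads")"
    list_installers "$downloads"
fi
```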

Troll... You love to be the first to write that word.
 
Lion should fix things with sandboxing.

http://cocoaheads.tumblr.com/post/3483212346/lion-sandboxing-and-privilege-separation

I'm hoping it's a direct port of FreeBSD Jails. Capsicum (more here) and PF would be welcome as well. PF could be used to set up incoming and outgoing firewall rules.


Agreed, almost kind of scary how easy it was. Let's face it, to this point Apple hasn't needed to pay a whole lot of attention to security. They scoffed at Microsoft when it went through its big ordeal years ago in dealing with malware.

I just hope that Apple is going to be very proactive in dealing with this (I'm sure they will). They tend to take user privacy and user rights very seriously and I hope they start to pursue legitimate ways of keeping everyone's Macs safe. Because this first attempt got an A for being proactive but overall the fix was pretty weak sauce if you ask me...
 
Search for "Mothers Day Poems" on Google Images. Command-click each result (into a new tab). One of them will eventually redirect to a poison website with a fake "scanner", and trigger a file download. The redirect will happen on its own, so you can close all the non-poison hits. You may have to go through 30 or 40 results. Caveat emptor.

P.S. While you're doing that, feel free to report blogspot.com pages which pretend to have a "sexy girl" in your area wanting to talk to you. Hit the Report Blog button in the top of the toolbar.

Awesome, thanks!

I saw one that showed searching for Osama Bin Laden gave it, but tried a bunch of different stuff and haven't been able to find it.
 
If I don't run in admin mode and run in standard mode instead, will I be safe from the malware?
It makes no difference if you run in standard or admin mode. The only way to be safe from Mac OS X malware is to use your head: don't install software that you didn't intend to install, and only get software from reputable, trusted sources.
Also will installing iAntivirus help at all? :confused:
It's not necessary and I wouldn't trust it. AntiVirus makes inaccurate claims about the existence of Mac malware, in order to hype the need for their product. This post will give details.
I work for Apple
I seriously doubt that.
 
Is this the beginning of the end for the Mac's malware protection? :eek:
No, it isn't. Mac's best malware protection has been the same for the past 10 years: an informed, prudent user who thinks before doing anything, especially when choosing and installing software. That's all that's required.
 