Free Republic

New Apple antivirus signatures bypassed within hours by malware authors
ZDNet ^ | May 31, 2011 | Ed Bott

Posted on 06/01/2011 8:10:35 AM PDT by Wooly

Update June 1, 6:00AM PDT: The bad guys have wasted no time. Hours after Apple released this update and the initial set of definitions, a new variation of Mac Defender is in the wild. This one has a new name, Mdinstall.pkg, and it has been specifically formulated to skate past Apple’s malware-blocking code.

The file has a date and time stamp from last night at 9:24PM Pacific time. That’s less than 8 hours after Apple’s security update was released.

On a test system using Safari with default settings, it behaved exactly as before, beginning the installation process with no password required.

As PC virus experts know, this cat-and-mouse game can go on indefinitely. Your move, Apple.

I’ve also captured a video that shows the File Quarantine feature successfully blocking an attempt to automatically install the Mac Guard malware. See below.

After a month-long Mac Defender/Mac Guard malware attack, Apple has finally released the security update it promised last week. The update takes Apple one step closer to turning an obscure security feature into something very close to full-fledged antivirus software.

(Excerpt) Read more at zdnet.com ...


TOPICS: Business/Economy; Culture/Society; News/Current Events; Technical
KEYWORDS: apple
To: LearnsFromMistakes
right, because a targeted attack could never work against a mac. See this is the crap we are talking about. Macbots just don't get it. They swear better security and make outrageous claims (like your Iranian nuke plant claim). As if using Macs would have prevented the targeted attack. Maybe you should read about the pwn2own contest where OSX has lost the contest easily for not 2, not 3, but 4 yes 4 years in a row! Macbot excuse 1st year: Everyone wants a mac so they only focussed on cracking the mac. Macbot excuse 2nd year: Everyone wants a mac so they only focussed on cracking the mac, plus it was a pre-staged attack so that doesn't count. Macbot excuse 3rd year: It was a pre-staged attack from a computer genius and ex-NASA employee. No one else in the world could accomplish such an attack. Macbot excuse 4th year: I have yet to hear one as it was a Canadian that cracked OSX in 5 seconds.
41 posted on 06/01/2011 10:41:38 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: Johnny B.

One of our biggest virus problems is Macs. Mac users don’t scan their thumb drives but share them with PC users, spreading the virus.


42 posted on 06/01/2011 10:49:27 AM PDT by AppyPappy (If you aren't part of the solution, there is good money to be made prolonging the problem.)

To: for-q-clinton
Maybe you should read about the pwn2own contest

I have seen your posts before, so I know about the contest...incessantly. Every year, 1 mac is hacked. I get it.

43 posted on 06/01/2011 11:02:38 AM PDT by LearnsFromMistakes (Yes, I am happy to see you. But that IS a gun in my pocket.)

To: LearnsFromMistakes

Not just that 1 mac is hacked. 1 mac is hacked first. Before a single windows machine or Linux machine is hacked.


44 posted on 06/01/2011 11:37:10 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: for-q-clinton
Every year, 1 mac is hacked first(before the Windows pc).

Fixed it. Better?

Not sure exactly what you want to hear on these threads. Mac users (like other users) can be fooled into installing software that they shouldn't?

As far as my 'outrageous' claim that I was glad the Iranian nuke folks didn't use macs. I thought it was kinda clever...Can you imagine malware inside that plant? 'Click here to install that upgrade that you didn't know you needed - your centrifuge is at risk'. Never would have happened.

45 posted on 06/01/2011 12:15:23 PM PDT by LearnsFromMistakes (Yes, I am happy to see you. But that IS a gun in my pocket.)

To: LearnsFromMistakes
Can you imagine malware inside that plant? 'Click here to install that upgrade that you didn't know you needed - your centrifuge is at risk'. Never would have happened.

Well, if you had phrased it the proper way, it could have happened--Click here to allow the Mahdi to return.

46 posted on 06/01/2011 12:21:33 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: dfwgator

It can’t do anything if you change the default to not allowing things to automatically open. I did that the first day I got my mac and when I did run into this I just forced quit to get out of it. Nothing happened period.


47 posted on 06/01/2011 12:45:40 PM PDT by chris_bdba

To: ShadowAce

Too funny!


48 posted on 06/01/2011 2:20:57 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: chris_bdba

But what about the literally hundreds of hundreds of other mac users that haven’t done that? OSX should be secure by default.


49 posted on 06/01/2011 2:22:19 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: for-q-clinton

I personally don’t know anyone who didn’t change that when the computer came out of the box. I suppose there may be someone out there who wouldn’t know? Do all windows users allow everything to automatically open?


50 posted on 06/01/2011 2:30:24 PM PDT by chris_bdba

To: AppyPappy
One of our biggest virus problems is Macs. Mac users don’t scan their thumb drives but share them with PC users, spreading the virus.
So it's the responsibility of Mac users to make up for the shoddy quality of Windows?

I doubt that many Mac users intentionally copy a Windows virus onto their thumb drives. If a thumb drive contains a Windows virus, it was most likely put there by an infected Windows PC.

51 posted on 06/01/2011 2:45:41 PM PDT by Johnny B.

To: chris_bdba

With XP yes they had everything open and it was up to the user to lock it down. We see how that turned out.


52 posted on 06/01/2011 2:49:25 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: Johnny B.

No the Mac users download the virus but it doesn’t affect them because no one writes viruses for Macs.


53 posted on 06/01/2011 4:17:33 PM PDT by AppyPappy (If you aren't part of the solution, there is good money to be made prolonging the problem.)

To: Wooly; ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; ...
MacDefender authors update their malware to get around Apple's defense... sort of. It still requires THREE separate clicks of the user's mouse to install—ignoring the warnings—but it WILL start the installer IF, and ONLY IF, you are running as an Administrator, and IF, and ONLY IF, you still have "Open 'safe' files after downloading" checked in Safari preferences!—PING!


Apple Security Ping!

Please, No Flame Wars.
Discuss technical issues, software, and hardware.
Don't attack people!
Don't respond to the Anti-Apple Thread Trolls!
PLEASE IGNORE THEM!!!

If you want on or off the Mac Ping List, Freepmail me.

54 posted on 06/02/2011 12:10:43 AM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone.)

To: dfwgator
What happens if a Mac user is logged in as a Standard User, rather than an admin? I would think that there’s no way it would install without prompting the user to enter the admin user name and password.

You are right... it can't. This can only happen if the user is running as an Administrator.

55 posted on 06/02/2011 12:12:55 AM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone.)

To: for-q-clinton
Read again. No password needed :-)

Period.

No password is needed IF the user is running as an administrator account. If the user is running as a Standard account, it requires both an administrator name and password. Without both, it's stopped dead in its tracks.

56 posted on 06/02/2011 12:14:59 AM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone.)
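Added example, not part of any post in this thread: a small audit for the two conditions named in posts 54 to 56 (Safari's "Open 'safe' files after downloading" setting and an Administrator account). It assumes the checkbox is stored under the preference key `AutoOpenSafeDownloads` in the `com.apple.Safari` domain and that administrators are members of the `admin` group; the result labels are made up for this example.

```shell
#!/bin/sh
# classify_exposure AUTO_OPEN GROUP_LIST
#   AUTO_OPEN:  value of AutoOpenSafeDownloads ("1", "0", or "" if unset/unreadable)
#   GROUP_LIST: space-separated group names of the account being checked
classify_exposure() {
    auto_open=$1
    grp_list=$2
    # An unset or unreadable key is treated as enabled (assumption: the
    # setting ships switched on, so "no value" must not read as safe).
    case $auto_open in
        0|false|NO|no) opens=no ;;
        *)             opens=yes ;;
    esac
    # Match "admin" only as a whole group name, not as a substring.
    case " $grp_list " in
        *" admin "*) admin=yes ;;
        *)           admin=no ;;
    esac
    if [ "$opens" = yes ] && [ "$admin" = yes ]; then
        echo "EXPOSED: auto-open on, admin account"
    elif [ "$opens" = yes ]; then
        echo "PARTIAL: auto-open on, standard account"
    elif [ "$admin" = yes ]; then
        echo "PARTIAL: auto-open off, admin account"
    else
        echo "HARDENED: auto-open off, standard account"
    fi
}

# Read the live values for the current user on a Mac.
audit_this_mac() {
    value=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null) || value=""
    classify_exposure "$value" "$(id -Gn)"
}

# Only query the system when actually running on macOS.
if [ "$(uname -s)" = Darwin ] && command -v defaults >/dev/null 2>&1; then
    audit_this_mac
fi
```

On recent macOS releases Safari's preferences may not be readable from Terminal without extra privacy permissions, in which case the script reports the setting as enabled rather than guessing.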

To: sweet_diane
"get a virus."

Save your sweat tea, it is not a virus.
57 posted on 06/02/2011 12:17:05 AM PDT by PA Engineer (SP/AW12: Time to beat the swords of government tyranny into the plowshares of freedom.)

To: Cronos
True. While I like the fact that Apple is competition to Windows, I've never been enamored with them -- they're too closed for a person who likes to tinker. Also I've been turned off by too many folks who make this into their own little cult!

What, exactly, is closed about a certified UNIX™ system that will run 100% of your Windows software as well as all of its own OSX software, and 100% of Linux software as well, not to mention a host of software from dozens of other operating systems... simultaneously? Perhaps the thing that is closed is your mind?

58 posted on 06/02/2011 12:26:08 AM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone.)

To: for-q-clinton
Read again. No password needed :-)

Period.


That is interesting. My Wife's computer had the pop up that froze Safari. She called me and I grabbed the IP for my own fun and hit force quit. No install. Could you please tell me why that was? Maybe you discussed it in one of your 7 previous cage rattling threads.

Maybe the Macdefender I passed on to the authorities with active IP trace was not the social engineering malware you keep screaming about. Is that possible?
59 posted on 06/02/2011 12:26:51 AM PDT by PA Engineer (SP/AW12: Time to beat the swords of government tyranny into the plowshares of freedom.)

To: for-q-clinton
See I can stick my head in the sand just as easily as you can.

How about telling us about Windows 8 rollout preview today? I have both systems. You seem to be an expert on all things windows.
60 posted on 06/02/2011 12:29:53 AM PDT by PA Engineer (SP/AW12: Time to beat the swords of government tyranny into the plowshares of freedom.)



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
