Last night, we reported that Apple issued a Security Update for Snow Leopard users to update the OS X malware definitions, enhance File Quarantine’s functionality and, more importantly, automatically find and remove known variants of the Mac Defender malware that has been spreading among Mac users over the past month. By enabling OS X to update definitions daily in the background with a new daemon, Apple is taking the necessary measures to make sure new versions of Mac Defender and, overall, future malware targeting Mac machines can be removed safely and quickly within hours or days of being discovered. As reported by Ed Bott at ZDNet, a new variant of Mac Defender with a new installer package has already been released, and it’s capable of circumventing Apple’s new security update and works exactly like Mac Defender and Mac Guard did until yesterday.
The bad guys have wasted no time. Hours after Apple released this update and the initial set of definitions, a new variation of Mac Defender is in the wild. This one has a new name, Mdinstall.pkg, and it has been specifically formulated to skate past Apple’s malware-blocking code.
The file has a date and time stamp from last night at 9:24PM Pacific time. That’s less than 8 hours after Apple’s security update was released. On a test system using Safari with default settings, it behaved exactly as before, beginning the installation process with no password required.
Bott suggests this “cat and mouse” game is just the beginning, and Apple will have to begin addressing new variants that are discovered every day. The system put in place by Apple to provide updated definitions for easy removal of malware should allow users to prevent computer infections by automatically finding suspicious packages downloaded from the Internet. [via MacRumors]
The promised software update to automatically find and remove known variants of the Mac Defender malware has just been released by Apple and is now available in the Software Update panel or on Apple’s Downloads website. The KB article HT4657 explains that Apple has added an “OSX.MacDefender.A” definition to the malware check within File Quarantine. On Mac OS X 10.6.7, the installation process of the security update “will search for and remove known variants of the MacDefender malware”. Users will also be notified after a MacDefender variant is removed, and Apple offers more details and information in this article as well.
The Mac OS X malware list is now updated daily in the background, without the need for a manual software update:
Apple maintains a list of known malicious software that is used during the safe download check to determine if a file contains malicious software. The list is stored locally, and with Security Update 2011-003 is updated daily by a background process.
Security Update 2011-003 provides additional protection by checking for the MacDefender malware and its known variants. If MacDefender malware is found, the system will quit this malware, delete any persistent files, and correct any modifications made to configuration or login files. After MacDefender is identified and removed, the message below will be displayed the next time an administrator account logs in.
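As an added illustration, not Apple’s code or the article’s, here is a simplified Python model of the safe-download check the KB describes: a locally stored definition list consulted when a quarantined download is opened, plus a staleness check for the daily background refresh. The list format, the OSX.MacDefender.A signature and the sample files are constructed for the example; only the .pkg content-type identifier is a real UTI.

```python
# Added example, not Apple's code: a simplified model of the File Quarantine
# "safe download" check described above. The list format and signature are
# constructed placeholders; only the .pkg content-type string (UTI) is real.
import hashlib
import os
import tempfile
# Constructed definitions: "identity" is the SHA-1 of one known-bad file,
# "pattern" a byte sequence looked for in files of the given content type.
DEFINITIONS = [{
    "description": "OSX.MacDefender.A",
    "content_type": "com.apple.installer-package-archive",
    "identity": hashlib.sha1(b"constructed-bad-pkg").hexdigest(),
    "pattern": b"MacDefender.app/Contents",
}]

def check_download(path, content_type, definitions=DEFINITIONS):
    """Return the matching definition's description, or None if clean.
    Only files whose declared content type matches a definition are read;
    a file matches on an exact SHA-1 identity or on the byte pattern."""
    with open(path, "rb") as f:
        data = f.read()
    digest = hashlib.sha1(data).hexdigest()
    for d in definitions:
        if d["content_type"] != content_type:
            continue
        if digest == d["identity"] or d["pattern"] in data:
            return d["description"]
    return None

def definitions_stale(last_update_epoch, now_epoch, max_age_s=2 * 86400):
    """The list is meant to refresh daily in the background; a copy older
    than two days suggests the background updater is not running."""
    return now_epoch - last_update_epoch > max_age_s

def demo():
    """Write three constructed downloads (pattern hit, identity hit, clean)
    to a temp dir and run the check on each."""
    tmp = tempfile.mkdtemp()
    samples = {  # file names and contents are made up for the example
        "Mdinstall.pkg": b"xar!MacDefender.app/Contents/MacOS/MacDefender",
        "variant.pkg": b"constructed-bad-pkg",
        "Readme.pkg": b"xar!Readme.app/Contents/MacOS/Readme",
    }
    results = []
    for name, payload in samples.items():
        path = os.path.join(tmp, name)
        with open(path, "wb") as f:
            f.write(payload)
        results.append(check_download(path, "com.apple.installer-package-archive"))
    return results
```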
Mac OS X 10.6.8 was rumored to be the software update that would include a fix for Mac Defender, but it’s likely that Apple also pushed a security update for users who will keep running the older 10.6.7 Snow Leopard version, with 10.6.8 getting the Mac Defender fix built in.
According to the release notes of the latest build of Mac OS X 10.6.8 seeded to developers on Friday, the upcoming upgrade will contain improvements for Preview, VPN and IPv6, but more importantly it will make changes to the Mac App Store application in order to get it ready for Lion’s digital distribution this summer. As noted by 9to5mac, the installer of build 10K531 reports 10.6.8 will “enhance the Mac App Store to get your Mac ready to upgrade to Mac OS X Lion”, as well as “identify and remove known variants of Mac Defender.” Last week, Apple indeed updated a support document related to the Mac Defender malware promising that “in the coming days” a Mac OS X software update would be released to automatically find and remove Mac Defender and its known variants. At this point, it appears Apple is getting ready to release Mac OS X 10.6.8 relatively soon, perhaps even ahead of the WWDC that kicks off on June 6.
As for Lion’s release, latest rumors indicated that after widespread internal testing Apple could release the OS sooner than initially expected — not in July or August, maybe at the WWDC. A WWDC release, however, would appear strange considering Lion Developer Preview 3 still has several bugs to fix and a GM build hasn’t been seeded yet. Apple is undoubtedly “enhancing” the Mac App Store’s underlying code to make the transition to Lion easier and the download process as smooth as possible, though it seems likely that the company will also sell boxed copies (DVDs or portable USB keys, as many suggested) for those users unable to download gigabytes of data from the App Store.
A new support document surfaced on Apple’s website today reveals the company will release a Mac OS X software update in the next few days (likely a security update) that will automatically find, block and remove the popular Mac Defender malware from infected OS X machines.
A recent phishing scam has targeted Mac users by redirecting them from legitimate websites to fake websites which tell them that their computer is infected with a virus. The user is then offered Mac Defender “anti-virus” software to solve the issue. This “anti-virus” software is malware (i.e. malicious software). Its ultimate goal is to get the user’s credit card information which may be used for fraudulent purposes. The most common names for this malware are MacDefender, MacProtector and MacSecurity.
In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware.
Whilst an internal AppleCare document leaked last week suggested Apple was telling employees not to remove the Mac Defender malware from users’ computers (and telling the same employees to redirect users to the Mac App Store to find proper antivirus software), it appears the company is taking the necessary steps to make sure Mac Defender won’t spread even further — in the same support document updated today they also offer a handy removal guide for manually finding and deleting the malicious application. Mac Defender began spreading quickly in early May, when hundreds of users reported online that they had discovered a malware-scanning utility on their computers that they did not want installed. It turned out Mac Defender still required a manual installation to be activated, though downloads effectively happened without a user’s consent when visiting certain webpages, often linked from Google Image Search.
“MAC Defender has changed everything,” one Apple Store Genius, who requested to remain anonymous (we’ll call him Lenny) told Ars. “We probably get 3 or 4 people with this per day. Most of them only got as far as installing the program and haven’t entered their credit card details.”
Lenny went on. “This always sparks a debate at the bar on whether antivirus software is necessary on the Mac. This is difficult, as the store sells several antivirus products implying that Apple supports the idea, but as many customers point out, the sales guys aren’t shy in making the claims for Mac OS X’s security. Internally, Apple’s [IT] department mandates the use of Norton Antivirus on company machines.”
Following the controversy that was sparked by the wide spread of MAC Defender (covered here), which raised (again) the inevitable question of whether being scared of malware on a Mac is nothing but crying wolf, Ars Technica takes a step back and tries to analyze the situation by interviewing Apple employees, Geniuses, and various representatives of antivirus / security companies. Whilst it’s fairly obvious that antivirus makers will always recommend their products because you have to keep your machine secure, the takeaway from support specialists is interesting: there’s no need to panic, but people are undoubtedly coming in asking for help with this recent malware.
Of course, the peculiar nature of Mac Defender (it’s a “scanning software” that asks for your credit card details, and it’s downloaded through a malicious script from certain websites and Google Image Search) raises another issue: users are installing the software by manually going through an installer and giving it their passwords — this shouldn’t happen. Anyone who’s a little skilled in computing should know that stuff you didn’t want to download shouldn’t be granted permission to run in the first place. And MAC Defender comes as a whole installer. On the other hand, I don’t think it’s really about crying wolf (though some people like to run overly sensationalistic headlines), as much as it’s about the fact that this malware ultimately exists. Fact.
An internal AppleCare document posted earlier this week reveals that Apple is investigating ‘Mac Defender’ – a recently unleashed malicious application that pretends to be an anti-virus application when users download it. The document, which Apple clearly notes is for internal use only, tells its employees not to confirm or deny whether the application has been installed on a user’s computer, and not to attempt to remove it or escalate the issue.
The bizarre document, which is posted in full after the break, seems to be instructing Apple employees to take no part in resolving malware issues on a user’s computer.
AppleCare does not provide support for removal of the malware. You should not confirm or deny whether the customer’s Mac is infected or not.
However, the document does tell employees to instruct customers that if the Mac Defender installer pops up on their screen, they should cancel the installer and delete it immediately. If the application is already installed, employees are told to tell the customer to make sure all security updates have been installed with Software Update and then direct them to the “What is Malware?” document. But the document is clear in saying that Apple doesn’t deal with malware – even recommending anti-virus software in the Mac App Store.
Explain that Apple does not make recommendations for specific software to assist in removing malware. The customer can be directed to the Apple Online Store and the Mac App Store for antivirus software options.