Last night, we reported Apple issued a Security Update for Snow Leopard users to update the OS X malware definitions, enhance File Quarantine’s functionalities and, more importantly, automatically find and remove known variants of the Mac Defender malware that’s been spreading among Mac users in the past month. By enabling OS X to update definitions daily in the background with a new daemon, Apple is taking the necessary measures to make sure new versions of Mac Defender and, overall, malware targeting Mac machines in the future can be removed safely and quickly a few hours / days after they’re discovered. As reported by Ed Bott at ZDNet, a new variant of Mac Defender coming with a new installer package has already been released, and it’s capable of circumventing Apple’s new security update and work exactly like Mac Defender and Mac Guard used to until yesterday.
The bad guys have wasted no time. Hours after Apple released this update and the initial set of definitions, a new variation of Mac Defender is in the wild. This one has a new name, Mdinstall.pkg, and it has been specifically formulated to skate past Apple’s malware-blocking code.
The file has a date and time stamp from last night at 9:24PM Pacific time. That’s less than 8 hours after Apple’s security update was released. On a test system using Safari with default settings, it behaved exactly as before, beginning the installation process with no password required.
Bott suggests this “cat and mouse” game is just the beginning, and Apple will have to begin addressing new variants that are discovered every day. The system put in place by Apple to provide updated definitions for easy removal of malware should allow users to prevent computer infections by automatically finding suspicious packages downloaded from the Internet. [via MacRumors]