Apple Security Update Addresses MacDefender

Stephen Hart
Forum Member - Level 5
Posts: 3043
Joined: Thu Apr 07, 2011 10:09 am

Apple Security Update Addresses MacDefender

Post by Stephen Hart » Tue May 31, 2011 4:57 pm

From Macintouch:
(Get it through Software Update.)
Apple issued Security Update 2011-003 for Snow Leopard today with some anti-malware mechanisms specific to Snow Leopard:

The OSX.MacDefender.A definition has been added to the File Quarantine.
The system will check daily for updates to the File Quarantine malware definition list. An opt-out capability is provided via the "Automatically update safe downloads list" checkbox in [System Preferences > Security > General].
The installation process for this update will search for and remove known variants of the MacDefender malware. If a known variant was detected and removed, the user will be notified via an alert after the update is installed.
This update downloads quickly and doesn't require a restart. DO IT NOW!
"Design is not just what it looks like and feels like. Design is how it works."
Steve Jobs

Ray Bentsen
Administrator
Posts: 356
Joined: Fri Apr 01, 2011 8:22 pm
Location: Sequim, WA

Re: Apple Security Update Addresses MacDefender

Post by Ray Bentsen » Tue May 31, 2011 10:08 pm

I had never even heard about "File Quarantine" in Snow Leopard.

There is a well-written article about File Quarantine and the Security Update here.
;)
An old Norse adage: Change is inevitable, except from a vending machine.

Stephen Hart
Forum Member - Level 5
Posts: 3043
Joined: Thu Apr 07, 2011 10:09 am

Re: Apple Security Update Addresses MacDefender

Post by Stephen Hart » Wed Jun 01, 2011 5:47 am

And here are the Apple pages relevant to this malware:

File Quarantine: http://support.apple.com/kb/HT3662

Malware Detection: http://support.apple.com/kb/HT4651

How To Remove MacDefender: http://support.apple.com/kb/HT4650
"Design is not just what it looks like and feels like. Design is how it works."
Steve Jobs

bluesky
Forum Member - Level 3
Posts: 114
Joined: Tue Apr 12, 2011 7:03 am
Location: Sequim-Port Angeles

Re: Apple Security Update Addresses MacDefender

Post by bluesky » Wed Jun 01, 2011 11:39 am

Apple's Security fixes have been bypassed already... the SAME evening as they were released.

http://www.macnn.com/articles/11/06/01/ ... n.updates/
"All computers wait at the same speed."

Stephen Hart
Forum Member - Level 5
Posts: 3043
Joined: Thu Apr 07, 2011 10:09 am

Re: Apple Security Update Addresses MacDefender

Post by Stephen Hart » Wed Jun 01, 2011 2:27 pm

bluesky wrote:
> Apple's Security fixes have been bypassed already... the SAME evening as they were released.
>
> http://www.macnn.com/articles/11/06/01/ ... n.updates/

OK, but that inspires me to repeat, once again (deja vu anyone?), that there is no way for any computer maker or OS maker to protect you against a scam that can only succeed by asking you to perform several risky actions and then asking you for your credit card number. Any file, of any type, that you download from any source, can contain malware code that can direct you to a web site asking for your credit card number. There is no malware-detection software that can protect you against trojan horse malware except after it's been recognized and added to a database.

This particular scam is nearly identical to one that's rampant on Windows computers. It's not very sophisticated.

It requires you to do four things without paying any attention:

1. Click to download software (Except where Google's image search is still compromised, in which case a download can start automatically. That's Google's problem, and only they can solve it.)
2. Open a downloaded file (Except if you have Safari's prefs set to open safe files after downloading. Apple could address this by removing this option, though that would probably enrage a lot of users who think they don't need babysitting.)
3. Not notice the very strange behavior of your Mac while the bogus warning boxes are popping up (Any time anything strange happens on your Mac, stop and think.)
4. Fill in your credit information in a form after all this

Just don't do any of those four things and the scam can't work. Better yet, follow the advice SMUG members have given above.

Oh, and by the way, you just have to love this sentence, which implies that we'd be safer if only OS X were less safe:
> The trouble may, ironically, be based in part on Mac OS' relative safety, as some victims assumed that software being pushed to them was coming from Apple.

Note:
Be sure to uncheck this option in Safari Preferences:
[Attached image: dontcheck.jpg]
"Design is not just what it looks like and feels like. Design is how it works."
Steve Jobs

bluesky
Forum Member - Level 3
Posts: 114
Joined: Tue Apr 12, 2011 7:03 am
Location: Sequim-Port Angeles

Re: Apple Security Update Addresses MacDefender

Post by bluesky » Fri Jun 03, 2011 12:24 pm

The cat n mouse game goes on....
New Mac Defender variant already being blocked by Mac OS X
updated 12:30 pm EDT, Thu June 2, 2011

Snow Leopard Definitions updating silently

A newer variant of Mac Defender which bypassed Security Update 2011-003 on Tuesday has in turn been defeated by a definition update, an Italian website notes. A check of Snow Leopard's XProtect.plist file should now show an entry for "OSX.MacDefender.C." Definitions for A and B variants of the malware were included with the Security Update.
The PLIST file reveals that Apple is indeed doing silent updates of Snow Leopard's antivirus protection, rather than notifying people of changes. The Security Update introduced automatic definition updates to the OS, similar to systems employed by third-party AV tools. By building definitions to update without formal patches, Apple should be able to more rapidly respond to the growing number of Mac security threats.


Read more: http://www.macnn.com/articles/11/06/02/ ... z1OFLRUdMZ
"All computers wait at the same speed."
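
The check the quoted article describes (look in XProtect.plist for an "OSX.MacDefender.C" entry) can be scripted, and comparing two saved copies of the file shows what a silent definition update added. This is an added example, not part of the original posts or the quoted article; it assumes the file is a top-level array of dictionaries that each carry a "Description" string, the function names are hypothetical, and the sample data is constructed.

```python
import plistlib
import sys


def make_sample(names):
    """Build a constructed plist: a top-level array of dicts with a Description."""
    return plistlib.dumps([{"Description": name} for name in names])


# Constructed snapshots (not real file contents): before and after a silent update.
SAMPLE_BEFORE = make_sample(["OSX.Example.A", "OSX.MacDefender.A", "OSX.MacDefender.B"])
SAMPLE_AFTER = make_sample(
    ["OSX.Example.A", "OSX.MacDefender.A", "OSX.MacDefender.B", "OSX.MacDefender.C"]
)


def definition_names(plist_bytes):
    """Return the Description of every definition entry, in file order."""
    entries = plistlib.loads(plist_bytes)
    if not isinstance(entries, list):
        raise ValueError("expected a top-level array of definition entries")
    return [e["Description"] for e in entries
            if isinstance(e, dict) and isinstance(e.get("Description"), str)]


def missing_variants(plist_bytes, family="OSX.MacDefender", expected=("A", "B", "C")):
    """List the expected variant letters of a family that have no definition entry."""
    prefix = family + "."
    present = {n[len(prefix):] for n in definition_names(plist_bytes)
               if n.startswith(prefix)}
    return [v for v in expected if v not in present]


def added_definitions(old_bytes, new_bytes):
    """Definitions present in the newer snapshot but absent from the older one."""
    old = set(definition_names(old_bytes))
    return [n for n in definition_names(new_bytes) if n not in old]


if __name__ == "__main__":
    # With a path argument, inspect that file; otherwise use the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_AFTER
    print("definitions:", definition_names(data))
    print("missing MacDefender variants:", missing_variants(data))
```
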

Stephen Hart
Forum Member - Level 5
Posts: 3043
Joined: Thu Apr 07, 2011 10:09 am

Re: Apple Security Update Addresses MacDefender

Post by Stephen Hart » Fri Jun 03, 2011 2:57 pm

One is tempted to imagine what would happen if Windows trojan horses were covered in the same way. All the content of all the online computer sites would be filled with nothing more than news of the latest Windows trojan horse mutants. Probably the New York Times too!

Clearly there are some things Apple could do. I'd like to see them lead the way with Safari (like they have with Flash on the iOS). One thing is to eliminate the possibility for JavaScript to take control of a browser. (Apparently that's why one has to force quit Safari after the MacDefender popup appears.) There should be no need for add-ons. Safari could use crowd sourcing, with a "Junk" button you click every time something evil this way comes. And downloading of "safe" files can go away. No downloading ever without explicit permission of the user, says I.

Web 2.0 and browser "skins" and online games are all very well, but for my money, I'll give up those conveniences in exchange for some structural changes that attack malware at the root. In the Windows world, malware is a billion-dollar industry--and that may not even be counting the anti-malware subindustry. Remember that MacDefender and its Windows ilk are trying to skim cash from this particular cow.

I'm no programmer, but I imagine that Safari could log details every time any site even comes close to taking over the browser, then send that info (anonymously) to Apple. The receiving computer could generate a block and immediately propagate it. Maybe sites that appear legit but are flirting with disaster would get one warning.

And what about Google? Why is Google getting a pass for its security problems with image search?

Finally, if online businesses complain that they can't make the big bucks with all these impediments, let them solve the problem. Then Apple and other browser makers can loosen up.
"Design is not just what it looks like and feels like. Design is how it works."
Steve Jobs

bluesky
Forum Member - Level 3
Posts: 114
Joined: Tue Apr 12, 2011 7:03 am
Location: Sequim-Port Angeles

Re: Apple Security Update Addresses MacDefender

Post by bluesky » Tue Jun 21, 2011 8:53 am

Just a quick update and a heads up. So far I have had to remove this chameleon of a trojan from six Macs.

The names I have seen it pose as are:
MacDefender
MacGuard
MacProtect
MacShield
MacScan
MacKeeper

Note that MacShield, MacScan and MacKeeper are also the names of legitimate software.

This article is worth reading...
http://reviews.cnet.com/8301-13727_7-20068726-263.html
"All computers wait at the same speed."
