Apple releases update to protect against MacDefender

Filed Under: Apple, Featured, Malware, OS X

Apple has released security update 2011-003 to address the recent increase in malware targeting Mac OS X.

Mac update 2011-003

It updates the included XProtect program to detect the scareware variants we have seen attacking Mac users, including MacDefender, Mac Guard and Mac Security. It still appears to be restricted to working only through the LSQuarantine library, so only files tagged by quarantine-aware applications are checked.

Once installed it will now check for updates to the XProtect list on a daily basis. This can be disabled in the Security preferences pane by unchecking the box "Automatically update safe downloads list".

Security preferences pane

Upon installation this update will check for existing infections of known malware and remove them from the system if present. Additional checks are performed when an administrative user logs into the system.

I did some testing this afternoon and was able to confirm that it works. Using Safari, I visited the infected site Graham mentioned from the link spreading on Facebook.

I immediately received a warning that OS X had detected OSX.MacDefender.B, and yet it prompted to allow me to open the file. This is one of the limitations of LSQuarantine, but it is a very bad behavior. If you know something is malicious, don't let people continue on infecting themselves...

XProtect detection dialog

To test the cleanup functionality I infected a system that had not applied the update. I proceeded to apply 2011-003 and nothing happened. I'm not sure how it is supposed to work, but it didn't alert me nor remove Mac Guard.

I rebooted my Mac and logged in as an administrative user and within a moment or two the new removal functionality kicked in. A dialog box popped up stating:

"Malware was found and removed from your computer. The 'MacGuard' malware was found and removed."

Mac malware removed

My impressions? A good reaction from Apple in a short amount of time. They are making the best of what is available in the OS X platform at this time. Unfortunately it falls short in many respects.

The biggest problem is the lack of an on-access scanning component. While LSQuarantine works to protect against downloads in most browsers, it doesn't prevent infections through USB drives, BitTorrent downloads and other applications.

Daily updates are a good start, but it remains to be seen how frequently the criminals may release new variants. If they start moving in a polymorphic direction similar to the one the Windows malware writers have gone, XProtect will have issues.

Of course this update only applies to OS X 10.6 "Snow Leopard," so older Mac users are left unprotected.

OS X 10.6 users should apply this update as soon as possible, and I recommend installing a more fully featured anti-virus solution like our free Sophos Anti-Virus for Mac Home Edition. It's totally free; we don't even ask you for your name or email.


6 Responses to Apple releases update to protect against MacDefender

  1. Tyw7 · 1239 days ago

    One question you did not make clear in your post: does the removal only occur when an admin logs in?

    It's another case of too little, too late. As with other antimalware actions that Apple have taken, it arrives too late and ultimately falls short. Also, what if the malware blocks internet traffic to prevent updates? And does the security update use heuristic methods or just plain definitions?

  2. easyosx · 1239 days ago

    Another reason why I've used an antivirus on my Mac from day one. Sophos is still my favorite free AV for Mac and is what I use. Thanks for the product!

  3. MAC POWERPC · 1239 days ago

    I've been using anti-virus for a long time; I was a Windows user so I got used to it. Anyway, Sophos is one of my favorites to keep my Mac safe. Paying more attention before downloading and making sure you know what you are doing is a good start.

  4. Nick · 1238 days ago

    This is B.S.! As a Windows user I'm appalled that your company gives away a completely free anti-virus solution to Mac users, and not to the users that enabled you to even exist! In a competitive market with many other respectable companies giving away free anti-virus solutions, you forget about the users that made you and give a gift to Mac users. I love Avira for their free offerings, but I hate the annoying update pop-up. I also love Comodo's solution, but only use it for the firewall and Defense+ (HIPS) functionality. Though, one annoying thing about Comodo is the fact that it totally breaks my AirPort Express music streaming capability.

  5. Tim Gowen · 1238 days ago

    The Sophos product found a Windows virus in an e-mail backup, which is the only time I've noticed it running. These social engineering malware issues - where the user is presented with an alert screen that seems authentic - happen all the time on Windows machines and it's almost impossible to get rid of them. It takes a lot of work. So it sounds like Apple's solution is better.

    • How is Apple's solution better? Apple does not have heuristics to detect new viruses without definitions. How many people would go undefended while Apple writes the virus definitions? They certainly could use a heuristic to detect "suspicious behavior" and delete or block all detected threats.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.