Sophos Cloud Optix
Last night the malware authors behind the Mac Guard fake anti-virus changed their methods again to bypass the updates Apple released yesterday afternoon to protect OS X Snow Leopard users.
Apple fired back shortly after 2 p.m. Pacific Daylight Time today with a new update to XProtect. Computers that have Apple update 2011-003 for Snow Leopard now check for updates every 24 hours.
As the cat-and-mouse game continues it will be interesting to see how the attackers proceed. The major change to bypass Apple’s detection yesterday was to use a small downloader program to do the initial infection, then have that program retrieve the actual malware payload.
This approach may be successful as it will be easier for the malware authors to continually make small changes to the downloader program to evade detection while leaving the fake anti-virus program largely unchanged.
Why is this important? Apple’s XProtect is not a full anti-virus product with on-access scanning. XProtect only scans files that are marked by browsers and other tools as having been downloaded from the internet.
If the bad guys can continually mutate the download, XProtect will not detect it and will not scan the files downloaded by this retrieval program. Additionally, XProtect is a very rudimentary signature-based scanner that cannot handle sophisticated generic update definitions.
Apple now detects this malware as OSX.MacDefender.C. Sophos Anti-Virus for Mac detects individual components of this malware as OSX/FakeAV-DWK, OSX/FakeAV-DWN, OSX/FakeAvDl-A and OSX/FakeAVZp-C.
It also appears that this malware is using the tried-and-true affiliate distribution method. The writers recruit other people to perform black-hat SEO, infect web pages and post blog spam and assign each one a unique affiliate ID to use in the URL for their traffic.
This allows the criminals to track which affiliate referred the victim and pay them a commission upon purchase of the fake software, enabling the criminals to cast a much wider net by sharing a portion of the profits with their “affiliates.”
Considering that XProtect only updates once a day, and only on OS X 10.6 Snow Leopard, I recommend users install a proper anti-virus tool. If you want to make sure Apple’s solution is up to date you can open a terminal on your Mac and type the following command:
sudo /usr/libexec/XProtectUpdater
Even if I didn’t work for a security company, I would install a proper anti-virus tool rather than hope that Apple provides an update every time a new threat appears. We make our Sophos Anti-Virus for Mac Home Edition available absolutely free. No registrations, no email, just free protection.
Thank you to Naked Security reader Patrick Fergus for the tip about Apple’s update to XProtect and Mrs. W. for carving our delicious apple with a perfect X.
I love most of your articles, as they always seem to be quite objective and informative, but the past week has seen a steady stream of "new attacks target macs!" and titles like "Malware on your Mac? Don't expect AppleCare to help you remove it". All of these are good and important, but to immediately follow up Apple's reply with "apple finally responds, BUT WILL IT BE ENOUGH?" is just a cheesy scare tactic. If you cry wolf too much people will stop listening. This was a good opportunity to throw in a positive article about Apple finally attempting to thwart these attacks, even if the last paragraph does still need to address cases where it might not be enough. Maybe it's just me, but I've come to expect more.
I don't believe that this is a cheesy "scare tactic." – "WILL IT BE ENOUGH?" is actually a realistic question to ask. Apple may be finally addressing this concern due to security experts (like Sophos) staying on task and expecting accountability.
Welcome to the fight Apple. The enemy has a foot in the door and that is all it takes to set you up for a LONG battle.
at least Apple is ready with XProtect created and out there
From the information presented by Chester, one can conclude that Apple is using 2001 techniques (pattern match + black list) to fight a 2011 battle. That's useful information.
Unfortunately, organizations with a large OS X footprint will have to make up the difference with some other mitigation (3rd party AV, for example).
I've tried to get myself infected with this so I could see it, but I can't seem to find it. How much of a threat is this really?
It's a real threat — since the malware is spreading via affiliates, you can expect to see it popping up via numerous venues; the first was in poisoned image searches, and then it added Facebook. You'll probably see it hit email before too long, as well as poisoned ads.
If you're attempting to get yourself infected, please do not do so on a machine with useful data — doing so is potentially dangerous to your data.
The Apple solution is for only those that have the latest and greatest. What about all of the students, teachers, and others who are inflicted with less, those that have not updated, and the other Apple orphans that I suspect significantly outnumber the best.
Apple is evading their responsibility and the junk solution they passed out is irresponsible. They are liable for all of the PowerBooks, iBooks, iMacs, etc. that are still being used on the Internet. Considering security, Apple is LIABLE – the common law was established with Microsoft. The business model of abandonment is no longer applicable.
And then, there is the possibility of contaminating across platforms.
Chet, I am recommending to all of mine that they get yours. Do not let us down.