
New MacDefender Defeats Apple Security Update

Posted by samzenpus
from the +1-or-better-update-to-hit dept.
XxtraLarGe writes "Apple released a security update yesterday designed to rid Macs of the menacing MacDefender malware that has plagued users for nearly a month. But mere hours after the update, cyber-criminals released a new variant of the malware that easily defeated Apple's belated security efforts. That didn't take long."
  • by maccodemonkey (1438585) on Wednesday June 01, 2011 @03:45PM (#36312368)

    Apple's security update includes a new daily malware definitions update. So this is hardly the easy defeat that the description is hinting at. More like the beginning of a long drawn out war...

    • Re: (Score:3, Interesting)

      by i kan reed (749298)

      Welcome to the Windows security world. It's the end of "it just works" and the beginning of "it just works as long as you do X, Y, and Z right".

      • by maccodemonkey (1438585) on Wednesday June 01, 2011 @03:49PM (#36312464)

        So far, I'd disagree with that. The malware detection is built into the system, invisible, automatic, and self updating. So the user doesn't have to do X, Y, or even Z at all. We're still at "It just works."

        Not saying that couldn't change in the future, but we're not there yet.

        • Re: (Score:2, Insightful)

          by recoiledsnake (879048)

          That would probably happen on Windows too if Microsoft is allowed to bundle MSE into the OS over "OMGZ ANTITRUST" shouts.

          • Re: (Score:3, Funny)

            by Altus (1034)

            Didn't the antitrust regulation period end a while back? I assume Windows will become the garden of peace and prosperity any day now.

            • It only just ended 2 or 3 weeks ago (May 12)

              • Also, just because they could now bundle it in, doesn't mean it is the best option. Since they had to let other people do AV, most people have their own now. It would be a bad practice at best to make all the machines run two AV systems, and people would cry foul if the software they paid for was forcefully removed. Microsoft isn't really able to solve it at this time, but it isn't really an incompetence thing.
                • by fuzzyfuzzyfungus (1223518) on Wednesday June 01, 2011 @05:23PM (#36313480) Journal
                  Given that "Windows Security Center" already detects most remotely common AV packages and whines at you if you don't have one running and in good condition, it would be simple enough to simply replace that behavior with "If 3rd party AV present, do nothing (as at present). If 3rd party AV not present or inactive, run MSE (instead of whining, as at present)."

                  Doesn't change the effectively whack-a-mole nature of antivirus(particularly now that sneaky shit like kernel-mode DRM drivers and silent phoning home are features of "legitimate" software...); but it wouldn't be a significant problem in itself.
                  • by Luckyo (1726890)

                    MSE as a download seems to be an anti-piracy measure as well. You need a legit key to get it.

                • by Holi (250190)

                  From what I have seen lately, MSE seems to be the best, everyone else seems to just want to add useless features. MSE is small and out of the way and it works. Take a hint do one thing and do it well.

              • Then the next story out of Redmond was "Yay. Now we can try to restrict chipmakers to one model of computer maker!"

        • Re: (Score:2, Insightful)

          by jesseck (942036)

          So far, I'd disagree with that. The malware detection is built into the system, invisible, automatic, and self updating. So the user doesn't have to do X, Y, or even Z at all. We're still at "It just works."

          If Microsoft had its way, the malware detection would be built into the system as well (think Microsoft Security Essentials), but anti-trust fears and a huge security software market keep that from happening. And, as with Windows, until Macs are malware-proof (which they aren't) you still need to do X, Y, and Z. Even with the latest Apple updates.

        • I like it when my Mac has a problem. It's just another excuse to get on the phone with a hot Apple Care chick.
        • by spun (1352) <loverevolutionary&yahoo,com> on Wednesday June 01, 2011 @04:21PM (#36312808) Journal

          maccodemonkey writes:

          So far, I'd disagree with that. The malware detection is built into the system, invisible, automatic, and self updating. So the user doesn't have to do X, Y, or even Z at all. We're still at "It just works."

          Not saying that couldn't change in the future, but we're not there yet.

          Okay, maccodemonkey, here's the thing: if the malware detection which is built into the system, invisible, automatic, and self updating is defeated within hours of it being released, we are no longer at "It just works." What part of "It doesn't work anymore" sounds like "It just works" to you?!?

          • Re: (Score:2, Insightful)

            Okay, maccodemonkey, here's the thing: if the malware detection which is built into the system, invisible, automatic, and self updating is defeated within hours of it being released, we are no longer at "It just works." What part of "It doesn't work anymore" sounds like "It just works" to you?!?

            Because the user experience hasn't changed. The user notices neither the viruses nor the antivirus.

            To a user, nothing has changed since before MacDefender.

            Mac OS X and Linux have a root user that protects the system against rogue processes causing too much damage. Do we call that a fault in the system because it has to exist, or do we call that a solution?

            No system is immune to trojans. Especially when users hand the trojan their root password, like what was done with MacDefender.

            • by radish (98371)

              And Windows has "Administrator" - what's the difference?

              The real issue here is that actual users care very much more about the stuff under their user account that the stuff owned by root. Installing malware as a regular user can do plenty of bad stuff without needing root.

            • by Risen888 (306092)

              Because the user experience hasn't changed. The user notices neither the viruses nor the antivirus.

              Um. Er.

              I'm pretty sure the user notices the virus, actually.

        • by toadlife (301863)

          That's funny that you think inherently reactive, definition-based anti-malware software can do a decent job of preventing infection.

      • Where X,Y,Z = "only download software from our walled-garden app store"
        *sigh* I fear this is the end of OS X as we know it....
    • by CmdrPorno (115048)

      I can't help but wonder why there appears to be a preference pane for this malware program and its update process?

    • Apple's security update include a new daily malware definitions update. So this is hardly the easy defeat that the description is hinting at. More like the beginning of a long drawn out war...

      What I haven't been able to find anywhere is information on what sort of "definitions" are used.

      The system is based on OS X's existing "file quarantine" feature, which sets a flag on files originating from safari, mail, and a few other sources, which thr
  • by jo_ham (604554) <.moc.liamg. .ta. .999mahoj.> on Wednesday June 01, 2011 @03:46PM (#36312386)

    It's a new piece of malware, as far as definitions go. It will be blocked tomorrow when the tool checks for new definitions.

    It still requires that you dismiss the "this file appears to be a file downloaded from the internet from [address], are you sure you want to run it?" dialog box. Plus, with no admin password it's local user only (which is still bad, just not root capable).

    Alas, the arms race begins. At least it's only trojans.

    • by mlts (1038732) *

      Local user can be mission accomplished very easily. For example, users with admin privs have write access to the /Applications folder. This means that malware can infect programs there with ease.

      At least Apple is one step ahead with the App Store. I can see the "file downloaded" dialog being available to admins only in a future rev of OS X.

      • by DJRumpy (1345787)

        I don't believe so. Looking at random apps in the Applications folder, I don't own any of them. System does. Everyone else has read only access.

        • by DJRumpy (1345787)

          Actually looking a bit deeper, some do show me as owner. It appears all of the system apps are owned by System. Most apps by 3rd parties are also owned by system, but those I packaged myself into DMG files for easier backup/installation are owned by me. I suspect my use of this type of backup isn't all that common though.
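As an added example (not from the thread and not Apple's tooling): a small POSIX shell audit that lists the entries of an application folder a non-root user could modify, the concern raised about /Applications in the comments above, and reports the File Quarantine flag that the earlier comment about Safari and Mail downloads refers to. It assumes find(1) with -maxdepth (present on both GNU and BSD/macOS) and, for the quarantine check, macOS's xattr(1); the demo folder it builds is constructed.

```shell
#!/bin/sh
# Audit an application folder for entries a non-root user can modify.
# Added example (not from the thread, not Apple's tooling); assumes POSIX sh
# plus find(1) with -maxdepth (GNU and BSD/macOS both have it) and, on macOS,
# the xattr(1) tool for the File Quarantine flag.

# list_writable DIR: one line per top-level entry of DIR that is writable by
# someone other than root: group- or world-writable, or owner-writable with a
# non-root owner. Such entries are where a trojan running as an admin user
# could overwrite an installed program.
list_writable() {
    find "$1" -mindepth 1 -maxdepth 1 \
        \( -perm -o+w -o -perm -g+w -o \( ! -user root -perm -u+w \) \) \
        -print | sort
}

# count_writable DIR: number of such entries (for scripting and checks).
count_writable() {
    list_writable "$1" | wc -l | tr -d ' '
}

# quarantine_status PATH: prints "quarantined", "not quarantined" or "unknown".
# Safari, Mail and friends set the com.apple.quarantine extended attribute on
# downloads; that attribute is what triggers the "downloaded from the
# internet" dialog and the definitions check. Only meaningful on macOS; on a
# system without xattr(1) the answer is "unknown".
quarantine_status() {
    if ! command -v xattr >/dev/null 2>&1; then
        echo "unknown"
        return 0
    fi
    if xattr -p com.apple.quarantine "$1" >/dev/null 2>&1; then
        echo "quarantined"
    else
        echo "not quarantined"
    fi
}

# make_demo_dir DIR: constructs a sample "Applications" folder with one
# locked-down bundle and two modifiable ones, so the audit can be tried offline.
make_demo_dir() {
    mkdir -p "$1/Safe.app" "$1/GroupWritable.app" "$1/WorldWritable.app"
    chmod 555 "$1/Safe.app"
    chmod 775 "$1/GroupWritable.app"
    chmod 777 "$1/WorldWritable.app"
}

# Usage: sh audit_apps.sh /Applications   (any folder works; no args = no-op)
if [ $# -gt 0 ]; then
    for d in "$@"; do
        echo "== $d: $(count_writable "$d") modifiable entries"
        list_writable "$d"
        for entry in "$d"/*; do
            echo "   $(quarantine_status "$entry")  $entry"
        done
    done
fi
```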

    • by Angostura (703910) on Wednesday June 01, 2011 @03:52PM (#36312496)

      It will be blocked tomorrow when the tool checks for new definitions.

      That's the interesting question, isn't it - the extent to which Apple has committed the resources to block malware effectively on a daily basis. It'll be interesting to see whether they can nip things in the bud sufficiently to dissuade the bad guys.

    • by E IS mC(Square) (721736) on Wednesday June 01, 2011 @04:36PM (#36312962) Journal

      Not surprising at all. That's how Windows works too.

  • I wonder how long it will take them to patch it this time. It almost seems like the creators of the malware were prepared and had something ready to go even before it was fixed.
    • by toadlife (301863)

      I think having something ready to go ahead of time would be a potential waste of effort, since the new definitions might, by chance, detect it too.

      Most of these malware apps are spread via hacked ad servers, which allows authors to touch millions of potential "customers" in a matter of hours with their new wares, so I suspect the most cost effective thing to do is to wait for a new definition update and then write and test new versions of the malware against the new definitions.

  • by H0p313ss (811249) on Wednesday June 01, 2011 @03:46PM (#36312394)

    the menacing MacDefender malware that has plagued users for nearly a month

    My personal laptop is a Macbook pro, and I have only heard of this through the media. Has anyone actually seen this first hand?

    • Yes, actually, from a link on Slashdot (national geographic Area 51 article) I knew enough to get rid of it.

    • by jo_ham (604554) <.moc.liamg. .ta. .999mahoj.> on Wednesday June 01, 2011 @03:49PM (#36312446)

      I have seen it attempt to get me to download it - I got hit by a google image search result where it showed me a "Finder" in Safari, with an almost convincing progress bar etc while it "scanned for viruses".

      I didn't click the download button though.

      • by Anubis IV (1279820) on Wednesday June 01, 2011 @04:46PM (#36313098)

        Same happened to me (Google image search and all, and not even for anything that would take me to the sort of places on the 'net where I'd expect malware to reside), except that it offered no download button and instead downloaded immediately. I have my Safari set up to not automatically open "safe" files, so that's as far as it got, but it was annoying nonetheless.

      • by DeadCatX2 (950953) on Wednesday June 01, 2011 @04:54PM (#36313176) Journal

        Google Image Search is EVIL

        I was looking for a certain type of connector, so I google image'd it. While perusing results for something as totally bland as surface mount connectors, I suddenly got a UAC prompt. Even after canceling it, I got an icon in the taskbar. Thankfully the denied UAC kept it from getting its hooks in, and I promptly found and deleted the offending file.

        Now, I won't even touch Google Image Search through a remote connection to a virtual machine running Chrome in a sandbox on someone else's network.

      • MacDefender tried to install itself on my system a few days ago. Oddly enough another fake anti-virus bit of malware did the same to my Windows machine on the same day. With MacDefender nothing happened as I have the open safe files option disabled in Safari. Of course on Windows it had already installed part of itself and was spamming UAC elevation requests non-stop until I nuked it, at least it looks like I did anyway.

        I suppose it was only a matter of time until OS X became a target. Granted this isn't a
    • by ugen (93902)

      I only heard about this too. I also only heard about Windows viruses and trojans even though I also own a number of Windows machines.
      Bottom line - I don't expect my computers to ever be infected, but it's out there.

    • by DesScorp (410532) <DesScorp&Gmail,com> on Wednesday June 01, 2011 @04:11PM (#36312688) Homepage Journal

      Usually while doing a Google image search. I was searching for everything from ships to aircraft, so this doesn't appear to be just a porn/warez problem.

      Still, there's a major difference between this and Windows malware. The "Install me now" routine pops up, but you have to voluntarily enter your username and password for it to infect you on the Mac. You can become infected on Windows just by surfing the wrong website. But I suppose it's only a matter of time before the scumbag malware makers of the world find a way around that.

    • by imamac (1083405)
      I helped a few people get rid of it (very easy to do).
    • by Niris (1443675)
      I've seen probably six or seven come in to Geek Squad with it. Super easy to remove, but it's out there.
  • The rabbit... (Score:2, Insightful)

    by ugen (93902)

    Tommy: What's coursing?
    Turkish: Hare coursing. They set two lurchers – they're dogs, before you ask – on a hare. And the hare has to outrun the dogs.
    Tommy: So, what if it doesn't?
    Turkish: Well, the big rabbit gets fucked, doesn't it?
    Tommy: [pauses and thinks] Proper fucked?
    Turkish: Yeah, Tommy. Before zee Germans get there.

    It's only downhill from he

  • This just in... (Score:3, Insightful)

    by girlintraining (1395911) on Wednesday June 01, 2011 @03:49PM (#36312462)
    Once an operating system reaches a certain percentage of the market share, it becomes a viable platform for malware. In other news, I have been using computers since the 286 days and I have yet to get a virus of any kind on any of my personal machines. Why? Because I'm careful. Malware only exists because people aren't careful. No operating system can prevent people from doing something dumb, so stop ragging on Apple (or Microsoft, or IBM, or whoever else you want to crucify) -- this is a problem with people, not software. Always has been.
    • Re:This just in... (Score:5, Insightful)

      by calmofthestorm (1344385) on Wednesday June 01, 2011 @03:53PM (#36312504)

      Visiting a website shouldn't be able to install malware on my computer. Neither should opening an email, Flash applet, Java applet, Word document, etc. These are all the faults of the relevant vendors.

      Installing random unsigned binaries from the internet? That should be able to do absolutely anything -- it needs to be able to for computers to be general purpose tools. And that includes malware.

      TL;DR social engineering is the user's fault, but sec vulns do exist and are not.

      • Absolutely true, and I couldn't agree more. Remind me again how any of that applies here? None of those things you talk about have anything to do with this particular piece of malware. This malware doesn't install itself, no security vulnerabilities (aside from the user) are at play here, and Apple has responded by adding a daily auto-updating definitions file which will allow them to respond to these new variants in a timely manner without any further inconvenience to the user.

        So...remind me again?

      • by Alarash (746254)
        You know what they say. "There's no patch for stupidity" and "The problem most often lies between the chair and the computer." As long as humans will be humans, FUD will work, sex will work and "your children aren't safe" will work.
    • by Kenja (541830)
      There is also a threshold where a significant number of users are willing to type in their password whenever a pop-up dialog asks.
    • Re:This just in... (Score:4, Insightful)

      by david_thornley (598059) on Wednesday June 01, 2011 @04:19PM (#36312784)

      Right, people have been careless enough to go to a thoroughly reputable site that sells ads. People have even been so careless as to open email from frequent correspondents. (Both of those bit my wife, who's far from being ignorant or careless.)

    • by boristdog (133725)

      I have been using computers since the 286 days and I have yet to get a virus of any kind on any of my personal machines

      Obviously you don't surf the web while drunk.

      Not that I ever...uh...er...

    • by gman003 (1693318)
      Maybe, maybe not. I'm definitely careful, and common sense is always the best first line of defense, but malware still gets through sometimes. Last virus to hurt me would've done the same no matter how careful I'd been. A normally-safe and trustworthy site got hacked (smbc-comics.com, for the record), put a malicious Java applet into the page. I happened to visit in the few hours before the site manager was alerted and fixed the problem. Virus broke through whatever security Firefox and Java (both fully upd
      • by 0123456 (636235)

        Last virus to hurt me would've done the same no matter how careful I'd been. A normally-safe and trustworthy site got hacked (smbc-comics.com, for the record), put a malicious Java applet into the page.

        You run Java? In your web browser? And you're surprised your machine gets remotely pwned?

        I thought everyone who cared about security deleted the Java and PDF plugins from their web browser years ago.

    • by cpu6502 (1960974)

      >>>I have yet to get a virus of any kind on any of my personal machines

      I don't believe you. Even back in the 68000 days, Boot Sector viruses existed. All you needed to do was copy a floppy from a friend and insert it into your drive. I got my first one in 1988 on my Commodore Amiga.

      And today it's even easier, since javascripts often download payloads via advertising. You probably have a virus right now, and don't even realize it. Try running AdAware or Spybot. I'm sure they'll find at least o

      • by Dunbal (464142) *
        Hah, my first virus was given to me on a legitimate shrink wrapped copy of some Borland software. Object-Vision I think it was. This was way back in 1990 or so, when viruses were still fairly new.
    • by StikyPad (445176)

      I have been using computers since the 286 days and I have yet to get a virus of any kind.

      The only people I ever hear say something like that are people who don't install AV software and thus have no idea they're infected. They rely on the fact that their computer works to tell them that everything's honky dory. Not saying you're one of those people, but if you're not, you're the first, and I'd say your success is more attributable to luck than skill, like avoiding STDs by only having sex with people who a

  • Yeah, but .. (Score:5, Insightful)

    by n5vb (587569) on Wednesday June 01, 2011 @03:51PM (#36312478)
    .. have they figured out how to install it without asking an admin user for permission?

    Until that happens, it's not really a security issue, it's still a social engineering hack. And no platform is immune to social engineering hacks because there are always end users dumb enough to unlock the front door for whatever puts on a good show and let it walk right in and take over.

    If someone figures out a way to bypass Installer and run unsigned code without at least throwing a warning, then I'll worry ..
  • by CaptainPatent (1087643) on Wednesday June 01, 2011 @03:52PM (#36312492) Journal
    Malware is a numbers game. Windows used to be the main player by a much larger margin and criminals knew that code over a poor or rare windows exploit generally infected far more computers than even some of the worst mac exploits.

    As Mac OS gains more and more users (and similarly any other platform like IOS, Android, and *gasp* Linux) they become more and more vulnerable because rarer and rarer exploits still result in powerful botnets.

    Apple has never been "virus proof," they just never had the numbers to make a lot of exploits worth the coding time.
    • by Vokkyt (739289)

      Did Apple kind of shoot themselves in the foot with their "No Viruses/Malware" campaign? Yeah. (Nevermind that they never actually claimed you couldn't be infected...)

      Is MacDefender a portent of Malware waves upon OS X? Unlikely, and it really has nothing to do with market share. I know this is a tired argument, but the "Your day is coming OS X, just wait until you're worthwhile to hack!" idea just hasn't played out no matter how many times security researchers shout it from their blogs/websites (ofte

      • by CaptainPatent (1087643) on Wednesday June 01, 2011 @04:23PM (#36312836) Journal

        Is MacDefender a portent of Malware waves upon OS X? Unlikely, and it really has nothing to do with market share. I know this is a tired argument, but the "Your day is coming OS X, just wait until you're worthwhile to hack!" idea just hasn't played out no matter how many times security researchers shout it from their blogs/websites (often times alongside links to purchase Macintosh AV software).

        Of course it hasn't played out. Mac OS still only has a little over 7% of the market pinned down. Windows collectively (between XP, Vista and Windows 7) controls over 80% of the market. That means that besides smaller proof-of-concept exploits programmed for fun, there is still very limited utility for mac malware in the wild.

        All I'm saying is that getting from 2% to 8% market share will be much easier than getting from 8% to 32% and now that they're getting to almost an 8% market share, the first signs of malware are popping up.

        I'd also like to say that while the 2nd MacDefender is indeed much more of a social engineering hack than anything, the first version did exploit a major bug which allowed root access without any additional permissions. Mac vulnerabilities are out there - and that one was a huge one so it was exploited, but look at the numbers - right now to get similar processing power or informational exploit pools, you'd have to have a hack that's literally 10 times as rampant on Mac than on PC.

        It is and always will be a numbers game.

        • by 0123456 (636235) on Wednesday June 01, 2011 @04:52PM (#36313152)

          All I'm saying is that getting from 2% to 8% market share will be much easier than getting from 8% to 32% and now that they're getting to almost an 8% market share, the first signs of malware are popping up.

          But by this definition of malware, Unix had malware when it had a 0.001% market share.

          echo 'Hey, dude, forward this email to everyone you know, then type sudo rm -rf /' | mail bozo@idiotsrus.com

          By the definition being used here, that's not just unix malware, it's a unix virus. Yet no-one in their right mind would be worried about it.

          • Thank you. Calling this "malware" is like calling the video of a dog I just shot on my smartphone a feature film. It's a program that asks to be downloaded and installed, then does something different than the user expected. On top of that, a few websites have been designed to make it more likely that the user will download the program. It's essentially the same as those "pages to like" on Facebook that lure people in with a semi-naked picture then post crap all over their profiles. A tax on stupidity
      • by makomk (752139)

        That's what you get to see when this RogueAV tries to get on the system. There's nothing automatic about it, there is tons of user input, and that's precisely why it's not much to get worried about as a Mac user.

        Just two clicks required to install malicious software after you've visited a hijacked site, with none of the usual warnings about downloading software from the internet that most platforms have added - with good reason, I might add? That's definitely a problem. Sure, no matter what you do there'll always be someone daft enough to jump through the hoops required to do something nasty, but making it that easy for websites to convince users to install software - and giving them that much control over the mess

    • Re: (Score:2, Insightful)

      by mario_grgic (515333)
      To be sure this is not a virus. It requires full user cooperation to get installed on the machine, user has to explicitly download it and run it.
      • While it is still a virus - I get what you're saying and the later version of MacDefender is only a social engineering exploit (Trojan) and not something that takes advantage of a legitimate exploit.

        While that may be true, the original MacDefender did take advantage of a nasty root vulnerability that Mac OS had.

        Even with that being said, Trojans are still a class of virus which will also become more popular as the market share increases. Trojans are just a phishing attack with code to allow access to
  • As far as the OS is concerned, this is just another application installer. It's a cinch to modify the installer to circumvent Apple's so-called security update for this. It really comes down to a user stupidity issue. If you're too stupid to avoid software from questionable sources you deserve what you get. No security update can protect you from yourself.

  • by mario_grgic (515333) on Wednesday June 01, 2011 @04:12PM (#36312718)
    No software can protect the user from themselves. If someone is determined to download something and install it, how do you prevent that short of locking the system like iOS? I really don't want to see that happening to OS X.
    • by 0123456 (636235)

      No software can protect the user from themselves.

      An OS which doesn't allow the user to download and install random executable files can. Of course it's also not terribly useful for most users.

      • by itsdapead (734413)

        An OS which doesn't allow the user to download and install random executable files can.

        Apple have an App for that - its called iOS.

    • Every time you make the system more idiot proof, they invent a better idiot.

  • Begun the Clone Wars have.
  • Whenever my wife entertains herself by griping about the hassles, the bugs, the constant need to update software, I tell her that she (and most users) aren't really the intended users of personal computers. In radio terms, we're still in the early 1920's, when you had to know something about the technology to get more use than frustration out of the device.

    Thus, why most people continue to click through the warnings and admin authentications, and wonder why the work of a moment takes so much effort to undo

  • by bmo (77928) on Wednesday June 01, 2011 @06:30PM (#36314164)

    Ever.

    You can educate, but you can only put in just so many policies to prevent stupid before you turn the computer into a brick.

    The only way to stop this is for the user to stop clicking on everything in sight, like dumb Windows users have been doing for the past 15 years.

    Some people simply shouldn't have computers at all, for their own safety.

    --
    BMO
