Mac OS Update Detects, Kills MacDefender Scareware

CWmike writes "Apple released an update for Snow Leopard on Tuesday that warns users that they've downloaded fake Mac security software and scrubs already-infected machines. Chet Wisniewski, a security researcher with Sophos, confirmed that the update alerts users when they try to download any of the bogus MacDefender antivirus software. Wisniewski had not yet tested the malware cleaning functionality of the update, but was confident that it would work. 'It's reasonably trivial to remove MacDefender,' said Wisniewski. 'It's not burying itself in the system, not compared to some of some of the crap that we see on Windows.' The update, labeled 2011-003, adds a new definition to the rudimentary antivirus detection engine embedded in Mac OS X 10.6, aka Snow Leopard, and also increases the frequency with which the operating system checks for new definitions to daily."

Re:So Mac Users should expect this?

[ninetyninebottles]

The Mac scanner only scans for Trojans at this point (3 of them including MacDefender), not viruses. Apple has typically left virus scanning up to 3rd parties, while taking a more active role in alerting users about phishing and malware up front.

Ummm, what viruses would it be looking for? There aren't any real, in the wild Mac viruses unless you count Mac Guard, which barely qualifies and is only delivered via trojan that happens to spawn a separate app at run time.

Re:So Mac Users should expect this?

[ninetyninebottles]

There have been some actual viruses in the wild for Mac, but the vulnerabilities are quickly patched, effectively preventing the viruses from spreading on any up-to-date system. http://www.scmagazineus.com/second-mac-virus-in-the-wild/article/32987/ [scmagazineus.com] [scmagazineus.com]

Despite the misleading claims in the article you cite, according to F-Secure, "Inqtana.A has not been met in the wild and has internal counter that prevents it's operation after 24. February 2006. So it is unlikely that this variant would be a threat to Mac Users." It was an academic proof of concept, not an in the wild spreading virus and I've seen no reports of it in the wild. Sadly, people writing articles parrot terms like "in the wild" "zero day" and "virus" without understanding what the terminology actually means.

Re:So Mac Users should expect this?

[DJRumpy]

No, that was just an example (of which 4 variants of Inqtana were found). Go farther back and you'll also find reports for Mac OS Classic (ranging anywhere from 4 to 60 some odd viruses depending on your source). Contrast that to the 100,000+ that have been found for a Windows based PC over the years and the comparison takes on new meaning but it does not mean that OS X will always be invulnerable. It is typically one of the first to fall in White Hat conventions, which of course leads to quick patches to close any vulnerabilities.

Even knowing this I still don't use a virus scanner at present as I simply don't see a need. That said I am not foolish enough to believe that it will remain Virus free indefinitely.

Re:So Mac Users should expect this?

[dgatwood]

No, it doesn't matter when it comes to logging your keystrokes and obtaining your credit card numbers/banking info/passwords.

Actually, on Mac OS X, it does matter.

• If the app is written properly and uses EnableSecureEventInput while the user is entering passwords (as recommended in TN2150), then event taps won't get you passwords.
• Only processes running as root can seize keyboards as of 10.5, preventing password capture down at the device access level as well.
• Only processes running as root can load kernel extensions, preventing it at the driver level.

Thus, to my knowledge, unless you exploit a bug in the OS, it should not be possible to sniff passwords in Mac OS X unless an app is running as root.

That's not to say that it can't steal passwords in other ways—spoofing password dialogs, stealing your Safari cookie files, reading your Safari bookmarks and pretending to be Safari while it displays your bank's website, etc.—but it should not be able to capture passwords that you enter in other applications. Thus, root matters. A lot.

Re:So Mac Users should expect this?

[node 3]

First off (and I only make this point because you seem to be trying to make this distinction), there are absolutely NO viruses for Mac OS X. None.

Second, there were plenty of viruses for classic Mac OS. This, however, has absolutely nothing to do with whether Mac OS X has viruses (for the rest of this post, I'm using a more broad term for virus, to include trojans and worms, and the like).

Third, there is a small handful of malware for the Mac, including (almost exclusively) trojans. No one is claiming otherwise, not even the people you are replying to.

Fourth, in White Hat conventions, *ALL* the systems fall. They tend to fall after certain restrictions have been removed. Macs often fall first (by mere seconds) because people want to win the Mac more than they want to win the PC.

Even knowing this I still don't use a virus scanner at present as I simply don't see a need. That said I am not foolish enough to believe that it will remain Virus free indefinitely.

Who is this imaginary person you think is saying that Macs will remain "virus free indefinitely"? This last line pretty much describes every single Mac user, from those that worry the Virus Armageddon is pending, and those that think they have nothing to worry about. No one claims this is a permanent state of things, just that it's how it is now, and tomorrow is another day.