New MacDefender Defeats Apple Security Update

XxtraLarGe writes "Apple released a security update yesterday designed to rid Macs of the menacing MacDefender malware that has plagued users for nearly a month. But mere hours after the update, cyber-criminals released a new variant of the malware that easily defeated Apple's belated security efforts. That didn't take long."

And this is surprising why?

[jo_ham]

It's a new piece of malware, as far as definitions go. It will be blocked tomorrow when the tool checks for new definitions.

It still requires that you dismiss the "this file appears to be a file downloaded from the internet from [address], are you sure you want to run it?" dialog box. Plus, with no admin password it's local user only (which is still bad, just not root capable).

Alas, the arms race begins. At least it's only trojans.

The rabbit...

[ugen]

Tommy: What's coursing?
        Turkish: Hare coursing. They set two lurchers – they're dogs, before you ask – on a hare. And the hare has to outrun the dogs.
        Tommy: So, what if it doesn't?
        Turkish: Well, the big rabbit gets fucked, doesn't it?
        Tommy: [pauses and thinks] Proper fucked?
        Turkish: Yeah, Tommy. Before zee Germans get there.

It's only downhill from here. Apple got itself a critical mass of un-skilled users sufficient to follow in footsteps of Microsoft. The price of popularity is quite well defined.

This just in...

[girlintraining]

Once an operating system reaches a certain percentage of the market share, it becomes a viable platform for malware. In other news, I have been using computers since the 286 days and I have yet to get a virus of any kind on any of my personal machines. Why? Because I'm careful. Malware only exists because people aren't careful. No operating system can prevent people from doing something dumb, so stop ragging on Apple (or Microsoft, or IBM, or whoever else you want to crucify) -- this is a problem with people, not software. Always has been.

Yeah, but ..

[n5vb]

.. have they figured out how to install it without asking an admin user for permission?

Until that happens, it's not really a security issue, it's still a social engineering hack. And no platform is immune to social engineering hacks because there are always end users dumb enough to unlock the front door for whatever puts on a good show and let it walk right in and take over.

If someone figures out a way to bypass Installer and run unsigned code without at least throwing a warning, then I'll worry ..

Re:Obligatory Clarification

[Anonymous Coward]

You'll always be at the nu'uh stage.

Re:This just in...

[calmofthestorm]

Visiting a website shouldn't be able to install malware on my computer. Neither should opening an email, Flash applet, Java applet, Word document, etc. These are all the faults of the relevant vendors.

Installing random unsigned binaries from the internet? That should be able to do absolutely anything -- it needs to be able to for computers to be general purpose tools. And that includes malware.

TL;DR social engineering is the user's fault, but sec vulns do exist and are not.

Re:Obligatory Clarification

[recoiledsnake]

That would probably happen on Windows too if Microsoft is allowed to bundle MSE into the OS over 'OMGZ ANTITRUST" shouts.

Re:Obligatory Clarification

[jesseck]

So far, I'd disagree with that. The malware detection is built into the system, invisible, automatic, and self updating. So the user doesn't have to do X, Y, or even Z at all. We're still at "It just works."

If Microsoft had it's way, the malware detection would be built into the system as well (think Microsoft Security Essentials), but anti-trust fears and a huge security software market keep that from happening. And, as with Windows, until Macs are malware-proof (which they aren't) you still need to do X, Y, and Z. Even with the latest Apple updates.

tempest in a teapot

[spirit_fingers]

As far as the OS is concerned, this is just another application installer. It's a cinch to modify the installer to circumvent Apple's so-called security update for this. It really comes down to a user stupidity issue. If you're too stupid to avoid software from questionable sources you deserve what you get. No security update can protect you from yourself.

Re:Mac users, start crying from nostalgia

[jo_ham]

What viruses, as a matter of interest? Or do you mean trojans, which are not the same thing at all - which are an issue for any OS, regardless of security since it's a social engineering issue (less so for Linux I would imagine, since the user base tends to be skewed towards people who can spot a trojan from a mile off).

It's hardly just "security through obscurity" - you make it sound like OS X was designed like a car with the doors and windows unlocked, when it clearly wasn't. It's not perfect, but it is pretty good, and it does receive regular security updates in anticipation of attacks against it, it's just not until now that we've seen anything widespread, and even then it's been pretty limited - an ineffective trojan that is easy to remove (takes about 3 minutes total, or less) that requires you give it your express permission to install (and your admin password). The new one is modified to be local user only, so doesn't even have root.

It's not great, clearly, since any malware targeting your platform is a pain in the ass, but you're painting it like OS X has been sitting here doing nothing for the 10 years it's been around and only escaped by standing behind Windows - the legions of security updates and software policy on the OS itself would beg to differ.

Not that even the very best and most secure OS could stop this malware (having never "seen" it before), since it's entirely a social engineering security bypass. The conman tricked his way past your security guards and is stealing your TV.

There is no protection against stupidity.

[mario_grgic]

No software can protect the user from themselves. If someone is determined to download something and install it, how do you prevent that short of locking the system like iOS? I really don't want to see that happening to OS X.

Re:Apple has to step up their game.

[mario_grgic]

To be sure this is not a virus. It requires full user cooperation to get installed on the machine, user has to explicitly download it and run it.

Re:This just in...

[david_thornley]

Right, people have been careless enough to go to a thoroughly reputable site that sells ads. People have even been so careless as to open email from frequent correspondents. (Both of those bit my wife, who's far from being ignorant or careless.)

Re:Obligatory Clarification

[spun]

maccodemonkey writes:

So far, I'd disagree with that. The malware detection is built into the system, invisible, automatic, and self updating. So the user doesn't have to do X, Y, or even Z at all. We're still at "It just works."

Not saying that couldn't change in the future, but we're not there yet.

Okay, maccodemonkey, here's the thing: if the malware detection which is built into the system, invisible, automatic, and self updating is defeated within hours of it being release, we are no longer at "It just works." What part of "It doesn't work anymore" sounds like "It just works" to you?!?

Re:Apple has to step up their game.

[CaptainPatent]

Is MacDefender a portend of Malware waves upon OS X? Unlikely, and it really has nothing to do with market share. I know this is a tired argument, but the "You're day is coming OS X, just wait until you're worthwhile to hack!" idea just hasn't played out no matter how many times security researchers shout it from their blogs/websites (often times alongside links to purchase Macintosh AV software).

Of course it hasn't played out. Mac OS still only has a little over 7% of the market pinned down. Windows collectively (between XP, Vista and Windows 7) controls over 80% of the market. That means that besides smaller proof-of-concept exploits programed for fun, there is still very limited utility for mac malware in the wild.

All I'm saying is that getting from 2% to 8% market share will be much easier than getting from 8% to 32% and now that they're getting to almost an 8% market share, the first signs of malware are popping up.

I'd also like to say that while the 2nd MacDefender is indeed much more of a social engineering hack than anything, the first version did exploit a major bug which allowed root access without any additional permissions. Mac vulnerabilities are out there - and that one was a huge one so it was exploited, but look at the numbers - right now to get similar processing power or informational exploit pools, you'd have to have a hack that's literally 10 times as rampant on Mac than on PC.

It is and always will be a numbers game.

Re:Mac users, start crying from nostalgia

[jimicus]

We know it's not a virus. But whether you like it or not, the word has become a generic term meaning "malware" to the layman.

Traditional, self-replicating, can-spread-through-no-other-means file-infector viruses on Windows are not particularly common these days. They exist, and there's generally one or two in the "top 10 things to watch for" at any given point in time but pure viruses don't represent the majority of malware and haven't done in some time. Typically, you'll find they also act as trojans and worms.

This doesn't stop such things causing harm.

Re:Apple has to step up their game.

[0123456]

All I'm saying is that getting from 2% to 8% market share will be much easier than getting from 8% to 32% and now that they're getting to almost an 8% market share, the first signs of malware are popping up.

But by this defintiion of malware, Unix had malware when it had a 0.001% market share.

echo 'Hey, dude, forward this email to everyone you know, then type sudo rm -rf /' | mail bozo@idiotsrus.com

By the definition being used here, that's not just unix malware, it's a unix virus. Yet no-one in their right mind would be worried about it.

Re:Obligatory Clarification

[maccodemonkey]

Okay, maccodemonkey, here's the thing: if the malware detection which is built into the system, invisible, automatic, and self updating is defeated within hours of it being release, we are no longer at "It just works." What part of "It doesn't work anymore" sounds like "It just works" to you?!?

Because the user experience hasn't changed. The user neither notices the viruses, or the antivirus.

To a user, nothing has changed since before MacDefender.

Mac OS X and Linux have a root user that protects the system against rogue processes causing too much damage. Do we call that a fault in the system because it has to exist, or do we call that a solution?

No system is immune to trojans. Especially when users hand the trojan their root password, like what was done with MacDefender.

Re:Obligatory Clarification

[maccodemonkey]

And Windows has "Administrator" - what's the difference?

The difference is the type of people who seem to consider administrator or root a "feature" are calling an invisible tool that checks code against code signing and profiles... well... things other than a feature.

If Apple was suggesting everyone go out and pick up a copy of Nortons at their own cost to fix this, I'd be crying foul. But they fixed this at an operating system level quietly and transparently.