Apple Updates MacDefender Malware Definitions


Apple released a security update on Tuesday that helps protect users from the MacDefender trojan horse malware application, and by Wednesday reports were circulating that hackers had already released a variant that worked around Apple’s security efforts. By Thursday morning, however, Apple had already released a new definition update that recognizes this latest trojan variant.

The new definition set was first spotted by Spider-Mac (translation) in the XProtect plist file that’s part of Apple’s Security Update 2011-003. The update watches for downloads that match the MacDefender trojan horse, and alerts users if the installer is detected.

[Image: MacDefender trojan horse application. Caption: The MacDefender trojan horse looks like a legit Mac app]

Assuming users run the installer, an application that appears to be a virus detection and protection utility displays bogus warnings that it found malware on users’ computers. It then tries to trick users into giving up credit card account information by promising to remove the malware it claimed to locate.

MacDefender’s real purpose is to steal credit card accounts from victims, hence its classification as a trojan horse application.

Apple’s security update auto-checks for updated malware definitions daily, so users don’t need to take any action to get and install the definitions file.

Comments

Lee Dronick

I have it set to automatically download the list, but how do I determine that it actually happened? I searched for files by date modified to see which one was changed, I searched for “XProtect plist” and couldn’t find anything.

Spellman

“I have it set to automatically download the list, but how do I determine that it actually happened?”

I don’t think you can, easily, because Apple doesn’t think you should need to worry about it (which should be true for most users). The files being updated are in hidden directories that you can’t see or search for unless you use something like TinkerTool to view hidden files. (For example, XProtectUpdater is in /usr/libexec/ but that’s a hidden directory, and mucking around in it could screw your computer up fast.)

JonGl

“I have it set to automatically download the list, but how do I determine that it actually happened? I searched for files by date modified to see which one was changed, I searched for “XProtect plist” and couldn’t find anything.”

If you think about it, they would want this stuff as hard to get at as possible. I’m sure it’s in one of the hidden top-level folders (/private/var most likely). In fact, there’s a locked folder there I don’t remember seeing before. In fact, I’m not able to get in using my normal methods… interesting.

I do wish there was a way to tell if one has the latest already…

-Ion

mouring

There are programs like LittleSnitch that you can use to watch for network activity, and even a version that supports watching and restricting access to locations on your hard drive.

That would be the easiest way to track this. I noticed LittleSnitch whined when XProtect was installed and proceeded to update itself.

Lee Dronick

I figured that the update would be hidden, but I also figure that anyone with the chops to create the MacDefender would know how to find hidden files. Anyway, it would be nice to see a note in the preference file or someplace when the list was updated.

iphonzie

The XProtect.plist file is located in /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/

Mine has a modification date of 5/31/2011, so it hasn’t been updated yet. My file includes definitions for “OSX.MacDefender.A” and “OSX.MacDefender.B”; the latest version on Apple’s servers defines “OSX.MacDefender.C”. This should be automatically downloaded and installed at whatever time your Mac is internally scheduled to check for updates.

References:

Ars Technica

Cult of Mac

pecosbill

In my opinion, a major clue is they call it MAC Defender. It’s Mac, not MAC. It’s high time I find it and play with it.

Lee Dronick

Thanks iphonzie.

Other than needing to show package contents, the files are not hidden. Though the casual user may not know how to open a package/bundle.

Mine was modified today at 4:00 AM

Lee Dronick

“Mine has a modification date of 5/31/2011, so it hasn’t been updated yet.”

You can force an update.

I did an experiment. My MacBook Pro wasn’t yet updated when I looked at the plist. So I unchecked the “Automatically update the safe downloads list” preference and rechecked it. In a fraction of a second I saw the modification date and time on the plist file update.
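To answer the recurring question in this thread (how to tell whether the definitions file was actually updated), here is an added example, not code from the article or from any commenter, that reads XProtect.plist at the path iphonzie gave, reports its modification time, and lists which of the expected signature names (such as OSX.MacDefender.C) are still missing, so you can compare before and after toggling the preference as Lee describes. It assumes the 2011-era file layout: a top-level array of dicts each carrying a "Description" string; the sample plist embedded below is constructed for offline testing and is not Apple's file.

```python
"""Report the signatures in an XProtect.plist and when the file last changed.

Assumed layout (2011-era XProtect.plist): a top-level array of dicts, each
with a "Description" string naming the signature, e.g. "OSX.MacDefender.A".
"""
import datetime
import os
import plistlib

# Location quoted in the comment thread for Security Update 2011-003 systems.
XPROTECT_PLIST = ("/System/Library/CoreServices/CoreTypes.bundle/"
                  "Contents/Resources/XProtect.plist")

# Constructed sample in the assumed layout; NOT a copy of Apple's definitions.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>OSX.MacDefender.A</string>
    <key>Matches</key><array><dict><key>MatchType</key><string>Match</string></dict></array>
  </dict>
  <dict>
    <key>Description</key><string>OSX.MacDefender.B</string>
    <key>Matches</key><array><dict><key>MatchType</key><string>Match</string></dict></array>
  </dict>
</array>
</plist>
"""


def signature_names(plist_bytes):
    """Return the "Description" strings (signature names) found in the plist."""
    data = plistlib.loads(plist_bytes)
    entries = data if isinstance(data, list) else []
    return [e["Description"] for e in entries
            if isinstance(e, dict) and "Description" in e]


def missing_signatures(plist_bytes, expected):
    """Names from `expected` that this definition set does not yet contain."""
    present = set(signature_names(plist_bytes))
    return [name for name in expected if name not in present]


def definition_status(path, expected):
    """Modification time, signatures present, and expected names still missing."""
    with open(path, "rb") as fh:
        raw = fh.read()
    modified = datetime.datetime.fromtimestamp(os.path.getmtime(path))
    return {"modified": modified.isoformat(sep=" "),
            "signatures": signature_names(raw),
            "missing": missing_signatures(raw, expected)}


if __name__ == "__main__":
    wanted = ["OSX.MacDefender.A", "OSX.MacDefender.B", "OSX.MacDefender.C"]
    if os.path.exists(XPROTECT_PLIST):
        print(definition_status(XPROTECT_PLIST, wanted))
    else:  # not on macOS: exercise the constructed sample instead
        print("missing from sample:", missing_signatures(SAMPLE_PLIST, wanted))
```

Run it once, toggle the “Automatically update the safe downloads list” preference, and run it again: a newer modification time and an empty "missing" list confirm the update landed.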

Mike

There is already a new variant named “MacShield” (I collect them for my in-house anti-malware.) Is there a way to report malware to Apple?

Just Zis Guy

Apple has just pushed a new update covering today’s variation, OSX.MacDefender.D
