MacDefender Variant Out Hours After Apple Security Update


Within hours of Apple releasing a security update designed to protect Mac OS X users from the MacDefender trojan horse application, a variant that sidesteps the company’s efforts hit the Web. The new variant arrives as an installer package named mdinstall.pkg, which handles the MacDefender installation process, according to security research company Intego.

[Image caption: MacDefender tricks users into giving up credit card info]

“The latest version comes in an installer package named mdinstall.pkg, and installs an application named MacGuard, which is the latest name that has been used for this malware,” the company said.

MacDefender, and its variants MacProtect, MacSecurity and MacGuard, pose as antivirus protection applications that, once installed, make it appear as if users’ Macs are infected with malware. The applications then prompt users to provide a credit card number to remove the “viruses,” a ruse to collect payment card and bank account information.

Apple released Security Update 2011-003 on Tuesday to protect Mac OS X 10.6 users from the malware threat. The identification database the update relies on, however, doesn’t recognize the signature of the just-released MacDefender installer.

The security update Apple released yesterday checks for malware definition updates daily, so it’s possible an updated threat database could be on the way soon.

Apple hasn’t commented on how quickly it plans to release a security update to address the new MacDefender variant.


20 Comments

Dean Lewis

Apple should simply put up a page telling people to not load software they didn’t click on to install, to not give out credit card information to anyone unless they initiated the transaction (and weren’t prompted to “act now!”), and to check out a list of security software providers if they really feel they can’t trust themselves.

ilikeimac

According to Intego’s post (and other news I’ve read) Apple’s definition list updates daily, not hourly. I’d love to know how to force an update though.

MOSiX Man

Apple should simply put up a page telling people to not load software they didn’t click on to install, to not give out credit card information to anyone unless they initiated the transaction (and weren’t prompted to “act now!”), and to check out a list of security software providers if they really feel they can’t trust themselves.

So, what you’re saying is that Apple should put up a web page, explaining to people how to recognize and avoid trojan horses and other web scams? There are already LOTS of places online where people can go and find such information. The real problem is that most people are willfully ignorant of such warnings until they get caught in the snare.

A lot of this stuff could be totally avoided if people just stopped to think about what they’re seeing and applied a bit of common sense to how they respond. The problem, again, is that most people often don’t do that.

bad new world

Wonder if this’ll bring an iOS-style “walled garden” to the Mac, i.e. where you’ll only be able to install things that’ve been approved by Apple…

Jonathan

The irony with this MacDefender/MacGuard stuff is that the only malware for OS X is a trojan which feeds off people’s fear of malware, a fear which is fed by the majority of the tech media, who act as if the apocalypse had arrived.

MOSiX Man

What Apple really could do to prevent this from being any kind of issue is 1) Move the ‘Open “safe” files after downloading’ option under the security tab. This would make it hard for average users to find and mess with, and give people a hint to the fact that the setting has an effect on web security, and 2) Disable it by default. (I think it’s enabled by default, but I’m not 100% positive about that.) With that option disabled, there is no way for the installer package to open without the user double-clicking on it.

MOSiX Man

Wonder if this’ll bring an iOS-style “walled garden” to the Mac, i.e. where you’ll only be able to install things that’ve been approved by Apple…

Highly unlikely. Apple knows that people would not be even remotely as accepting of a ‘locked-down’ Mac as they are a ‘locked-down’ iPhone or iPad. The only reason that it’s generally considered acceptable on the iPhone is that people are used to having had even less (if any) control over what they could put onto their phones, before phones like the iPhone were introduced. The iPad and iPod touch mostly get a pass because they are largely viewed as variants of, or siblings to, the iPhone. If Apple tried to do the same thing, immediately, with the Mac, they would lose users in droves, and they know it.

bad new world

Highly unlikely.

Perhaps.

Problem is we’re already in a cat-and-mouse situation. What happens when some SOB makes a utility that cranks out tens of thousands of new Mac Defenders per day? How does Apple keep up with that?

If it would come down to that, a walled garden suddenly wouldn’t seem so bad….

MOSiX Man

@bad new world - Well, I’m sure we could come up with a million imaginary (if not necessarily realistic) scenarios that would make the ‘walled garden’ condition seem like a better alternative. However, even if/when somebody comes up with a real, damage-causing and self-replicating virus for Mac OS X, I still don’t think that it would justify ‘locking down’ Macs in that way.

Maybe if somebody came up with a kind of malware that was unblockable, self-installing and which caused Macs to spontaneously combust, then it would be OK. : ) Then again, even if Apple locks down the Mac, some people will find a way to ‘unlock’ them, and then they could just build a routine into a trojan, that would unlock the Mac and allow for it to download.

The long and short of all this is that the only real solution is for people to keep their brains turned on when browsing the web, not download things from places they don’t know they can trust, and to not accept ANY downloads that they didn’t intentionally trigger.

Dean Lewis

So, what you’re saying is that Apple should put up a web page, explaining to people how to recognize and avoid trojan horses and other web scams? There are already LOTS of places online where people can go and find such information.

I didn’t say it would do any good. :)

But chasing the moving target isn’t going to do anything much, either. There isn’t much that can be done, since, like you say, the majority of people are just too eager to believe something that pops up on their computer and asks for their credit card…

Dean Lewis

I think it is funny that my “act now!” in the comment I first made now is linked by MacObserver’s pop-ups to Blackberry Playbook advertising. :) Talk about listening to pop-ups… heh.

Mikuro

I feel like Apple is already a step ahead of the game with the Mac App Store. Less-savvy users, who are at the highest risk for this type of attack, will already be part of Apple’s “walled garden” without being forced. They won’t download software from untrusted places.

So the problem is closing the security holes that allow this software to install without the user’s knowledge or interaction. This doesn’t require drastic measures like disallowing unsigned code. It requires making Safari less exploitable. Just like Internet Explorer was the prime attack vector on Windows for years, Safari is on OS X. Apple needs to take this more seriously. Safari should not under any circumstances automatically download and install software the way it’s been set to do by default for years.

Dave Hamilton

Will be interesting to see if we get a daily update from Apple to block this one, too. #catandmouse

Doug Petrosky

Apple is doing exactly what it needs to do: keep the Mac looking like a no-win target. Simple patches, downloaded regularly. The people behind this attack will not spend the time if they don’t make the money.

Lee Dronick

Now they are using links on Facebook to spread MacDefender:

http://www.huffingtonpost.com/2011/06/01/facebook-malware-strauss-kahn-video_n_869576.html

mrkwst22

My daughter, who is a pretty tech-savvy graphics artist, acquired the MacGuard variant by clicking on a Google image file. The trojan loaded from that click. I’ve been doing Apple since 1978, and I find that a bit scary.

MOSiX Man

My daughter, who is a pretty tech-savvy graphics artist, acquired the MacGuard variant by clicking on a Google image file. The trojan loaded from that click. I’ve been doing Apple since 1978, and I find that a bit scary.

OK, but did she then click through the installer so that it could complete, or provide her credit card number when prompted for it? Without the user doing all of that, this malware is harmless to her.

amergin

Perhaps if Apple released an update that put up a LARGE and OBVIOUS window describing the trojan idea with a little tick box for ‘don’t show this again’ which appeared at the start of each day then they might actually educate ‘non tech savvy’ users.

gnasher729

No news about MacDefender for a few days - does that mean they have given up after Apple’s second update?

Lee Dronick

No news about MacDefender for a few days - does that mean they have given up after Apple’s second update?

I hope so, but I am afraid that they are rethinking their attack strategy.
