MacDefender

  • Russian raid suggests tie between MacDefender and ChronoPay

    by Chris Rawson
    08.05.2011

    When the MacDefender malware made the rounds a few months ago, it sparked a frenzy of pundits claiming OS X's free ride in the malware scene was over (and as our research shows, they were wrong. Again). At the same time, we all wondered who was behind MacDefender in the first place. After a recent raid in Russia, it appears that question may have been answered.

    Russian law enforcement raided the offices of ChronoPay, and according to Ars Technica, the police found "mountains of evidence" that ChronoPay was providing tech support for MacDefender's bogus antivirus software. ChronoPay had earlier denied any involvement with MacDefender, but the evidence linking the company to the malware seems convincing.

    Like many pieces of malware for Windows, MacDefender worked by exploiting users' fear of virus infection. A popup message would claim the user's Mac had been infected by a virus that only MacDefender could remove, and users who installed the software would be pestered for credit card details to purchase it. Once users entered that information, the party behind MacDefender would run up fraudulent charges.

    ChronoPay's CEO has been arrested, but Ars notes that this doesn't end the threat of MacDefender or other bits of malware. Meanwhile, although the predicted "explosion" of malware for the Mac still hasn't happened, it's still a good idea to remain vigilant against malware like MacDefender.

  • Mac malware 'explosion' missing in action

    by Richard Gaywood
    07.21.2011

    The appearance of the MacDefender trojan back in May provoked a lot of back-and-forth between various tech writers (including your humble correspondent). Was this a sign that the good times were ending? That the Mac platform would come under ever-fiercer attack from malware authors? That soon we'd all be running resource-sucking virus scanners and a-fearing every link we clicked?

    Well, in a word: no. It wasn't. And I've got some science to prove it.

    A primer on "malware definitions"

    If you're unfamiliar with the concepts at work here, it'll help to understand my results if you know exactly what a "malware signature" is. The primary way a malware scanner works is to examine files on your computer -- sometimes all files (the so-called "deep scan" approach, which usually takes hours) and sometimes only specific files that are known to be targeted by viruses, trojans, and other malware. Scanners also usually stay running in the background and scan each and every file you open and program you run right as they load, as an extra level of always-on protection. This last mode is what often causes computers to feel sluggish after you install anti-malware software.

    So what does this "scan" thing entail, exactly? Glossing over a lot of technical details, a signature is a fingerprint of known-bad content. The simplest kind is a cryptographic hash of an entire malicious file: a fixed-length identifier that changes if even one byte of the file changes, so a match is definitive, but a trivially modified copy escapes it. The kind XProtect uses is a short byte pattern lifted from the malware and matched against the contents of files of a given type; one pattern can cover every copy that still contains those bytes. The malware definitions list is a catalog of such fingerprints generated from known malicious files; if a file on your system matches one in the list, then boom, You've Got Malware.

    [Image: an example of XProtect's signatures for MacDefender.]

    For this setup to have any value at all, it's crucial that the definitions list is kept up-to-date. Things can move fast in the malware world; new threats emerge suddenly and (even more insidiously) malware authors tweak their existing programs so that they no longer match a signature, making them undetectable by the scanner until a new signature is written. These "variants," as they are called, result in a rapid cat-and-mouse game between malware developers and developers of malware scanners.

    This is what happened to Apple back in early June. The MacDefender trojan prompted Apple to start aggressively pushing out updates to its own in-house malware scanner, XProtect. This, in turn, prompted hackers to start releasing new variants of MacDefender that bypassed the new check, then another new check from Apple, another new version of MacDefender, and so on. Many commentators wrote long posts with varying degrees of pessimism and optimism about how this would end. Would the hackers win and Apple be overwhelmed, or would they be defeated by Apple's vigilance?

    My methodology

    Two months ago, I tried to come up with a way that we could answer that question definitively. I wrote a small script to download Apple's malware definitions file every hour and permanently store each unique version. I started this script running on June 2nd, capturing version 2 of the file; since then there have been 22 further versions, each adding new malware definition signatures to the scanner. I now have all that data at my fingertips.

    Before I show you what I've discovered, let's consider what this script hasn't taken into account. It's not really measuring how much malware exists for the Mac, of course. It's measuring how much malware Apple has identified -- whether MacDefender related or not (there is other malware listed in the file, like OSX.HellRTS). However, I think that's not too useless a metric: we know that Apple put considerable effort into staying on top of the situation with MacDefender, sometimes releasing updates to the definitions file just hours apart. We can also assume that Apple, with its world-wide support staff, can do a better job than anyone else at keeping its ear to the ground for new threats. It seems reasonable to assume that the state of that XProtect definition file is a good proxy for the state of Mac malware in general.

    Results

    The following graph shows the number of malware definitions (signatures) listed in the file as each new version was released.

    There are two occurrences where the graph goes down, i.e. a new version of the file lists fewer definitions than the older version. This happened when Apple found two new variants, wrote signatures for them both, then later found a single signature that covered both variants. My script records this as a variant "disappearing" because there are fewer signatures overall. It doesn't mean that protection actually decreased.

    Analysis

    For a period of several weeks, we see the rapid cat-and-mouse game predicted by people like Ed Bott. Variants of MacDefender appear at the rate of about one a day, and we see a corresponding update of the XProtect definitions file once or even twice a day. This keeps going until we reach the 21st version of the definitions file, which detects 15 distinct variants of MacDefender (labelled OSX.MacDefender.A through to OSX.MacDefender.O) using 12 different detection signatures.

    And then... nothing. No new updates to the file since the 23rd of June.

    There are two ways to look at this. It's possible that the malware kept coming, and Apple either failed to notice it, or just gave up trying to keep up. If that were true, though, we'd expect to still be hearing about it, both in the general press and from TUAW's contacts throughout the Mac ecosystem of developers and support staff. But we've heard nothing. The other option, then, is that the malware has stopped evolving. The MacDefender authors gave up trying to issue new variants, and nobody else has (so far) taken their place. The Mac malware scene is... well, if not dead, then asleep. Stunned. Pining for the fjords.

    I stand by my earlier cautionary note. There's no magical protection against malware in OS X -- there's solid engineering, but that's not infallible. All computer users, regardless of OS, should remain vigilant: don't run software from untrusted sources, don't fall for web browser popups screaming that you have viruses, think twice before entering your iTunes or online banking or email password into an unfamiliar website. Still, for now, I think Mac users who were worried about MacDefender can partly relax. The wolf is still not at our door.

    Footnote: regarding Lion's version of XProtect

    The recent release of Mac OS X 10.7, Lion, appears to have brought some changes to XProtect as well as overall enhancements to OS security. The URL that is probed for new malware definitions has moved between Snow Leopard and Lion, and the file itself contains quite different signatures -- there are signatures in each version of the file that do not appear in the other. Furthermore, although the Snow Leopard version lists MacDefender.A through to .O (15 variants in all), the Lion version only lists .A and .B. The .B definition, however, contains many more signatures, so this doesn't necessarily mean that XProtect detects less malware than it did before. My guess would be that the new OS has brought with it internal modifications to how XProtect works that caused these changes. Again, however, I do not feel that this invalidates my results. Snow Leopard remains a supported OS that will still have a large install base for some time to come, and (we can assume) Apple will continue to release security updates for it in as timely a manner as it ever did -- including XProtect updates.
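As an added illustration of the mechanics described in this post (example code written for this page; it is neither the author's hourly script nor any part of Apple's XProtect), the Python below parses definition files laid out like Snow Leopard's XProtect.plist, counts variants against signatures, diffs two versions, deduplicates repeated fetches by content hash, and shows why a renamed variant slips past a narrow byte pattern while a broader one still catches it. The key names (Description, LaunchServices, Matches, MatchType, Pattern) mirror that plist; the exact schema, the comma-separated multi-variant Description convention, the variant names, the hex patterns and the sample file bytes are all constructed for the example.

```python
"""Added example: XProtect-style definition parsing, counting and matching.
The plist layout mimics Snow Leopard's XProtect.plist; the key set is an
assumption and every name, pattern and sample below is constructed."""
import hashlib
import plistlib


def make_defs(entries):
    """Build a definitions plist from (description, uti, [hex patterns])."""
    items = []
    for desc, uti, patterns in entries:
        items.append({
            "Description": desc,
            "LaunchServices": {"LSItemContentType": uti},
            "Matches": [{"MatchType": "Match", "Pattern": p} for p in patterns],
        })
    return plistlib.dumps(items)


def load_defs(blob):
    return plistlib.loads(blob)


def variants(defs):
    """Variant names covered.  Convention assumed here: a Description may
    list several suffixes, e.g. "OSX.MacDefender.B,C" covers .B and .C."""
    names = set()
    for d in defs:
        parts = [p.strip() for p in d["Description"].split(",")]
        family = parts[0].rsplit(".", 1)[0]
        for p in parts:
            names.add(p if "." in p else family + "." + p)
    return names


def signature_count(defs):
    """What a poller that counts list entries sees: one per match pattern."""
    return sum(len(d["Matches"]) for d in defs)


def diff_defs(old, new):
    """(added, removed) Description strings between two file versions."""
    o = {d["Description"] for d in old}
    n = {d["Description"] for d in new}
    return sorted(n - o), sorted(o - n)


def scan(defs, content):
    """Descriptions whose every byte pattern occurs in the file contents."""
    hits = []
    for d in defs:
        pats = [bytes.fromhex(m["Pattern"]) for m in d["Matches"]]
        if pats and all(p in content for p in pats):
            hits.append(d["Description"])
    return hits


def archive_if_new(blob, seen):
    """Dedupe step of a fetch-every-hour loop: store only unseen versions."""
    digest = hashlib.sha256(blob).hexdigest()
    if digest in seen:
        return False
    seen[digest] = blob
    return True


# Constructed sample versions of the definitions file.
APP = "com.apple.application-bundle"
PAT_A = b"MacDefender".hex()
PAT_B = b"MacSecurity.app".hex()
PAT_C = b"MacProtector.app".hex()
PAT_BC = b"Apple Security Center".hex()   # fake UI string both B and C carry

DEFS_V2 = make_defs([("OSX.MacDefender.A", APP, [PAT_A]),
                     ("OSX.MacDefender.B", APP, [PAT_B])])
DEFS_V3 = make_defs([("OSX.MacDefender.A", APP, [PAT_A]),
                     ("OSX.MacDefender.B", APP, [PAT_B]),
                     ("OSX.MacDefender.C", APP, [PAT_C])])
# v4 replaces the separate B and C entries with one signature for both,
# so the entry count drops while the number of variants covered does not.
DEFS_V4 = make_defs([("OSX.MacDefender.A", APP, [PAT_A]),
                     ("OSX.MacDefender.B,C", APP, [PAT_BC])])

# Constructed stand-ins for a binary inside each scam bundle.
SAMPLE_B = b"\xcf\xfa\xed\xfe\x00MacSecurity.app\x00Apple Security Center\x00"
SAMPLE_C = b"\xcf\xfa\xed\xfe\x00MacProtector.app\x00Apple Security Center\x00"
SAMPLE_C2 = SAMPLE_C.replace(b"MacProtector", b"MacPr0tector")  # retooled variant

if __name__ == "__main__":
    seen = {}
    for label, blob in (("v2", DEFS_V2), ("v3", DEFS_V3),
                        ("v4", DEFS_V4), ("v4 again", DEFS_V4)):
        if not archive_if_new(blob, seen):
            print(label, "unchanged, not stored")
            continue
        defs = load_defs(blob)
        print(label, "variants:", len(variants(defs)),
              "signatures:", signature_count(defs))
    print("v3 -> v4:", diff_defs(load_defs(DEFS_V3), load_defs(DEFS_V4)))
    for label, blob in (("v3", DEFS_V3), ("v4", DEFS_V4)):
        print(label, "vs retooled C:", scan(load_defs(blob), SAMPLE_C2))
```

Running it shows v4 reporting three variants but two signatures, which is the dip the Results section describes, and the retooled sample shows that a signature keyed on the shared "Apple Security Center" string survives a rename that defeats the per-variant patterns.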

  • Avast! Free Antivirus for Mac beta now available

    by Steve Sande
    06.01.2011

    Apple released Security Update 2011-003 yesterday with protection from the MacDefender malware and its variants, but some of our readers might want to do more to protect their Macs from malware. Avast has been a longtime supplier of a free (for non-commercial use) antivirus package for Windows that is unobtrusive and fast, so it was with a great deal of interest that I read a PR blast from the company this morning. The company has just released a beta of avast! Free Antivirus for Mac for download and testing, and like the Windows version of the software, it looks pretty good.

    The company previously had a download for Mac, but as noted in the user forums on the Avast site, "The current popularity of Apple products also makes them more interesting for the bad guys so we thought it would be good to prepare for the battle sooner rather than later." The result is a product that is much more on par with the Windows product.

    To install the downloaded beta app, you simply drag the application icon to the Applications folder and double-click to launch. The app uses Growl notifications, so it helps if you have Growl pre-installed. The app has three shields that are in operation at all times: the File Shield, which scans the binaries of launched apps and all files that are being modified; the Web Shield, which monitors and filters all HTTP traffic coming from websites; and the Mail Shield, which monitors and filters all POP3 and IMAP traffic. In addition, avast! Free Antivirus for Mac can do on-demand scanning of the whole file system, network volumes, or mounted removable volumes.

    The scanning engine is updated automatically -- I'm just happy that it doesn't speak "virus database has been updated" the way the Windows version does because that has a tendency to startle me. Unfortunately, the app does seem to slow down page loading in Safari, and I'm sure it would do the same with Firefox and Chrome. Of course, this is beta-ware, so the Avast team will most likely work on optimizing their code as the product gets closer to general release. If you're considering antivirus software for Mac for yourself, relatives, or employees, you might want to take a look at the avast! Free Antivirus for Mac beta.

  • Hours after security update, new MacDefender variant evades it

    by Mike Schramm
    06.01.2011

    And the cycle continues. Yes, just hours after Apple released a security update designed to smack down the recently-prevalent MacDefender malware, ZDNet's Ed Bott reports that a new variant of the bogus 'security' software has been released into the wild. This version is called "Mdinstall.pkg" and it works exactly as before, installing itself through Safari without any approval needed (as long as the default "Open 'safe' files after downloading" setting is on, which we recommend you disable). The timestamp on the file reportedly shows that it was put together as recently as last night, which means that these hackers are actively working against the defenses Apple put in place yesterday.

    The security update from Apple -- so far only available for Snow Leopard 10.6.7 users, meaning that 10.5 Leopard users (not to mention 10.4 Tiger) are still unprotected -- adds a new option in the Security preference pane. The anti-malware tool checks in with Apple's servers periodically to update its definitions, just as you would expect it to.

    So what's the solution here? Short of Apple simply removing Safari's ability to open files like this at all (which would of course hamper that functionality for folks who use it), the only real solution is to do what you've got to do on all computer systems subject to attacks: practice constant vigilance. It'll be interesting to see if Apple steps back up again on this one with another update (which would then likely provoke yet another variant of the malware), but until then, users have to be educated and careful about what they click on in the browser. If you're already fighting off an installation of the MacDefender malware, be sure to check out our handy removal guide.

  • Responding to Security Update 2011-003 in verse

    by Erica Sadun
    05.31.2011

    What is it about viruses and security concerns that automatically lend themselves to verse? TUAW doesn't analyze these things. It merely moves with the flow. Here is our "Burma Shave" style overview of the Mac Defender/Apple Security Update crisis.

    When those Macs caught 'la grippe'
    Apple responded; its bud they nipped
    Security Update waits for you
    Bid MacDefender an unfond 'adieu'
    ...Burma Shave

    Think you can do better? Leave your rhymes in the comments.

  • Mac Security Update 2011-003 now hunting MacDefender

    by Steve Sande
    05.31.2011

    Mac Security Update 2011-003 has appeared in Software Update and is available for immediate download and installation. According to KB article HT4657, the update provides a File Quarantine definition for the OSX.MacDefender.A malware and Mac OS X 10.6.7 will now automatically update the definitions on a daily basis. The update will also search for and remove MacDefender and its known variants. If you prefer to defuse your malware manually, be sure to refer to our guide. The update will be available later directly from Apple Downloads, and we'll update this post with a direct link at that time.

  • Another Mac OS X 10.6.8 build seeded to developers

    by Steve Sande
    05.28.2011

    Sources have told us that another build -- 10K531 -- of Mac OS X 10.6.8 Snow Leopard is now available for download by developers. The developer seed became available late yesterday, and focuses on AirPort, Networking, Graphics Drivers, the Mac App Store, QuickTime, and VPN. As usual, Apple has requested that developers file bug reports if any quirks are found. There are no known issues with this seed of Mac OS X 10.6.8, which may point to a release of the updated operating system in the near future. As reported earlier, it is expected that 10.6.8 will include a way to block the MacDefender malware and its variants.

  • Upcoming MacDefender patch is not the first AV tweak to Mac OS X

    by Kelly Hodgkins
    05.26.2011

    This upcoming MacDefender patch is not the first time Apple has tweaked Mac OS X in response to a malware threat. Many people forget that recent versions of OS X were designed with a built-in malware detection system. Mac OS X 10.5 Leopard introduced a validation system called File Quarantine: it tags files downloaded by your browser, email client or iChat, and triggers a warning dialog box the first time you open one. OS X 10.6 Snow Leopard improved upon File Quarantine by adding a check of quarantined files against known malware definitions. These definitions are stored in the XProtect.plist file.

    Just last year, the 10.6.4 release of Snow Leopard contained a malware tweak to detect a backdoor Trojan horse. This fix was not mentioned in the OS X documentation, but security firm Sophos noticed a new entry in the XProtect.plist file for the Pinhead-B threat. This Trojan horse was distributed as a ripped copy of iPhoto. If you installed the fake program, hackers could use your Mac to send spam, take screenshots or snoop through your files.

    Unlike the MacDefender threat, the iPhoto Trojan horse was dismissed by the Mac community: infected people were pirating software and brought this upon themselves. MacDefender, though, is a whole new ballgame. People encounter it while innocently browsing the Web and are easily duped into believing the "Apple Security Center" it displays is real. It's not the apocalypse, but it's definitely a wake-up call.

    [Via Sophos and Macworld]

  • In a MacDefender world, practice constant vigilance

    by Megan Lavey-Heaton
    05.26.2011

    A week ago, I did my public service duties and linked the MacDefender protection and removal guide that Steve Sande wrote to my Facebook wall. Then I braced for the comments. Luckily, none of the taunts I expected about Macs now being subject to malware came to light. What I did get was general surprise that Mac users had to be aware of such a thing. "I thought Macs couldn't get viruses and such," one commenter said.

    Sadly, it's not the case any longer. As fast as we're educating people on how to fight MacDefender, and Apple is developing a patch to fight it, the malware is morphing and coming up with different methods of worming into your system -- including now being able to install sans password. It's a battle that Windows users have long grown tired of, but Mac users are still blinking their eyes and not quite believing that it's our turn.

    Macworld published an excellent piece on what MacDefender really means to the Mac community. As Macworld says, even though this is the monster under the bed that Mac users have evaded until now, it doesn't mean a malware apocalypse is upon us.

  • Apple: Mac OS X update coming to block MacDefender malware

    by Steve Sande
    05.24.2011

    Tipster TJ just pointed us to a new Apple Support knowledge base article that describes how to avoid and remove the MacDefender malware. It's largely the same information that we have in our removal guide, but it's good to see that Apple is now making the instructions available for everyone. (Sample tip: "If any notifications about viruses or security software appear, quit Safari or any other browser that you are using.")

    One of the more interesting points in the knowledge base post: Apple says that a Mac OS X software update is coming soon that will automatically find and remove MacDefender and its known variants, as well as giving users a warning if the malware is downloaded to the Mac. According to our developer friends, Apple also sent out a Developer Seed Notice on May 20 to Mac developers regarding Mac OS X 10.6.8 Build 10K524, which became available for download and testing on that date. We have reason to believe that this security/malware patch will be rolled into Mac OS X 10.6.8, which means it's coming pretty soon.

  • MacDefender malware protection and removal guide

    by Steve Sande
    05.19.2011

    [Screenshot thanks to @jaythenerd]

    The MacDefender malware has been causing trouble for Mac users all over the world; people are calling Apple Support in a panic, spending time visiting their local Apple Store Genius, and getting all stressed out about it. The irony is that the malware itself is mostly harmless to your computer. It's a scam trying to rip off your credit card number, not hurt your Mac (not that the theft of your credit info is a good thing).

    The attack, which displays a message stating that your machine has been infected with viruses that only a "MacDefender" app can remove, has been spreading rapidly -- most of the folks encountering it are coming across it via Google image searches, where results have been 'poisoned' with links to the malware download. MacDefender doesn't infect Macs with a virus, nor does it run a keylogger as a background process on your machine. It's simply trying to scare users into providing credit card information by registering an unneeded piece of software. MacSecurity and MacProtector are the same scam software, differing in name only.

    It's been reported by ZDNet's Ed Bott that Apple is telling support reps not to assist with removing this malware. You're on your own, but TUAW is here to help you. Read more to find out how to protect yourself from MacDefender, what a MacDefender attack looks like, and how to remove the app if it is installed on your Mac.

  • MacDefender malware targeting Mac users, instructions for removal

    by Steve Sande
    05.02.2011

    Mac owners usually have little to worry about in terms of computer viruses and spyware, but a new malware attack seems to be causing issues for some users. According to a report on The Next Web, a specialized malware attack targeting Mac users is making the rounds. Users seem to be targeted as they are browsing Google Images, with one victim reporting that he suddenly received a message stating that his machine had been infected with viruses that only a "MacDefender" application could remove. There is a legitimate MacDefender website that highlights a few shareware apps that a dedicated geocacher has written, and the site's owner is warning people not to download the malware app.

    The malware appears to be targeting Safari. The browser can be configured to automatically open files it considers "safe" (archives, disk images and the like) as soon as they finish downloading, and that appears to be the route of attack being used. While the MacDefender malware isn't infecting Macs with a virus or running a keylogger in the background, the author seems to be trying to scare users into providing credit card information by buying the software.

    The Next Web provided some useful hints on how to protect yourself from the malware and to remove the pesky app if it is downloaded onto your Mac. If you aren't seeing MacDefender in your Applications folder, you can protect yourself from possible infiltration by unchecking the "Open 'safe' files after downloading" box at the bottom of Safari > Preferences > General. If MacDefender is already on your Mac, check out the next page for tips on how to remove it.
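The checks these posts recommend, as an added Python example (written for this page; it is not TUAW's removal guide, Apple's code or anything taken from the malware): it reads the Safari preference behind the "Open 'safe' files after downloading" checkbox, which Safari stores as the AutoOpenSafeDownloads key in the com.apple.Safari defaults domain, looks for app bundles carrying the scam's names (MacDefender, MacSecurity, MacProtector) in a directory you pass in, and reads the com.apple.quarantine extended attribute that File Quarantine attaches to downloaded files. The helper names and the demo directory are this example's own, and where the macOS tools are not present it reports None rather than guessing.

```python
"""Added example: post-MacDefender checks for a Mac.  Uses Safari's real
AutoOpenSafeDownloads key and the com.apple.quarantine attribute; the
helper names and the scan directory are this example's own choices."""
import os
import shutil
import subprocess

# Names the scam shipped under, per the posts above.
SUSPECT_NAMES = ("MacDefender", "MacSecurity", "MacProtector")


def parse_defaults_bool(text):
    """Map `defaults read` output to True/False; None if it is not a bool."""
    value = text.strip().lower()
    if value in ("1", "true", "yes"):
        return True
    if value in ("0", "false", "no"):
        return False
    return None


def safari_auto_open_enabled():
    """True if Safari will auto-open "safe" downloads.  The box is on by
    default, so a missing key counts as enabled; None if `defaults` is
    unavailable (i.e. not on macOS)."""
    if shutil.which("defaults") is None:
        return None
    proc = subprocess.run(
        ["defaults", "read", "com.apple.Safari", "AutoOpenSafeDownloads"],
        capture_output=True, text=True)
    if proc.returncode != 0:
        return True
    return parse_defaults_bool(proc.stdout)


def disable_safari_auto_open():
    """Same effect as unchecking the box in Safari > Preferences > General."""
    subprocess.run(["defaults", "write", "com.apple.Safari",
                    "AutoOpenSafeDownloads", "-bool", "false"], check=True)


def find_suspect_bundles(app_dir):
    """App bundles in app_dir whose name starts with one of the scam names."""
    found = []
    try:
        entries = sorted(os.listdir(app_dir))
    except FileNotFoundError:
        return found
    for name in entries:
        if name.endswith(".app") and name.startswith(SUSPECT_NAMES):
            found.append(os.path.join(app_dir, name))
    return found


def quarantine_attr(path):
    """The com.apple.quarantine value File Quarantine recorded at download
    time (agent, timestamp, origin), or None if absent or not on macOS."""
    if shutil.which("xattr") is None:
        return None
    proc = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                          capture_output=True, text=True)
    return proc.stdout.strip() or None


if __name__ == "__main__":
    print("Safari auto-open enabled:", safari_auto_open_enabled())
    for bundle in find_suspect_bundles("/Applications"):
        print("suspect bundle:", bundle, "quarantine:", quarantine_attr(bundle))
```

On a Mac, a True from safari_auto_open_enabled() is the condition the June 1 variant relied on; disable_safari_auto_open() flips it off, and any bundle the scan lists should be quit and removed before its quarantine record is read for where it came from.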