New Malware Variant Jukes Apple's Bug Fix
Jun 1, 2011 11:43 AM PT
As promised, Apple on Tuesday released a security update to combat MacDefender, a type of fake antivirus malware that had targeted the Mac OS X platform over the last few weeks. On Wednesday, however, hackers apparently found a way around its fix.
Apple's fix updates its malware definition list daily, and it searches for and removes known variants of the MacDefender malware.
However, a new variant that the security update can't detect was released just hours after Apple issued its fix, according to security firm Intego.
Is Apple doing enough to protect users? Should it do more? Will it issue another security update?
Apple did not respond to requests for comment by press time.
Cupertino Takes On the MacDefender Tribe
Several variants of the MacDefender malware have been released over the past month. In chronological order, they are MacDefender, MacProtect, MacSecurity and MacGuard, Intego stated.
All of them essentially redirect victims from legitimate websites to fake sites that purport to scan victims' computers, then claim the computers are infected. The malware then urges victims to purchase and download fake antivirus software.
May saw a spike in malware for the Mac, Craig Schmugar, senior threat researcher at McAfee Labs, told MacNewsWorld.
Apple's fix consists of three parts. First, Cupertino has added a definition to the malware check within File Quarantine. Second, OS X Leopard will check daily for updates to the File Quarantine malware definition list. Third, the security update will search for and remove known variants of the MacDefender malware, and notify the Mac's owner.
Intego points out that the security update only protects users of Mac OS X 10.6 because the malware check in the File Quarantine system doesn't exist in older versions of the operating system.
The update is 2.1 megabytes and doesn't require Mac users to restart their computers after installation, Intego said.
Hackers Beat Mac Security Again
The problem with Apple's security update is that it makes no provision for new variants. Within hours, a new variant was released that made an end-run around the update, Intego said.
This version comes in an installer package named "mdinstall.pkg" and installs an application named "MacGuard," which is the same name as the previous version detected by Apple's security update, Intego stated.
Should Apple have made provision for new variants coming down the line? Or could it have done so?
"Malware is constantly evolving, but this is the approach most antivirus products take," Charlie Miller, principal research consultant at Accuvant, told MacNewsWorld.
It's possible but not really practical for Apple to take a broader approach because "they are trying to provide a minimum level of protection, and that is what they do," Miller pointed out.
"It's a balancing act," said Dave Marcus, director of security research and communications at McAfee Labs.
"Apple probably doesn't want to get into the antivirus business directly but needs to be seen making some moves towards protection," Marcus told MacNewsWorld.
Is Apple Doing Enough?
Apple's response is "a good basic start," Marcus said.
However, given that multiple variants of MacDefender hit Mac users in May, couldn't Apple have done more?
"Considering the low risk of malware right now, this solution is pretty good," Accuvant's Miller opined.
"Also, compare this to Windows or Linux, where there is no antivirus built-in," Miller said. "Getting something for free is a pretty good deal, even if it is not perfect.
"Apple has been taking security more seriously lately," he added.
Apple's approach to security has been to insist that Mac OS is secure and to issue security updates occasionally, but the wave of MacDefender attacks may usher in a change.
"This is the beginning of some tough questions Apple have to answer," McAfee Labs' Marcus stated. "I hope they step up."
It's possible that in the future, Apple may follow Microsoft's lead in issuing regular security updates, Marcus speculated.
"When the next piece of Mac OS X malware comes along, it'll be interesting to see how long it takes for Apple to push out a signature for it," Accuvant's Miller said.
With the latest fix-defying variant of MacDefender, that next piece of malware is arguably here already, and many will be watching for Apple's response.