GMA News Online

Hackers quickly bypass Apple's malware defenses

June 2, 2011 7:25pm
While it took nearly a month for Apple Inc. to release a security update against the MacDefender malware, the malware's authors needed mere hours to turn the tables.

Technology writer Ed Bott noted the "bad guys" wasted no time in thwarting Apple's initial security update with a new variation of MacDefender.

"The bad guys have wasted no time. Hours after Apple released this update and the initial set of definitions, a new variation of Mac Defender is in the wild. This one has a new name, Mdinstall.pkg, and it has been specifically formulated to skate past Apple’s malware-blocking code," Bott said in his blog.

He said that the file has a date and time stamp "less than eight hours after Apple’s security update was released."

On a test system using Apple's Safari browser with default settings, the new variant behaved exactly as before, beginning the installation process with no password required.

"As PC virus experts know, this cat-and-mouse game can go on indefinitely. Your move, Apple," he said.

Bott also said he captured a video that shows Apple's File Quarantine feature successfully blocking an attempt to automatically install the MacGuard malware.

Earlier, Apple had released Security Update 2011-003, which includes changes to the File Quarantine feature.

The feature includes antimalware checks for files downloaded through web browsers, e-mail, and other common paths.

This update includes definitions for Mac Defender and its known variants, as well as an automated removal tool. It works only with the most recent version of Snow Leopard, 10.6.7.

However, Bott noted the MacGuard fake antivirus program can go from a seemingly innocent Google search result to a full install in just three clicks, with no password required.

Worse, he said the May 31 release of MacDefender's Mdinstall.pkg is not detected by the 2011-003 update and signature files.

"It will be interesting to see how widely Apple publicizes this notice. It will be even more interesting to see how the authors of MacDefender and its variants respond," he said. — TJD, GMA News