
Apple's new antivirus signatures bypassed

After a month-long Mac Defender/Mac Guard malware attack, Apple yesterday finally released the security update it promised last week. The update took Apple one step closer to turning an obscure security feature into something very close to full-fledged antivirus software.

Security Update 2011-003 included changes to the File Quarantine feature, which, beginning with Snow Leopard, also performs antimalware checks. This update added definitions for Mac Defender and its known variants, as well as an automated removal tool. It works only with the most recent version of Snow Leopard, 10.6.7; earlier versions of OS X are apparently not covered.

However, the bad guys have wasted no time. Hours after Apple released this update and the initial set of definitions, a new variation of Mac Defender is in the wild. This one has a new name, Mdinstall.pkg, and it has been specifically formulated to skate past Apple’s malware-blocking code.

The file has a date and time stamp from last night at 9:24PM Pacific time. That’s less than 8 hours after Apple’s security update was released.

On a test system using Safari with default settings, it behaved exactly as before, beginning the installation process with no password required.

As PC virus experts know, this cat-and-mouse game can go on indefinitely.

Mac owners have been very smug about how their machines are safe from viruses and, encouraged by Apple's advertising, presume it is because the Mac is better protected against malware than Windows.

But the truth (and Apple's advertising people know this) is that until recently there just were not enough Macs around to make cyber crime pay off the way it does in the target-rich Windows environment. There are now enough Macs to make crime pay, especially when you consider that, demographically, people who own Macs have more money than people using Windows, so the "pickings" are greater.

So now malware is flooding onto Macs, as I predicted it would. The cyber-criminals are finding Macs to be wide open compared to Windows, and naive Mac users are realizing they are just sitting ducks, babes in the woods, compared to their battle-hardened Windows brethren.

Maybe Mac users will finally wise up and decide that the solution to the virus problem was never to "Get a Mac", but to treat all computer criminals the way the US Army treats Arabs wearing cheap Casio wristwatches!

Posted by siva on 2:44 AM.

