Apple to malware authors: Tag, you’re It!

Last night the malware authors behind the Mac Guard fake anti-virus changed their methods again to bypass the updates Apple released yesterday afternoon to protect OS X Snow Leopard users.

Apple fired back shortly after 2 p.m. Pacific Daylight Time today with a new update to XProtect. Computers that have Apple update 2011-003 for Snow Leopard now check for updates every 24 hours.

[Image: XProtect update stamp]

As the cat-and-mouse game continues it will be interesting to see how the attackers proceed. The major change to bypass Apple’s detection yesterday was to use a small downloader program to do the initial infection, then have that program retrieve the actual malware payload.

This approach may be successful as it will be easier for the malware authors to continually make small changes to the downloader program to evade detection while leaving the fake anti-virus program largely unchanged.

Why is this important? Apple’s XProtect is not a full anti-virus product with on-access scanning. XProtect only scans files that are marked by browsers and other tools as having been downloaded from the internet.

If the bad guys can continually mutate the downloader, XProtect will not detect it, and it will not scan the files that this retrieval program downloads. Additionally, XProtect is a very rudimentary signature-based scanner that cannot handle sophisticated generic detection definitions.

Apple now detects this malware as OSX.MacDefender.C. Sophos Anti-Virus for Mac detects individual components of this malware as OSX/FakeAV-DWK, OSX/FakeAV-DWN, OSX/FakeAvDl-A and OSX/FakeAVZp-C.

[Image: OSX.MacDefender.C detection]

It also appears that this malware is using the tried-and-true affiliate distribution method. The writers recruit other people to perform black-hat SEO, infect web pages and post blog spam, and assign each one a unique affiliate ID to include in the URL for their traffic.

This allows the criminals to track which affiliate referred the victim and pay them a commission upon purchase of the fake software, enabling the criminals to cast a much wider net by sharing a portion of the profits with their “affiliates.”

Considering that XProtect only updates once a day, and only on OS X 10.6 Snow Leopard, I recommend users install a proper anti-virus tool. If you want to make sure Apple’s solution is up to date you can open a terminal on your Mac and type the following command:


Even if I didn’t work for a security company, I would install a proper anti-virus tool rather than hope that Apple provides an update every time a new threat appears. We make our Sophos Anti-Virus for Mac Home Edition available absolutely free. No registrations, no email, just free protection.

Thank you to Naked Security reader Patrick Fergus for the tip about Apple’s update to XProtect and Mrs. W. for carving our delicious apple with a perfect X.

SSCC 61 – Sony, Honda, Mac Defender and best practices on securing your organization

On this week’s Chet Chat I interview one of our most experienced technical support account managers and discuss why “we’re doing it wrong”. Paul has worked as a security architect and defended against a slew of targeted attacks in very large environments.

Security is a process not a purchase… Many of us have acquired state-of-the-art high quality tools and yet we fall victim to everyday threats. Paul shares his philosophy on the techniques you can use to get the most out of your security investments.

As usual I also cover the week’s news including the latest attacks on Sony, the data loss event at Honda Canada and the evolution of the fake anti-virus threat facing Apple Mac OS X users.

If you prefer a news summary for the week in text format, visit the Sophos Security News and Trends for the latest selected hot topics or subscribe to our weekly newsletter, Sophos eNews.

(27 May 2011, duration 21:20 minutes, size 8.5MBytes)

You can also download this podcast directly in MP3 format: Sophos Security Chet Chat 61 or subscribe to our RSS.

Dear Apple: Welcome to team anti-malware

It was brought to my attention today that you’ve now published a knowledge base article explaining how to remove the prolific MacDefender fake security software and its various iterations.

While I cannot speak on behalf of an entire industry, I think all of us welcome you with open arms to the team tasked with helping the computer-using community stay safe online.

I have to admit though, I am a bit confused by your terminology.

You state in your article:

“A recent phishing scam has targeted Mac users by redirecting them from legitimate websites to fake websites which tell them that their computer is infected with a virus.”

In our business, phishing has a very specific definition. According to Wikipedia, the agreed-upon definition of phishing is:

phish·ing /ˈfiSHiNG/
Noun: The fraudulent practice of sending e-mails purporting to be from legitimate companies in order to induce individuals to reveal personal information, such as credit-card numbers, online.

We have observed that most users are being infected through malicious web pages that are turning up in Google Image searches. The malicious web pages display a fake security scanner convincing the victim to load a program that is in fact malware.

While I can see how you might consider this to be a phishing attack, we usually use that term when the attack is purely social and is trying to acquire your credentials. If it involves social engineering and malicious code we call it a Trojan.

Wikipedia defines a Trojan as:

“A Trojan horse, or Trojan, is a destructive program that masquerades as a benign application. The software initially appears to perform a desirable function for the user prior to installation and/or execution, but (perhaps in addition to the expected function) steals information or harms the system.”

It is also a bit strange that you don’t recommend that people run an anti-virus program when they have been infected or attacked by malicious code. Perhaps it might be prudent to refer people encountering malware on their Macs to your documentation?

It’s great to have you as a partner in our fight against cybercrime, and we hope you continue your commitment to keeping your customers safe online.

Be cautious, question everything and enjoy your internet experience.

Update: As it happens, I didn’t consider that Wikipedia is a moving target, so choosing them for definitions wasn’t the smartest thing I’ve done. The quotes above were accurate at the time of writing.

Apple support to infected Mac users: "You cannot show the customer how to stop the process"

ZDNet writer Ed Bott has posted the latest instructions to Apple tech support personnel regarding users calling in with active fake anti-virus “MacDefender” infections.

Bott says he acquired the documents by talking with two anonymous Apple support representatives about how Apple is coping with the first widespread attack against OS X users. According to his sources Apple has received an estimated 60,000 tech support calls related to the infections.

It has been encouraging that many Apple customers have been taking this attack seriously and taking preventative measures like installing our free anti-virus program for OS X.

Apple is apparently telling support reps to tell customers:

“Apple’s [sic] doesn’t recommend or guarantee any specific third part [sic] anti-virus protection over another. However I can suggest several third party virus protection programs that you may want to consider researching to find the best one for your needs.”

But they still have their heads buried in the sand when it comes to assisting their customers. The memo, acquired from an outsourced support company, says:

[Image: screenshot of leaked Apple memo]

“Things you must never do according to the client [Apple].”

  • You cannot show the customer how to force quit Safari on a Mac Defender call
  • You cannot show the customer how to remove from the Login items.
  • You cannot show the customer how to stop the process of Mac Defender in their Activity Monitor.
  • You cannot refer the customer to ANY forums or discussions [sic] boards for resolution (this includes the forums)

Apple’s famous PR savvy apparently doesn’t apply to handling security incidents. It is genuinely tragic that such a large number of OS X users are falling victim to this scam, and Apple’s response is less than helpful.

You could argue that Apple created this false sense of security through their marketing and advertisements suggesting Apple users are immune to security threats. Now that some of their flock are affected, it would be good of them to at least point people in the right direction.

Many journalists have asked me in the last few weeks whether this is being hyped by the anti-virus business. Are real people being impacted? Judge for yourself… Apple’s reaction says more about the problem than I can possibly explain.

Regardless of platform we all need to be safe with the choices we make on our computing devices, whether we use tablets, Linux, Windows, OS X, or Android. When enough people let their guard down they are easy targets and criminals will take advantage of the lowest hanging fruit.

Until next time… Stay secure.