Apple "Mac Defender" malware fix busted in 8 hours


47 Responses to “Apple "Mac Defender" malware fix busted in 8 hours”

  1. Anonymous says:

    Again the tired old argument of “finally enough Macs to get noticed by the malware people”. Read it enough times on CNET and it must be true, right?

    The other thing I see in this comment thread is the pattern of Mac users disparage PCs but the PC lovers disparage Mac users. Hating a computer platform is one thing, hating people because of your perceived “smugness”, that’s a bit much. Don’t ya think?

  2. aelfscine says:

    I like how a lot of the Apple apologists’ answers to this basically make the point that a virus on an Apple is unnecessary –

    Apple ITSELF already roots around in your computer, changing files without your knowledge and sniffing around! What more would a virus have to do, really? It’d be like sending a ground force in to invade post-bomb Hiroshima.

    • Cowicide says:

      Apple ITSELF already roots around in your computer, changing files without your knowledge and sniffing around! What more would a virus have to do, really? It’d be like sending a ground force in to invade post-bomb Hiroshima.

      That’s funny, I run Little Snitch and fseventer (among other things) so I happened to know you’re pretty much full of shit.

      The FUD sho’ is thick ’round here…

  3. grimatongueworm says:

    Therefore, Send not to know for whom the bell tolls…

  4. holtt says:

    As a Mac owner, I somehow feel like I’ve arrived.

    • PaulR says:

      Yes, welcome to the grown-ups’ playground, to the deep end of the pool, to the ‘live-ammunition’ target range. Mind the gap.

      • Cowicide says:

        Yes, welcome to the grown-ups’ playground, to the deep end of the pool

        [Paul screams this as he desperately struggles to barely stay afloat as his Windows machine gets hacked by merely looking at a website without any user interaction; Meanwhile, Cow merely throws away a zip file that didn't do shit and swims a leisurely backstroke over to Paul and slyly asks if he "needs any help?"]

        • PaulR says:

          Which life would you rather have lived, Cowicide, Malcolm Reynolds’s or Dr. Simon Tam’s?

          /Would rather have the scars to prove it.

    • Anonymous says:

      It’s a sign there are officially enough macs for people to give a damn now.

      Soon all those turgid half-finished novels that you’re going to get round to finishing some day, abandoned screen plays about quirky hipsters having their lives shaken up by a woman suspiciously resembling the girl who works at the coffee shop and student film projects will be in the hands of the wicked geniuses behind the Mac Defender!

  5. Anonymous says:

    The real problem lies with all those web servers that are easily hacked into and poisoned to run the fake “your machine has been infected” script. Fix those and all of the variations of Mac Defender will find it much harder to find a mark.

    Apple has a much better solution coming. The one Apple just distributed is more designed to force the malware player to innovate than anything else.

  6. angryhippo says:

    This Mac vs. Windows stuff is tiresome. From my perspective the biggest issue with this is that Mac users have been so insulated from the issues PC users have had to deal with that there’s a sense of invulnerability that has them clicking on “ok” or entering their admin password when prompted without thinking “why am I being asked?”

  7. Anonymous says:

    welcome to the party, mac!

    • Anonymous says:

      What party? Trojans have been around for OSX for a while. Or are you trying to peddle that old “Security through Obscurity” myth B.S.?

  8. Anonymous says:

    Welcome to my world, the wonderful world of Windows! Please allow me to show you around. Over here we have a suite of Anti-Virus software, over here is a pile of patches, way over there, that’s the power button, you’ll use that a lot, it’s how you “Reboot” when there’s a failure…

    • Anonymous says:

      Oh hey, I remember the power button! It’s that thing I desperately used to slam when my iMac would freeze up in OS9 before eventually yanking the power cable. Hi power button, remember me?!

  9. Anonymous says:

    Disingenuous reporting (not unlike the WHO cell phone thing). Apple’s security fix updates the signature database daily by default, so it’s no more “busted” than any anti-virus software is until new signature updates happen. CNET’s article sucks for making it sound like this daily update is off by default, when it is actually enabled by default.

    Apple didn’t just push out a one-time malware scraper, they put a little more thought than that into it. Meanwhile Microsoft still issues monthly (not daily) “malicious software removal tool” updates.

  10. Anonymous says:

    Macs don’t get viruses. This is heresy.

  11. cratermoon says:

    This is nothing more than proof that Apple has finally broken the Microsoft Windows monopoly on the desktop … of users who are possibly fatally naive and gullible, along the lines of http://boingboing.net/2011/04/28/police-play-doctor-t.html

  12. teapot says:

    I thought it was the sound of the world’s tiniest violin, but it was actually fanboys crying in harmony.

  13. Anonymous says:

    All programmers need Macs for web app testing. You can’t just test the most popular platforms; you need to test against the least popular platform too. If it doesn’t work in Safari, you are giving up the pretentious hipster trade!

  14. teapot says:

    Perhaps it’s the years of dealing with security issues on your Win machine has made you a little numb to the differences between viruses, trojans, adware, spyware etc

    Perhaps it’s your years of using Mac that automatically smugifies your forum comments and inflates your sense of superiority?

    “Unlike a worm, a virus cannot infect other computers without assistance. It is propagated by vectors such as humans trading programs with their friends”
    So, where exactly is the problem with my comment?

    I love Mac users’ assumptions that if you are a Win user you are either:
    *cheap
    *a noob
    *constantly battling computer problems
    *simply don’t know how good Macs are compared to PCs

    I can work an OSX machine better than most mac users. I studied video production at university (where they had macs). I am a designer. I would still choose a high-end Win machine over a high-end mac. Any. Day. Of. The. Week.

    To me, the battle between Mac & Win is just stupid. Both computers do exactly the same shit and the efficiency and production they are capable of is only limited by the person driving it.

    In any case, I find it funny that the fanboys are desperately grasping to the point that this is not a virus. Personally (and you might see this as technically wrong, but I don’t care) I group any kind of application designed for malicious intent under the title of “virus”. You may wish to separate them out into cute little groups, but in my view they all live in one group. Did you even hear the word “malware” in the 90s? Does this mean no software that lives in the malware category existed in the 90s? No, it’s just because all these terms people dreamed up for different types of malicious software used to be defined under one word. Citation needed?

    http://ngrams.googlelabs.com/graph?content=computer+virus&year_start=1880&year_end=2008&corpus=0&smoothing=1

    http://ngrams.googlelabs.com/graph?content=malware&year_start=1880&year_end=2008&corpus=0&smoothing=1

    • Anonymous says:

      That is some serious convoluted logic. By that standard anyone with any kind of mental illness is basically insane, because we didn’t use to have all these, whaddayacallem, definitions!

    • Anonymous says:

      Well, Teapot, it’s not really global warming.

      Well, OK, but it’s not really anthropogenic global warming.

      Well, OK, but it’s going to be good for crops!

      Well, look, who are you going to believe? Me, or your lyin’ eyes?

  15. teapot says:

    It’s malicious code run by the user’s permission that implements a [__________].
    ^Like the large majority of viruses

    Provided you know what you’re doing it’s quite hard to screw up. I’ve not had a single issue with viruses on any Win machine I use in years, running nothing but free antivirus software.

    • xian says:

      Perhaps it’s the years of dealing with security issues on your Win machine has made you a little numb to the differences between viruses, trojans, adware, spyware etc., but let me tell you this is definitely not a virus. Viruses spread without any user interaction, and that is very, very bad. I actually don’t think there are many (any for that matter?) real viruses for Windows Vista / 7 either, but there is a shit ton of other malware similar to this one as you are probably aware.

      And it will probably get worse with time for the Mac, unless Apple decides to go the route of distributing software exclusively through the App Store, vetting anything that could be installed on a user’s machine. Obviously most people would find this to be a terrible idea, but it may be a good default for new systems, something that could be overridden by power users that are smart enough to not install crap like this.

  16. Anonymous says:

    It’s worth noting that this is not a virus, and it doesn’t break any existing security. It’s malicious code run by the user’s permission that implements a phishing scam. So, good for Apple for putting all this investment into trying to assist users, but it’s a shame that it gets lumped into the category of “system vulnerability.”

  17. spriggan says:

    It doesn’t matter how tightly you lock the gates, eventually the Red Death will come to your party.

  18. xian says:

    I really hesitate to keep this shit going, but what the hell…

    Perhaps it’s your years of using Mac that automatically smugifies your forum comments and inflates your sense of superiority?

    Pot calling the kettle black much? (and yes I just refrained from using a really bad pun, thank you)
    Your first comment in this thread is about as smug as they come.

    “Unlike a worm, a virus cannot infect other computers without assistance. It is propagated by vectors such as humans trading programs with their friends”
    So, where exactly is the problem with my comment?

    “A computer virus is a computer program that can copy itself[1] and infect a computer.”
    I imagine we can trade links defining the term virus to suit our argument all day, so let’s call this one a draw.

    I love Mac users’ assumptions that if you are a Win user you are either:
    *cheap
    *a noob
    *constantly battling computer problems
    *simply don’t know how good Macs are compared to PCs

    I can play this game too! And a PC user thinks fanboys, I mean Mac guys:
    *throw money away like it’s going out of style
    *are noobs
    *are fanboys
    *are smug hipsters
    *can’t handle the sheer awesomeness that is Windows (ok, that was a bit smug)
    *have no kewl games
    *would buy a literal turd from Steve Jobs if it had the letter i in front of it
    *are fanboys

    I can work an OSX machine better than most mac users. I studied video production at university (where they had macs). I am a designer. I would still choose a high-end Win machine over a high-end mac. Any. Day. Of. The. Week.

    Oh god, I would have hated to have been next to you in class. “WHERE’S THE RIGHT MOUSE BUTTON? WHY IS IT CMD-C TO COPY AND NOT CNTRL-C LIKE EVERY OTHER OS IN THE WORLD? I THOUGHT THESE THINGS WERE JUST SUPPOSED TO WORK AND THAT THING I JUST DID DIDN’T WORK!”.

    To me, the battle between Mac & Win is just stupid. Both computers do exactly the same shit and the efficiency and production they are capable of is only limited by the person driving it.

    I could not agree with you more!

    In any case, I find it funny that the fanboys are desperately grasping to the point that this is not a virus. Personally (and you might see this as technically wrong, but I don’t care) I group any kind of application designed for malicious intent under the title of “virus”. You may wish to separate them out into cute little groups, but in my view they all live in one group. Did you even hear the word “malware” in the 90s? Does this mean no software that lives in the malware category existed in the 90s? No, it’s just because all these terms people dreamed up for different types of malicious software used to be defined under one word.

    I’m not sure if “desperately grasping” is the way I would put it, just trying to point out that this malware, virus, trojan – whatever the hell you want to call it – needs to be explicitly installed by the end user. It’s simply a trick that relies on the end user doing something stupid. And what’s wrong with terms evolving as things grow more complex and branch in different directions? I’m glad medical science now differentiates between little things like schizophrenia and witchcraft.

    Anyway, I think the first poster in this thread nailed it – it’s really a sign of the times that the Mac has arrived. And I’m sure we’ll be seeing more of this in the future. And we’ll probably see a post from you each time it happens. And the sun will rise in the east and set in the west.

    • teapot says:

      That is some serious convoluted logic.
      Yeah it is, when you misrepresent my point. It seems you need more clarification: Malware is a modern subset of what used to be defined as a virus. Malware may be a more specific definition, but its existence as a word does not change the previously established definition. A sniper rifle is still a gun despite having a specific name for it.

      @#35: Um, what?

      I really hesitate to keep this shit going, but what the hell…
      I like you!

      (and yes I just refrained from using a really bad pun, thank you)
      I tend to have that effect on people.

      Your first comment in this thread is about as smug as they come.
      Agreed, but it was at least directed at a smaller group than “all mac/win users”. “fanboy” is a label for a type of mac owner. A type that undeniably exists and is undeniably annoying. As I said, I’m a designer yet I regularly have to endure people who don’t work in my field recommend and endorse one brand’s products (guess which one!?).

      I imagine we can trade links defining the term virus to suit our argument all day, so let’s call this one a draw.
      Deal.

      I can play this game too! And a PC user thinks fanboys, I mean Mac guys
      I did not group all mac owners under the definition of “fanboy”. Nor did I convey any of those opinions in my comment.

      Oh god, I would have hated to have been next to you in class.
      My golden rule is never to ask anything that can be easily Googled. lmgtfm!

      I could not agree with you more!
      Why are we arguing? Most BB regulars who choose mac are probably not the type who annoy people about things such as tool choice anyway. The Anon floaters in the thread? Those are probably the insufferable fanboys.

      I’m not sure if “desperately grasping” is the way I would put it, just trying to point out that this malware, virus, trojan – whatever the hell you want to call it – needs to be explicitly installed by the end user.

      While many Win users certainly do consider the words “fanboy” and “mac user” as the same group, I do not. I’m sorry if my use of the word struck a nerve but I most certainly was not implying that you were the fanboy-type to which I was referring in my comment.

      Peace out, computer fan.

  19. Equalizer says:

    Smug Mac users did not install Mac Defender. The truly smug would not have installed it, thinking there’d be no reason to. No, the people who installed Mac Defender thought they were doing the Right Thing. They trusted the Bozos. You see? The road to hell, paved with good intentions visited by those with inflatable shoes.

  20. Anonymous says:

    Whether or not you care about the accuracy of the term ‘virus’, what I’d like to know is, who is behind this action, and why are they doing this? Is it someone holding a grudge and just trying to screw Apple? Is it some Luddite type protest against technology? A prankster just in it for the lulz? Someone trying to collect user info? Or just some jerk who gets his jollies by bothering people?

    Any ideas?

    • Cowicide says:

      Whether or not you care about the accuracy of the term ‘virus’, what I’d like to know is, who is behind this action, and why are they doing this? Is it someone holding a grudge and just trying to screw Apple? Is it some Luddite type protest against technology? A prankster just in it for the lulz? Someone trying to collect user info? Or just some jerk who gets his jollies by bothering people? Any ideas?

      It’s apparently Russians trying to make some money. Nothing too outlandish.

    • xian says:

      You forgot security companies trying to drum up some new business.

      =0

  21. von Bobo says:

    a friend’s mac routinely sends out body part enlargement emails, complete with hyperlinks and attachments, to everyone in her contact list.

    It’s been going on for over a year now- not surprising that mac users have zero mac problem solving skills, considering they never have problems with their machines.

    • xian says:

      That sounds like it most likely has to do with your friend’s email password being compromised, and nothing to do with what computer platform they use. Assuming they are able to log in to their email account, they need to change their password immediately.

  22. Anonymous says:

    Of course, the Apple update also included a preference (on by default, but you can turn it off) to allow Apple to silently update their malware definitions. So Apple can now fix whenever they want, and without the need for people to install an update.

  23. Anonymous says:

    The problem is that this is not a virus, but a program the user is installing. It is the same principle as if someone went to Adobe’s website and clicked the link to download Flash. They will get the popup to type in their password to install it and it installs.

    The issue here is someone maliciously created a Flash ad for a website or has a mouseover event for an image that runs code to make the computer think the user was wanting to download a file…one that then scares the user with a “your computer infected” alert and tricks the user into “click here to clean it”. The user then enters their password thinking it is what they are supposed to do, but in reality, they are installing this malware.

    Windows side has been fighting with the fake antivirus malware for about 4 or 5 years at least. And on that side, as with the Macs now…the term we use is PEBKAC. Problem Exists Between Keyboard And Chair. The user is the weak link here. Apple cannot prevent the user from clicking the “YES” or “OK” button. Apple cannot prevent the user from entering their password to install the malware. What Apple could probably do is talk with a company like Malwarebytes and work with them to make a product for Macs that will clean up the mess when it does happen.

  24. Garst says:

    Maybe if Apple spent the money it wasted on the “Macs don’t get viruses” ads, it could pay someone to implement a real solution to the problem.

  25. hostile17 says:

    I know I shouldn’t be like this, but I find it funny.

    I think it’s years of pent up anger at Smug people.

    “I’m having an issue with my browser…”
    Smug response: “Get a Mac”

    “My monitor is rather bright…”
    Smug response: “Get a Mac”

    “I had a BSOD”
    Smug response: “Get a Mac”

    “War has broken out in Iraq”.
    Smug response: “Get a Mac”

    So yeah, for all those years… taste your smugness Mac owners.

    • Cowicide says:

      Your green glow of jealousy of our superior platform is showing more than ever by your statements.

      The solution for you, hostile?

      Get a Mac. Get a Mac. Get a Mac. Get a Mac. Get a Mac. Get a Mac.

    • Baldhead says:

      less smug than “your computer doesn’t work because of poor design? huh. I don’t have that problem.” But seriously, this is just evidence that someone felt that there were enough macs to bother with this sort of thing. Ways to fix it? well for starters never trust a freaking website that tells you you have a virus. Not that I’ve seen the PC version of these pages since installing adblock….

  26. phisrow says:

    From the (still full of petty sniping but slightly more technical) slashdot thread, somebody dug up the definition file URL:

    http://configuration.apple.com/configurations/macosx/xprotect/1/clientConfiguration.plist

    As you can see on inspection, it’s 13k of XML which appears to contain instructions for a series of simple string checks to detect the presence of the following named malwares: OSX.RSPlug.A, OSX.Iservice, OSX.HellRTS, OSX.OpinionSpy, OSX.MacDefender A, B, and C. Unfortunately, such string checking is about the simplest possible sort of inspection, and (if suitably motivated) I suspect that we’ll see the number of computationally-equivalent-but-differently-padded-or-otherwise-obfuscated variants balloon enormously. Up to and including fully automated generation of slight variants per download. On the plus side, such string checking should be quite lightweight.

    Architecturally, it is apparently incorporated into the existing quarantine mechanism that placed a warning flag on files originating from the internet.

    It will be interesting to see where the arms race goes from here: this naive approach will stop stale malware from claiming further victims (mostly); and won’t bog things down (runtime cost nearly zero, download cost under 100k, compared to the 40-50MB you might see in a windows AV package update, with hefty IO and CPU penalties); but, unless it has hidden depths, it will be utterly, utterly, useless against even modestly competent automated permutations or script-kiddie repackage jobs.

    Should things get to that point, Apple will either adopt (natively or through 3rd parties) the heavy-handed game of whack-a-mole that is Windows AV, or they will get all iDevice on OSX and set themselves up as the gatekeeper: validating cryptographic signatures sure is easier than enumerating all badness on the internet…
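The contrast drawn in comment 26, string-match denylisting versus signature-based allowlisting, as an added example that is not part of the comment and is not Apple's code. The plist key names, the byte strings and the signing key are all constructed for illustration, and HMAC stands in for a public-key code signature because the Python standard library has no asymmetric signing.

```python
import hashlib
import hmac
import plistlib

# Constructed definition file. The key names are assumptions for this example,
# not Apple's schema; Pattern is the hex encoding of b"fake-av-marker".
DEFINITIONS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>EXAMPLE.FakeAV.A</string>
    <key>Pattern</key><string>66616b652d61762d6d61726b6572</string>
  </dict>
</array>
</plist>"""

# Constructed file contents (inert bytes, not real samples).
KNOWN_SAMPLE = b"\x00HDR\x00fake-av-marker\x00rest-of-file"
VARIANT = b"\x00HDR\x00fake-av_marker\x00rest-of-file"  # one byte differs
EDITOR_APP = b"\x00HDR\x00plain text editor\x00"

# Stand-in for a vendor signing key. With real code signing the verifier
# holds only the public half.
VENDOR_KEY = b"constructed-demo-key"


def load_signatures(plist_bytes):
    """Parse the definition plist into (name, byte pattern) pairs."""
    return [(entry["Description"], bytes.fromhex(entry["Pattern"]))
            for entry in plistlib.loads(plist_bytes)]


def denylist_scan(data, signatures):
    """Name of the first signature whose pattern occurs in data, else None."""
    for name, pattern in signatures:
        if pattern in data:
            return name
    return None


def sign(data):
    """Vendor-side: produce the tag that ships alongside an approved file."""
    return hmac.new(VENDOR_KEY, data, hashlib.sha256).digest()


def allowlist_verify(data, signature):
    """Accept only files carrying a valid tag; unsigned files are refused."""
    return signature is not None and hmac.compare_digest(sign(data), signature)


def evaluate():
    """Run both policies over the constructed files and return the verdicts."""
    signatures = load_signatures(DEFINITIONS)
    files = {
        "known": (KNOWN_SAMPLE, None),
        "variant": (VARIANT, None),
        "signed_app": (EDITOR_APP, sign(EDITOR_APP)),
        "tampered_app": (EDITOR_APP + b"x", sign(EDITOR_APP)),
    }
    return {label: {"denylist_hit": denylist_scan(data, signatures),
                    "allowlist_ok": allowlist_verify(data, tag)}
            for label, (data, tag) in files.items()}


if __name__ == "__main__":
    for label, verdict in evaluate().items():
        print(f"{label:13} {verdict}")
```

The denylist catches only the exact pattern it was given, so each variant needs a new definition, while the allowlist refuses the variant and the tampered app without knowing anything about them.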

  27. Equalizer says:

    Malware is a modern subset of what used to be defined as a virus.

  28. Equalizer says:

    Malware is a modern subset of what used to be defined as a virus.

    No. The reverse is true: A virus is a type of malware. (See http://en.wikipedia.org/wiki/Malware) Mac Defender is a Trojan Horse, another type of malware that is invited on to the computer by the user. In this case, the person is tricked into installing the software that will supposedly protect them from non-existent viruses.
