Jun 1, 2011

Apple's MacDefender Malware Patch Bypassed Already

Apple's battle against Mac malware has taken a predictable turn, as a new threat bypasses the MacDefender patch that Apple just issued.

On Tuesday, Apple issued a security update that was supposed to block the MacDefender malware and its variants. But according to Ed Bott at ZDNet, malware makers have already worked around Apple's defenses.
A new variant, with the file name mdinstall.pkg, was created specifically to bypass Apple's latest update.

MacDefender is a type of malware that surfaced in early May. When Mac users visit a contaminated site, it throws up a fake infection warning and downloads the malware installation file, which masquerades as anti-virus software. A variant, MacGuard, begins the installation process with no admin password required. If the user continues the installation, the software creates more fake virus warnings, loads pornographic websites and demands credit card information to eradicate non-existent viruses.

For these earlier variants, Apple's security update works, but not flawlessly. As Bott demonstrates, a new dialog box warns users about the harmful file and gives them a chance to move it directly to the trash. A better solution would be to block the download entirely, so the user doesn't have to distinguish Apple's genuine malware warning from the fake infection alerts that are appearing on screen at the same time.

The new variant bypasses Apple's warning messages, but more importantly, it demonstrates that Apple can't make this problem go away with a single patch. Malware makers have discovered a new business in Macs, and they're not going to give up so easily.

To be clear, we're not talking about viruses. MacDefender is a scam aimed at gullible Mac users, not an infection that spreads through the user's computer. The removal process is fairly simple. But this wave of Mac malware is a problem, and Apple will have to keep working -- perhaps indefinitely -- to address it.

Source: techland.time.com