MacDefender evolves, cat-and-mouse security comes to Mac

Even if MacDefender goes away, it has changed the Apple security game forever.

Mac users and those who offer administration and support to them find themselves in the security rat race for the first time, as MacDefender scareware has rapidly adapted to avoid Apple's detection.

On Tuesday afternoon, Apple released a long-awaited security update for Mac OS X 10.6 Snow Leopard, designed to detect and eliminate known versions of the malware, which has been making the rounds for a month now.

Mac users installed the update, which didn't even require a reboot, then breathed a collective sign of relief, and went about their business, thinking their machines about as secure as prior to the outbreak.

That peace of mind lasted, potentially, about eight hours, as malware developers released a new version designed to side-step Apple's updated malware definitions. Under normal conditions, MacDefender was back in business, installing itself unnoticed and going about its business.

Fortunately for Mac users, Apple seemingly predicted this kind of a shell game in designing the security update (and why not, since this kind of game has been the norm in PC malware design and prevention for years). Then it redesigned its anti-malware system to check for new signatures on startup or every 24 hours. By Thursday morning, Apple had returned the malware creator's volley, detecting the new version of MacDefender and eliminating it. Mac users now wait for the bad guys to respond. Wash, rinse, repeat. Ad infinitum.

Of course, there's still a lot small businesses can do to make sure they're protected beyond relying on Apple's nightly signature updates. Along with keeping software as up-to-date as possible, common sense goes a long way. Educating users not to fall for a scareware attack like MacDefender is a great first step, and is particularly important with Mac users, many of whom have been taught by the community, experience and Apple's marketing department that they are impervious to malware. Some other common-sense steps will help keep users clear of MacDefender and its ilk of attacks as well, and PCWorld has a full survival guide for Mac users concerned with MacDefender.

Here's one quibble with how Apple deals with malware detection. Upon detection of MacDefender or any other known bit of malware, OS X pops up a box, telling users the file they've just downloaded "will damage your computer. You should move it to the Trash." It then provides details of when and where the file was downloaded, and with what it is infected. Users then have the option to move the file to the trash (the default selected option), cancel, or open. Wait...what? Open?

Coming from a company that, if given a choice, will opt for a unified user experience at the expense of user options every time, it seems odd that OS X will perfectly happily allow you the chance to infect yourself knowingly if you so choose. If there's any time for a platform to get tyrannical with its users, this is it. Especially for a community that is largely unaccustomed to the day-to-day issues of dealing with malware, "The file you have downloaded contains malware. It has been deleted," would have been an appropriate and welcome response here.

For now, though, the Mac world awaits MacDefender's next move. Will new versions continue to pop up daily, prompting daily updates of Apple's detection signatures? Will its developers get tired of the grind and move on to the next target? Will the high profile of MacDefender signal a new opportunity for other hackers and cyber-criminals to go after?

Nobody knows for sure at this point. What we do know is that Mac users are now in on the security arms race that has dominated the Windows lifestyle for years, and there's no going back.

Join the CSO newsletter!

Error: Please check your email address.

Tags MacApplespamvirusessecurityhardware systemsdesktop pcsphishing

More about AppleMacs

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Robert Dutt

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place