Apple strikes back at newest Mac scareware
- — 03 June, 2011 06:21
Apple on Wednesday updated the malware engine included with Snow Leopard to detect the newest version of MacDefender, the fake antivirus program that's plagued users for the last month.
The update was the latest in what researchers have called a cat-and-mouse game between Apple and the cyber criminals shilling bogus security software.
Apple updated XProtect, the bare bones anti-malware tool tucked into Mac OS X 10.6, aka Snow Leopard, shortly after 2 p.m. PT Wednesday, to detect what the company tagged as "OSX.MacDefender.C."
Today, French security company Intego and U.K.-based Sophos confirmed that yesterday's update by Apple successfully warns users when they download the latest variant of MacDefender.
That variant appeared early Wednesday, Pacific time, when the gang responsible for MacDefender rushed out a new edition that evaded detection.
Apple initially updated Snow Leopard on Tuesday with signatures to sniff out two previous versions of the "scareware" and to provide users a tool that scrubbed infected Macs of the phony software.
Also called "rogueware," scareware is bogus security software that claims a computer is heavily infected with worms, viruses, Trojan horses and the like. Once installed, the worthless program nags users with pervasive pop-ups and fake alerts until they fork over a fee. MacDefender, the first scareware to target Macs, demands $60 to $80 to stop bothering victims.
Intego first reported MacDefender in early May, but since then several variants have appeared, all with different names but only minor code changes. The most recent title of the scare is "MacGuard," which is delivered via a downloader that installs without requiring a user's administrator password.
Researchers had wondered how quickly Apple would react to the new variant, and applauded Apple's pace. But one warned that Apple had a tough row to hoe.
"If the bad guys can continually mutate the download, XProtect will not detect it," Chet Wisniewski, a security researcher with Sophos, noted in a blog post today.
Wisniewski also said that the scareware group was outsourcing its attacks by paying criminal affiliates to distribute MacDefender and its ilk. [They're] recruit[ing] other people to perform black-hat SEO [search engine optimization], infect Web pages and post blog spam, and assign each one a unique affiliate ID," said Wisniewski. "This allows the criminals to track which affiliate referred the victim and pay them a commission upon purchase of the fake software, enabling the criminals to cast a much wider net."
Because Snow Leopard's XProtect component pings Apple's servers only once each day, and because not every Mac reaches out for signature updates simultaneously, some users may have received the MacDefender.C fingerprint while others have not.
To manually force an update, users can clear the box marked "Automatically update safe downloads list" in the Security section of their Mac's Preferences, then check the box again.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is email@example.com.
Read more about security in Computerworld's Security Topic Center.