Slashdot Mirror


Mac OS Update Detects, Kills MacDefender Scareware

CWmike writes "Apple released an update for Snow Leopard on Tuesday that warns users that they've downloaded fake Mac security software and scrubs already-infected machines. Chet Wisniewski, a security researcher with Sophos, confirmed that the update alerts users when they try to download any of the bogus MacDefender antivirus software. Wisniewski had not yet tested the malware cleaning functionality of the update, but was confident that it would work. 'It's reasonably trivial to remove MacDefender,' said Wisniewski. 'It's not burying itself in the system, not compared to some of the crap that we see on Windows.' The update, labeled 2011-003, adds a new definition to the rudimentary antivirus detection engine embedded in Mac OS X 10.6, aka Snow Leopard, and also increases the frequency with which the operating system checks for new definitions to daily."

6 of 277 comments

  1. So Mac Users should expect this? by Flyerman · · Score: 5, Insightful

    So every virus for Macs will get killed in the next update? Very nice work for Apple if it happens that way.

    'It's reasonably trivial to remove MacDefender,' said Wisniewski. 'It's not burying itself in the system, not compared to some of the crap that we see on Windows.'

    Pity it won't always be that way; survival of the fittest applies to viruses too.

    1. Re:So Mac Users should expect this? by Anonymous Coward · · Score: 5, Funny

      More reason to use Windows - you get more sophisticated malware for your money.

    2. Re:So Mac Users should expect this? by ninetyninebottles · · Score: 5, Informative

      There have been some actual viruses in the wild for Mac, but the vulnerabilities are quickly patched, effectively preventing the viruses from spreading on any up-to-date system. http://www.scmagazineus.com/second-mac-virus-in-the-wild/article/32987/

      Despite the misleading claims in the article you cite, according to F-Secure, "Inqtana.A has not been met in the wild and has an internal counter that prevents its operation after 24. February 2006. So it is unlikely that this variant would be a threat to Mac Users." It was an academic proof of concept, not an in-the-wild spreading virus, and I've seen no reports of it in the wild. Sadly, people writing articles parrot terms like "in the wild", "zero day" and "virus" without understanding what the terminology actually means.

    3. Re:So Mac Users should expect this? by node+3 · · Score: 5, Informative

      First off (and I only make this point because you seem to be trying to make this distinction), there are absolutely NO viruses for Mac OS X. None.

      Second, there were plenty of viruses for classic Mac OS. This, however, has absolutely nothing to do with whether Mac OS X has viruses (for the rest of this post, I'm using a broader term for virus, to include trojans, worms, and the like).

      Third, there is a small handful of malware for the Mac, including (almost exclusively) trojans. No one is claiming otherwise, not even the people you are replying to.

      Fourth, in White Hat conventions, *ALL* the systems fall. They tend to fall after certain restrictions have been removed. Macs often fall first (by mere seconds) because people want to win the Mac more than they want to win the PC.

      Even knowing this I still don't use a virus scanner at present as I simply don't see a need. That said I am not foolish enough to believe that it will remain Virus free indefinitely.

      Who is this imaginary person you think is saying that Macs will remain "virus free indefinitely"? This last line pretty much describes every single Mac user, from those that worry the Virus Armageddon is pending to those that think they have nothing to worry about. No one claims this is a permanent state of things, just that it's how it is now, and tomorrow is another day.

  2. Re:From no malware on Mac by je+ne+sais+quoi · · Score: 5, Interesting

    Does the concept of "false equivalence" mean anything to you? Yes, Macs have had trojans for a while on pirated copies of software. Yes, this is an evolution of the malware on OS X since it attempts to trick the user into installing the software. Yes, it'll probably get more complicated than this, but come on -- are you really telling me that OS X getting two instances of malware, after being in use for over a decade, is the same as what has happened with Windows? Really?!?

    --
    Gentlemen! You can't fight in here, this is the war room!

  3. Re:Honest question about security of unix systems by Billly+Gates · · Score: 5, Insightful

    Windows was more insecure because Microsoft designed it to be scriptable with COM/DCOM objects that apps can use to integrate into one another for app embedding. ActiveX controls are just objects that are designed from the ground up to mix Win32 applets inside IE. The whole object model is based upon using proprietary Win32 code and APIs so the programmers do not have to code as much. This was designed for lock-in and accessibility everywhere with no security in mind. Unfortunately, this meant I could write some VB 6 app to call Win32 functions to wipe your hard drive and just copy the DLL over as an ActiveX object in IE. If you had IE 5 or earlier, all you would have to do is visit my webpage and it would run automatically on your computer and it would be trash. The ILOVEYOU worm that hit it big in Outlook was a simple VBA script that copied the string and did a simple call to the user's address book. Most of the Win32 API was designed for Windows 95, built on DOS, which had no concept of user rights. Only the security API for Windows NT had that modern concept. These APIs were ported over to Windows XP.

    Buffer overflows are something else, and poor memory management in Windows causes GP faults, which everyone and their brother received back in the Win 9x days. Microsoft had trouble enforcing this because DOS and Windows 3.1 apps mostly just took random memory addresses, and one would just take an address of something else and bluescreen and take down your system. So if you are a hacker and know where a RAM address ends with a certain DLL (thanks to a debugger), you can put some code in that address and WHAM, instant execution. Windows also had no concept of data for execution vs. data for storage. This is a flaw of x86 actually, but you could put executable code in just a cookie or a temp file, and it would not be hard to trick Windows, when it is done executing a DLL, to go to your program, and it will totally bypass security. You can do this in Unix as well, but this is very uncommon today as you need to be root, and it was a hack of the early 80s when coders wrote in assembly to gain performance tricks. This is frowned upon in the Unix world as there are excellent libraries that can obtain speeds close to assembly. Not to mention users do not want to log in as root. These same assembly calls stayed in Windows due to backwards compatibility, as Windows XP has the default user as an administrator. Doh.

    Anyway, this was why Windows was less secure and why MS wants you to switch to .NET. It has less to do with market share and more to do with poor design decisions and the requirement to be backwards compatible. I am so sick of those saying Windows is great and it is market share or something else stupid.