Apple's security update may have already been bypassed by attackers.
Apple released an update to OS X Snow Leopard users yesterday to protect against the wave of Mac-specific malware. But according to Chester Wisniewski, senior security advisor at Sophos Canada, the malware authors have changed their methods again to bypass the update.
The update to XProtect means that computers with Apple Security Update 2011-003 for Snow Leopard will now check for new definitions every 24 hours, but Wisniewski said that XProtect is a very rudimentary signature-based scanner that cannot handle sophisticated generic detection definitions.
Wisniewski said: “This approach may be successful as it will be easier for the malware authors to continually make small changes to the downloader program to evade detection while leaving the fake anti-virus program largely unchanged.
“Why is this important? Apple's XProtect is not a full anti-virus product with on-access scanning. XProtect only scans files that are marked by browsers and other tools as having been downloaded from the internet. If the bad guys can continually mutate the download, XProtect will not detect it and will not scan the files downloaded by this retrieval program.”
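The detection gap Wisniewski describes can be shown with a small simulation. The following is an added example, not code from the article, from Apple or from Sophos: a toy exact-hash scanner that, like XProtect, only looks at files carrying the "downloaded from the internet" quarantine flag, beside one that scans every file. The file paths, the downloader and payload byte strings and the `fake_av` name are all constructed for the example; none of them are real samples.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class SampleFile:
    """A file on disk as a scanner would see it (constructed for this example)."""
    path: str
    content: bytes
    quarantined: bool  # True when a browser tagged the file as downloaded from the internet


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the two components the article describes: a small
# downloader that the attackers keep changing, and a larger fake anti-virus
# program that stays the same between campaigns.
DOWNLOADER_V1 = b"downloader build 1 (constructed sample)"
DOWNLOADER_V2 = b"downloader build 2 (constructed sample, trivially changed)"
FAKE_AV_PAYLOAD = b"fake anti-virus program (constructed sample, unchanged)"


def build_signatures(*known_bad):
    """Exact-hash signature set of the kind a rudimentary scanner ships."""
    return {sha256_hex(sample) for sample in known_bad}


def download_only_scan(files, signatures):
    """XProtect-style: scan only quarantined files, exact-hash match."""
    return [f.path for f in files
            if f.quarantined and sha256_hex(f.content) in signatures]


def all_files_scan(files, signatures):
    """On-access style: scan every file regardless of how it arrived."""
    return [f.path for f in files if sha256_hex(f.content) in signatures]


def infection_chain(downloader: bytes):
    """Files left behind after a user runs the browser-downloaded installer.

    The payload is fetched by the downloader itself rather than by the browser,
    so it never receives the quarantine flag.
    """
    return [
        SampleFile("/Users/victim/Downloads/installer.zip", downloader, quarantined=True),
        SampleFile("/Applications/fake_av.app/Contents/MacOS/fake_av",
                   FAKE_AV_PAYLOAD, quarantined=False),
    ]


def compare(downloader: bytes, signatures):
    """Run both scanners over the same infection chain and report what each flags."""
    files = infection_chain(downloader)
    return {
        "download_only": download_only_scan(files, signatures),
        "all_files": all_files_scan(files, signatures),
    }


if __name__ == "__main__":
    # Signatures were written for the downloader seen yesterday and for the payload.
    sigs = build_signatures(DOWNLOADER_V1, FAKE_AV_PAYLOAD)
    print("known downloader:  ", compare(DOWNLOADER_V1, sigs))
    print("mutated downloader:", compare(DOWNLOADER_V2, sigs))
```

With the original downloader both scanners flag the installer, and the all-files scan also flags the payload. Once the downloader changes by a single byte, the quarantine-only scan sees nothing at all, while the all-files scan still catches the unchanged fake anti-virus program. That is why the attackers only need to keep mutating the small first stage, and why a defender's signature on the large, static second stage is only useful if something actually scans it.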
Speaking to SC Magazine, Roel Schouwenberg, senior anti-virus researcher at Kaspersky Lab, said that the interesting thing about the new wave of Mac malware was its sudden arrival. He said: “There was a little bit in the last 12 months but at the beginning of last month there was no Mac malware and nothing was happening.
“Now one group has decided to give it another shot and with advances in search engine optimisation and with the proliferation of Apple devices out there, people are getting lucky. Apple has said that 30-50 per cent of helpdesk calls are now about MACDefender as a service problem.
“There is a question mark over how successful it is. To gauge how long it will last is difficult, if it is gone by mid or the end of June then it was not successful, if it runs for one and half or two years and then stops we will know, but it is hard to draw a connection. It mostly depends on how long the project will run.”
Commenting on the bypass of the update, Schouwenberg said that Apple does not have a good track record of issuing security updates, ‘as Safari is all about convenience and not about security’.
This week Avast and F-Secure have launched new Mac anti-virus software. Avast released a beta version of its free anti-virus for Mac that will eventually replace the current Avast for Mac Edition. It said that this comes with an on-demand scanner and three separate shields: mail, file system and web, which monitors and filters all HTTP traffic from the internet before sending it on to the browser.
F-Secure said that its anti-virus protection for Macs, aimed at both home and business users (as security-as-a-service), gives real-time protection against all Mac-based threats, automatically detecting and removing any malware.
It said that F-Secure Protection Service for Business is a complete ‘security as a service’ solution specially designed for small and medium-sized companies.