Responding to a widespread fake antivirus program aimed at Macs, Apple on Tuesday released an update that warns users of the threat and removes it. The update is available for Macs running Mac OS X 10.6 Snow Leopard and Mac OS X Server 10.6.
In its Security Update 2011-003, Apple said the update, available via Software Update or from Apple Downloads, refreshes the malware definitions used by File Quarantine to include MAC Defender, the fake antivirus malware, and adds automatic, daily updating of the definition list. Automatic updating can be disabled by the user. The update also removes MAC Defender and its known variants if the malware has already been installed, and an alert notifies the user that this was done.
Reports on the web on Wednesday indicated that the malware's makers had already circumvented Apple's update by distributing the malware under a new file name, mdinstall.pkg. The move could be short-lived if Apple adds a definition covering the renamed file to its new daily update of malware definitions.
'Give Apple Credit'
Apple said files downloaded via Safari, iChat or Mail are checked against a list of known malware that includes viruses, worms, Trojan horses and other malicious software. If a downloaded file matches an entry on the list, Mac OS X displays a dialog prompting the user to move it to the Trash. The list is stored on the computer and, with the update, refreshed daily.
For years, Macs have enjoyed a reputation for being immune to the many kinds of malicious software that have plagued Windows machines, supposedly because of the inherent strength of Mac OS X. Many observers have argued instead that the installed base of Macs was simply too small to be worth a self-respecting attacker's effort.
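The following is an added example, not code from the article or from Apple: a small Python model of the list-based check described above, which also shows why the mdinstall.pkg rename reported on Wednesday is only a problem if the file's contents changed. The definition list is a constructed sample whose field names are modelled loosely on the layout of XProtect.plist (the file File Quarantine consults, found on 10.6 under /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/); that layout, the function names, and the installer stand-ins are all assumptions for illustration, and the pattern is a deliberately fake marker rather than a real MAC Defender signature.

```python
import plistlib

# --- Constructed sample definition list -------------------------------------
# Field names are an assumption modelled on XProtect.plist; the pattern is a
# fake marker, NOT a real MAC Defender signature.
MARKER = b"FAKE-MACDEFENDER"

SAMPLE_XPROTECT_PLIST = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
  <dict>
    <key>Description</key>
    <string>OSX.MacDefender.A</string>
    <key>LaunchServices</key>
    <dict>
      <key>LSItemContentType</key>
      <string>com.apple.installer-package-archive</string>
    </dict>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchFile</key>
        <dict>
          <key>NSURLTypeIdentifierKey</key>
          <string>com.apple.installer-package-archive</string>
        </dict>
        <key>MatchType</key>
        <string>Match</string>
        <key>Pattern</key>
        <string>{pattern}</string>
      </dict>
    </array>
  </dict>
</array>
</plist>
""".format(pattern=MARKER.hex().upper()).encode()


def load_definitions(plist_bytes):
    """Flatten the plist into (name, content_type, pattern_bytes) triples."""
    definitions = []
    for entry in plistlib.loads(plist_bytes):
        for match in entry.get("Matches", []):
            definitions.append((
                entry["Description"],
                match["MatchFile"]["NSURLTypeIdentifierKey"],
                bytes.fromhex(match["Pattern"]),
            ))
    return definitions


def check_download(filename, data, content_type, definitions):
    """Emulate the quarantine decision for one downloaded file.

    Matching is keyed on the declared content type plus a byte pattern in the
    contents.  The file name is carried only for the user-facing dialog and
    plays no part in matching, so renaming an unchanged file does not help an
    attacker; shipping a variant whose bytes no longer contain the pattern
    does, until a new definition is issued.
    """
    for name, uti, pattern in definitions:
        if uti == content_type and pattern in data:
            return {"file": filename, "detected": name,
                    "action": "prompt: move to Trash"}
    return {"file": filename, "detected": None, "action": "allow"}


# Constructed stand-ins for installer packages (not real .pkg files; "xar!" is
# only the package magic, used here as a recognisable prefix).
PKG_UTI = "com.apple.installer-package-archive"
ORIGINAL_INSTALLER = b"xar!" + b"\x00" * 8 + MARKER + b"\x00" * 8
VARIANT_INSTALLER = ORIGINAL_INSTALLER.replace(MARKER, b"FAKE-MACGUARD-02")

if __name__ == "__main__":
    defs = load_definitions(SAMPLE_XPROTECT_PLIST)
    for fname, blob in [("MacDefender.pkg", ORIGINAL_INSTALLER),
                        ("mdinstall.pkg", ORIGINAL_INSTALLER),   # renamed, same bytes
                        ("mdinstall.pkg", VARIANT_INSTALLER)]:   # new variant, new bytes
        print(check_download(fname, blob, PKG_UTI, defs))
```

Run as a script, the first two files are flagged and the third is allowed: a rename alone changes nothing, and only a variant with altered contents slips past the list until the daily update carries a definition for it.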
Chris Christensen, an analyst with IDC, said the myth of the Mac's invulnerability to hacking attacks "still largely stands in public perception," although they were "never technically invulnerable." Rather, he said, it was because their installed base was too small, but now the Mac's usage, transactional functions, and larger installed base present a tempting target to attackers.
Christensen added that he has to "give Apple credit" for its quick response to this vulnerability.
According to Mac security firm Intego, MAC Defender reaches Mac users primarily through "SEO poisoning attacks," in which web sites carrying malicious code use search-optimization tricks to rank at the top of search results. A user who clicks on a poisoned search result is sent to a site that shows a fake scanning screen and a fake malware scan, after which it tells the user that the computer is infected.
A Variant: MacGuard
If the user proceeds with installation, MAC Defender launches. Intego describes the application as "very well designed," with a professional look, a number of different screens, attractive buttons, and correct spelling.
Once installed, MAC Defender indicates the computer is infected and opens web pages for pornographic sites every few minutes. To counter the "virus," the user is prompted to buy MAC Defender's "antivirus" protection service.
After a credit-card number has been entered on a license-purchasing page, the "virus" warnings stop. But there is no service, and the user has just handed the malware authors his or her credit-card details.
Intego recommends not installing the application in the first place, of course, and unchecking the "Open safe files after downloading" option in Safari (or the equivalent setting in other browsers).
A variant of MAC Defender, called MacGuard, has also been reported. Its installer places the application in the user's own Applications folder (the one inside the home directory), which requires no administrator password, rather than in the system-wide Applications folder.
If Safari is set to open "safe" files automatically after download, the malware's installer launches on its own. Otherwise the user sees a downloaded ZIP archive and may double-click it to see what is inside, which leads to the installer.
Mike Kent also contributed to this story.