Apple strikes back at newest Mac scareware

Updates Snow Leopard to spot Wednesday's fake security software variant

Apple on Wednesday updated the malware engine included with Snow Leopard to detect the newest version of MacDefender, the fake antivirus program that's plagued users for the last month.

The update was the latest in what researchers have called a cat-and-mouse game between Apple and the cyber criminals shilling bogus security software.

Apple updated XProtect, the bare bones anti-malware tool tucked into Mac OS X 10.6, aka Snow Leopard, shortly after 2 p.m. PT Wednesday, to detect what the company tagged as "OSX.MacDefender.C."

Today, French security company Intego and U.K.-based Sophos confirmed that yesterday's update by Apple successfully warns users when they download the latest variant of MacDefender.

That variant appeared early Wednesday, Pacific time, when the gang responsible for MacDefender rushed out a new edition that evaded detection.

Apple initially updated Snow Leopard on Tuesday with signatures to sniff out two previous versions of the "scareware" and to provide users a tool that scrubbed infected Macs of the phony software.

Also called "rogueware," scareware is bogus security software that claims a computer is heavily infected with worms, viruses, Trojan horses and the like. Once installed, the worthless program nags users with pervasive pop-ups and fake alerts until they fork over a fee. MacDefender, the first scareware to target Macs, demands $60 to $80 to stop bothering victims.

Intego first reported MacDefender in early May, but since then several variants have appeared, all with different names but only minor code changes. The most recent title of the scare is "MacGuard," which is delivered via a downloader that installs without requiring a user's administrator password.

Researchers had wondered how quickly Apple would react to the new variant, and applauded Apple's pace. But one warned that Apple had a tough row to hoe.

"If the bad guys can continually mutate the download, XProtect will not detect it," Chet Wisniewski, a security researcher with Sophos, noted in a blog post today.

Wisniewski also said that the scareware group was outsourcing its attacks by paying criminal affiliates to distribute MacDefender and its ilk. [They're] recruit[ing] other people to perform black-hat SEO [search engine optimization], infect Web pages and post blog spam, and assign each one a unique affiliate ID," said Wisniewski. "This allows the criminals to track which affiliate referred the victim and pay them a commission upon purchase of the fake software, enabling the criminals to cast a much wider net."

Because Snow Leopard's XProtect component pings Apple's servers only once each day, and because not every Mac reaches out for signature updates simultaneously, some users may have received the MacDefender.C fingerprint while others have not.

To manually force an update, users can clear the box marked "Automatically update safe downloads list" in the Security section of their Mac's Preferences, then check the box again.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.

Read more about security in Computerworld's Security Topic Center.

Tags sophosAppleMac OSsecuritysoftwareIntegooperating systemsMalware and Vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?