Thursday, June 2, 2011

Apple to Malware Authors: Tag, you're It!

Via (Sophos) -

Last night the malware authors behind the Mac Guard fake anti-virus changed their methods again to bypass the updates Apple released yesterday afternoon to protect OS X Snow Leopard users. Apple fired back shortly after 2 p.m. Pacific Daylight Time today with a new update to XProtect. Computers that have Apple update 2011-003 for Snow Leopard now check for updates every 24 hours.

As the cat-and-mouse game continues it will be interesting to see how the attackers proceed. The major change to bypass Apple's detection yesterday was to use a small downloader program to do the initial infection, then have that program retrieve the actual malware payload.

This approach may be successful as it will be easier for the malware authors to continually make small changes to the downloader program to evade detection while leaving the fake anti-virus program largely unchanged.

Why is this important? Apple's XProtect is not a full anti-virus product with on-access scanning. XProtect only scans files that are marked by browsers and other tools as having been downloaded from the internet.

If the bad guys can continually mutate the download, XProtect will not detect it and will not scan the files downloaded by this retrieval program. Additionally, XProtect is a very rudimentary signature-based scanner that cannot handle sophisticated generic update definitions.


These criminals behind the FakeAV scams are rapidly adapting in order to protect a real revenue stream, so it is highly unlikely they will walk away without a serious fight.

Apple is allowing itself to be pulled into a cat-and-mouse game of malicious whack-a-mole, a game which highlights the well-known weakness of pure signature-based detection. This is a lesson AV companies learned long ago.

Apple's XProtect isn't up for the battle, and in short order updates every 24 hours won't be enough: a full-time scanning solution will be needed. Enter on-access AV on Apple.
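The gap described above, that XProtect examines only files carrying the browser's "downloaded from the internet" mark (the com.apple.quarantine extended attribute), can be checked from the defender's side: anything a second-stage downloader writes to disk without that attribute is never presented to XProtect. This is an added example, not code from Sophos or Apple; it assumes the attribute value is laid out as flags;hex-seconds;agent;uuid, and the sample paths and values are constructed.

```python
import subprocess
from datetime import datetime, timezone

QUARANTINE_ATTR = "com.apple.quarantine"

def parse_quarantine(value):
    """Split a com.apple.quarantine value into its fields.

    Assumed layout: "flags;hex-seconds-since-epoch;agent;uuid",
    e.g. "0081;4de7f2a0;Safari;<uuid>". Returns None if it does not fit.
    """
    parts = value.strip().split(";")
    if len(parts) < 3:
        return None
    try:
        flags = int(parts[0], 16)
        stamped = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    except ValueError:
        return None
    return {"flags": flags, "downloaded_at": stamped, "agent": parts[2],
            "uuid": parts[3] if len(parts) > 3 else ""}

def read_quarantine(path):
    """Read the attribute with the macOS `xattr` tool; None if absent or tool missing."""
    try:
        out = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.strip() or None

def audit(entries):
    """entries: iterable of (path, attribute value or None).
    Returns (flagged, unflagged): files XProtect would examine, and files it skips."""
    flagged, unflagged = [], []
    for path, value in entries:
        parsed = parse_quarantine(value) if value else None
        (flagged if parsed else unflagged).append((path, parsed))
    return flagged, unflagged

# Constructed sample: a browser download carries the mark; a payload written by a
# second-stage downloader program does not, so XProtect never looks at it.
SAMPLE = [
    ("/Users/demo/Downloads/installer.pkg",
     "0081;4de7f2a0;Safari;7A0E2C11-3F5B-4D62-9C8E-0B1A2C3D4E5F"),
    ("/Users/demo/Library/Application Support/fetched/payload", None),
]

if __name__ == "__main__":
    flagged, unflagged = audit(SAMPLE)
    for path, info in flagged:
        print("quarantined:", path, info["agent"], info["downloaded_at"].isoformat())
    for path, _ in unflagged:
        print("NOT quarantined (XProtect would skip):", path)
```

On a real machine, feed `audit` with `(path, read_quarantine(path))` pairs for recently created executables instead of the constructed SAMPLE list.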
