The OSX.MacDefender.A definition has been added to the OS X File Quarantine database, which means if a user downloads the malware, it will automatically pop up a dialog warning the user that the file will damage your computer, and provide an option to delete the file. The update also allows Apple to automatically update the known malware definitions list through daily updates. Users can opt out of this feature in Security Preferences, shown below.

The security update also automatically searches for and removes Mac Defender and its known variants upon install. If it detects the malware in your system, it will notify you once the update is installed.

It’s great to see Apple getting out ahead of this malware threat before it really gets out of hand, but as always, the first step to protecting your computer starts with you. Don’t ever install something when you’re not sure that it comes from trustworthy origins, and remember that if a website is telling you you’re infected without you having asked to begin with, it’s a safe bet that it’s not a genuine report.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• The Case for Increased M&A in 2011: Actions and Outlooks
• The Structure 50: The Top 50 Cloud Innovators
• California’s New Energy Data Privacy Rules: Some Answers, Many Questions

Before the release of the support note yesterday, it was reported by ZDNet’s Ed Bott that Apple support staff on the phone were indicating that they couldn’t provide instructions for dealing with specific instances of malware. The fix is not overly complicated, but explaining it individually over the phone to every affected customer would tie up a lot of customer service agents, and it could set a dangerous precedent for the future treatment of such situations.

The article promises that “Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants,” and that the update will arrive “in the coming days.” Users will also receive an explicit warning notification if they happen to download this malware once the update is installed.

The step-by-step instructions for removing the Mac Defender malware involve using Activity Monitor to kill all running instances of the program and its equivalents (MacProtector, MacSecurity), then dragging the applications to the Trash, and finally, emptying the Trash. Apple also provides instructions for removing the malware’s login item, though the login item is no longer a threat once the application is removed from your system.

Glad to see Apple responding to the valid security concerns of its users. Let’s hope this isn’t the just beginning of the Mac’s serious malware woes.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• The Structure 50: The Top 50 Cloud Innovators
• Connected Consumer Q1: The Over-the-Top vs. Pay TV Battle Heats Up
• Smart Grid Apps: Six Trends That Will Shape Grid Evolution

A partial screen from Mac Defender: Not something you want to see on your Mac.

Although there has been scattered mac malware in the past, most malware to date have been proofs of concept or have piggybacked on illegal downloads. New malware program Mac Defender is a brilliant piece of social engineering that plays on fear of viruses and convinces the owner to pay money for removal of non-existent problems. Although Microsoft and PC manufacturers will help owners with malware problems (sometimes for an additional charge), AppleCare techs and Geniuses are currently refusing to assist or even acknowledge the problem according to reports. There’s actually a very logical justification for this.

It’s not about denying that Mac malware exists altogether. Apple has never actually denied that Macs get malware, but it hasn’t ever really sounded the alarm bell, either. Apple did include a copy of the anti-virus app Virex with .Mac subscriptions up until June of 2005, however. Apple in the past has also suggested anti-malware software, but now touts the Mac’s immunity to PC-based malware thanks to Snow Leopard’s robust security, stating only that “antivirus software may offer additional protection.” They do include some protection each time an OS update comes out, by patching any exploits previous malware took advantage of.

Mac Defender’s (a.k.a. MacProtector, but not to be confused with MacKeeper, which is a legitimate program) attack vector is unique on the Mac platform. While Windows users are familiar with fake programs that claim your computer is infected and then offer to remove said infection, Mac Defender’s reach will grow exponentially because Mac users aren’t as used to that strategy. While Apple can build in protection against this in the next software update, the success of MacDefender will serve as an example for the next slew of threats on the Mac.

Yes, the technically savvy are unlikely to fall for such threats. However, a large number of Mac users aren’t always technically savvy enough to read blogs and support forums. These are the customers more likely to call AppleCare and Apple Geniuses when they have technical problems rather than solve it themselves. Since Mac Defender is extremely easy to remove, reps are spending more time explaining why they can’t help users with malware rather than just explaining how to remove it.

Apple’s blind eye in this case is less about resource allocation in the short-term, and more about promoting the App Store as a safe software distribution channel so as to avoid a compounding of the time cost problem in the future. There’s some evidence that in a few cases, the Mac App Store can actually make Macs more vulnerable to attack, but so far that only applies with Opera, which is a web browser, and therefore susceptible to unique vectors of attack.

If consumers fear the threat of rogue software infecting their Macs, they can either buy the line of anti-virus makers and install protection that they then have to manage and invest in themselves, or they can take refuge behind the protective walls of Apple’s Mac App Store. Independent developers who’d rather deal directly with customers than go through Apple’s marketplace may not like the idea, but customers who to take Mac security for granted will increasingly use the App Store to avoid headaches like those provided by Mac Defender.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• The Structure 50: The Top 50 Cloud Innovators
• California’s New Energy Data Privacy Rules: Some Answers, Many Questions
• Players and Strategies for Real-Time In-Stream Advertising

The iPad has been a pretty big success so far, especially for a category-busting product. But investors and Apple users aren’t the only ones to have taken note of the product’s success. The iPad is now being used as scam bait to sucker in people who might not be that familiar with the warning signs of internet scams, which, not coincidentally, is just who the iPad seems directed at as a device.

So far, the scam only works on Windows PCs, but even if you’re a Mac-using iPad owner, make sure any friends and relatives using the other platform are aware of the ruse. Basically, you get an email telling you that iTunes needs to be updated in order to update your iPad device, and provides a link to the software in question.

Of course, instead of taking you to some kind of iTunes download, the link instead opens up a direct line to their sensitive information, if accessed via a PC. Specifically, the malware in question is Backdoor.Bifrose.AADY, which uses Internet Explorer to open a back door on your system and look around for software serial numbers and login data, including usernames and passwords for various sites.

People on Macs or other Apple platforms, like the iPad and iPhone, won’t be affected at all by following the link, but obviously it’s never a good idea to open suspicious links in emails in case that changes in future versions of the scam.

At least for now, the iPad itself hasn’t been a target for hackers and/or malicious code. Apple’s securely locked down content distribution system in the form of the App Store really helps things there, but it’s only a matter of time before it becomes a target in a big way, and this attack is the first sign of why that’s a dangerous prospect. You’ve no doubt seen the articles about people picking up the iPad as their first ever computer. That category of user is the ideal candidate for malicious software, since they’ve yet to experience the nasty side of the Internet and don’t have any built-in defenses against these types of scams.

The iPad is raising Apple’s profile, and that means trouble for those uneducated about Internet security risks. It could also mean problems for all Mac users in the long run, as the iPad draws more people to OS X in the same way the iPod and iPhone did before it. But for now, it’s still the most secure platform around, so enjoy it while it lasts.

It looks like we’re getting close to the official release of 10.6.3, the latest update to Mac OS X Snow Leopard — and, from what we’re hearing on the developer grapevine, it might prove to be the most extensive Snow Leopard update yet.

TUAW reported on Friday that the latest build of 10.6.3 (known as 10D572, for those of you paying obsessively-close attention) was seeded to developers only two days after a previous build. Typically, ever-shortening intervals between build seeds indicates imminent release to the public. TUAW describes the latest build as focusing on “Graphics Drivers, Quicktime, Images & Photos, Mail, and Security Certificates.”

Oh, what’s that? Want more details? OK, here’s the full rundown of features and fixes we can expect in 10.6.3;

• Compatibility issues with OpenGL-based applications
• Performance improvements for 64-bit Logic
• Changes to QuickTime X that increase reliability and improve compatibility and security
• Printing reliability and compatibility with third-party printers
• Issues resolved that prevented files from copying to Windows shares
• Issues resolved with recurring events in iCal when connected to an Exchange server
• Issues resolved that prevented files with the “#” or “&” symbols in their names from opening in Rosetta
• Issues addressed that caused background message colors to display incorrectly in Mail when scrolling
• Issue resolved that caused machines using BTMM and the Bonjour Sleep Proxy to wake unexpectedly

OK, as far as lists go, this one’s not not very exciting, I know. But, what if you fired-up Software Update and were offered the latest pre-release version of 10.6.3? Would that excite you?

Update Snafu

According to TUAW’s Michael Grothaus, this is exactly what happened to one Mac owner last week. They don’t name him, probably to save him the email-avalanche from other Mac owners — not to mention the inevitable Cease & Desist order from Apple (you just know Apple would bully the poor chap into silence, right?) but they do offer up this tantalizing screengrab of the autoupdate snafu:

Image courtesy of TUAW

Grothaus writes that the update “…weighs in at a whopping 1.19GB” and, at that size, I’m happy to wait until Apple has finished tweaking (and trimming) the code!

Security

But the thing I’m most interested in is whether 10.6.3 addresses the alleged boat-load of security exploits identified by hacker extraordinaire and security expert Charlie Miller. At this week’s CanSecWest security conference, Miller will discuss how he discovered them (all 20 of them) via a process known as ‘fuzzing’. His presentation is subtitled “An analysis of fuzzing 4 products with 5 lines of Python” and, according to security website h-online.com, those 4 products are all made by Apple;

In cracking competitions, it is regularly the Apple systems which are cracked first by attackers. Miller has argued for some time that Mac OS X is among the comparatively insecure operating systems. Apple users are currently “safer, but less secure.

“Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town.”

Miller said that the 20 exploits are all contained in closed-source Apple products, but pointed out that exploits could be found throughout Mac OS X due to bugs in many popular applications from different vendors;

OS X has a large attack surface consisting of open source components (i.e. webkit, libz, etc), closed source 3rd party components (Flash), and closed source Apple components (Preview, mdnsresponder, etc). Bugs in any of these types of components can lead to remote compromise.

Sooner, Not Later

It seems not a keynote goes by without Steve Jobs showing us one of his shareholder-and-media-friendly line charts illustrating Macintosh sales. You know the ones, always trending up-and-to-the-right. Apple is clearly proud the Mac is selling better than ever (in a conference call in late 2009, Apple announced that, for 19 out of the previous 20 quarters, the Mac grew faster than the rest of the market!)

Statements from Apple regarding sales are always kinda tricky; they’re usually vague enough to allow pretty much any positive interpretation but, for the most part, we can at least agree that the Mac has been enjoying fantastic growth. The old days of ‘security by obscurity’ are drawing to a close. Sooner, not later, Mac-specific malware will come. (You know, the real malware of Windows-exploit proportions!)

Miller says that “… in their minds, [Mac owners] don’t have a security problem until it affects their bottom line, which hasn’t been the case, yet.” And that ‘yet’ is the real issue here. Mac OS X 10.6.3 probably addresses some vulnerabilities — we can expect at least that much — but I wonder how obsessively Apple focuses on the security of its venerable OS, and, whatever its actual efforts, is it enough? Can Apple do what Microsoft still struggles to produce; a user-friendly, user-proof OS that isn’t riddled with vulnerabilities?

Every update to Mac OS X reminds me that the days of security-indifference amongst Mac owners are well and truly numbered.

Tell me I’m worried for no good reason, or scream at me and call me a moron for not already using security software, in the comments below.

Hopefully many heeded that warning, since now a new virus has surfaced that uses the same M.O. as ikee, but that has a much more malicious intent and effect. Specifically, the new malware mines personal data from your device, using the very same exploit ikee revealed earlier in the week.

The new worm, dubbed “iPhone/Privacy.A” by digital security firm Intego, affects only jailbroken iPhones, and grabs things from your device like address book contacts, text messages, photos, music, video, calendar entries and email messages. Basically, almost anywhere it can look for sensitive data, it will. The virus doesn’t seem to be able to access information stored by other applications on your iPhone, like password managers, but if you’re affected, the only safe course of action is a full wipe and restore.

Theoretically, according to iPhone security researcher Charlie Miller speaking to Computerworld, attacks based on the same exploit could do more than just mine data. Running up your phone bill, sending out bulk text messages and spamming your contacts are all well within the realm of possibility. Miller goes on to describe how easy it would be for a hacker to infect a device:

This could easily be installed on a computer on display in a retail store, which could then scan all iPhones that pass within the reach of its network. Or a hacker could sit in an Internet café and let his computer scan all iPhones that come within the range of the Wi-Fi network in search of data.

In order to secure your device against this kind of attack, there are a few options. First, change the default SSH password if you haven’t already. So far, that appears to be the easiest way to foil attempts to infiltrate your jailbroken device. The best way to prevent this and any kind of future attack along the same lines, however, is to not jailbreak your device in the first place, or to restore it to factory settings if you’ve already jailbroken. Of course, for many who use their devices with carriers who don’t officially offer the iPhone, that isn’t an option.

Miller suggested that Apple may want to consider re-engineering its security measures to account for jailbroken devices, but as that would mean tacitly acknowledging and even accepting a practice it stridently disapproves of, I think the best bet for jailbreakers is just to shut down all SSH access, if possible.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Mobile Q4: All Eyes Were on Android, 4G and the Rising Tablet Tide
• Report: A Mobile Video Market Overview
• In Q3, the Tablet and 4G Were the Big Stories

ZDNet.com reports that a group called the “Partnerka,” which consists of Russian spam and malware affiliates, have begun to focus on the Mac. Their tactics involve using social engineering tricks (read: preying on human weakness) to install fake codecs and scareware programs (the kind that pressure you into installing and paying for bogus single purpose anti-malware software).

The plans and methods of the “Partnerka” were revealed at the Virus Bulletin Conference 2009, where Sophos Labs researcher Dmitry Samosseikko talked about a site called Mac-codec.com which has since been taken down, that offered a bounty of 43 cents for each successful installation of malicious software on a Mac computer. According to Samosseikko, that’s a high price, and indicates that the Mac malware game is becoming more attractive to online crime organizations.

Even though the site is gone, the threat is not. These malware schemes work because they offer something many Mac users might be looking for. Partnerka’s Mac-codec.com was offering video players and fake video codecs that attempt to draw in people trying to playback video they’ve downloaded somewhere on the web. Previous DNS-changing trojan malware attempts depended on porn video lures.

Focus on the Mac platform might be growing for online criminals, but most malware plots still require you to make the first move. To help protect yourself from fake and harmful codecs, use Perian and VLC, and if your video still won’t play back, just give up altogether. No video content is worth the theft of your private data, after all.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Why iPad 2 Will Lead Consumers Into the Post-PC Era
• The Near-Term Evolution of Social Commerce
• What Google’s Honeycomb Means for Apple and Microsoft

Not that any TheAppleBlog readers would ever try to acquire software in a less-than-legal manner, but just in case you know someone who would, tell them to watch out for web sites claiming to bear Snow Leopard gifts.

Like the Adobe Photoshop CS4 and iWork ’09 before it, Snow Leopard now has a super-special malware edition floating around the web. It’s a classic software honeypot scheme: You find a site advertising a free Snow Leopard upgrade, download a disk image file (.DMG), and it unleashes its trojan payload.

Trend Micro is advising folks to avoid any and all sites advertising free Snow Leopard upgrades, since what you actually get is a new variant of the DNS charger trojan known as OSX_JAHLAV.K. The Apple-specific malware, once it makes itself at home on your computer, will redirect your Internet browser to phishing sites and malware-infected web sites. OSX_JAHLAV.K has a particularly nasty trick up its sleeve — it sends you to a site that advertises fake antivirus software that will notify you that you have an infection until you pay to register and have it removed.

Trend Micro’s advice is to pick up its Smart Surfing for Mac malicious URL-blocking software, which will cost you $50 a year in subscription fees. My advice is to think long and hard about how much you’re willing to pay down the road just to avoid spending $29 upfront for the 10.6 upgrade.

No doubt this will give antivirus companies cause to raise the red flags once more, and spout on about how the end is nigh for the days of OS X being the secure choice, but as before, smart browsing and downloading policies are still your best bet for a happy, safe Mac.

Photo courtesy of Flickr user Darcy McCarty.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Why iPad 2 Will Lead Consumers Into the Post-PC Era
• The Near-Term Evolution of Social Commerce
• Content Farms: The Players, The Benefits, The Risks

The Knowledgebase Article makes it sound as potentially bad as it is.

Impact: Receiving a maliciously crafted SMS message may lead to an unexpected service interruption or arbitrary code execution

Description: A memory corruption issue exists in the decoding of SMS messages. Receiving a maliciously crafted SMS message may lead to an unexpected service interruption or arbitrary code execution. This update addresses the issue through improved error handling. Credit to Charlie Miller of Independent Security Evaluators, and Collin Mulliner of Fraunhofer SIT for reporting this issue.

All iPhones were vulnerable to attack, regardless of OS version. The only defense from having your personality rewritten or being possessed by a ghost was to shut the phone off, which was hardly practicable. While it’s always nice to see Apple give credit to the those who discover an exploit, it’s unfortunate it took the researchers going public to get the company to move on this issue.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Mobile Q4: All Eyes Were on Android, 4G and the Rising Tablet Tide
• Report: A Mobile Video Market Overview
• In Q3, the Tablet and 4G Were the Big Stories

Intego has come up with a creative solution to one of those two remaining problems with VirusBarrier X5 10.5.3, their award winning virus scanner for OS X 10.4 & 10.5. Virus barrier has all of the traditional, crunchy goodness of system virus scanners, including real-time/on-demand scanning, heuristic/behavioral analysis, quarantine & trusted zones, event-based & scriptable scanning and the ability to detect & eliminate Windows viruses (very handy for BootCamp users). VirusBarrier can also integrate with your e-mail workflow and scan mail before you send and/or as you receive messages. The product developers realized just how vulnerable users of the iPhone are and came up with a creative way for their product to protect these new mobile devices as well.

iPhone Scanning

NOTE: You can give this a try yourself via Intego’s free demo

After installing VirusBarrier X5, you can select a connected iPhone via the scan target chooser:

The scanner will connect to your phone and begin copying files to your local system (where the software can scan them):

A significant caveat is that your phone will reboot during this process, so pick a time when you can be incommunicato. The scanner worked quickly during my test, so this should not be a real problem.

I asked the Intego developers what prompted them to add the iPhone to the feature set of VirusBarrier and they said that with the new ability to install applications (that can then create or obtain files) the device is now open to attack and that “ddditionally, users ‘jailbreaking’ (unlocking) an iPhone can install even more applications, increasing this risk of malware and infected files.”

The developers also pointed out that “there are a number of known vulnerabilities for the iPhone,
which leave the device open to remote attack. We [Intego] do not publish a list of such vulnerabilities, but you can find some of them listed here.”

The Future Of Onboard Scanning

The iPhone SDK does not allow applications to be written that operate as background tasks nor does it allow access to protected areas of the filesystem. Applications can access the Documents folders of each other, and this means that the future of onboard virus scanning may be relegated to on-demand-only scheduling of third-party application areas. If Apple is serious about gaining a foothold in the enterprise, they should work closely with developers like Intego to find a way to provide a more robust interface for these types of services.

Win A Chance To Be Secure!

Intego has provided TAB with 20 copies of VirusBarrier X5 and 20 copies of Personal Backup X5 to give away to our readers. Just post a comment (with your real e-mail address) by midnight (PST) Wednesday (August 27) indicating which one you’d like (one comment per-person, per-product) and we’ll do a random drawing and announce the winners Thursday.

Also, if you are a VirusBarrier user, drop us a note in the comments with your experiences.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Mobile Q4: All Eyes Were on Android, 4G and the Rising Tablet Tide
• Report: A Mobile Video Market Overview
• In Q3, the Tablet and 4G Were the Big Stories

To answer the “do we really need security tools for OS X?” question in a slightly different way than you’ve seen from many technology pundits, I’d like to turn your attention to utility called rkhunter or “rootkit hunter”. As most TAB readers should know by now, OS X has it’s origins in Unix (the “darwin” base comes from FreeBSD), and most folks believe *nix variants (linux, FreeBSD, Solaris, etc) to be extremely secure, free of the problems that plague those sad, sad Windows users. If you fall into that camp, please take a moment and browse the Secunia FreeBSD 5.x artchives. Secunia reports show over 91 vulnerabilities, with critical ones impacting core services such as file sharing and remote access. This should not be surprising since Unix systems have been favorite targets for hackers as they provide such a powerful base to launch further exploits. One of the more gnarly hacks is the installation of a rootkit – a program that can take surreptitious control of your system. And, guess what: your Mac OS X workstation/server is susceptible to rootkits just like any other Unix system, even with Leopeard’s enhanced security features. How can you fight something you can’t even see? You need a tool to help. Modern anti-virus products can and usually do cover rootkits, but the rkhunter tool may cover additional rootkits and may update rootkit signatures more frequently than a traditional vendor.

I wouldn’t recommend trying to get rkhunter installed on your Mac since it will require some enhanced Terminal-fu. Thankfully, Christian Hornung understood the need for such a tool and built a wrapper for it called (surprisingly enough), OS X Rootkit Hunter [dmg], complete with installer. After installing the package, navigate to Applications->OSXrkhnter and run the “Rootkit Hunter” app.

It’s good practice to update the rootkit database (similar to a virus engine DAT update) before each scan since there may be new rootkit signatures from new or altered exploits. When you start the scan, you will see a password dialog – just as you would with any operation that requires additional privileges to run – since OS X Rootkit Hunter needs to look in places your normal account user account cannot. You will also see Terminal windows displaying a running report of what rkhunter has or has not found (since this front-end does not free you from all the gory details of what lies beneath Aqua).

While you can download and run OS X Rootkit Hunter, I would strongly suggest that less technical users obtain one of the commercially available malware scanners since the output from OS X Rootkit Hunter can be a bit daunting. The presence and history of this tool should be enough justification for the need to run security software on your systems.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Why iPad 2 Will Lead Consumers Into the Post-PC Era
• The Near-Term Evolution of Social Commerce
• Content Farms: The Players, The Benefits, The Risks

The software purports to be an Ad Aware-type application (that’s a Windows product) and manages to always find a problem on each scan. Freeing your system from those evil discoveries will cost you, though, and the software is almost impossible to remove. While long-time OS X users will probably not be enticed to run such software (since they “know Macs are so secure”…right), recent Windows converts are used to having to run these types of programs on almost a daily basis and are much more likely to fall prey to this attack vector.

Perhaps the saddest part of this discovery is what the F-Secure researcher heard when talking with a journalist:

“I visited the macsweeper.com website. I know I probably shouldn’t have but I used a Windows PC so I knew I wouldn’t get infected.”

Ouch.

Remember to always double-check the reputation of a company and a piece of software before downloading/installing and make sure you are running with some type of anti-virus program since we can expect more reports of these types of rogue Mac applications as the year progresses.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Why iPad 2 Will Lead Consumers Into the Post-PC Era
• The Near-Term Evolution of Social Commerce
• Content Farms: The Players, The Benefits, The Risks