Mac scareware gang evades Apple's new anti-malware defenses

Gregg Keizer | June 1, 2011
Within hours of Apple's security fix, new fake security scam appears.

It seems that they've done the latter, which, in James' eyes, wasn't that difficult.

"Apple's defense is signature-based," said James, talking about the antivirus tactic that relies on individual "fingerprints" of each piece of malware for detection. "Part of the new variant's code is the same, but part of it is different."

It's different enough that Apple's MacDefender signature wasn't able to spot the new version.

"This is why you need detection that's not based on a single method," James argued, as he pitched Intego's VirusBarrier X6 antivirus software, which, like most security software, uses generic signatures able to detect minor variations in malware code without requiring a new fingerprint.
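The contrast James draws, a per-sample fingerprint versus a generic signature with wildcards over the parts a variant is likely to change, as an added illustration that is not code from the article, Apple or Intego. The byte strings are constructed stand-ins, not real MacDefender code, and the signature formats are simplified assumptions.

```python
import hashlib
import re

# Constructed samples standing in for a scareware binary and a re-released variant.
# Only the product name differs between them, mirroring "part is the same, part is different".
ORIGINAL = b"\x55\x89\xe5MacDefender\x00install-scan\x00\xc3"
VARIANT = b"\x55\x89\xe5MacSecurity\x00install-scan\x00\xc3"
BENIGN = b"\x55\x89\xe5hello-world\x00"

def exact_signature(sample: bytes) -> str:
    """A whole-file fingerprint: the narrowest kind of signature a definition can carry."""
    return hashlib.sha256(sample).hexdigest()

def matches_exact(sample: bytes, known_hashes: set) -> bool:
    """True only if this exact byte-for-byte sample is already in the definitions."""
    return exact_signature(sample) in known_hashes

# Generic signature (assumed format): fixed prologue bytes, a wildcard span for the
# name the gang keeps changing, then the shared payload string that stays constant.
GENERIC = re.compile(rb"\x55\x89\xe5.{8,16}\x00install-scan\x00\xc3", re.DOTALL)

def matches_generic(sample: bytes, pattern: re.Pattern = GENERIC) -> bool:
    """True if the invariant parts are present, whatever sits in the wildcard span."""
    return pattern.search(sample) is not None

def classify(sample: bytes, known_hashes: set) -> str:
    """Report which detection layer, if any, caught the sample."""
    if matches_exact(sample, known_hashes):
        return "exact"
    if matches_generic(sample):
        return "generic"
    return "miss"

if __name__ == "__main__":
    definitions = {exact_signature(ORIGINAL)}  # what a one-sample fingerprint update contains
    for name, blob in (("original", ORIGINAL), ("variant", VARIANT), ("benign", BENIGN)):
        print(f"{name}: {classify(blob, definitions)}")
```

The variant slips past the fingerprint set yet still hits the generic pattern, which is exactly the gap the new MacDefender release exploited and the layered approach James describes is meant to close.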

The update that Apple pushed to Snow Leopard users Tuesday also increased the frequency with which the operating system checks for new definitions: by default, Mac OS X 10.6 will now look for new malware signatures daily.

How fast Apple reacts to the new MacDefender will show the company's commitment to stamping out scareware, said James.

"We don't know how reactive Apple will be," said James. "This will be the real litmus test.... How long is it going to take Apple to update [Snow Leopard with] a new signature?"

The timing of the newest version's release suggested that Microsoft, which previously linked MacDefender with a group responsible for a fast-spreading Windows fake antivirus scam, was on the right track. Microsoft had pointed to evidence that the gang was based in Russia.

"It suggests that they're not in the States," said James, noting that Apple updated Snow Leopard around 6 p.m. ET Tuesday, or midnight in France, where Intego is headquartered, and about 2 a.m. Wednesday in Moscow.

"They would have had a full day to get this up," James said of the new version's appearance in the early evening today, Moscow time. "It makes more sense that they're on this side of the Atlantic."

Apple's update was offered only to customers running Snow Leopard; Macs powered by the older Mac OS X 10.5, known as Leopard, will not receive the same anti-MacDefender protections.

According to Web metrics company Net Applications, nearly a third of Mac users -- 31% to be exact -- run a version of Mac OS other than Snow Leopard.
