Apple cracks down on MacDefender, prevents malware downloads with daily quarantine list

Discussion in 'iDevice News' started by ps32412, Jun 1, 2011.

  1. ps32412

    Apple cracks down on MacDefender, prevents malware downloads with daily quarantine list

    Preconceptions aside, Apple products do occasionally spread viruses, and not just the biological kind, which is why Cupertino saw fit to equip Mac OS X 10.6 Snow Leopard with a quarantine function to safely set malware aside. This week, however, Apple's kicking those digital white blood cells into high gear, updating that quarantine list daily with a new background process. The company's primarily got its crosshairs on the recent MacDefender scare, of course, but on the off-chance malware starts coming out of the woodwork, it sounds like you won't have to wait for a formal security update to be forewarned of the dangers. If privacy's your primary concern, however, you can also opt-out -- take a gander at our source links to see how it's done.

    (Org Source)

    Summary

    "Malware" is an abbreviated term for malicious software. Malware includes viruses, worms, trojan horses, and other types of software that can damage the software on your system or violate your privacy. Malware can be installed on your computer when you download content or applications from the Internet, via email, text messaging, or websites. Mac OS X v10.6 Snow Leopard checks for known malware and alerts you so that you do not accidentally install it on your system.

    Products Affected

    Mac OS X Server 10.6, Mac OS X 10.6, Product Security

    Files downloaded via applications such as Safari, iChat, and Mail are checked for safety at the time that they are opened. If a file is identified as containing known malware, the system will display a dialog that alerts you to move it to the Trash. You should empty the Trash to finalize the removal of the file.
    Apple maintains a list of known malicious software that is used during the safe download check to determine if a file contains malicious software. The list is stored locally, and with Security Update 2011-003 is updated daily by a background process.
    If you do not wish to receive these updates, you can disable daily update by unchecking "Automatically update safe downloads list" in the Security pane, in System Preferences. This option appears in Security preferences after Security Update 2011-003 is installed.

    Security Update 2011-003 provides additional protection by checking for the MacDefender malware and its known variants. If MacDefender malware is found, the system will quit this malware, delete any persistent files, and correct any modifications made to configuration or login files. After MacDefender is identified and removed, the message below will be displayed the next time an administrator account logs in.
    **************************************************************************************************
    NEW Story Development

    New Variant of 'Mac Defender' Quickly Evades Apple's Security Update as Cat-and-Mouse Game Begins

    Wednesday June 1, 2011 9:26 am PDT by Eric Slivka
    As we noted yesterday, Apple released Security Update 2011-003 for Mac OS X Snow Leopard, a system update addressing the "Mac Defender" malware threat that has been running in the wild under several different variants for the past month. The update provides tools for automatically removing the malware, as well as protection against future infections. But as reported by ZDNet, a new variant of the malware capable of circumventing Apple's update has already appeared, popping up within hours of Apple's software release.
    Hours after Apple released this update and the initial set of definitions, a new variation of Mac Defender is in the wild. This one has a new name, Mdinstall.pkg, and it has been specifically formulated to skate past Apple's malware-blocking code.

    The file has a date and time stamp from last night at 9:24PM Pacific time. That's less than 8 hours after Apple's security update was released.
    Apple has prepared for this eventuality by including automatic daily updates of malware definitions with the software update, enabling it to quickly deploy protection as new variants and entirely different pieces of malware surface. Consequently, Apple should be able to respond to the new threat relatively quickly, although the speed with which the new variant appeared suggests that those responsible for the malware will not be going away easily.

    ****************************************************************************************************

    Apple Responds Quickly to Evolving 'Mac Defender' Threat With Updated Malware Definitions

    Thursday June 2, 2011 6:11 am PDT by Eric Slivka
    Yesterday, we noted that the attackers behind the "Mac Defender" malware had moved quickly to combat Apple's new security update, within hours releasing a new variant of the malware that was capable of skirting around Apple's new protection.

    Xprotect.plist before (left) and after (right) latest update to address new Mac Defender variant
    Fortunately for users, Apple has moved almost as quickly as the attackers, quashing any potential fears that the company might be slow to respond to each new threat that appears. As reported by Italian site Spider-Mac [Google translation], Apple has already issued an update to detect the new variant, pushing out a new entry for "OSX.MacDefender.C" to the Xprotect.plist file that contains the signatures for identifying malware.

    After the update, users are indeed presented with a warning if they begin to download the latest variant:

    As part of the security update earlier this week, Apple included a system to automatically update the Xprotect.plist anti-malware definitions every 24 hours, giving the company the ability to quickly push out new protection for Mac OS X Snow Leopard users. While this is unlikely to be the end of the Mac Defender attackers' efforts, it does appear that Apple is committed to responding and issuing updates to its users as quickly as the attackers can churn out new variants.
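The articles above describe XProtect.plist as a locally stored list of signatures that the daily background update extends (the "OSX.MacDefender.C" entry being the one pushed for the Mdinstall.pkg variant). The following is an added example, not Apple's code: it models how such a list is consumed by hashing a downloaded file and looking the digest up in the list, and diffs a "before" and "after" list to show what an update added. The plist layout (Description / Matches / MatchType / Identity keys) is an assumption modelled on the 2011-era format, and every file and hash is constructed for the demonstration.

```python
import hashlib
import plistlib

# Constructed stand-ins for downloaded files; none of this is real malware.
SAMPLE_FILES = {
    "MacDefender.pkg": b"constructed variant A payload",
    "Mdinstall.pkg": b"constructed variant C payload",
    "notes.txt": b"harmless text file",
}


def make_signature_list(entries):
    """Build an XProtect-style plist (assumed layout) from (description, payload) pairs."""
    items = []
    for description, payload in entries:
        items.append({
            "Description": description,
            "Matches": [{
                "MatchType": "Match",
                "Identity": hashlib.sha1(payload).digest(),  # stored as <data>
            }],
        })
    return plistlib.dumps(items)


# "Before" list knows only variant A; the daily update adds variant C.
XPROTECT_BEFORE = make_signature_list([
    ("OSX.MacDefender.A", SAMPLE_FILES["MacDefender.pkg"]),
])
XPROTECT_AFTER = make_signature_list([
    ("OSX.MacDefender.A", SAMPLE_FILES["MacDefender.pkg"]),
    ("OSX.MacDefender.C", SAMPLE_FILES["Mdinstall.pkg"]),
])


def load_signatures(plist_bytes):
    """Return {sha1_digest: description} for every exact-match signature in the list."""
    sigs = {}
    for entry in plistlib.loads(plist_bytes):
        for match in entry.get("Matches", []):
            if match.get("MatchType") == "Match":
                sigs[bytes(match["Identity"])] = entry["Description"]
    return sigs


def check_download(plist_bytes, data):
    """Return the matching signature name, or None if the file is not on the list."""
    return load_signatures(plist_bytes).get(hashlib.sha1(data).digest())


def new_definitions(before_plist, after_plist):
    """Names present in the updated list but not in the old one (the 'after' screenshot)."""
    names = lambda p: {e["Description"] for e in plistlib.loads(p)}
    return sorted(names(after_plist) - names(before_plist))
```

Before the definition update the Mdinstall.pkg sample is not flagged; after it, check_download returns "OSX.MacDefender.C", which is the gap the ZDNet report describes between a new variant appearing and the next daily list.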
  2. ps32412

    OS X 10.6 showing high CPU usage after Security Update


    Following the wave of scam "MacDefender" software and its variants, Apple recently released a security update for OS X 10.6 that updates the built-in "XProtect" feature to identify these threats; however, after installing the update, a number of people are finding the system is stuck with high CPU usage, resulting in the system being bogged down and running slowly. Upon checking Activity Monitor, a process called "MRT" is using a large percentage of CPU, and even with forcing the process to quit it will reappear and continue to use the CPU.
    Apple's security update includes three components: an updated definitions file for XProtect, an automatic updater for XProtect, and a temporary system scanner called "MRT."
    When you install the update, it replaces the XProtect definitions file and installs the XProtect updater application along with the updater's scheduler file that has it run on a daily basis (unless you turn this feature off in the new setting in the Security system preferences). In addition, the update installs and runs MRT (likely standing for "Malware Removal Tool"), which will scan your system for known malware and notify you that the malware has been removed if it has been located. The scanning process should take only a few minutes, but on some systems it appears to be getting stuck.
    Generally forcing stuck processes to quit using Activity Monitor is all that's needed; however, the MRT process comes with a launch agent file that will tell the system to keep relaunching it to continue scanning your system. Normally the MRT process will run once and then self-destruct by removing its three components from the system when the scan is complete. But if the scan gets stuck and cannot complete, then it will not remove itself and will continually try to complete its initial scan.
    If this happens to you, there are several approaches you can take, depending on whether you want to allow the MRT scanner to complete:
    Permissions fix and general maintenance
    If you want to have the scanner complete itself, try running a basic permissions fix on the hard drive using Disk Utility, and if that doesn't work then run a general maintenance routine to perform a more thorough cleaning. You can do these routines without any additional steps, but you can also do them by first disabling the MRT process, which may help it complete its scan properly. To do this, perform the following steps:

    1. First stop the MRT process by running the following command in the Terminal:
      sudo launchctl stop com.apple.mrt

    2. Run a permissions fix on the boot drive with Disk Utility, or run a full general maintenance routine.

    3. Restart the system (if you have not already done so) and if the MRT process does not automatically relaunch then run the following command in the Terminal:
      sudo launchctl start com.apple.mrt
    Manually remove MRT
    MRT is not necessary to provide ongoing protection of your system. The tool is a temporary scanner that will root out any current detectable malware installations on your system, but when it is done it will remove itself. If you are confident your system does not have malware on it, then you can remove the MRT program and its components to prevent it from running. To do this, perform the following steps:

    1. Disable MRT by opening the Terminal and running the following command:
      sudo launchctl remove com.apple.mrt
      You can also do this by going to the /System/Library/LaunchDaemons/ folder, deleting the file called "com.apple.mrt.plist," and then restarting your computer.

    2. With the process stopped, remove the MRT-related files by locating and deleting the following items from your system via the Finder (removing just the first and restarting will prevent MRT from running, but without it the other three files have no purpose):
      /System/Library/LaunchDaemons/com.apple.mrt.plist
      /System/Library/LaunchAgents/com.apple.mrt.uiagent.plist
      /System/Library/CoreServices/MRTAgent.app
      /usr/libexec/MRT
      The last file is in a hidden system directory, so to remove it you can either use the Finder's "Go to folder" option or the Terminal. To do this with the Finder, select the "Go to folder" command from the "Go" menu and enter "/usr/libexec" in the text field. Then locate and delete the "MRT" file (do not remove any other files). To use the Terminal, launch the Terminal and then run the following command:
      sudo rm /usr/libexec/MRT
    If you decide to remove MRT without allowing it to complete its routine, be sure your system does not have any malware on it. If you have a third-party malware scanner that has been updated to identify these new malware threats, then be sure to use that to scan your system, or manually check for any installed malware on your system (see this article for locating and removing the recent MacDefender program).
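The post above explains that MRT keeps relaunching because of its launchd job, and lists the four components left behind when the scan never completes. The following is an added example, not Apple's or the article's code: it audits a filesystem root for those four paths and reads the launchd job's restart keys to show why `launchctl stop` alone does not end the loop while removing the job does. The layout is built in a temporary directory for the demonstration; KeepAlive and RunAtLoad are real launchd keys, but the contents of Apple's com.apple.mrt.plist are assumed here, not taken from the update.

```python
import os
import plistlib
import tempfile

# Paths from the post, relative to the volume root.
MRT_COMPONENTS = [
    "System/Library/LaunchDaemons/com.apple.mrt.plist",
    "System/Library/LaunchAgents/com.apple.mrt.uiagent.plist",
    "System/Library/CoreServices/MRTAgent.app",
    "usr/libexec/MRT",
]


def leftover_components(root):
    """Which MRT components still exist under root (all four on a stuck system)."""
    return [p for p in MRT_COMPONENTS if os.path.exists(os.path.join(root, p))]


def relaunch_policy(root):
    """Read the launchd job and report why launchd would start MRT again."""
    with open(os.path.join(root, MRT_COMPONENTS[0]), "rb") as f:
        job = plistlib.load(f)
    return {
        "label": job.get("Label"),
        # KeepAlive: launchd restarts the job when it exits, so a plain
        # 'launchctl stop' is followed by another launch.
        "relaunches_on_exit": bool(job.get("KeepAlive", False)),
        # RunAtLoad: the job starts again at the next boot unless removed.
        "runs_at_boot": bool(job.get("RunAtLoad", False)),
    }


def remove_launch_daemon(root):
    """Step 1 of the manual removal: delete the job file so nothing relaunches MRT."""
    os.remove(os.path.join(root, MRT_COMPONENTS[0]))
    return leftover_components(root)


def build_constructed_root():
    """Create a throwaway directory laid out like a stuck system (constructed data)."""
    root = tempfile.mkdtemp()
    for p in MRT_COMPONENTS:
        full = os.path.join(root, p)
        os.makedirs(full if p.endswith(".app") else os.path.dirname(full), exist_ok=True)
        if not p.endswith(".app"):
            open(full, "wb").close()
    with open(os.path.join(root, MRT_COMPONENTS[0]), "wb") as f:
        plistlib.dump({"Label": "com.apple.mrt", "ProgramArguments": ["/usr/libexec/MRT"],
                       "RunAtLoad": True, "KeepAlive": True}, f)  # assumed job settings
    return root
```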
  3. Pepin Le Bref

    Here is a simple utility to disable Apple MRT:
    It is aptly named Malware Removal Tool removal tool.

    PLB
