Apple’s Response to Malware

There’s been a lot of excitement over the last few weeks about the appearance of some mildly nasty malware, or more precisely, scareware, targeting Mac OS X. Going by names such as MacDefender, this bit of nastiness pretends to be an antivirus application, claims the victim’s machine is horribly infected, and offers to clean it up if the victim hands over their credit card details. This sort of thing has been endemic on Windows for quite a long time now, and those of us who work in IT are quite used to removing the stuff.

On Windows, machines can generally be infected automatically when the user visits a website that has either been compromised, or that is actually being run by the malware creators. By using dodgy keyword and linking techniques, the sites can be found quite high in search engine listings (generally not when searching for “please infect my computer with something nasty”), which explains why so many people are affected.

The first variants of the Mac version were pretty crude: they actually required the user to:

  1. Agree to install the software
  2. Enter their password
  3. Click through the usual software installation dialogs

More recent variants show that the writers have done a bit more homework: they now install into the user’s personal Applications folder rather than the system one, which means the software can install and do its tricks without asking for a password.

Removing these things on Windows can be interesting. At the very least you need to know where to look in the hideous mess known as the Registry[1], track down files with cryptic names and reboot several times to make sure you’ve really killed it. Tools like the excellent MalwareBytes make this a great deal easier, though.

The Mac version can be removed manually with less effort. After some delay, Apple posted an article describing how to remove MacDefender, which was a reasonable first attempt. They also announced that the next OS update would include code to block it – Mac OS X already deals with other known malware (not that there’s much of it so far).

This update was expected to be part of the next release – 10.6.8, due quite soon, but it seems that it’s been moved up, and a new security patch is now available from Software Update, or direct from the Apple site.

What this adds is not only the detection and removal of MacDefender, but automatic updates of malware signatures – see this AppleInsider post for details and screenshots.

Not as quick a response as some people would have liked, but that seems to be standard practice for Apple – say nothing, then do something quite decisive. Rather like the way they don’t announce new products until they’ve got an actual release date for something that works…

I’ve just installed the update and sure enough, there’s now an extra option in the Security preference pane:

Security options

[1] OK: a sort of database for all configuration stuff does make sense, but the implementation is painful. It’s OK for people who know what they’re working on, but intimidating and potentially dangerous for normal users who just want to, you know, use their computers.