MacDefender - or how Apple's malware protection is tested in the real world
Written by Nick Blievers Friday, 03 June 2011 00:33

Another day, another security update… or is it? Apple has just released another security update for 10.6.7, Security Update 2011-003. What’s interesting about this update is that it addresses one of the issues we raised in our earlier labs report.
But wait, let’s back up a bit: what are we talking about here? Apple included some rudimentary malware protection in MacOSX not so long ago (which we wrote about here), and in recent weeks it has met with its first real challenge. There has been a spate of news articles talking about the “MacDefender” family of Trojans, so I won’t go into much detail here; suffice to say it’s a reasonably straightforward Trojan that uses social engineering to trick users into installing it, and then proceeds to try and extort money out of the user through the purchase of a fake “anti-virus solution”. Apple’s response to this has been to issue “Security Update 2011-003”, which we will look at in this brief report.
The changelog for this update (http://support.apple.com/kb/HT4657) sums up the three changes quite nicely:
- Definition added for MacDefender
- Automatically update the known malware definitions
- Remove the MacDefender malware if detected
Of these, #3 isn’t very interesting; it’s a one-off check performed at update time. But the other two could be interesting, so let’s take a look. Checking the XProtect.plist file, we can see there are several new entries:
- OSX.OpinionSpy
- OSX.MacDefender.A
- OSX.MacDefender.B
- OSX.MacDefender.C
There isn’t anything new or particularly interesting with these definitions. The MacDefender entries are looking for installer or meta-installer packages matching certain signatures, using a method we have discussed previously. Still, it’s nice to see some updated definitions… which brings us to #2.
Apple’s documentation again (http://support.apple.com/kb/HT4651) does a nice job of explaining what this means from a user’s point of view. In short, we have a background daemon running that has a single related UI element, with the fairly innocuous name “Automatically update safe downloads list”.
From a technical point of view, what does this mean? Well, we have a few extra elements of what Apple calls simply “File Quarantine” in its changelog. First, we now have XProtect.meta.plist, which records the last time the definition update daemon ran.
The second, and more interesting, part is the daemon mentioned above, XProtectUpdater. launchd handles the scheduling, and we see that an update is attempted every 86400 seconds (24 hours).
One thing that is curious about this update system is that if the RunAtLoad attempt fails, for example because your system is slow coming up and the network isn’t online yet when the updater runs, you may be unprotected for some period of time. For example, when I started my Mac Pro this morning, I saw this log entry:
XProtectUpdater[40]: NSURLConnection error: Error Domain=NSURLErrorDomain Code=-1009 UserInfo=0x102600690 "This computer’s Internet connection appears to be offline." Underlying Error=(Error Domain=kCFErrorDomainCFNetwork Code=-1009 UserInfo=0x102605320 "This computer’s Internet connection appears to be offline.")
Given there is no mechanism to retry until the timer interval is exhausted, if I shut my system down each night, it’s possible my definition would never get updated (at least until the next time a system update was performed). Note that this system is connected to a network via a cable, and it was simply the boot process ordering which caused this failure.
Aside from this issue, the updater appears simple and lightweight. It checks the configuration switch, and then whether a new definition is available. The definition is signed to avoid any issues with spoofing. A true unix-style tool!
Now, back to my original point. It’s nice to see that Apple has addressed one of the issues we raised in our earlier report. Any malware protection based on definitions lives and dies by its ability to update, and therefore respond quickly to new threats. Apple’s new updater tool fills this void nicely. Let’s hope that Apple continues to evolve their “File Quarantine” tool, as the bad guys have been rapidly improving their MacOSX malware. Since the initial release of this update, a new version of MacDefender that wasn’t detected was released, and caused the extra (OSX.MacDefender.C) definition to be added. And so the race begins.
UPDATE: It seems that the bad guys have figured out very quickly how to get around the signature-based detection (see http://www.theregister.co.uk/2011/06/01/mac_osx_scareware_evasion/). This was actually an issue we raised in the private in-depth report (from here).
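Because a failed RunAtLoad run is not retried before the next StartInterval, the practical symptom to monitor is a definition timestamp that is much older than one interval. The following is an added example, not TrustDefender’s or Apple’s code, of such a freshness check; it assumes XProtect.meta.plist stores the last update time under a key named "LastModification" as an RFC 2822 date and that the launchd job uses StartInterval and RunAtLoad, and both plists below are constructed samples.

```python
# Added example; not TrustDefender's or Apple's code. A freshness check for the
# File Quarantine definitions, aimed at the failure mode described above: the
# boot-time RunAtLoad attempt fails and nothing retries before the next StartInterval.
# Assumptions: XProtect.meta.plist keeps the last update time under the key
# "LastModification" as an RFC 2822 date; the launchd job uses StartInterval/RunAtLoad.
import plistlib
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample of XProtect.meta.plist (key name is an assumption, see above)
META_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>LastModification</key>
  <string>Fri, 27 May 2011 21:08:03 +0000</string>
</dict></plist>"""

# Constructed sample of the updater's launchd job: daily interval, one run at boot
LAUNCHD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.xprotectupdater</string>
  <key>StartInterval</key><integer>86400</integer>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed "now": the post's own timestamp, so the sample is reproducible
CHECK_TIME = datetime(2011, 6, 3, 0, 33, tzinfo=timezone.utc)


def definition_age_seconds(meta_plist: bytes, now: datetime) -> float:
    """Seconds since the daemon last recorded a definition update."""
    meta = plistlib.loads(meta_plist)
    last = parsedate_to_datetime(meta["LastModification"])
    return (now - last).total_seconds()


def check_freshness(meta_plist: bytes, launchd_plist: bytes, now: datetime,
                    grace_intervals: int = 2) -> dict:
    """Flag definitions older than grace_intervals * StartInterval.
    A healthy daily updater never leaves the timestamp much more than one
    interval old; a larger age is the symptom of a failed run with no retry."""
    job = plistlib.loads(launchd_plist)
    interval = int(job.get("StartInterval", 86400))
    age = definition_age_seconds(meta_plist, now)
    return {"age_seconds": age, "interval": interval,
            "run_at_load": bool(job.get("RunAtLoad", False)),
            "stale": age > grace_intervals * interval}


if __name__ == "__main__":
    print(check_freshness(META_PLIST, LAUNCHD_PLIST, CHECK_TIME))
```

On a real machine the two byte strings would be read from the actual plist files, and a "stale" verdict would be the cue to restart the updater job rather than wait for the next scheduled run.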