We recently reported about a blackhat search engine optimization (SEO) campaign that targeted not only Windows but Mac users as well. Only a few weeks have passed since Mac users became firmly established as potential victims in the threat landscape, yet more and more threats targeting them are being found.
FAKEAV for Mac
The first case that got the attention of the security industry was a rogue antivirus called MacDefender, which is detected as OSX_FAKEDEF.M. The said malware reportedly affected a large number of Mac users.
Other variants of rogue antivirus software made especially for Macs followed, bearing different names such as MacSecurity (detected as OSX_FAKEAV.A) and MacProtector.
In a recent development, we found a fake Mac antivirus variant spreading through Facebook (detected as OSX_DEFMA.B).
MacDefender and its variants aren’t the first rogue antivirus seen targeting Mac users. In 2008, scareware applications called MacSweeper and iMunizator were seen, both of which had the same standard rogue antivirus routines.
This time around, however, the number of variants seems to be increasing exponentially and they are affecting more and more users. In response, Apple issued an update to its operating systems to prevent MacDefender from executing.
According to Trend Micro senior threat researcher Joey Costoya, the solution Apple provided is not limited to MacDefender but also covers Mac malware starting from 2009. From what he gathered from the vendor’s “pattern file,” it includes detections for other popular Mac malware such as OSX_RSPLUG, OSX_KROWI, and OSX_OPINIONSPY.A.
So it appears that although Apple marketed the “update” as solving only the MacDefender FAKEAV issue, the update actually checks for other known Mac malware as well.
This gives us some points to ponder, the first one having already been raised by others—the bad guys have now actively circumvented Mac’s solution, turning this into a cat-and-mouse game.
The second point: is Apple planning to turn its updates into full-featured security software? Will Apple provide a built-in antivirus solution à la Microsoft?
As we have learned in the past, the “scanning technology” Apple implemented can be easily circumvented. This leaves Apple with a hard choice: either keep updating its pattern file continuously to cover the latest rogue antivirus affecting Macs, or admit that its products are now constantly being targeted by rogue antivirus, that Macs are not as secure as before, and that Apple product users now rely on traditional security vendors for security.
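To make the cat-and-mouse problem concrete, here is an added illustration (not code from the original post, and not Apple’s or Trend Micro’s actual scanning engine) of how a simple pattern-file scanner behaves. It assumes a pattern file with two kinds of entries: an exact-file hash signature and a content (byte-pattern) signature for a family. The sample “binaries”, signature names and scare-text string are all constructed placeholders; the only real value is the 64-bit Mach-O magic used as a header. Run it and the point of the paragraph above shows itself: the hash entry detects exactly one build and misses a trivially rebuilt variant, so a hash-only pattern file has to be refreshed for every variant, while a family-level content signature keeps detecting rebuilt copies.

```python
import hashlib
import re
from typing import Dict, List

# Constructed stand-ins for files on disk (byte strings, not real malware).
# The 4-byte prefix is the 64-bit Mach-O magic; the rest is placeholder content.
MACHO_MAGIC_64 = b"\xcf\xfa\xed\xfe"
SAMPLE_ORIGINAL = (
    MACHO_MAGIC_64 + b"\x00" * 16
    + b"Your computer is infected! Register now to clean it."
)
# A constructed "rebuilt" copy: identical scare text, one padding byte changed.
SAMPLE_VARIANT = SAMPLE_ORIGINAL.replace(b"\x00" * 16, b"\x00" * 15 + b"\x01", 1)
SAMPLE_CLEAN = MACHO_MAGIC_64 + b"\x00" * 16 + b"hello, world"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes, used for exact-file signatures."""
    return hashlib.sha256(data).hexdigest()


# Constructed pattern file. Signature names are placeholders, not vendor names.
PATTERN_FILE = [
    # Exact-file signature: matches one specific binary and nothing else.
    {"name": "EXAMPLE_FAKEAV.A(hash)", "kind": "sha256",
     "value": sha256_hex(SAMPLE_ORIGINAL)},
    # Content signature: a byte pattern shared by a family of rebuilt variants.
    {"name": "EXAMPLE_FAKEAV(family)", "kind": "regex",
     "value": rb"Your computer is infected!.{0,64}Register now"},
]


def scan(data: bytes, patterns=PATTERN_FILE) -> List[str]:
    """Return the names of every pattern-file entry that matches `data`."""
    hits = []
    digest = sha256_hex(data)
    for sig in patterns:
        if sig["kind"] == "sha256" and sig["value"] == digest:
            hits.append(sig["name"])
        elif sig["kind"] == "regex" and re.search(sig["value"], data, re.DOTALL):
            hits.append(sig["name"])
    return hits


def scan_many(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Scan a name -> bytes mapping and report detections per file."""
    return {name: scan(data) for name, data in files.items()}


if __name__ == "__main__":
    results = scan_many({
        "original.app": SAMPLE_ORIGINAL,
        "variant.app": SAMPLE_VARIANT,
        "clean.app": SAMPLE_CLEAN,
    })
    for name, hits in results.items():
        print(f"{name}: {hits if hits else 'clean'}")
```

The original sample trips both entries, the rebuilt variant trips only the family signature, and the clean file trips neither. That gap between the two signature kinds is exactly why a vendor that ships only exact-file entries is forced into continuous pattern-file updates.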
A large number of variants of this rogue antivirus were found in just a short period of time, and this trend is predicted to continue. Macs are not malware-proof, and the threat comes not only from FAKEAV but also from backdoor applications like OSX_MUSMINIM.A. As my colleague Rik Ferguson commented, the Apple user base is largely unprepared and their systems are largely unprotected. This chain of events leaves Apple with a large task to take on, as the “invulnerability” of its systems is being put to the test, along with the security of its users.
Updated June 2, 9:30 PM PST: Added more details in the solution strategy analysis.