The recently reported malware attacks against Mac users prompted Apple to release a security update. We did initial analyses of both the FAKEAV for Macs and the latest Apple security update in our previous blog entry. I extracted the updated XProtect.plist (Apple's pattern file) to dig deeper into what is inside it. A property list (.plist) file is an XML file that follows Apple's plist document type definition (DTD); .plist files are a standard part of Apple's Mac OS X Core Foundation.
The update notes are stored in the file XProtect.meta.plist.
XProtect.plist is basically XML formatted and is easily read using Mac’s built-in Dashcode tool.
For OSX.MacDefender.C, there are four hex string matches done based on file content:
1. File = Archive.bom
   Hex1: 446F776E6C6F6164506963742E706E67 = DownloadPict.png
2. File = Info.plist
   Hex1: 434642756E646C654E616D653C2F6B65793E = CFBundleName
   Hex2: 3C737472696E673E416E746976697275732053657475703C2F737472696E673E = Antivirus Setup
<8bd19a1b fc1356fb 487da3ca 2cb3a186 da2fa720>
Based on XProtect.plist, it appears that Apple relies on plain string matching for most of its patterns. Knowing the patterns Apple uses, malware writers can easily modify their malware to avoid detection. Whatever the antivirus software can do once something is detected, protection ultimately depends on the pattern set and how often it is updated. Given the recent history of FAKEAV malware for the Mac, we should expect the authors to release new variants modified just enough to evade detection and stay in business.
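To make the string-matching logic concrete, here is an added Python example (not Apple's code and not from the original post) that parses a constructed plist shaped like an XProtect entry, decodes the three hex patterns quoted above, and applies them to constructed package contents. The key names inside the entry and the rule that every pattern must match are assumptions about the format, not something taken from the real file.

```python
import plistlib

# Constructed sample shaped like an XProtect.plist entry for OSX.MacDefender.C.
# The key names (Description, Matches, MatchFile, NSURLNameKey, Pattern) are an
# assumption about the 2011 format; the hex patterns are the ones quoted above.
SAMPLE_XPROTECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array><dict>
  <key>Description</key><string>OSX.MacDefender.C</string>
  <key>Matches</key>
  <array>
    <dict><key>MatchFile</key><dict><key>NSURLNameKey</key><string>Archive.bom</string></dict>
      <key>Pattern</key><string>446F776E6C6F6164506963742E706E67</string></dict>
    <dict><key>MatchFile</key><dict><key>NSURLNameKey</key><string>Info.plist</string></dict>
      <key>Pattern</key><string>434642756E646C654E616D653C2F6B65793E</string></dict>
    <dict><key>MatchFile</key><dict><key>NSURLNameKey</key><string>Info.plist</string></dict>
      <key>Pattern</key>
      <string>3C737472696E673E416E746976697275732053657475703C2F737472696E673E</string></dict>
  </array>
</dict></array>
</plist>
"""

# Constructed package members that carry the signature strings.
SAMPLE_PACKAGE = {
    "Archive.bom": b"\x00BOM\x00DownloadPict.png\x00",
    "Info.plist": b"<key>CFBundleName</key>\n<string>Antivirus Setup</string>",
}

def load_rules(plist_bytes):
    """Parse the plist and decode each hex Pattern into the raw bytes it matches.
    Returns {description: [(member filename, pattern bytes), ...]}."""
    rules = {}
    for entry in plistlib.loads(plist_bytes):
        rules[entry["Description"]] = [
            (m["MatchFile"]["NSURLNameKey"], bytes.fromhex(m["Pattern"]))
            for m in entry["Matches"]
        ]
    return rules

def scan(files, rules):
    """files maps package member names to their contents. A rule fires only when
    every one of its patterns occurs in the named member (assumed semantics)."""
    return [desc for desc, pats in rules.items()
            if all(pat in files.get(fname, b"") for fname, pat in pats)]

if __name__ == "__main__":
    rules = load_rules(SAMPLE_XPROTECT)
    for fname, pat in rules["OSX.MacDefender.C"]:
        print(fname, pat)  # shows the full text each hex pattern really matches
    print(scan(SAMPLE_PACKAGE, rules))  # ['OSX.MacDefender.C']
```

Decoding the patterns in full shows that the Info.plist matches include the surrounding XML tags (`CFBundleName</key>` and `<string>Antivirus Setup</string>`), not just the bare words.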
The MacDefender sample spreading on Facebook is covered by the latest Apple Security Update where the above-mentioned files were referenced.
Upon further analysis of OSX_DEFMA.B (our detection name for the said MacDefender variant), we found that after the fake MacDefender screen is shown, it triggers a browser download of anti-malware.zip. The archive contains mdInstall.pkg, which includes all of the pre- and post-install items for the application. Archive.pax.gz, in turn, contains mdDownloader, which is the installer itself. When laid out flat, the full content is shown below.
Now, Apple's solution might have worked better if the vendor had encrypted the search strings. Unfortunately, all the bad guys had to do to circumvent this latest “security update” was change the strings and file locations, and they could once again continue to affect Mac users.
In fact, we tested whether a Mac patched with the security update can detect a piece of malware found in February (OSX_MUSMINIM.A) and found that it is not covered. Considering the weaknesses of Apple's current strategy against malware, we recommend that users exercise extreme caution.