Latest Mac malware

On 19/10/2011, in Security, by Norman Dean

http://www.geek.com/articles/apple/latest-mac-malware-disables-apples-xprotect-anti-malware-engine-updates-20111019/

2011 has been an interesting year for the Mac ecosystem. There’s been a marked increase in the amount of Mac-specific malware in the wild, most of which lurks in the shadows disguised as legitimate applications like the Flash plug-in — only to spring its booby traps on unsuspecting users following an ill-fated mouse click.

Early versions were fairly unsophisticated, and they were easily neutralized by simply not entering an admin password when the installer requested one. Malware authors are a cunning bunch, however, and they’re usually quick to iterate. That’s precisely what happened with the MacDefender trojan, which quickly learned how to install itself without that pesky password getting in the way.

Apple acted quickly to mitigate the threat, offering up XProtect, a built-in anti-malware engine. With updateable definitions just like a full-fledged security app, XProtect handled its first few malware tests with aplomb. But now things are going to get a little trickier for Apple and XProtect alike.

F-Secure has now found malware (Trojan-Downloader:OSX/Flashback.C) that can disable the XProtect updater, leaving users vulnerable to threats that would have been stopped in their tracks by refreshed definitions. The XProtect engine will continue working; its defenses just won’t be totally up to date. Things won’t get really dangerous until malware authors figure out how to completely kneecap XProtect.

Minimizing the risk is easy enough if you’re an OS X user. For starters, grab yourself some free anti-malware protection — both Sophos and ClamXav offer solid security software for Mac. The next step is to exercise good judgement when you’re downloading software from the web. Don’t download the Flash plug-in from anyone except Adobe, for example, and stay away from sites that try to convince you they’re offering paid Mac apps for free.

 
