There is a serious game of back-and-forth going on between the security team over at Apple and the developers of the Macdefender malware.
As reported by Threatpost, Apple shipped a patch to deal with the fake antivirus, and shortly afterwards the Macdefender developers changed their tactics and updated the trojan to get around it.
Now Apple has pushed back again with an update to XProtect that, according to a report from NakedSecurity, resolves the issue.
To get past Apple's defenses, the Macdefender developers switched to a downloader: a small installer which, once it has run, retrieves the actual malware payload from a remote server, according to the NakedSecurity report. The report calls this an especially effective approach because XProtect is not a full anti-virus product with on-demand or on-access malware scanning. It checks only files that arrived via the browser or other quarantine-aware applications, comparing them against a short list of signatures when they are first opened. A file written to disk by the downloader's own code never gets that quarantine flag, so the payload it fetches is never examined at all. The Macdefender authors therefore only need to make small alterations to the downloader whenever Apple adds a signature for it, while leaving the malware itself largely or entirely unchanged.
NakedSecurity also reports that Macdefender uses the classic affiliate distribution model: hired operators seed Web pages and blogs with black-hat SEO and poisoned links, each handing out a downloader that is uniquely tagged so the affiliate can be paid for the infections it produces. This lets the malware writers reach victims on a far larger scale than they could on their own.
XProtect now checks for new definitions every day, but if the Macdefender side keeps up its end, every update will be met with another slight change to the downloader. Running proper anti-virus software, which scans files regardless of how they reached the disk, is likely to provide a more competent defense than relying on XProtect's daily updates.
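The two points above, that a quarantine-only signature scanner never sees the fetched payload and that a one-line change to the downloader defeats a signature written for it, are easy to see in a simulation. The following Python is an added example, not Apple's XProtect code or anything from the Macdefender samples: the stub bytes, the payload bytes, the URLs under fakeav.invalid and the signature names are all constructed for illustration, and the scanner is a deliberately simplified model (a file is scanned only if it carries the quarantine flag, and is flagged when a signature's contiguous byte pattern occurs in it).

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed for this example; none of these bytes come from real malware.
PAYLOAD = b"FAKE-AV-PAYLOAD\x00" + bytes(range(32))


def make_downloader(url: bytes) -> bytes:
    """Toy downloader stub: a fixed skeleton plus the URL it will fetch."""
    return b"\xca\xfe\xba\xbeSTUB\nFETCH " + url + b"\nEXEC\n"


@dataclass
class File:
    name: str
    data: bytes
    quarantined: bool  # True when a browser saved it (com.apple.quarantine xattr)


@dataclass
class Signature:
    name: str
    pattern: bytes  # contiguous byte pattern, in the spirit of XProtect's hex patterns


# Hypothetical signatures: one written for the first stub seen, one for the payload.
SIGNATURES = [
    Signature("OSX.Stub.v1", b"FETCH http://fakeav.invalid/a/get"),
    Signature("OSX.FakeAV.payload", b"FAKE-AV-PAYLOAD"),
]


def xprotect_scan(f: File, sigs: List[Signature]) -> Optional[str]:
    """Model of XProtect: look only at quarantine-flagged files and report the
    first signature whose pattern occurs in the file, else None."""
    if not f.quarantined:
        return None
    for s in sigs:
        if s.pattern in f.data:
            return s.name
    return None


def on_access_scan(f: File, sigs: List[Signature]) -> Optional[str]:
    """Model of a conventional AV scanner: every file is examined, however it
    reached the disk."""
    for s in sigs:
        if s.pattern in f.data:
            return s.name
    return None


def run_downloader(stub: File, remote: Dict[bytes, bytes]) -> File:
    """Simulate the stub fetching its payload with its own HTTP client. A file
    the program writes itself carries no quarantine attribute."""
    url = stub.data.split(b"FETCH ", 1)[1].split(b"\n", 1)[0]
    return File("payload", remote[url], quarantined=False)


def verdicts(sigs: List[Signature],
             scan: Callable[[File, List[Signature]], Optional[str]]) -> Dict[str, Optional[str]]:
    """Scan the original stub, a minimally altered second stub (new fetch path
    only) and the payload each fetches; return file name -> matched signature."""
    remote = {
        b"http://fakeav.invalid/a/get": PAYLOAD,
        b"http://fakeav.invalid/b/get": PAYLOAD,  # identical payload, new path
    }
    stubs = [
        File("stub_v1", make_downloader(b"http://fakeav.invalid/a/get"), True),
        File("stub_v2", make_downloader(b"http://fakeav.invalid/b/get"), True),
    ]
    results: Dict[str, Optional[str]] = {}
    for stub in stubs:
        results[stub.name] = scan(stub, sigs)
        results[stub.name + "/payload"] = scan(run_downloader(stub, remote), sigs)
    return results


if __name__ == "__main__":
    for label, scanner in (("quarantine-only", xprotect_scan), ("on-access", on_access_scan)):
        print(label)
        for name, hit in verdicts(SIGNATURES, scanner).items():
            print(f"  {name:16} -> {hit}")
```

With the quarantine-only scanner the first stub is caught, the second stub (which differs only in the path it fetches) is not, and neither payload is ever looked at; the on-access scanner still misses the altered stub but catches the payload, which is the part the attackers did not bother to change. That asymmetry is the whole reason the daily definition race favours the downloader's authors.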
It has been prophesied for years that Mac users' castle of malware invulnerability would eventually crumble, and that day may have arrived in early May, when Macdefender emerged and prompted a surprise move from Apple, which now intends to release new malware definitions on a daily basis.