The Mac Defender Trojan Horse phishing scam was back in the news this week. Twice.
First, a more virulent variation of the malware was detected. In this latest iteration, the phony program is named MacGuard. The new wrinkle is that it doesn’t require an administrator’s password to install. This means that any user on a Mac has the authority to install the malware. Of course, unless said user also had a credit card number to offer, this does not significantly alter the risk.
Second, a new Apple support article revealed that Apple is working on an update to Mac OS X (presumably 10.6.8) that will “automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware.”
The support article went on to offer recommendations on how to remove the malware if you inadvertently fall victim to this scam prior to the release of 10.6.8.
Meanwhile, a prior report (unconfirmed by Apple) cited an internal Apple memo advising AppleCare employees not to “confirm or deny whether the customer’s Mac is infected (by the malware) or not.” Not surprisingly, critics jumped all over this. For example, Infoworld’s Robert X. Cringely lamented that this was yet another example of Apple being “arrogant beyond belief and helpful only when forced into a corner.”
My view is more benign. While I wish Apple had been more helpful out-of-the-gate, I can understand Apple’s reluctance to offer advice over the phone—potentially leading to making a bad situation worse if instructions are not correctly followed—before Apple fully understood what they were dealing with. In a worst case scenario, I could see Apple exposed to a lawsuit, with users seeking to recover damages incurred by Apple’s supposed “bad” advice. Regardless, Apple has apparently concluded its investigation and has responded in an appropriate manner.
How will Apple’s update work?
I was especially intrigued by the promised specificity of Apple’s upcoming fix. It is one of the very few times that Apple has included code in Mac OS X that is targeted at a specific security threat. In fact, the only other targeting (of which I am aware) is the XProtect.plist file of malware definitions included in Mac OS X 10.6. The protection offered here remains limited. Back in 2009, the file included only two definitions: one each for RSPlug.A and iService. As of the current Mac OS X 10.6.7, the file has added definitions to protect against two further attacks: HellRTS and OpinionSpy.
Sign up for Computerworld eNewsletters.