Apple updates OS X Lion, Snow Leopard malware definitions to address new trojan

Apple has updated “its malware definitions for Snow Leopard and Lion systems to allow them to recognize the trojan [OSX/Revir.A, OSX/Imuler.A],” Eric Slivka reports for MacRumors. “Apple updated its tools earlier this year in response to the MacDefender threat, and Snow Leopard and Lion systems now automatically check for new malware definitions on a daily basis.”

“Apple’s battles with malware authors continue, however, as CNET discloses that another trojan horse, known as OSX/flashback.A, has been discovered,” Slivka reports. “Like a similar threat that surfaced early last month, the new trojan masquerades as a Flash Player installer to trick users into installing the package.”

Read more in the full article here.

MacDailyNews Take: Here’s our usual oft-repeated reminder for Mac users and anyone who’s trying to use any other platform: Do not download and authorize the installation of applications (Trojans) from untrusted sources. No OS can protect users from themselves (or we wouldn’t be able to install any software). Those who grant attackers access to their Macs should not be surprised to find their Macs are compromised.

Related articles:
New OS X trojan horse sends screenshots, files to remote servers – September 23, 2011
Apple: How to avoid or remove MACDefender malware (permanent fix coming in Mac OS X update) – May 24, 2011
MACDefender trojan protection and removal guide – May 20, 2011
Apple investigating ‘MACDefender’ trojan – May 19, 2011
Apple malware: 6 years of crying wolf – May 6, 2011
Is Mac under a virus attack? No. – May 4, 2011
Intego: MACDefender rogue anti-malware program attacks Macs via SEO poisoning – May 2, 2011
Sophos details new Mac OS X Trojan – February 28, 2011
Warning: Mac users beware of yet another trojan masquerading as video codec – June 11, 2009
CNN blows it; gets all worked up about a Mac Trojan that isn’t the first nor is it the last – April 23, 2009
Mac trojan expands to affect pirated versions of Photoshop CS4 – January 26, 2009
Intego: Mac trojan horse found in pirated Apple iWork ‘09 – January 22, 2009
New Mac OS X Trojan horse identified – June 23, 2008
Mac OS X Scareware trojan ‘MacSweep from Imunizator’ tries to scam Mac users – March 29, 2008
Mac trojan makers churn out slightly modified versions to evade anti-malware detection – November 08, 2007
Mac DNS Changer Trojan [OSX/Puper] relatively simple; works like the Windows version – November 01, 2007
New Mac OS X Trojan warning – February 16, 2006
Apple: ‘Opener’ is not a virus, Trojan horse, or worm – November 02, 2004

27 Comments

      1. You can access the Xprotect.plist file containing the list of Apple’s malware definitions here:

        /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

        Open it in TextEdit. The definitions are added in chronological order. Search the file for “OSX.Revir.A” which will be near the bottom.

        XProtect automatically updates itself once a day over the Internet. It has no relationship to the Software Update application.

        Mac-Security Blog

        1. AND: If you would like to force an update of your XProtect malware definitions, you can run the XProtectUpdater process yourself in the Terminal. You will find XProtectUpdater here:

          /usr/libexec/XProtectUpdater

          Again note: The updater automatically runs once a day, as long as you are connected to the Internet. 😀
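Added example, not code from the MacRumors article or from either commenter above: a POSIX shell script that does by hand what comment 1 and its reply describe, namely reading the definition names out of XProtect.plist (in file order, so the newest entry is last), reading the definition version out of XProtect.meta.plist, and printing each file's modification time so you can tell whether the daily update has actually run. The real files live under the Resources path quoted above; because that path only exists on Snow Leopard and Lion, the script builds two constructed sample plists in a temporary directory and runs against those. The sample layout (an array of dicts, each carrying a Description string and a Matches array with a hex Pattern; an integer Version and a LastModification string in the meta file) is an assumption modelled on the XProtect format, and the two entries and the version number in it are made up, not copied from Apple's file. Every function takes a file path as its argument, so point them at the real path to inspect a live system.

```shell
#!/bin/sh
# Added example (not from the page or its commenters): inspect XProtect
# definition files as comment 1 describes. On Snow Leopard / Lion the real
# files are:
#   /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist
#   /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
# The constructed samples below are an ASSUMPTION about the file layout
# (array of dicts with a Description string; integer Version in the meta
# file); the entries, patterns and version number are made up.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_PLIST="$SAMPLE_DIR/XProtect.plist"
SAMPLE_META="$SAMPLE_DIR/XProtect.meta.plist"

cat > "$SAMPLE_PLIST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key>
    <string>OSX.MacDefender.A</string>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchType</key>
        <string>Match</string>
        <key>Pattern</key>
        <string>00112233</string>
      </dict>
    </array>
  </dict>
  <dict>
    <key>Description</key>
    <string>OSX.Revir.A</string>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchType</key>
        <string>Match</string>
        <key>Pattern</key>
        <string>44556677</string>
      </dict>
    </array>
  </dict>
</array>
</plist>
EOF

cat > "$SAMPLE_META" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>LastModification</key>
  <string>Mon, 26 Sep 2011 17:00:00 GMT</string>
  <key>Version</key>
  <integer>1016</integer>
</dict>
</plist>
EOF

# Print the Description of every definition, in file order. New definitions
# are appended, so the last line is the newest entry.
xprotect_list_definitions() {   # $1 = path to XProtect.plist
    sed -n '/<key>Description<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$1"
}

# Number of definitions in the file.
xprotect_count() {              # $1 = path to XProtect.plist
    xprotect_list_definitions "$1" | wc -l | tr -d ' '
}

# Succeed (exit 0) only if the named definition, e.g. OSX.Revir.A, is present.
xprotect_has_definition() {     # $1 = path to XProtect.plist, $2 = definition name
    xprotect_list_definitions "$1" | grep -qxF -- "$2"
}

# Print the integer Version recorded in XProtect.meta.plist.
xprotect_version() {            # $1 = path to XProtect.meta.plist
    sed -n '/<key>Version<\/key>/{n;s/.*<integer>\(.*\)<\/integer>.*/\1/p;}' "$1"
}

# Modification time of a file (BSD stat on OS X, GNU stat elsewhere). A file
# more than a day old on a machine that is online means the updater did not run.
xprotect_mtime() {              # $1 = path
    if [ "$(uname)" = Darwin ]; then stat -f '%Sm' "$1"; else stat -c '%y' "$1"; fi
}

echo "XProtect.meta.plist version: $(xprotect_version "$SAMPLE_META")"
echo "XProtect.plist modified:     $(xprotect_mtime "$SAMPLE_PLIST")"
echo "definitions ($(xprotect_count "$SAMPLE_PLIST")), oldest first:"
xprotect_list_definitions "$SAMPLE_PLIST" | sed 's/^/  /'
for name in OSX.Revir.A OSX.Flashback.A; do
    if xprotect_has_definition "$SAMPLE_PLIST" "$name"; then
        echo "$name: present"
    else
        echo "$name: not in this definition file"
    fi
done
```

To use it against a live Snow Leopard or Lion machine, replace the two sample paths with the Resources paths quoted in comment 1. To force the refresh the reply describes, run /usr/libexec/XProtectUpdater first (with sudo, since the definition files live under /System) and then compare the version and modification time before and after.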

  1. It once was that you didn’t have to worry about these kinds of things on a Mac. But now we are at a point where every month we are getting a security update. It feels like we are getting closer and closer to a Microsoft update schedule, and as soon as that happens you will see the fastest install of ubuntu on all my machines!

    1. as a recent full on switcher let me just say that dude, it’s nowhere near a MS update schedule. MS patches pretty much every darn Tuesday. I don’t get prompted for updates to OS X that often, and when I do it’s usually more than just “Security Patches”

      I still do not feel the urge to install antivirus on my macs.

      1. ERROR: “MS patches pretty much every darn Tuesday.”

        NO. MS updates on the second Tuesday of each month, well known as ‘Patch Tuesday’. It is rare for MS to post emergency updates.

        Patch Tuesday @ Wikipedia

        Also note that providing updates at predictable times is RIDICULOUS. Windows crackers prepare for Patch Tuesday and come out with malware THE NEXT DAY to break into unpatched PCs. This is well known as ‘Exploit Wednesday’. As you can imagine, extremely few people install Windows updates the day they are released, therefore day-after malware is frequently effective.

        The very best approach to patching security holes is to release patches at UNPREDICTABLE times ASAP after the security hole has been discovered.

        Windows IT dweebs say that Patch Tuesday makes their job easier so they know when to prepare for patches and set aside time to test them. This is an incredibly IGNORANT, LAZY, DETRIMENTAL and UNPROFESSIONAL approach to computer security. Tell them I said so. 😛

    2. It once was that you didn’t have to worry about these kinds of things on a Mac.

      Since when? What we never had to worry about on a Mac, and still don’t, were viruses, worms, and “drive-by downloads”. That’s still not a problem.

      Unfortunately for us Mac users, Microsoft has made great strides toward eliminating the problem on Windows as well. This has driven malware authors toward the old, reliable trojan, which is less efficient (has to be installed one computer at a time by the owner), but harder to defend against, because you’re really hacking the user, not the machine.

      No OS can ever be completely safe against trojans. If you agree to run a program on your computer, you’re at risk from whatever that program does.

      If it seems like Mac OS is under more threat these days, it’s because malware writers are writing trojans instead of viruses and worms.

      ——RM

    3. Nope. You’ve always had to worry... as anyone who knows how to plug the sudo command into an AppleScript could do you harm. Of course... you would have to download, open, and enter an admin or user password for it to be a problem.

      This is no different. Don’t install programs from anywhere but the company’s website... and you will not have issues.

      1. … problem for you if a) a malicious user/app gains access to your Mac AND b) you are foolish enough to have left an Admin account available for them. Like … you are SURFING from an Admin account (DOH!). Always create a “solid” password for your Admin account and use a User account for user functions – like SURFING!

  2. I know someone who has successfully run Windows XP without malware protection and without suffering because of it. It’s simple. First, he makes a virtual machine, then a copy of it. He does all his work in the virtual machine with his data on the host machine. When the virtual machine comes down with a virus or some other malware, he deletes it. Before he starts using the second virtual machine, he makes a copy. So he is always working in a virtual machine with an identical backup virtual. In effect, when the computer gets a virus, he throws it away like a ball point pen and changes to another one.

    That doesn’t sound simple, but the definition of “simple” is different in the land of Microsoftia.

    I use an even simpler solution. I switched to the Mac in 2005.

    1. Their script is a little out-of-date and can report an error that Safe Download isn’t installed on new systems even when it is. If that happens just go to:
      /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/
      and check the last modified dates on:
      XProtect.meta.plist    and    XProtect.plist

  3. If you enable trojan access through a “Flash Player installer,” then you deserve to be pwned. The real Flash software is close enough to a trojan all by itself. Very little “masquerading” is required.

  5. Do you hear that?
    those are the screams of the mac users that left javascript running and still use google

    html5 is here, it’s time to leave the 90s and its security threats behind
