
August 28th, 2009

Snow Leopard's malware protection only scans for two Trojans

Posted by Dancho Danchev @ 5:55 am


The much-hyped malware protection built into Apple’s Snow Leopard upgrade appears to be nothing more than an XProtect.plist file containing five signatures for two of the most popular Mac OS X trojans: OSX.RSPlug and OSX.Iservice.

Intego, the company that originally reported the new feature, has just released a comparative review of its (commercial) antivirus solution next to Apple’s anti-malware function. Here are some of the highlights:

  • Apple’s anti-malware function only scans files downloaded with a handful of applications (Safari, Mail, iChat, Firefox, Entourage, and a few other web browsers) — so the disturbingly modest signature base would be undermined if the user were to download the malware with a BitTorrent application
  • Apple’s anti-malware function currently only scans for two Trojan horses, as of the initial release of Snow Leopard — relying on such a modest set of signatures for variants of known OS X malware families clearly indicates the premature release of the feature
  • Apple’s anti-malware function receives occasional updates via Apple’s Software Update — with respect to malware, even Mac OS X malware, every modified variant of a known malware family enjoys a decent life cycle until it gets detected through malware signatures. In its current form, the reliance on occasional Apple Software Updates, compared to regular/scheduled independent signature updates, clearly increases the life cycle of a known piece of malware
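To check the "five signatures for two Trojans" claim and the coverage point in the highlights above against a signature file, a defender can count entries per malware family. The sketch below is an added example, not Apple's or Intego's code: the plist layout, the key names `Description` and `Pattern`, the per-family split and the watchlist entry `OSX.HypotheticalFamily` are assumptions made for illustration.

```python
import plistlib
from collections import defaultdict

# Constructed sample, NOT Apple's real file. Layout, key names, patterns and the
# 3/2 split are assumptions; only the two family names come from the article.
SAMPLE = plistlib.dumps([
    {"Description": "OSX.RSPlug.A", "Pattern": "PLACEHOLDER-1"},
    {"Description": "OSX.RSPlug.A", "Pattern": "PLACEHOLDER-2"},
    {"Description": "OSX.RSPlug.A", "Pattern": "PLACEHOLDER-3"},
    {"Description": "OSX.Iservice", "Pattern": "PLACEHOLDER-4"},
    {"Description": "OSX.Iservice", "Pattern": "PLACEHOLDER-5"},
])

def family_of(description):
    """Reduce a detection name such as 'OSX.RSPlug.A' to its family 'OSX.RSPlug'."""
    return ".".join(description.split(".")[:2])

def summarize(plist_bytes):
    """Return {family: signature_count} for a signature list in plist form."""
    try:
        entries = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed XML or an unknown plist format
        raise ValueError(f"not a parseable plist: {exc}")
    if not isinstance(entries, list):
        raise ValueError("expected a top-level array of signature entries")
    counts = defaultdict(int)
    for entry in entries:
        name = entry.get("Description") if isinstance(entry, dict) else None
        # Entries without a name are still counted so the total stays honest.
        counts[family_of(name) if name else "<unnamed>"] += 1
    return dict(counts)

def coverage_gaps(counts, watchlist):
    """Families the defender cares about that have no signature at all."""
    return sorted(set(watchlist) - set(counts))

if __name__ == "__main__":
    counts = summarize(SAMPLE)
    print(f"{sum(counts.values())} signatures, {len(counts)} families: {counts}")
    # Hypothetical watchlist; the last name is a placeholder, not a real family.
    watch = ["OSX.RSPlug", "OSX.Iservice", "OSX.HypotheticalFamily"]
    print("no signature for:", coverage_gaps(counts, watch))
```

Run against a copy of an actual signature file, the key names would need adjusting to that file's real layout.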

Go through related posts: New Mac OS X DNS changer spreads through social engineering; Mac OS X malware posing as fake video codec discovered; New Mac OS X email worm discovered; Trojan exploiting unpatched Mac OS X vulnerability in the wild

In its current form, Snow Leopard’s anti-malware feature offers nothing but a false feeling of security. What do you think? Talkback.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.
