What’s in Apple Security Update 2011-03?


The recently reported malware attacks against Mac users prompted Apple to release a security update. We did an initial analysis of both the FAKEAV for Macs and the latest Apple security update in our previous blog entry. I’ve extracted the updated version of XProtect.plist (Apple’s pattern file) to dig deeper into what’s inside. The .PLIST (Property List) file type is an XML file that uses Apple’s plist DTD (document type definition). .PLIST files are a standard part of Apple’s OS X Core Foundation.

The update notes are stored in the file, XProtect.meta.plist.


XProtect.plist is plain XML and is easily read using Mac’s built-in Dashcode tool:


For OSX.MacDefender.C, there are four hex string matches done based on file contents:

1. File =
Hex1: 446F776E6C6F6164506963742E706E67 = DownloadPict.png

2. File = Info.plist
Hex1: 434642756E646C654E616D653C2F6B65793E = CFBundleName
Hex2: 3C737472696E673E416E746976697275732053657475703C2F737472696E673E = Antivirus Setup

3. File = postinstall
<8bd19a1b fc1356fb 487da3ca 2cb3a186 da2fa720>

Based on XProtect.plist, it appears that Apple relies on string matching for most of its patterns. Knowing which patterns Apple uses, malware writers can easily modify the malware to evade detection. Whatever the antivirus software can do once it detects something, protection ultimately depends on the pattern and on how often it is updated. Given the recent history of FAKEAV Mac malware, we should expect the authors to release new, slightly modified variants, just enough to evade detection and stay in business.
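To make the string-matching point concrete, here is an added example (not code from the original post or from Apple) that parses an XProtect-style plist with Python’s standard plistlib, decodes the hex patterns quoted above, and applies them to a constructed package laid out as a dict of file name to bytes. The plist key names (Description, Matches, MatchFile, NSURLNameKey, Pattern, SHA1), the resource file name example.strings, the postinstall stand-in and the “all entries must hit” semantics are assumptions; only the three hex patterns come from the post.

```python
import base64
import hashlib
import plistlib

# Constructed stand-in for the postinstall script. The post lists only the SHA-1 of
# the real one, so this example hashes its own stand-in and embeds that hash below.
POSTINSTALL = b"#!/bin/sh\necho 'constructed postinstall stand-in'\n"
POSTINSTALL_SHA1_B64 = base64.b64encode(hashlib.sha1(POSTINSTALL).digest()).decode()

# Constructed XProtect-style plist. The three hex patterns are the ones quoted in the
# post; the key names, the resource file name and the MatchAll semantics are assumptions.
SAMPLE_XPROTECT = f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>OSX.MacDefender.C</string>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchFile</key><dict><key>NSURLNameKey</key><string>example.strings</string></dict>
        <key>Pattern</key><string>446F776E6C6F6164506963742E706E67</string>
      </dict>
      <dict>
        <key>MatchFile</key><dict><key>NSURLNameKey</key><string>Info.plist</string></dict>
        <key>Pattern</key><string>434642756E646C654E616D653C2F6B65793E</string>
      </dict>
      <dict>
        <key>MatchFile</key><dict><key>NSURLNameKey</key><string>Info.plist</string></dict>
        <key>Pattern</key><string>3C737472696E673E416E746976697275732053657475703C2F737472696E673E</string>
      </dict>
      <dict>
        <key>MatchFile</key><dict><key>NSURLNameKey</key><string>postinstall</string></dict>
        <key>SHA1</key><data>{POSTINSTALL_SHA1_B64}</data>
      </dict>
    </array>
  </dict>
</array>
</plist>
""".encode()

# Constructed package contents, laid out flat as {file name: bytes}, that the
# signature above is meant to hit.
SAMPLE_BUNDLE = {
    "Info.plist": b"<plist><dict>\n<key>CFBundleName</key>\n"
                  b"<string>Antivirus Setup</string>\n</dict></plist>\n",
    "example.strings": b'"icon" = "DownloadPict.png";\n',
    "postinstall": POSTINSTALL,
}


def decode_pattern(hex_pattern: str) -> str:
    """Turn an XProtect hex pattern back into the bytes it matches, as text."""
    return bytes.fromhex(hex_pattern).decode("ascii")


def load_signatures(raw: bytes = SAMPLE_XPROTECT) -> list:
    """Parse the plist into a list of signature dicts (the top-level element is an array)."""
    return plistlib.loads(raw)


def entry_hits(entry: dict, files: dict) -> bool:
    """One match entry: substring test for Pattern, exact digest test for SHA1."""
    data = files.get(entry["MatchFile"]["NSURLNameKey"])
    if data is None:
        return False
    if "Pattern" in entry:
        return bytes.fromhex(entry["Pattern"]) in data
    if "SHA1" in entry:
        return hashlib.sha1(data).digest() == entry["SHA1"]
    return False


def scan(signatures: list, files: dict) -> list:
    """Descriptions of every signature whose match entries all hit (MatchAll assumed)."""
    return [sig["Description"] for sig in signatures
            if all(entry_hits(entry, files) for entry in sig["Matches"])]


def with_bundle_name(files: dict, new_name: str) -> dict:
    """Copy of the bundle with a different CFBundleName, to show how brittle the match is."""
    changed = dict(files)
    changed["Info.plist"] = files["Info.plist"].replace(b"Antivirus Setup", new_name.encode())
    return changed


if __name__ == "__main__":
    sigs = load_signatures()
    for entry in sigs[0]["Matches"]:
        if "Pattern" in entry:
            print(entry["MatchFile"]["NSURLNameKey"], "->", repr(decode_pattern(entry["Pattern"])))
    print("original bundle:", scan(sigs, SAMPLE_BUNDLE))
    print("renamed bundle: ", scan(sigs, with_bundle_name(SAMPLE_BUNDLE, "Antivirus Setup 2")))
```

Two things worth noticing when you run it. First, the decoded patterns carry their XML context: the Info.plist patterns decode to `CFBundleName</key>` and `<string>Antivirus Setup</string>`, not just the bare words, so they anchor on the exact serialization of the bundle’s own plist. Second, the hex form is only an encoding, so anyone with the pattern file can read the strings with a one-liner like `decode_pattern`, which is why a content signature is only as durable as the attacker’s willingness to keep that byte sequence.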

The MacDefender sample spreading on Facebook is covered by the latest Apple Security Update, which references the files above.

Upon further analysis of OSX_DEFMA.B — our detection for the said MacDefender variant — we found out that after the MacDefender fake screen, it will cause a browser download of The said archive contains mdInstall.pkg that includes all of the pre/post install items for the application. Moreover, Archive.pax.gz contains mdDownloader, which is the installer itself. When laid out flat the full contents are below:


Now, Apple’s solution might have worked better had they encrypted the search strings. Unfortunately, all the bad guys have to do to circumvent this latest “security update” is change the strings and file locations, and once again continue to affect Mac users.

In fact, we tested whether a Mac patched with the security update can detect a piece of malware found in February (OSX_MUSMINIM.A), and found that it is not covered. Considering the weaknesses of Apple’s current strategy against malware, we recommend that users exercise extreme caution.
