Apple fends off malware from Facebook

The cat-and-mouse game between Apple Inc. and authors of malware targeting Mac OS X devices continues, with Apple releasing this week a security update that protects against the notorious fake antivirus "MacDefender." Apple's latest security fix for OS X Snow Leopard will detect the malware and alert users to move it to the Trash bin, which users are then advised to empty. "Security Update 2011-003 provides additional protection by checking for the MacDefender malware and its known variants. If MacDefender malware is found, the system will quit this malware, delete any persistent files, and correct any modifications made to configuration or login files," it said. But malware authors may have gone one step further, using social networking site Facebook to spread malware by luring users with a link to a supposed rape video. The video claims to show a scandal involving controversial International Monetary Fund boss Dominique Strauss-Kahn. New security fix Apple said that, with its new security fix, files downloaded via applications such as Safari, iChat, and Mail are checked for safety at the time that they are opened. "If a file is identified as containing known malware, the system will display a dialog that alerts you to move it to the Trash. You should empty the Trash to finalize the removal of the file," the company said. Apple said that it maintains a list of known malicious software that is used during the safe download check to determine if a file contains malicious software. The list is stored locally, and with Security Update 2011-003 is updated daily by a background process. Users who do not wish to receive these daily updates can disable them by unchecking "Automatically update safe downloads list" in the Security pane, in System Preferences. Sophos' Chester Wisniewski said his tests showed the detection and removal functionality worked properly, but said there is much room for improvement. "My impressions? A good reaction from Apple in a short amount of time. They are making the best of what is available in the OS X platform at this time. Unfortunately it falls short in many respects," he said in a blog post. He said that the biggest problem is the lack of an on-access scanning component. "While LSQuarantine works to protect against downloads in most browsers, it doesn't prevent infections through USB drives, BitTorrent downloads and other applications," he said. "Daily updates are a good start, but it remains to be seen how frequently the criminals may release new variants. If they start moving in a polymorphic direction similar to the one the Windows malware writers have gone, XProtect will have issues," he added. Also, he said the update only applies to OS X 10.6 "Snow Leopard," so older Mac users are left unprotected. Mac malware spreads via Facebook As if malicious websites are not enough, social networking site Facebook is now being used to spread a malware affecting Apple Inc.'s Mac OS X computers. Online security firm Sophos said the malware is spreading virally across Facebook, claiming to be a video of controversial IMF boss Dominique Strauss-Kahn. "The fake anti-virus attack first appears in your timeline as a message apparently posted by one of your friends," Sophos senior technology consultant Graham Cluley said in a blog post. A screenshot of such a Facebook message on Cluley's blog post read, "oh s***, one more really freaky video O_O ... IMF boss Dominique Strauss-Kahn Exclusive Rape Video - Black lady under attack!" Cluley said that the message is a reference to International Monetary Fund chief Dominique Strauss-Kahn, who is facing charges in New York over charges that he tried to rape a hotel maid. "In terms of sick headlines to entrap users, this one ranks right up there. It's been, of course, a very big news story - and many people have been following the case with interest. And that probably explains why the hackers have used the promise of a video as bait," he said. He said clicking on the link takes a victim to a webpage, which appears to consist of a still from a sex movie. But he said that when he visited the page using his Mac, "I was rapidly redirected to a 'Mac Defender'-style fake anti-virus attack, written specifically with the intention of infecting my computer," he said. Cluley said Sophos' Anti-Virus for Mac software intercepted the attack as OSX/FakeAVZp-C. He said what is interesting is that until now, most fake anti-virus attacks target Mac users by poisoning search engine results. "But now we are seeing them being distributed by viral Facebook spam campaigns as well," he said. Cluley said it may not be "too difficult" to fool a Mac user who knows he or she is possibly about to watch a seedy video, then face a screen warning of numerous security threats. He said this was "a genius piece of social engineering to frighten unsuspecting Mac users into installing the software and handing over their credit card details." "It's just a shame that Facebook's own security systems are currently failing to stop these links from spreading," he added. Cluley said Mac users can download Sophos's free anti-virus for Mac home users, which he said is automatically updated. Another step is to change the default settings on Mac's default Safari browser. "It's not a complete defense, but it can help a little," he said. — TJD, GMA News