It took only eight hours for the malware developers behind MacDefender and its variants to come up with a way to bypass the security update pushed out by Apple.
According to Chester Wisniewski, a new variant of the malware has sprung up, and it manages to infect updated systems without prompting for the administrator password.
How does it manage to bypass the protection Apple put in place? The malware developers have changed tack: a downloader program is installed first, and it then retrieves the actual malicious payload.
This way, they can make endless small changes to the downloader program and few to the actual malware – and still be successful. “If the bad guys can continually mutate the download, XProtect will not detect it and will not scan the files downloaded by this retrieval program,” he explains. “Additionally, XProtect is a very rudimentary signature-based scanner that cannot handle sophisticated generic update definitions.”
Apple has also reacted quickly and has updated XProtect to detect the current downloader.
The 2011-003 update also makes systems check for new updates to the File Quarantine malware definitions every 24 hours. Let the cat-and-mouse games begin.