
New NetWeird variants added to XProtect

Published March 28th, 2014 at 9:42 PM EDT , modified March 28th, 2014 at 9:42 PM EDT

Yesterday, I wrote about some new NetWeird trojans that were not detected by XProtect. Less than 36 hours later, XProtect has been updated to version 2047, and now blocks those samples.

[Image: NetWeird XProtect]

I have to give it to Apple’s product security crew this time – they sure moved fast! I’m impressed. However, I’m still intensely curious about how things are working behind the scenes at Apple. Since they were so quick to add a signature for these samples, that suggests that they have no questions about the maliciousness of these apps. In that case, though, why weren’t these added a while ago? After all, one of these samples was submitted to VirusTotal in July 2013, eight months ago.

This suggests that Apple is not searching out these samples on their own. They seem to be relying on others to submit samples to them, rather than taking a more active role. I could be wrong, of course, but certainly it would appear that, at a minimum, they’re not devoting sufficient resources to searching out new malware. I can’t imagine this is a choice being made by the security team; most likely, it’s due to policy or resource limitations imposed from higher up. Again, though, that’s purely speculation.

In any event, Mac users are now that much safer, and hopefully we won’t be seeing further NetWeird infections. For now, at least… as we all know, this is a constant battle between good and evil that is never entirely won, by either side.


5 Comments

  • Derek Currie says:

    Apple is getting in sync with your great and persistent work Thomas!

    So throw him a bone Apple. You need this guy.

  • jonah says:

    Hi Thomas,

    I just came across your site. What a great site you have created, and some excellent work you are doing. I recently downloaded some new firmware updates and applications for my Huawei modem. I am a bit concerned as my late MacBook Pro 15″ running the latest Mavericks warned against it. I am using a GSM 3G modem which I now realize is a security risk of its own. Anyway, I am wondering if I do a clean install of Mavericks, would the EFI and Recovery partitions also be erased? I am wondering if there are vulnerabilities in these partitions that would let malware or viruses migrate to them in order to hibernate until after the clean install? I just would like to learn more about this and whether you think I am being overly paranoid. Also, do you know where I would track down all the firmware and driver files this Huawei USB modem would install? It seems incredibly difficult to track down, which makes me worry more.

    • Al says:

      If you haven’t asked these questions on the Apple Support Community forum yet, give that a try: https://discussions.apple.com/. Thomas and several others can probably give you the help you need more easily there, plus I don’t really see how your issues relate to either NetWeird or XProtect.

  • Darren Kehrer says:

    I’m assuming the SL version got a bump too? I’m soon to be in Mavericks land, however, but it’s nice to know SL is still getting this.

    • Thomas says:

      Comparing the current version of XProtect to the one from Feb. 13, it looks like 6 new items were added during that time: NetWeird (2 different variants), GetShell, LaoShu, CoinThief and a new variant of FileSteal. So it does appear that Snow Leopard is still getting these XProtect updates… and they are still Snow Leopard-specific. There are differences between the Snow Leopard definitions and those for later systems, as some malware isn’t capable of running on either Snow Leopard (and earlier systems) or on all later systems.
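The comparison Thomas describes in the comment above, as an added example that is not code from the original post: a POSIX shell script that lists the signature names present in a newer copy of XProtect.plist but absent from an older one. The two plists embedded here are constructed samples that mimic only the Description entries of the real file; the file path and the signature names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: compare two copies of the XProtect
# definition list and print the signature names that were added. The plists below
# are constructed samples that mimic only the Description entries of the real file;
# on a Mavericks-era Mac the real file is at (assumed path)
# /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist
LC_ALL=C; export LC_ALL
# Constructed "older" definitions (signature names are placeholders).
OLD_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array>
  <dict><key>Description</key>
    <string>OSX.Sample.Old.A</string></dict>
  <dict><key>Description</key>
    <string>OSX.Sample.Old.B</string></dict>
</array></plist>'

# Constructed "newer" definitions: the two old entries plus two new ones.
NEW_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array>
  <dict><key>Description</key>
    <string>OSX.Sample.Old.A</string></dict>
  <dict><key>Description</key>
    <string>OSX.Sample.NetWeird.A</string></dict>
  <dict><key>Description</key>
    <string>OSX.Sample.Old.B</string></dict>
  <dict><key>Description</key>
    <string>OSX.Sample.NetWeird.B</string></dict>
</array></plist>'

# Read a plist on stdin and print each Description string (one signature name
# per line), sorted and de-duplicated. Expects the <string> on the line after the key.
signature_names() {
  awk '/<key>Description<\/key>/ {
         getline
         if (match($0, /<string>[^<]*<\/string>/))
           print substr($0, RSTART + 8, RLENGTH - 17)
       }' | sort -u
}

# Print names present in the newer plist ($2) but absent from the older one ($1).
added_signatures() {
  old_tmp=$(mktemp) && new_tmp=$(mktemp) || return 1
  printf '%s\n' "$1" | signature_names > "$old_tmp"
  printf '%s\n' "$2" | signature_names > "$new_tmp"
  comm -13 "$old_tmp" "$new_tmp"
  rm -f "$old_tmp" "$new_tmp"
}
added_signatures "$OLD_PLIST" "$NEW_PLIST"
```

To run it against real definitions, save a copy of XProtect.plist before and after an update and pass the two files' contents as the arguments.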
