
Apple finally adds Icefog to XProtect

Published October 9th, 2013 at 3:28 PM EDT , modified October 9th, 2013 at 3:28 PM EDT

This morning at 7:52 AM EST, my computer downloaded an XProtect update. I’m told, by security researcher Ivan Sorokin, that this update adds Icefog to the XProtect definitions. And it must, since that’s the only Mac malware that has appeared in the last couple weeks. It’s not easy to tell, though, since Apple chose to call it something different than everyone else.

This update, coming two weeks after the initial Icefog announcement by Kaspersky, refers to the malware as OSX.Prxl.2. Why Prxl? I imagine it must have something to do with some string found in the code somewhere, but it’s odd that Apple chose a name different from all other security companies. This is the first time this has happened (unless you count a couple of different adware trojans, lumped together under the name “AdPlugin”).

To date, most security companies are calling this malware something involving the name “Icefog,” such as Backdoor.OSX.Icefog.a or OSX/Icefog-A. ESET has broken from the pack with the name OSX/Fucobha.A, as has Symantec by calling it OSX.Hormesu. None of these bear any resemblance to the name “Prxl,” however.

Further puzzling, as Ivan Sorokin points out, is the “2” used in Apple’s name for Icefog. Such a number is typically used to indicate that this is the second distinct variant of a piece of malware, but we’re still on the first variant of Icefog on the Mac, and Apple doesn’t have a “1” variant anyway. In addition, this would seem to break with Apple’s previous variant naming strategy, which uses lowercase Roman numerals (e.g., OSX.SMSSend.i and OSX.SMSSend.ii).

In any case, regardless of the confusing naming, this update does appear to address the issue. Testing with a malicious Icefog installer reveals that it is now blocked from opening, alerting the user that the file is malware. It’s too bad that it took two weeks for this to happen, though.
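Because the definition name is the only thing that ties an XProtect update to a published threat, the practical check is to read the definition file yourself. The following Python script is an added example, not code from the original post or from Apple: it parses XProtect.plist and XProtect.meta.plist, lists the names Apple gave each definition, and reports whether a vendor name (the Icefog, Fucobha and Hormesu names quoted above) maps to an entry that is actually present. The file paths are those used on OS X 10.8 and are an assumption for other releases; the two embedded plists are constructed samples in the 2013 layout (a top-level array of dicts keyed Description, LaunchServices and Matches), with placeholder hex patterns rather than Apple’s signature bytes.

```python
"""List XProtect definitions and check whether a given threat name is covered.

Added example, not from the original post or from Apple. The embedded plists
are constructed samples; their "Pattern" values are placeholders.
"""
import plistlib
import sys

# Default locations on OS X 10.8 (assumption: later releases may differ).
XPROTECT_DIR = "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources"
XPROTECT_PLIST = XPROTECT_DIR + "/XProtect.plist"
XPROTECT_META = XPROTECT_DIR + "/XProtect.meta.plist"

# Vendor names for the sample Apple calls OSX.Prxl.2, as listed in the post.
ALIASES = {
    "OSX.Prxl.2": ["Backdoor.OSX.Icefog.a", "OSX/Icefog-A", "OSX/Fucobha.A", "OSX.Hormesu"],
}

# Constructed sample definition file: two entries in the 2013 XProtect.plist layout.
SAMPLE_XPROTECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>OSX.SMSSend.ii</string>
    <key>LaunchServices</key>
    <dict><key>LSItemContentType</key><string>com.apple.application-bundle</string></dict>
    <key>Matches</key>
    <array><dict>
      <key>MatchFile</key><dict><key>NSURLNameKey</key><string>Contents/MacOS/placeholder</string></dict>
      <key>MatchType</key><string>Match</string>
      <key>Pattern</key><string>00112233</string>
    </dict></array>
  </dict>
  <dict>
    <key>Description</key><string>OSX.Prxl.2</string>
    <key>LaunchServices</key>
    <dict><key>LSItemContentType</key><string>com.apple.application-bundle</string></dict>
    <key>Matches</key>
    <array><dict>
      <key>MatchFile</key><dict><key>NSURLTypeIdentifierKey</key><string>public.unix-executable</string></dict>
      <key>MatchType</key><string>Match</string>
      <key>Pattern</key><string>44556677</string>
    </dict></array>
  </dict>
</array>
</plist>
"""

# Constructed sample meta file; version number and date are placeholders.
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>LastModification</key><string>Wed, 09 Oct 2013 00:00:00 GMT</string>
  <key>Version</key><integer>1040</integer>
</dict>
</plist>
"""


def load_definitions(data):
    """Return the list of definition dicts from XProtect.plist bytes."""
    defs = plistlib.loads(data)
    if not isinstance(defs, list):
        raise ValueError("XProtect.plist should be a top-level array of definitions")
    return defs


def definition_names(data):
    """Names Apple gave each signature (the "Description" key), in file order."""
    return [d.get("Description", "<unnamed>") for d in load_definitions(data)]


def canonical_name(name):
    """Map a vendor name (e.g. OSX/Icefog-A) to Apple's name when the alias is known."""
    for apple_name, vendor_names in ALIASES.items():
        if name == apple_name or name in vendor_names:
            return apple_name
    return name


def is_covered(data, name):
    """True if the definition file contains `name` or the Apple name it aliases."""
    return canonical_name(name) in definition_names(data)


def summarize(defn):
    """The fields worth eyeballing: name, targeted content type, match rules."""
    matches = defn.get("Matches", [])
    return {
        "name": defn.get("Description"),
        "content_type": defn.get("LaunchServices", {}).get("LSItemContentType"),
        "match_count": len(matches),
        "match_types": sorted({m.get("MatchType", "?") for m in matches}),
    }


def meta_info(data):
    """Version number and modification stamp from XProtect.meta.plist."""
    meta = plistlib.loads(data)
    return {"Version": meta.get("Version"), "LastModification": meta.get("LastModification")}


def main(argv):
    # No arguments: read the live files; otherwise parse the two paths given.
    plist_path = argv[1] if len(argv) > 1 else XPROTECT_PLIST
    meta_path = argv[2] if len(argv) > 2 else XPROTECT_META
    try:
        with open(plist_path, "rb") as f:
            defs = f.read()
        with open(meta_path, "rb") as f:
            meta = f.read()
    except OSError as e:
        print("cannot read XProtect files:", e, file=sys.stderr)
        return 1
    info = meta_info(meta)
    print("XProtect version", info["Version"], "modified", info["LastModification"])
    for d in load_definitions(defs):
        print(summarize(d))
    for vendor in ALIASES["OSX.Prxl.2"]:
        print(vendor, "->", "covered" if is_covered(defs, vendor) else "not covered")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments on a Mountain Lion system to read the live files, or pass the two plist paths copied from another machine. The alias table is what makes the check useful: the meta plist’s version number tells you an update arrived, but only the Description strings in XProtect.plist tell you what it added, and those are the names Apple chose, not the ones the vendor reports use.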


20 Comments

  • Jay says:

    I expect the staff that handles these updates are not malware experts like the people you’d find working for an actual AV company. Maybe some knowledge of YARA to get the right signature, but I don’t expect much more.

    In the GM of Mavericks XProtect has not been updated yet (last on October 4) and none of the utilities/scripts I have work, as they can’t find the file or make sense of the file they do find. It’s in the exact same location and the same type, so not sure what the problem is.

  • Jay says:

    Also, the updater usually located in usr/libexec/XProtectUpdater is no longer there. Be interesting to see where they moved it to or if it has been renamed. The plist shows it was updated on October 4th so the updater must be hiding somewhere.

  • Jay says:

    I grabbed the XProtectUpdater from another Mac and ran it. It tells me “XProtectUpdater[1429:507] Unable to write new signature meta plist”. The file is there and the folder/files have the same read/write permissions as it did in 10.8. I wonder if this means that anyone running the GM or previous versions are not protected from malware like IceFog. Guess we’ll see and compare once it’s officially out to the public but something to keep an eye on. Sorry for going off topic.

    • Al says:

      > I wonder if this means that anyone running the GM or previous versions are not protected from malware like IceFog.

      No, they are protected to the same level as Mountain Lion users at the present time.

  • Al says:

    Note that Prxl / Icefog was _not_ added to the OS X 10.6 (Snow Leopard) version of this XProtect update.

  • Paulo says:

    *Offtopic*: Ok, this is kind of worrying… Creating undetected malware for OS X: http://cerbero-blog.com/?p=1311

    • Thomas says:

      I will probably write something about that in the next few days, when I get time. Any time the bad guys get a new trick, that’s bad, but in this case it’s not nearly as bad as it sounds. This is bad for anti-virus software, but doesn’t change the difficulty of getting around Gatekeeper in recent versions of Mac OS X.

  • Darren K says:

    why would Apple leave it out of 10.6?

    • Thomas says:

      That’s an excellent question… I have no idea.

    • Sid Cannon says:

      Because they are only interested in making money, and if your OS isn’t relatively new, they want you to buy a new OS, or more to the point, if your Mac can’t support the latest OSes, they want you to unnecessarily fork out a small fortune on new hardware.

      • Thomas says:

        They’ve been continuing to provide support for Snow Leopard for quite some time, which they certainly didn’t have to do. People have been expecting support for 10.6 to be dropped for at least a year, and have continued to have those expectations shattered by security updates released for 10.6. If support is finally being dropped now, it would not be surprising, given the imminent release of 10.9. They can’t continue to support an obsolete product forever.

        • Sid Cannon says:

          Snow Leopard has only been out just over 4 years. If Apple are to drop support for it soon, then that doesn’t look good to me for the lifespan of an OS. Not everybody wants to upgrade their OS every year or so, and for those with hardware that cannot run a newer OS, the problem is bigger still.

          I’ve gone from Snow Leopard to Lion and then to Mountain Lion, and I’m happy with Mountain Lion and sticking with it. Does that mean in 3 years it will be obsolete?

          • Thomas says:

            Keeping your system up-to-date is an extremely important part of keeping your computer secure. If you choose to stick with an older system, sooner or later it will become a security issue. Nobody can afford to keep a legacy system secure indefinitely.

          • Al says:

            I believe that’s the longest that any version of OS X has received continuous support and the first time that Apple has provided support for three major versions: http://en.wikipedia.org/wiki/OS_X#Versions . Snow Leopard had lots of faithful users and Lion never really caught on. I’m not sure they will ever be that generous again.

  • Al says:

    I asked Apple Product Security, but have received no response.

  • Darren Kehrer says:

    Is it possible that it has been added by now? I’m still on SL and will probably upgrade to Mav after at least one minor update (to work out those immediate bugs). I think it will go a long way now that it’s free.

    • Thomas says:

      Actually, it turns out that Icefog is incompatible with Snow Leopard, so Apple didn’t add it to the Snow Leopard definitions. So, even though Icefog is missing there, Snow Leopard is still safe from the possibility of an Icefog infection.
