Apple finally adds Icefog to XProtect
Published October 9th, 2013 at 3:28 PM EDT , modified October 9th, 2013 at 3:28 PM EDT
This morning at 7:52 AM EST, my computer downloaded an XProtect update. I’m told, by security researcher Ivan Sorokin, that this update adds Icefog to the XProtect definitions. And it must, since that’s the only Mac malware that has appeared in the last couple of weeks. It’s not easy to tell, though, since Apple chose to call it something different from what everyone else calls it.
This update, coming two weeks after the initial Icefog announcement by Kaspersky, refers to the malware as OSX.Prxl.2. Why Prxl? I imagine it must have something to do with some string found in the code somewhere, but it’s odd that Apple chose a name different from that used by every other security company. This is the first time that has happened (unless you count a couple of different adware trojans, lumped together under the name “AdPlugin”).
To date, most security companies are calling this malware something involving the name “Icefog,” such as Backdoor.OSX.Icefog.a or OSX/Icefog-A. ESET has broken from the pack with the name OSX/Fucobha.A, as has Symantec by calling it OSX.Hormesu. None of these bear any resemblance to the name “Prxl,” however.
Further puzzling, as Ivan Sorokin points out, is the “2” used in Apple’s name for Icefog. Such a number is typically used to indicate that this is the second distinct variant of a piece of malware, but we’re still on the first variant of Icefog on the Mac, and Apple doesn’t have a “1” variant anyway. In addition, this would seem to break with Apple’s previous variant naming strategy, which uses lowercase Roman numerals (e.g., OSX.SMSSend.i and OSX.SMSSend.ii).
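If you want to see for yourself what Apple calls a given piece of malware, the names are readable straight out of the XProtect definition file on the machine. The shell script below is an added example, not code from the original post: it pulls every definition name (the `Description` key of each entry) out of an XProtect.plist, checks for one name, and reads the definition version from the companion XProtect.meta.plist. The two plist files it writes are constructed stand-ins that copy the layout of Apple’s files (the entry names are the ones mentioned in this post; the match pattern and the version number are placeholders), and the default path is the location of the real file on OS X 10.8 and 10.9.

```shell
#!/bin/sh
# Added example (not from the original post). Reads definition names from an
# XProtect.plist and the version from XProtect.meta.plist.
# On OS X 10.8/10.9 the real files live here (assumed for this example):
XPROTECT_DIR=/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources
XPROTECT_PLIST="$XPROTECT_DIR/XProtect.plist"
XPROTECT_META="$XPROTECT_DIR/XProtect.meta.plist"

# Print each definition name, one per line. XProtect.plist is an array of
# dicts; the <string> following each <key>Description</key> is the name.
xprotect_names() {
    awk '/<key>Description<\/key>/ { want = 1; next }
         want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; want = 0 }' "$1"
}

# Exit 0 if the exact definition name $2 is present in plist $1, else 1.
xprotect_has() {
    xprotect_names "$1" | grep -Fxq "$2"
}

# Print the integer after <key>Version</key> in an XProtect.meta.plist.
xprotect_version() {
    awk '/<key>Version<\/key>/ { want = 1; next }
         want && /<integer>/ { sub(/.*<integer>/, ""); sub(/<\/integer>.*/, ""); print; want = 0 }' "$1"
}

# Constructed sample definitions (NOT Apple's real file): same layout, but the
# Pattern value is a placeholder rather than a real signature.
write_sample_plist() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key>
    <string>OSX.SMSSend.i</string>
    <key>LaunchServices</key>
    <dict>
      <key>LSItemContentType</key>
      <string>com.apple.application-bundle</string>
    </dict>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchType</key>
        <string>Match</string>
        <key>Pattern</key>
        <string>PLACEHOLDER</string>
      </dict>
    </array>
  </dict>
  <dict>
    <key>Description</key>
    <string>OSX.SMSSend.ii</string>
  </dict>
  <dict>
    <key>Description</key>
    <string>OSX.Prxl.2</string>
  </dict>
</array>
</plist>
EOF
}

# Constructed sample metadata (NOT Apple's real file); values are placeholders.
write_sample_meta() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>LastModification</key>
  <string>Mon, 01 Jan 2001 00:00:00 GMT</string>
  <key>Version</key>
  <integer>1000</integer>
</dict>
</plist>
EOF
}

# Use the real files if present, otherwise the constructed samples.
if [ -r "$XPROTECT_PLIST" ] && [ -r "$XPROTECT_META" ]; then
    plist=$XPROTECT_PLIST; meta=$XPROTECT_META
else
    plist=$(mktemp); meta=$(mktemp)
    write_sample_plist "$plist"; write_sample_meta "$meta"
fi

echo "XProtect definitions version: $(xprotect_version "$meta")"
echo "Definition names:"; xprotect_names "$plist"
for name in OSX.Prxl.2 OSX.Icefog.a; do
    if xprotect_has "$plist" "$name"; then echo "$name: present"; else echo "$name: absent"; fi
done
[ "$plist" = "$XPROTECT_PLIST" ] || rm -f "$plist" "$meta"
```

Run it on a 2013-era Mac and the name list is what Apple's scanner actually keys on; on any other system it falls back to the constructed samples so the parsing logic can still be exercised.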
In any case, regardless of the confusing naming, this update does appear to address the issue. Testing with a malicious Icefog installer reveals that it is now blocked from opening, alerting the user that the file is malware. It’s too bad that it took two weeks for this to happen, though.