Missing malware added to XProtect

Published March 14th, 2014 at 9:47 AM EDT , modified March 14th, 2014 at 9:47 AM EDT

Last week, I wrote about a number of malware samples I had discovered that were not detected by XProtect. Immediately after posting that article, I submitted those samples to Apple. Yesterday, they were finally added to XProtect, when XProtect was updated to version 2046. This, and other developments over the past week, are both encouraging and upsetting, for a variety of reasons.

First, although I gave Apple a pretty hard time in my article last week, this isn’t bad turnaround time for the stack of samples I sent them. Although I’d obviously like to see the signatures added even faster, I do realize that Apple’s product security team is busy and that I dropped a lot on them with very little warning.

In addition, I now feel that Apple’s product security team is listening and responding. After pestering them about it, I was told that the older CoinThief sample I had sent was not being added because it wasn’t being seen in the wild and didn’t work with current Bitcoin wallets. I pointed out to them that, now that the newer variants were blocked by XProtect, there would be value for the hackers in going back to the older codebase that was not detected, so pre-emptively blocking the older variant would be beneficial.

Lo and behold, the XProtect update includes a signature for this older variant! Did they listen to, and act on, my advice? Or did they simply have an internal discussion on this and come to this conclusion on their own? I don’t know. It certainly feels like I may have been listened to, but even if not, at least we know that Apple’s product security team is thinking about these issues and is willing to re-evaluate decisions. Sometimes it’s hard to know what’s going on inside this infamously silent company, and this provides an encouraging glimpse behind the walls.

On the other hand, I’m still as disturbed as I was last week, but now in a very different way. Apple has shown more responsiveness to this than I had expected, which raises the question: why weren’t these items detected in the first place? Could it possibly be because most of them hadn’t actually been seen by Apple’s product security team before?

I have been submitting malware samples to Apple for some time now. Generally, I do this as soon as I get my hands on a sample, which is usually on the same day as the announcement (by a security company) of some new malware. XProtect is usually updated shortly thereafter. I’ve always assumed that I was merely one trickle in a flood of other submissions, but submitted anyway just in case. But now the possibility occurs to me: what if I’m one of the only ones submitting?

This is a bit frightening, but in hindsight, it makes sense. If I were in charge of a company making anti-virus software, would I be excited about submitting new samples to Apple? Not really. That would undercut my product, and thus my business, by reducing the need for anti-virus software. I’m not one of those notorious Apple fans who believes that all anti-virus companies are in the business of scamming Mac users, but even so, perhaps expecting them to help Apple build a more secure system is a bit unrealistic.

As far as independent security experts go, most of them don’t spend much thought on Mac issues. Those who do focus on the Mac, such as Rich Mogull, have a broader focus, and don’t spend much time investigating and collecting malware. Outside anti-virus firms, there are probably very few other people who are doing what I do.

Apple’s product security team should be able to find these new samples the same way that I do: by paying close attention to the announcements of security companies and searching sites like VirusTotal to find the samples; by establishing contacts in the security industry who are willing to send you interesting new pieces of malware; and by paying close attention to user reports in forums like the Apple Support Communities, among other things.

In all honesty, I should have fewer resources and contacts than Apple’s product security team, so they should be more capable than I of doing these things. The only resource I may have more of than they do is time. As a stay-at-home dad, I’ve got more time to spend on this than most people in the tech industry are likely to have. It does take a fairly significant time investment to do what I do, but in my opinion, that would be well worth the cost of a new hire at Apple, just to track down new samples. (Hint: if anyone at Apple is reading this and thinks that’s a good idea, I’ve got a résumé to send you!)
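Two checks a Mac administrator would want after reading this are whether a machine’s XProtect definitions are at least the version that carries a given signature (2046 here), and how many signature entries versus distinct malware families the definition list actually holds, the distinction the comment thread below turns on. The script that follows is an added example, not code from the original post. It assumes the 2014-era layout of the definitions: an XProtect.meta.plist carrying an integer Version, and an XProtect.plist that is an array of signature dictionaries, each with a Description such as OSX.CoinThief.A and hex byte Patterns, both living under /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/. The plist fragments embedded here are constructed to mimic that layout; apart from the three CoinThief names, the signature names and every byte pattern are made up for the demo.

```python
"""Inspect XProtect definitions: version check plus a signature/family inventory.

Added example, not from the original post.  Assumptions (not stated on the
page): OS X of the 2014 era keeps its definitions in two property lists,
XProtect.meta.plist (integer "Version") and XProtect.plist (array of signature
dicts with "Description" and hex "Pattern" entries), both under
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/.
The fragments below are constructed to mimic that layout, not copied from Apple.
"""
import plistlib
import re
from collections import defaultdict

PLIST_HEADER = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
                b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
                b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n')

# Constructed XProtect.meta.plist; 2046 is the update the post mentions.
META_PLIST = PLIST_HEADER + b"""<plist version="1.0"><dict>
  <key>Version</key><integer>2046</integer>
</dict></plist>"""

# Constructed XProtect.plist.  Only the CoinThief A/B/C names appear on the
# page; the other two entries and all byte patterns are invented for the demo
# (the patterns are just ASCII tags such as "COINTHIEF" written as hex).
SIG_PLIST = PLIST_HEADER + b"""<plist version="1.0"><array>
  <dict><key>Description</key><string>OSX.CoinThief.A</string>
        <key>Matches</key><array><dict><key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>434F494E5448494546</string></dict></array></dict>
  <dict><key>Description</key><string>OSX.CoinThief.B</string>
        <key>Matches</key><array><dict><key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>57414C4C4554</string></dict></array></dict>
  <dict><key>Description</key><string>OSX.CoinThief.C</string>
        <key>Matches</key><array><dict><key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>4254435354</string></dict></array></dict>
  <dict><key>Description</key><string>OSX.Flashback.A</string>
        <key>Matches</key><array><dict><key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>464C415348</string></dict></array></dict>
  <dict><key>Description</key><string>OSX.MacDefender.A</string>
        <key>Matches</key><array><dict><key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>4D4143444546</string></dict></array></dict>
</array></plist>"""


def load_version(meta_bytes: bytes) -> int:
    """Return the integer definition version from XProtect.meta.plist."""
    return int(plistlib.loads(meta_bytes)["Version"])


def definitions_current(meta_bytes: bytes, required: int) -> bool:
    """True if the installed definitions are at least `required` (e.g. 2046)."""
    return load_version(meta_bytes) >= required


# "OSX.<Family>.<Variant>" or "OSX.<Family>"; the variant suffix is optional.
FAMILY_RE = re.compile(r"^OSX\.([^.]+)(?:\.[A-Z]+)?$")


def family_of(description: str) -> str:
    """Collapse OSX.CoinThief.A / .B / .C to the family name CoinThief."""
    m = FAMILY_RE.match(description)
    return m.group(1) if m else description


def inventory(sig_bytes: bytes) -> dict:
    """Group signature names by family: entries counted vs. families covered."""
    groups = defaultdict(list)
    for sig in plistlib.loads(sig_bytes):
        groups[family_of(sig["Description"])].append(sig["Description"])
    return dict(groups)


def matching_signatures(sig_bytes: bytes, sample: bytes) -> list:
    """Simplified byte-pattern check against a file's contents.

    Real XProtect also gates on the file's type and quarantine state, so this
    only approximates whether the definitions would flag a download.
    """
    hits = []
    for sig in plistlib.loads(sig_bytes):
        for m in sig.get("Matches", []):
            if m.get("MatchType") == "Match" and bytes.fromhex(m["Pattern"]) in sample:
                hits.append(sig["Description"])
                break
    return hits


if __name__ == "__main__":
    print("XProtect definitions version:", load_version(META_PLIST))
    print("Carries the 2046 update:", definitions_current(META_PLIST, 2046))
    inv = inventory(SIG_PLIST)
    print(f"{sum(len(v) for v in inv.values())} signatures in {len(inv)} families")
    for family, names in sorted(inv.items()):
        print(f"  {family}: {', '.join(names)}")
    # Constructed sample containing the demo CoinThief.A tag.
    print("Hits:", matching_signatures(SIG_PLIST, b"\x00COINTHIEF\x00"))
```

On a real Mac of that era you would replace the two constructed byte strings with the contents of the files read from the Resources directory named above (opened in binary mode); the parsing and grouping logic is unchanged. The family grouping is what separates "how many items" from "how many families", which is why a raw signature count says little on its own.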

16 Comments

  • Chris says:

    Please fighting the good fight, Thomas! Many thanks!

  • Chris says:

    Please keep fighting the good fight, Thomas! Many thanks!

  • Mike says:

    Just discovered this great website. It’s a wealth of information not available anywhere else – well done.

  • Al says:

    I’ve submitted a couple, but it’s rare that I’m able to locate a sample before you since VirusTotal won’t give me access.

  • Darren Kehrer says:

    What is the current version of XProtect for Lion and SL?

  • Bob says:

    You say ‘submitted to apple after posting the article’. Wouldn’t responsible disclosure be to do that in the reverse order?

    • Thomas says:

      Since writing this article and submitting the malware to Apple both happened within about an hour’s time, I don’t see how that would make a significant difference.

      Besides which, we’re not talking about a vulnerability here… I’m sure the authors of the malware in question already knew their malware wasn’t detected, so I wasn’t giving them information they didn’t already have. On the other hand, waiting for Apple to respond before publishing (as is responsible disclosure when it comes to vulnerabilities) alerted users to an issue they were not aware of, allowing them to exercise increased caution.

  • bentkitty100 says:

    Excellent article, Thomas, and Apple should be paying you for your submissions and help in general – I’m guessing your involvement on the ASC has kept tons of people using Apple products 😉

  • Maxim says:

    Yeah, Apple is just wasting money on the XProtect team… Thomas alone can make it better; just hire him 🙂

    Thomas, by the way, how many viruses can XProtect detect?

    • Thomas says:

      It detects 37 different items, but some of those are different variants of the same thing. (For example, three of those signatures are OSX.CoinThief.A, OSX.CoinThief.B and OSX.CoinThief.C.) There are 24 different malware families represented.

      • Maxim says:

        Just 37? I mean that you did a test of anti-virus software (http://www.thesafemac.com/mac-anti-virus-testing-2014/). So the best one is VirusBarrier with 187 samples detected. How many of those samples can XProtect detect?

        • Thomas says:

          Those are unrelated numbers. In that testing, 188 samples were used, but they represented 39 different malware families. XProtect contains definitions for 24 malware families at this time.

          Further, it’s not appropriate to try to compare XProtect with other anti-virus software, as it does not contain any definitions for malware that is no longer able to infect the OS in question, while anti-virus software does. Some of the items I used in my testing were things you couldn’t infect a modern Mac with if you tried.

        • Al says:

          I think an additional point needs to be made here. XProtect is only looking for malware when it first arrives on your hard drive. That generally means an installer or downloader, and the object is to stop it before it has any chance of affecting your computer. In the Sophos example that you give, most of those samples are the result of an installation that has already taken place. XProtect can’t help with that, although Gatekeeper can still prevent unsigned executables from opening unless you override it. And the Apple Malware Removal Tool will eliminate the “most common malware” that managed to get installed, and runs with each Security or Java SE 6 update that you run. Unfortunately we don’t know what that common malware consists of. I know that it looks for fragments of MacProtector and Flashback from testing, but I’m not sure what else it can do.