Missing malware added to XProtect
Published March 14th, 2014 at 9:47 AM EDT , modified March 14th, 2014 at 9:47 AM EDT
Last week, I wrote about a number of malware samples I had discovered that were not detected by XProtect. Immediately after posting that article, I submitted those samples to Apple. Yesterday, they were finally added to XProtect, when XProtect was updated to version 2046. This, and other developments over the past week, are both encouraging and upsetting, for a variety of reasons.
First, although I gave Apple a pretty hard time in my article last week, this isn’t bad turnaround time for the stack of samples I sent them. Although I’d obviously like to see the signatures added even faster, I do realize that Apple’s product security team is busy and that I dropped a lot on them with very little warning.
In addition, I now feel that Apple’s product security team is definitely listening and responding. After pestering them about it, I was told that the older CoinThief sample I had sent was not being added because it wasn’t being seen in the wild and didn’t work with current Bitcoin wallets. I pointed out to them that, now that the newer variants were blocked by XProtect, there would be value for the hackers in going back to the older codebase that was not detected, so pre-emptively blocking the older variant would be beneficial.
Lo and behold, the XProtect update includes a signature for this older variant! Did they listen to, and act on, my advice? Or did they simply have an internal discussion on this and come to this conclusion on their own? I don’t know. It certainly feels like I may have been listened to, but even if not, at least we know that Apple’s product security team is thinking about these issues and is willing to re-evaluate decisions. Sometimes it’s hard to know what’s going on inside this infamously silent company, and this provides an encouraging glimpse behind the walls.
On the other hand, I’m still as disturbed as I was last week, but now in a very different way. Apple has shown more responsiveness to this than I had expected, which raises the question: why weren’t these items detected in the first place? Could it possibly be because most of them hadn’t actually been seen by Apple’s product security team before?
I have been submitting malware samples to Apple for some time now. Generally, I do this as soon as I get my hands on a sample, which is usually on the same day as the announcement (by a security company) of some new malware. XProtect is usually updated shortly thereafter. I’ve always assumed that I was merely one trickle in a flood of other submissions, but submitted anyway just in case. But now the possibility occurs to me: what if I’m one of the only ones submitting?
This is a bit frightening, but in hindsight, it makes sense. If I were in charge of a company making anti-virus software, would I be excited about submitting new samples to Apple? Not really. That would undercut my product, and thus my business, by reducing the need for anti-virus software. I’m not one of those notorious Apple fans who believes that all anti-virus companies are in the business of scamming Mac users, but even so, perhaps expecting them to help Apple build a more secure system is a bit unrealistic.
As far as independent security experts go, most of them don’t spend much thought on Mac issues. Those who do focus on the Mac, such as Rich Mogull, have a broader focus, and don’t spend much time investigating and collecting malware. Outside anti-virus firms, there are probably very few other people who are doing what I do.
Apple’s product security team should be able to find these new samples the same way that I do: by paying close attention to the announcements of security companies and searching sites like VirusTotal to find the samples. And by establishing contacts in the security industry who are willing to send you interesting new pieces of malware. And by paying close attention to user reports in forums like the Apple Support Communities. Among other things.
In all honesty, I should have fewer resources and contacts than Apple’s product security team, so they should be more capable than I of doing these things. The only resource I may have more of than they do is time. As a stay-at-home dad, I’ve got more time to spend on this than most people in the tech industry are likely to have. It does take a fairly significant time investment to do what I do, but in my opinion, that would be well worth the cost of a new hire at Apple, just to track down new samples. (Hint: if anyone at Apple is reading this and thinks that’s a good idea, I’ve got a résumé to send you!)