Mac Defender variant sidesteps Apple’s security patch

A new variant of Mac Defender has been spotted in the wild. The latest iteration of the malware is apparently capable of neatly sidestepping a recently released OS X security update targeting the original Defender.

According to ZDNet’s Ed Bott, Mdinstall.pkg was “specifically” formulated to bypass Apple’s malware-blocking code.

“The file has a date and time stamp from last night at 9:24PM Pacific time. That’s less than 8 hours after Apple’s security update was released,” he explained.

“On a test system using Safari with default settings, it behaved exactly as before, beginning the installation process with no password required. This cat-and-mouse game can [obviously] go on indefinitely. Your move, Apple.”

Indeed, just yesterday, Cupertino pushed out security update 2011-003 to address the recent increase in malware plaguing Mac OS X.

2011-003 bolsters XProtect, the malware-detection component built into OS X, which recognizes a number of malware/scareware variants, including MacDefender, Mac Guard and Mac Security.

Upon installation, the update searches for and removes existing infections of known malware. XProtect also checks for updates to its list on a daily basis.

However, as Chester Wisniewski of Sophos Security correctly notes, while daily updates are a good start, it remains to be seen how frequently cyber criminals release new variants.

“If they start moving in a polymorphic direction similar to the one the Windows malware writers have gone, XProtect will [definitely] have issues…”

As it clearly does, only 8 hours later.
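To make the point the quoted remarks turn on concrete, here is an added Python example. It is not from the article, it is not Apple's XProtect code, and it is not modelled on XProtect's real signature format; it shows, in miniature, why a blocklist of whole-file hashes that is refreshed daily misses a variant rebuilt a few hours later, while a rule keyed on stable traits of the same installer still matches. All package bytes, identifiers and signature names are constructed.

```python
import hashlib
from typing import Dict, List, Optional

# Constructed stand-in for a scareware installer package. These are not real malware
# bytes; they only carry the kind of stable traits a detection rule could key on.
ORIGINAL_PKG = (
    b"PKG\x00pkgid=com.example.macdefender\x00"
    b"payload=MacDefender.app\x00build=20110531\x00"
)

# A trivially rebuilt variant: same identifier and payload, only the build string changed.
VARIANT_PKG = ORIGINAL_PKG.replace(b"build=20110531", b"build=20110601")

# An unrelated, benign package that should match nothing.
BENIGN_PKG = b"PKG\x00pkgid=com.example.texteditor\x00payload=Editor.app\x00"


def sha256(data: bytes) -> str:
    """Whole-file digest used as the lookup key for the hash blocklist."""
    return hashlib.sha256(data).hexdigest()


# Hash blocklist: one digest per known sample, as published in a daily list update.
# Hypothetical signature names; they are not XProtect identifiers.
HASH_SIGNATURES: Dict[str, str] = {sha256(ORIGINAL_PKG): "OSX.MacDefender.A"}

# Content rules: every listed byte string must appear in the file. This models a
# signature keyed on traits that survive a trivial rebuild (bundle id, payload name).
CONTENT_RULES: Dict[str, List[bytes]] = {
    "OSX.MacDefender": [b"pkgid=com.example.macdefender", b"payload=MacDefender.app"],
}


def match_by_hash(data: bytes) -> Optional[str]:
    """Return the signature name if the exact file is on the hash blocklist."""
    return HASH_SIGNATURES.get(sha256(data))


def match_by_content(data: bytes) -> List[str]:
    """Return every content rule whose required byte strings all occur in the file."""
    return [name for name, needles in CONTENT_RULES.items()
            if all(needle in data for needle in needles)]


def detect(data: bytes) -> Dict[str, object]:
    """Run both detection strategies and report what each one saw."""
    return {"hash": match_by_hash(data), "content": match_by_content(data)}


if __name__ == "__main__":
    for label, pkg in (("original", ORIGINAL_PKG),
                       ("variant", VARIANT_PKG),
                       ("benign", BENIGN_PKG)):
        print(label, detect(pkg))
```

The original sample is caught by both strategies; the variant, one byte-run different, is invisible to the hash list until the next daily refresh but still trips the content rule; the benign package matches neither. Content rules of this kind survive repacking, not genuine polymorphism, which is why the remark about Windows-style polymorphic variants matters for a signature-driven tool.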