Apple sneaks anti-malware update into Snow Leopard

Gregg Keizer
21 June, 2010
View more articles fromthe author

Ten months after it debuted rudimentary malware scanning in Snow Leopard, Apple quietly added a signature for a third piece of malware, security researchers have discovered.

According to UK-based antivirus vendor Sophos and US Mac security company Intego, Mac OS X 10.6.4, which Apple released last week, includes an update to XProtect.

Dubbed that because the malware signatures are contained within Snow Leopard’s “XProtect.plist” file, the feature debuted in August 2009 with the launch of Mac OS X 10.6. At the time, Apple included detection for only two pieces of malware, Trojan horses named “RSPlug.a” and “Iservice” by Symantec.

The 10.6.4 update added a scanning signature for another Trojan, which Symantec has labeled as “HellRTS”.

According to Sophos, which calls the same Trojan “OSX/Pinhead-B”, and like Symantec has had protection in place since April, hackers have disguised the threat as iPhoto, the photo management software that ships with new Macs. The masquerade is meant to dupe users into installing the backdoor malware.

Apple did not note the change to XProtect’s signature list in the release notes for Mac OS X 10.6.4, a fact that Sophos’ Graham Cluley found curious.

“You have to wonder whether they’re keeping quiet about an anti-malware security update like this … for marketing reasons,” speculated Cluley, a Sophos senior technology consultant, in a post to a company blog. “Shh! Don’t tell folks that we have to protect against malware on Mac OS X!”

Not surprisingly, both Sophos and Intego — each sells Mac security software — dismissed the update.

“Although I welcome Apple doing something to reduce the malware problem on Mac OS X, I don’t consider it a replacement for real anti-virus software,” Cluley asserted.

“So Apple’s anti-malware feature now protects against three types of malware,” said Intego on its website. “Intego’s VirusBarrier X6 protects against all known Mac malware.”

Leave a Comment

Please keep your comments friendly on the topic.

Contact us