A day after Apple released a security update for Mac OS X to address the “MAC Defender” malware, a new variant of the bogus antivirus software has been spotted in the wild.
As first reported by Ed Bott at ZDNet, the new variation of MAC Defender, named “Mdinstall.pkg,” has been crafted to bypass the new malware-blocking code made available by Apple. That update for Mac OS X, Security Update 2011-003, was released on Tuesday.
“The file has a date and time stamp from last night at 9:24PM Pacific time,” Bott wrote. That’s less than 8 hours after Apple’s security update was released. On a test system using Safari with default settings, it behaved exactly as before, beginning the installation process with no password required.
“As PC virus experts know, this cat-and-mouse game can go on indefinitely. Your move, Apple.”
Security Update 2011-003 included changes to the File Quarantine feature found in Mac OS X 10.6 Snow Leopard. It includes anti-malware definitions within the operating system itself, and examines external files downloaded within Mail, iChat, Safari, or other quarantine-aware applications.
The MACDefender malware first gained attention in early May, when it was spotted by an antivirus company. The program automatically downloads in Web browsers through JavaScript and originally required users to enter an administrator password, but a more recent variant does not ask for a password.
Some reports have suggested that the “MAC Defender” malware has spread quickly, with Bott earlier citing an anonymous AppleCare representative that apparently said the “overwhelming majority” of recent calls to Apple were related to the malware. Last week, Apple posted instructions on its site informing users on how to remove the malware.