Jun 8, 2011 13:58 GMT

Three new variants of the MacShield scareware were identified today, suggesting that Apple's efforts so far haven't discouraged Mac malware development.

"F-Secure Labs located three new samples today, and added detection for today's in-the-wild versions of MacShield," Sean Sullivan, security advisor at the Finnish antivirus vendor, announced on Twitter.

The volume of new Mac scareware has increased and so has the number of distribution vectors.

At first, there were Google Images black hat search engine optimization campaigns. Then the malware distributors switched to Facebook.

It's not certain whether the new variants bypass Apple's XProtect blacklist, but that's a very likely possibility, given that the technology works by comparing hashes.

This goes to show that reactive solutions like XProtect, even if updated daily, are not enough to keep users safe.

Scareware applications ask users to acquire a license key in order to resolve fictitious problems on their computers, usually malware infections. In other words, they use scare tactics to achieve their goal.

In most cases, by the time Apple has a chance to update XProtect to deal with new variants, cyber criminals already have their victims' money.

Users need a full-featured security product that offers layered protection. For example, antivirus programs contain web filters that block users from accessing scareware distribution sites in the first place.

But if a site is very new and the web filter doesn't know about it, an antivirus product can still leverage heuristic signatures to identify new variants of a certain threat.

"Our original 'MacDefender' detection was generic enough to catch Friday's 'MacShield' variant w/out needing an update," said Sean Sullivan, referring to a variant that appeared last week.

"Although someone may say that MacDefender itself is not a dangerous threat, it's a good reminder about the need to keep attention to security matters - which a lot of users have forgotten about.

"Definitely simple checksum matching, which Apple use, is not a full substitute for a quality AV product," Ondrej Vlcek, chief technology officer at Avast Software, said. His company is currently beta testing a free Mac antivirus product which is expected to ship soon, but there are already other free solutions on the market as well.
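The contrast drawn above between checksum matching and generic detection can be shown in a few lines. This is an added example, not code from the article, Apple or any vendor quoted in it: the samples are constructed byte strings, and the signature name, patterns, weights and threshold are hypothetical.

```python
import hashlib

# Constructed stand-ins for binaries; not real malware bytes.
SHARED = b"\x00Scan complete: infections found\x00Register to clean\x00/buy.php?affid="
KNOWN = b"HDR1" + b"MacDefender" + SHARED + b"\x00" * 16
VARIANT = b"HDR2" + b"MacShield" + SHARED + b"\x01" * 16  # renamed and repacked
BENIGN = b"HDR1" + b"TextEditor\x00Register to unlock pro features\x00"

# Checksum blocklist: holds only the sample that has already been analysed.
HASH_BLOCKLIST = {hashlib.sha256(KNOWN).hexdigest()}

# Generic family signature: weighted byte patterns plus a score threshold.
# Name, patterns and weights are made up for this example.
GENERIC_SIG = {
    "name": "FakeAV.Generic (hypothetical)",
    "threshold": 5,
    "patterns": [
        (b"infections found", 2),
        (b"Register to", 1),       # weak on its own: legitimate apps say this too
        (b"/buy.php?affid=", 3),
    ],
}

def hash_match(data, blocklist=HASH_BLOCKLIST):
    """Exact-match check: any single changed byte yields a different digest."""
    return hashlib.sha256(data).hexdigest() in blocklist

def generic_score(data, sig=GENERIC_SIG):
    """Sum the weights of every family pattern present in the sample."""
    return sum(weight for pattern, weight in sig["patterns"] if pattern in data)

def generic_match(data, sig=GENERIC_SIG):
    """Flag the sample when enough family traits are present together."""
    return generic_score(data, sig) >= sig["threshold"]

def scan(data):
    """Return (hash verdict, generic verdict) for one sample."""
    return hash_match(data), generic_match(data)

if __name__ == "__main__":
    for label, sample in [("known", KNOWN), ("variant", VARIANT), ("benign", BENIGN)]:
        print(label, scan(sample))
```

The renamed variant slips past the blocklist but still scores above the threshold, while the benign sample shares only one low-weight pattern and stays below it.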