Apple cracks down on adware

Apple has used the XProtect anti-malware protection in Mac OS X to block a few pieces of adware in the past. Yesterday, Apple cracked down on adware again, adding a slew of new items to XProtect’s signature list, which is used to identify and block known malicious apps. Three of the changes update existing signatures, while one is for adware never before blocked by XProtect.

For the first time now, Apple has taken a stance against the long-time adware pest Genieo, adding a signature called OSX.Genieo.A to XProtect. I’m a bit unclear as to which specific variant of Genieo this blocks, though… testing against the current version of Genieo available directly from the Genieo website shows that it is not blocked. Still, it’s encouraging to see Apple finally deciding that Genieo is worthy of an XProtect signature.

The new OpinionSpy variant I wrote about on Monday has also been added. OSX.OpinionSpy was already found in XProtect’s signatures, and had been for some time, but it has now been joined by a new OSX.OpinionSpy.B entry. Testing the variant of OpinionSpy that I submitted to Apple on Monday shows that it is, as I would expect, prevented from opening.

The other changes are the renaming of OSX.Downlite.A to OSX.VSearch.A and the renaming of OSX.FlashImitator.A to OSX.InstallImitator.A, along with the addition of a number of new signatures under these two entries. All of these new signatures are based on an application name plus a hash of the application (i.e., a large number calculated from the application’s own bytes, which uniquely identifies that one exact build of the application and no other).

This means that these new definitions are for specific adware install apps, and that the coverage is a bit hit-and-miss: any build of the installer whose bytes differ, even trivially, produces a different hash and is not matched. I have samples that are prevented from opening by each of these new entries, and other samples of the same adware that are not. So, although it’s definitely a very positive step to see Apple taking this kind of action, coverage is not at all complete. Keep in mind, too, that XProtect only checks files that carry the quarantine flag placed on downloads, so it does nothing about adware that is already installed.

If your system is set to automatically install these security updates, which is the default, you should get the XProtect update soon, if you don’t have it already. Mountain Lion and above should have version 2058 of the XProtect signatures. Lion should be updated to version 1068 and Snow Leopard to version 83.

You can see what version of XProtect you have by executing the following command in the Terminal:

defaults read /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta Version

If your system seems to be sluggish to update, you can force it to update. On Mac OS X 10.9 (Mavericks) or later, enter the following command in the Terminal:

sudo softwareupdate --background-critical

This must be done from an admin account. You will be asked for your password, and should be aware that nothing will appear when you type.

For older systems, go to the Security preference pane in System Preferences. Uncheck the box reading “Automatically update safe downloads list” and then check it again. (You may need to click the lock icon in the lower left corner of the System Preferences window to unlock it in order to make this change.)
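The following is an added example, written for this post and not code from the post, from Apple, or from any adware vendor. It shows two things discussed above: how a name-plus-hash signature of the kind described for the VSearch and InstallImitator entries matches an installer (and why the same adware rebuilt with a single byte changed slips past it), and how to check the installed XProtect signature version against the 83 / 1068 / 2058 numbers given for each OS release. The XProtect.plist layout it uses (Description, LaunchServices, and a Matches array whose entries name a file and carry a SHA-1 “Identity”) follows the pre-2015 XProtect.plist format as I recall it; treat the key names, the lookup path Contents/MacOS/<name>, the signature name OSX.Example.A, and the stand-in installer bytes as assumptions and constructed fixtures, and compare against the real file in the CoreTypes bundle on your own Mac. Only the Version key of XProtect.meta, which the `defaults read` command above prints, is taken from the post.

```python
"""Added example: XProtect-style name+hash matching and a signature version check.
Schema key names and the Contents/MacOS lookup path are assumptions (see lead-in).
"""
import hashlib
import plistlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Apple's real location; only read if it exists (i.e. when run on a Mac).
XPROTECT_DIR = Path("/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources")

# Signature versions the post says each release should carry (Mac OS X 10.N -> version).
EXPECTED_VERSION = {6: 83, 7: 1068}            # Snow Leopard, Lion
EXPECTED_VERSION_MOUNTAIN_LION_AND_LATER = 2058


def expected_version(minor: int) -> int:
    """Expected XProtect signature version for Mac OS X 10.<minor>; 0 if not covered by the post."""
    if minor >= 8:
        return EXPECTED_VERSION_MOUNTAIN_LION_AND_LATER
    return EXPECTED_VERSION.get(minor, 0)


def installed_version(meta_plist: bytes) -> int:
    """Read the Version key from XProtect.meta.plist (what `defaults read ... Version` prints)."""
    return int(plistlib.loads(meta_plist)["Version"])


def needs_update(meta_plist: bytes, minor: int) -> bool:
    """True when the installed signature version is older than the post's number for this OS."""
    return installed_version(meta_plist) < expected_version(minor)


def matches_signature(bundle: Path, sig: dict) -> bool:
    """True when every rule names a file in the bundle whose SHA-1 equals the rule's Identity.
    Name plus exact hash, nothing fuzzier: one byte of difference and the rule misses."""
    for rule in sig["Matches"]:
        target = bundle / "Contents" / "MacOS" / rule["MatchFile"]["NSURLNameKey"]  # assumed path
        if not target.is_file():
            return False
        if hashlib.sha1(target.read_bytes()).digest() != rule["Identity"]:
            return False
    return True


def scan(bundle: Path, xprotect_plist: bytes) -> List[str]:
    """Return the Description of every signature the bundle triggers."""
    return [s["Description"] for s in plistlib.loads(xprotect_plist) if matches_signature(bundle, s)]


# --- constructed fixtures: a stand-in "installer" and a one-entry XProtect.plist ---
SAMPLE_INSTALLER = b"#!/bin/sh\necho 'constructed stand-in for an adware installer binary'\n"


def constructed_xprotect_plist(identity: bytes) -> bytes:
    return plistlib.dumps([{
        "Description": "OSX.Example.A",            # hypothetical signature name
        "LaunchServices": {"LSItemContentType": "com.apple.application-bundle"},
        "Matches": [{
            "MatchType": "Match",
            "MatchFile": {"NSURLNameKey": "Installer",
                          "NSURLTypeIdentifierKey": "public.unix-executable"},
            "Identity": identity,                  # SHA-1 of the named file
        }],
    }])


def constructed_meta_plist(version: int) -> bytes:
    return plistlib.dumps({"Version": version})


def demo() -> Dict[str, object]:
    """Scan a constructed bundle, then the same adware rebuilt with one extra line."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "Installer.app"
        exe = bundle / "Contents" / "MacOS" / "Installer"
        exe.parent.mkdir(parents=True)
        exe.write_bytes(SAMPLE_INSTALLER)
        sigs = constructed_xprotect_plist(hashlib.sha1(SAMPLE_INSTALLER).digest())
        hit = scan(bundle, sigs)                   # exact build: blocked
        exe.write_bytes(SAMPLE_INSTALLER + b"# rebuilt\n")  # new build, new hash: not blocked
        miss = scan(bundle, sigs)
    return {"original": hit, "rebuilt": miss,
            "mavericks_needs_update": needs_update(constructed_meta_plist(2057), 9)}


if __name__ == "__main__":
    print(demo())
    meta = XPROTECT_DIR / "XProtect.meta.plist"
    if meta.exists():
        print("installed XProtect version:", installed_version(meta.read_bytes()))
```

Run on a Mac, the last lines print the installed signature version read straight from XProtect.meta.plist, so the result can be compared with the numbers above; triggering the update itself is left to the `sudo softwareupdate --background-critical` command or the preference pane toggle described in the post, since both need an administrator. The `demo()` result makes the coverage point concrete: the constructed signature catches the exact installer it was written for and nothing else.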

Tags: adware, Downlite, Genieo, Mac OS X, OpinionSpy, XProtect