Apple makes late entry into whack-a-mole game

From Good Morning Silicon Valley.

After weeks of dodging the issue of a recent widespread malware outbreak, Apple has changed course and is addressing affected customers’ concerns.

On Tuesday, Apple finally posted instructions on its support site on how to avoid or remove the malicious program, and said a Mac OS X update in the coming days will remove it or block it from installing in the first place.

The MacDefender malware, one of the few to actually target Mac operating systems, is a phishing program that fools users into thinking they are downloading anti-virus protection when it’s actually going after credit-card information. ZDNet estimates between 60,000 and 125,000 Mac users have been affected in the past month, and in an eyebrow-raising report quoted an Apple tech support insider who said they were expressly forbidden from helping callers remove the malicious program. That supported leaked internal documents that Gizmodo published last week which, among other things, told customer service reps: “AppleCare does not provide support for removal of the malware. You should not confirm or deny whether the customer’s Mac is infected or not.”

While support from Apple is a welcome development, the company’s initial reaction is disturbing from a customer-service standpoint. Just as disturbing to many Mac users is the realization that their OSes, so long considered safe from most Internet viruses, are not immune after all.

This is beginning to look like a pattern. Remember the clueless way Apple handled the problem with the iPhone 4 antenna and then the controversy about the ‘bug’ which enabled iPhones to accumulate and store unencrypted location data on the devices? The problem Apple has is that its reputation for effortless design superiority now leads to corporate paralysis whenever events threaten to undermine the image.

And of course there is the problem that the more successful the Mac becomes, the juicier a target it presents to malware authors.

UPDATE: The Apple advisory note is already out of date.

Ed Bott says “File that memo under, ‘Too little, too late.’”

Within 12 hours of Apple’s announcement, the author of the original Mac Defender program had a new variant available that renders key portions of the current Mac Defender prevention plan obsolete.

A security researcher for Intego, the Mac-centric security company that identified the original Mac Defender, found the first example of this new code via a poisoned Google search very early this morning.

Several factors make this specimen different. For starters, it has a new name: MacGuard. That’s not surprising, given that the original program already had at least three names. But this one is divided into two separate parts.

The first part is a downloader. In the original version, this asked the user to enter his or her administrator password. The new version works on the assumption (generally correct) that most Macs are single-user machines – which means that the user has the requisite privileges and so the malware bypasses the admin-password dialogue. The software then installs an application named avRunner, which launches automatically and installs the second part, which is similar to the original Mac Defender. The installer then deletes itself from the user’s Mac, so no traces of the original installer are left behind.
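The precondition Bott describes (the everyday account is an administrator, so nothing prompts for a password) is something a Mac owner can check for, and the names the post gives (MacDefender, MacGuard, avRunner) are the only indicators it supplies. The script below is an added example, not code from the original post and not from Intego, Ed Bott or Apple. It takes the group list and the directory to scan as parameters so it runs anywhere; on a real Mac you would pass "$(id -Gn)" and /Applications. Where avRunner actually installs itself is not stated in the post, so the scan location is an assumption, and the directory contents in the demo are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the post, Intego, Ed Bott or Apple). Two checks:
#  1. is the current user an administrator? MacGuard's downloader relies on
#     exactly that: an admin user can install without the password dialogue.
#  2. do any of the names the post mentions (MacDefender, MacGuard, avRunner)
#     appear under a given Applications directory?
# Assumptions: the scan directory is a parameter because the post does not say
# where avRunner is installed; the group list is whatever `id -Gn` prints.

# is_admin GROUPS -> exit 0 if the word "admin" is in the space-separated list
is_admin() {
    for g in $1; do
        [ "$g" = "admin" ] && return 0
    done
    return 1
}

# suspect_apps DIR -> print basenames directly under DIR that match the
# names given in the post; prints nothing (and succeeds) if DIR is missing.
suspect_apps() {
    dir=$1
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 1 \
        \( -iname '*MacDefender*' -o -iname '*MacGuard*' -o -iname '*avRunner*' \) \
        -exec basename {} \; | LC_ALL=C sort
}

# risk_level GROUPS DIR -> "infected" if a named artifact is present,
# "exposed" if none is but the user is an admin, otherwise "ok"
risk_level() {
    hits=$(suspect_apps "$2")
    if [ -n "$hits" ]; then
        echo infected
    elif is_admin "$1"; then
        echo exposed
    else
        echo ok
    fi
}

# Demonstration on a constructed directory (sample data, not a real infection).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/Safari.app" "$tmp/avRunner.app"
    printf 'admin user, avRunner present: %s\n' "$(risk_level "staff admin" "$tmp")"
    rm -rf "$tmp/Safari.app" "$tmp/avRunner.app"
    printf 'admin user, clean directory:   %s\n' "$(risk_level "staff admin" "$tmp")"
    printf 'non-admin user, clean:         %s\n' "$(risk_level "staff" "$tmp")"
    rmdir "$tmp"
}

demo
```

On a Mac the realistic invocation is `risk_level "$(id -Gn)" /Applications`; "exposed" is the interesting answer, since it means the single-user-admin assumption the MacGuard downloader makes holds for that account, and a separate standard account for daily use would restore the password prompt.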

So Apple is now embarked on the same game of whack-a-mole that Microsoft has had to play for years. The evidence so far suggests that Steve Jobs & Co aren’t experienced players. Maybe they need help from Redmond, where they know more about this than anybody else.