Here’s the story so far. In May, Intego and other Mac security vendors uncovered a rogue (fake AV) that targeted Macs. The rogue initially used the name MacDefender, then it used other names, such as MacSecurity and MacProtector. Then a variant called MacGuard showed up, variant that no longer asked the user for a password when it installed itself.

That’s the story so far in the MacDefender camp. Let’s switch to Apple’s camp and see what happened so far. After the rogue started spreading, call volumes at AppleCare increased 4 to 5 times. Apple employees tried to help users as much as possible, even though Apple told them not to. Then Apple officially responded to the MacDefender threat and said it would release an update that would present the user with an explicit warning if he tries to download the MacDefender rogue or any of its variants and would automatically find and remove the MacDefender rogue and its variants from compromised machines.

A couple of days ago Apple released the security update mentioned above. Security Update 2011-003 went live for Mac OS X users on Tuesday, the 31st of May. The update adds file quarantine and built-in removal of the MacDefender rogue and its variants. It also checks for updates to the File Quarantine malware definition list on a daily basis.

The people with malicious intent behind the MacDefender rogue responded by releasing a new variant that bypassed Apple’s malware detection system. The new variant was released just hours after Apple released the security update meant to protect users from the MacDefender rogue and its variants.

But remember the “checks for updates on a daily basis” part mentioned above? Yesterday, the 2nd of June, Apple updated its Xprotect malware definitions to include the new MacDefender variant that bypassed the malware detection system.

To quote Intego, “the cat and mouse game has begun”.