The newly discovered KitM variants are all signed with the same Rajinder Kumar certificate. Apple revoked this Developer ID last week, after the first samples were discovered, but this won't immediately help existing victims, according to Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender.
"Gatekeeper uses the File Quarantine system, which holds the file in quarantine until it is first executed," Botezatu said Thursday via email. "If it passes Gatekeeper on first run, it will continue to run and never be queried by Gatekeeper again. So, malware samples that have been ran once while the developer ID used for signing them was valid will continue to run on the machines."
Apple could use another malware protection feature called XProtect to blacklist the known KitM binary files. However, other versions that haven't been discovered yet might exist.
In order to prevent the execution of any digitally signed malware file on their computers, Mac users could modify the Gatekeeper security settings to only allow applications downloaded from the Mac App Store to be installed, security researchers from F-Secure said.
However, this setting would be inconvenient for users in corporate environments, who need to run custom software developed in-house, Botezatu said. Such custom applications are intended for internal use only and are not published on the Mac App Store, so a more restrictive Gatekeeper setting would likely complicate their deployment process, he said.