The MacDefender Mac malware isn't a hoax

This topic is archived.

DainBramaged (1000+ posts) Thu May-19-11 11:37 AM
Original message
The MacDefender Mac malware isn't a hoax
Edited on Thu May-19-11 11:39 AM by DainBramaged
Winwebsec gang responsible for FakeMacdef?
We've noticed a few odd rogue security software applications recently—although this type of threat is nothing new, these samples are interesting because they target the Mac OS X operating system.

There have been several variants of a threat, which we detect as Rogue:MacOS_X/FakeMacdef, going around this month. As you would expect with any rogue antimalware product, it tries to trick users into thinking that they are infected with something which only it is able to remove… for a price.

The product, which calls itself MacDefender, is being distributed in much the same format as its Windows-based cousins: through an imitation scanner interface which runs within the browser, similar to that described in this blog post. It typically depicts a Windows XP system running through an anti-malware scan, however there have been reports of one that impersonates the Mac OS X finder. Malware is delivered to the user irrespective of whether they click through the UI, or click on the fake Cancel button. This distribution component reads the client's useragent in order to discern the operating system, and then serves up a malicious application designed for that operating system (that is, if you're running on Windows, the site will serve up Win32/Winwebsec, but if you're on a Mac you'll get MacOS_X/FakeMacdef).

Some Mac users have reported that the malware is automatically being downloaded and started when they land on the imitation scanner pages. This may be related to Safari's "open safe files", which we recommend you disable (click on the link for more information).

Upon closer examination, we found more connections between FakeMacdef and Winwebsec. The best example is that the URL format that FakeMacdef uses to call home is almost identical to that which we see in Winwebsec:

WinWebSec - http://x.x.x.x/i.php?affid=xxxxx&data=x&v=x
FakeMacdef - http://x.x.x.x/i.php?v=x&affid=xxxxx&data=x
The purchase pages are also similar:

Winwebsec - http://x.x.x.x/buy.php?affid=xxxxx&data=x&v=x
FakeMacdef - http://x.x.x.x/mac.php?v=x&affid=xxxxx&data=x
http://blogs.technet.com/b/mmpc/archive/2011/05/17/winwebsec-gang-responsible-for-fakemacdef.aspx
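The call-home and purchase-page URLs quoted above share one script name set (i.php, buy.php, mac.php) and one parameter set (affid, data, v), with only the parameter order differing between the two families. As an added example that is not part of the thread or of the quoted Microsoft post, the Python below flags that URL shape in proxy-log lines while ignoring parameter order, and also flags downloads of a ".mpkg.zip" installer, the delivery form reported later in this thread. The log-line format, the 203.0.113.7 host, the client addresses and the parameter values are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script names quoted in the post for both families, with the label to report.
# WinWebSec orders the parameters affid, data, v and FakeMacdef orders them
# v, affid, data, so matching is done on the parameter set, never the order.
ROGUE_SCRIPTS = {
    "i.php": "rogue-AV call-home",
    "buy.php": "Winwebsec purchase page",
    "mac.php": "FakeMacdef purchase page",
}
ROGUE_PARAMS = {"affid", "data", "v"}

# Constructed (hypothetical) proxy-log line format:
#   <client_ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def classify_url(url):
    """Return a label when the URL has the rogue call-home/purchase shape
    or fetches an .mpkg.zip installer; return None for anything else."""
    parts = urlsplit(url)
    filename = parts.path.rsplit("/", 1)[-1]
    if filename.lower().endswith(".mpkg.zip"):
        # Installer-inside-zip download, the form described in the thread.
        return "mpkg-in-zip installer download"
    label = ROGUE_SCRIPTS.get(filename)
    if label is None:
        return None
    # parse_qs gives one key per parameter name; compare as a set.
    params = set(parse_qs(parts.query, keep_blank_values=True))
    if params != ROGUE_PARAMS:
        return None
    return f"{label} ({filename})"


def scan_log(lines):
    """Return (client_ip, label, url, user_agent) for every flagged line.
    The user agent is kept because the post reports the distribution site
    choosing the payload from it, so the same URL may serve either family."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # line does not match the assumed format
        client, _method, url, user_agent = m.groups()
        label = classify_url(url)
        if label:
            hits.append((client, label, url, user_agent))
    return hits


# Constructed sample log; 203.0.113.7 is a documentation-range placeholder.
SAMPLE_LOG = [
    '10.0.0.5 GET http://203.0.113.7/i.php?v=1&affid=01234&data=2 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7)"',
    '10.0.0.9 GET http://203.0.113.7/i.php?affid=01234&data=2&v=1 "Mozilla/5.0 (Windows NT 5.1)"',
    '10.0.0.5 GET http://203.0.113.7/mac.php?v=1&affid=01234&data=2 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7)"',
    '10.0.0.12 GET http://example.com/buy.php?item=42 "Mozilla/5.0 (Windows NT 6.1)"',
    '10.0.0.12 GET http://example.org/i.php?id=1 "Mozilla/5.0 (Windows NT 6.1)"',
    '10.0.0.5 GET http://203.0.113.7/download/BestMacAntivirus2011.mpkg.zip "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7)"',
]

if __name__ == "__main__":
    for client, label, url, user_agent in scan_log(SAMPLE_LOG):
        print(f"{client}\t{label}\t{url}\t{user_agent}")
```

The two example.com/example.org lines show why the parameter set matters: a legitimate buy.php or i.php with different parameters is not flagged, while the same script name with affid, data and v in any order is.
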
DainBramaged (1000+ posts) Thu May-19-11 11:38 AM
Response to Original message
1. More
In contrast to its Windows-based cousin, FakeMacdef loads adult-oriented or pharmaceutical websites at random intervals. However, upon closer examination, we did not determine that these links were affiliated with the malware threat. Instead, we suspect that this may be a trick to try and convince users that they are truly infected with some malware, and that FakeMacdef may be able to help them rid their computer of it.

We also noticed that FakeMacdef contains most of its resources in a directory named "ru.lproj", as opposed to "en.lproj"; this strengthens our suspicion that the developer may be Russian.

Thus far this month, we've seen three distinct 'branding' flavors of this threat:

Mac Defender
Mac Protector
Mac Security

There are several ways that we are able to block and remove it, for example if we see it on a shared drive, or if you're using the Forefront Threat Management Gateway we'll block the ability for users to download it through the web proxy server. Bing will try to block search results which link to it, and we'll prevent it from being distributed through Windows Live Hotmail and some of our other web properties. If you run a Macintosh computer, we highly recommend that you find and install an anti-malware solution from a trustworthy vendor.

Fiendish Thingy (1000+ posts) Thu May-19-11 12:37 PM
Response to Reply #1
2. What would you recommend? n/t
DainBramaged (1000+ posts) Thu May-19-11 12:40 PM
Response to Reply #2
3. I'm not a Mac Addict, I wish you folks luck.
If you had a PC, no problem. The last time I turned on my Mac Mini was over a month ago. I have little use for it.
Avant Guardian (1000+ posts) Thu May-19-11 12:40 PM
Response to Reply #2
4. Xubuntu Linux
Yavin4 (1000+ posts) Thu May-19-11 12:54 PM
Response to Original message
5. I Thought That Macs Never Got Viruses
Was I wrong?
struggle4progress (1000+ posts) Thu May-19-11 01:24 PM
Response to Reply #5
6. Windows has about 80% of the operating system market, so if you create a virus targeting
Edited on Thu May-19-11 01:26 PM by struggle4progress
a vulnerability of Windows 7 or Vista or XP, it could actually infect 1/4 or 1/7 or 2/5 of the computers out there. OSX has only about 7% of the market, so if you create a virus targeting OSX, it could actually infect 1/14 of the computers out there. Linux has under 2% of the market, so if you create a virus targeting Linux, it could actually infect 1/50 of the computers out there.

In principle, none are invulnerable, but virus-writers will typically try to maximize their impact.

This "MacDefender" seems to be just a Mac version of a well-established scam: bogus pop-up warnings of an infection followed by offers to remove the phony infection for a price.

... If you click in most areas, the trojan will be downloaded to Safari’s downloads folder. The download, named “BestMacAntivirus2011.mpkg.zip”, is a .mpkg installer file inside a .zip archive. And, on my everyday user account, where Safari is not set to open such files, that is as far as it goes. Unless I find that file later and decide to unzip it and run it, it will do no harm.

I then tested on a throwaway user account I created just for this purpose. With the default settings in Safari – both JavaScript and Open “safe” files after downloading turned on – clicking anywhere on the page shown above results in not only the trojan being downloaded, but also being automatically unzipped and the installer launched! This is a very serious security breach in Safari that Apple must address as soon as possible. I’m surprised it has never been an issue before.

From there, one must proceed through installation, in Apple’s own installer, so there’s nothing scary-looking about it. However, users should be on alert to installers that they did not intentionally launch! I stopped here, being unwilling to see what happened to my machine after clicking Install. From what I understand, though, from third-party sources, a password is required before the installation can commence.

It is important to point out that in the course of writing this, Safari has started displaying the following warning when I try to visit the malicious site: ...
MacDefender in action
Posted on May 3rd, 2011 at 7:40 AM EDT
http://www.reedcorner.net/news.php/?p=82
TNDemo (1000+ posts) Thu May-19-11 02:13 PM
Response to Original message
7. I think I ran into this.
I was leaving my banking site and going to another banking site when it got really slow and then up jumped this thing saying Mac Security and I had viruses, etc. I knew it was a scam or virus and I tried to force quit Safari but it wouldn't let me. I then unplugged the computer and started over. I just now looked at my downloads and there are three files on a date that could have been that day, all loaded at the same time. Two say "Mac OS X downloads" and one says "Mac OS X hot downloads." I had some automatic updates around that time for Word or whatever. Could it be those?