Tuesday, May 10, 2011

MacDefender and its variants

MacDefender showed up on the radar last week as the first fake anti-virus (AV) scamware for Mac OS X. Currently it's distributed under a couple of different names that all have the same functionality: MacDefender, MacProtector and "Mac Security". In the Windows world this flavor of malware has existed for years, enticing unsuspecting users into installing bogus AV software under the pretext that the client machine is infected. Once it scares you into believing you're infected, it asks for your credit card information in order to purchase the application that will "fix" the infection. In the security realm we see this all the time on Windows systems, but I'm guessing the Mac user community doesn't have much experience with this type of scam.

If you are one of the people who hasn't seen this type of scam before, here is some technical information about how it works, what it does, and how to protect against it.

"How did it find its way onto my machine?"

The MacDefender distributors used a lot of SEO poisoning to get their links near the top of various search engines' results. When you browse to one of these malicious sites, a feature of Safari (the default browser on OS X) is used to automatically download and open the malware package containing this "MacDefender" software. This is possible because Safari's default configuration has "Open "safe" files after downloading" checked. The setting is under "Preferences" in Safari, at the bottom of the "General" tab (the first tab). We recommend you uncheck it:

[Screenshot: Safari's General preferences tab with "Open "safe" files after downloading" unchecked]

Go ahead, we'll wait here.

"Once it's downloaded"

Like other pieces of "OS X malware" in the past, you have to open it (which the checkbox above does for you) and then install it. Installation uses a normal-looking OS X package installer, during which you have to type in your admin credentials. Once you have done that, it installs and starts a fake antivirus scan of the running processes and files on your system, then informs you that something is infected and needs to be cleaned up. So the basic scenario looks like this:
  • You use a search term in a web search engine (like Google or Bing).
  • You get your results and click on one of the links to read the information you are looking for.
  • The web page you landed on, unbeknownst to you, contains a link that downloads some malware, and you are presented with the installer for some strange piece of software you didn't intend to download, which requires your admin credentials to continue the installation.

"Now what?"

Honestly, the GUI for this particular piece of malware looks very professional. The variants have different colored icons and such, but essentially each version looks similar to this:

[Screenshot: the MacDefender main window]

It looks just like a genuine OS X application because it is one: it was written using the same language and tools used by OS X developers all over the world. Its purpose, unlike that of most applications, is nefarious. There aren't any telltale signs that it's actually malware: no words are misspelled, and the grammar is acceptable to the casual reader. It uses proportionally spaced fonts, justified text and all the other niceties you would expect from a real product that has gone through the development, testing and QA cycle that genuine software is put through every day by software companies. Even some of the functionality you would expect from genuine AV software is replicated. For example, the scan window looks like it's going to do something productive:

[Screenshot: the MacDefender scan window]

In reality, however, it doesn't actually scan your hard drive for anything. What it may do is open "popup" windows in your browser displaying some "interesting" NSFW web sites, to make you think you are infected and to further convince you to buy the program (we didn't observe this functionality in our investigation, though). The malware authors hope this will scare you into purchasing the software. If you are sufficiently convinced, you take out your credit card, enter the information and are charged $79.95 for "lifetime" protection. Given that most real AV packages for Windows charge between $20 and $50, this seems a little steep, but since the GUI looks good it must do a good job, and Mac users are used to spending a little more than their Windows counterparts for software, so I'm guessing the authors thought it was an amount a Mac user wouldn't mind paying.

[Screenshot: MacDefender cost]

"How can I remove it/prevent infection?"
  1. Uncheck "Open "safe" files after downloading" in Safari (see "How did it find its way onto my machine?" above).
  2. Open "Activity Monitor" (this is in your Utilities folder within Applications).
  3. Find "MacDefender" (or whatever the malware is being called: MacProtector, Mac Security, etc.).
  4. Highlight it, then click "Quit Process", which looks like a big red stop sign at the top right of the Activity Monitor window.
  5. Next, open System Preferences and go to "Accounts". When it appears, click on the "Login Items" button, select the program, and then click the "minus" button to remove it from Login Items.
  6. Finally, navigate to your Applications folder, find the program, drag it to the trash, and then empty the trash. Yes. It's really that simple to remove.
Today's SEU and rule release contains rules to detect existing infections. So, if you have Macs on your network, turn on GID 1, SIDs 18942 and 18943. Look for events from these two rules, and if you see them, have the owner of the machine call their credit card company immediately.

Also included in today's release is GID 1, SID 18944, which will generate events for network traffic that displays the characteristic signs of numerous known fake AV variants for both Windows and OS X. Let us know how that one works; we built that particular rule by analyzing more than 1000 samples of fake AV malware in our repository. The rule may generate some false positive events, so make sure to investigate your results carefully and send us the information. Use the form on snort.org here: https://www.snort.org/uploads to do so (this requires you to log in with your snort.org account first).
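As an added example (not code from the original post), here is a small Python triage script that reads Snort alert_fast lines and applies the advice above: a host with SID 18942 or 18943 events is treated as infected, while a host with only SID 18944 events is flagged for investigation. The sample alert lines, hosts and rule message texts are constructed for the example; the real rule messages are not given in the post.

```python
import re

# Rules named in the post: GID 1, SIDs 18942 and 18943 fire on traffic from Macs that
# already have MacDefender installed; SID 18944 is the broader fake-AV rule that the
# post warns may produce false positives and therefore needs a closer look.
INFECTED_SIDS = {18942, 18943}
FAKEAV_SID = 18944

# Snort alert_fast format: "<timestamp>  [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {proto} src:sport -> dst:dport". Parsed leniently: only the fields we need.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample alerts: hosts, timestamps and message texts are made up for this
# example (the post does not give the real rule messages).
SAMPLE_ALERTS = """\
05/10-09:14:02.118231  [**] [1:18942:1] MacDefender check-in (constructed msg) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.21:49881 -> 203.0.113.5:80
05/10-09:14:05.004912  [**] [1:18943:1] MacDefender check-in (constructed msg) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.21:49884 -> 203.0.113.5:80
05/10-09:20:41.771003  [**] [1:18944:1] Fake AV traffic (constructed msg) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.34:51200 -> 198.51.100.9:80
05/10-09:21:00.000001  [**] [1:99999:1] Unrelated alert (constructed msg) [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.40:5353 -> 224.0.0.251:5353
"""

def parse_alert(line):
    """Return the gid/sid/rev/msg/proto/src/dst fields of one alert_fast line, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport"):
        d[k] = int(d[k])
    return d

def triage(lines):
    """Group the relevant alerts by source host (the client making the outbound request)
    and map each host to the action the post recommends."""
    per_host = {}
    for line in lines:
        a = parse_alert(line)
        if a is None or a["gid"] != 1:
            continue
        if a["sid"] in INFECTED_SIDS or a["sid"] == FAKEAV_SID:
            per_host.setdefault(a["src"], set()).add(a["sid"])
    return {host: ("infected: have the owner call their credit card company immediately"
                   if sids & INFECTED_SIDS else
                   "possible fake AV (SID 18944): verify before reporting, may be a false positive")
            for host, sids in per_host.items()}

if __name__ == "__main__":
    for host, action in sorted(triage(SAMPLE_ALERTS.splitlines()).items()):
        print(host, "->", action)
```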

We issued ClamAV signatures for MacDefender several days ago and we will continue to update those as new variants are discovered. They are named:
  • Trojan.OSX.MacDefender
  • Trojan.OSX.MacDefender.B
  • Trojan.OSX.MacDefender.C
The MD5 sums of the MacDefender and MacProtector packages:
  • 2f357b6037a957be9fbd35a49fb3ab72
  • a437eaafa5f90b15dbf98123e5dccf1c
Finally, we recommend that you only buy software from reputable places, not from popup windows in your browser, and not from some random website you happen to be viewing. Websites, and advertisements on them, have been claiming to detect the presence of malware on PCs for a long time. It is one of the oldest tricks in the book, and many people still fall for it. The Internet is akin to the old Strip in Las Vegas: confidence tricksters and scam artists on every block, all looking to take money from gullible tourists. Don't be fooled; educate yourselves and your users, and learn to recognize the scams and how to deal with them.


Apple have now released information on how to remove this malware. Instructions are available in KB Article HT4650.


Kate Hutchinson said...

From this article, it seems to be only exploiting Safari for Mac. Would it also affect a Mac if you were running Firefox or Chrome?

Joel Esler said...


Yes. It would simply require an extra step to open the package file. It's not an exploit against a browser in any way; any browser with JavaScript turned on should download the file in the background. Safari just opens the package for you by default.

Slog6969 said...

Joel, I run an Untangle UTM and it has ClamAV at the gateway. Will these Mac sigs be in that feed and get updated?

Are you putting Mac sigs in EVERY possible ClamAV sig pipeline?



ksmith said...

Great piece, Joel.

Thanks for the screenshots, in particular. I've quoted your blog unabashedly (with attribution, of course!) in my own recent blog on MacDefender.

Joel Esler said...

Slog6969 -- There is only one ClamAV pipeline. If your Untangle system is grabbing its definitions using freshclam from the official ClamAV repository, yes, you should have had them -- before this post came out.