Intego Security Memo – May 2, 2011: MAC Defender Fake Antivirus Program Targets Mac Users

May 2011 by Intego Security Alert

Malware: OSX/MacDefender.A

Risk: Low; in the wild, but not very widespread for now

Description: Intego has discovered a fake antivirus program called MAC Defender, which
targets Mac users via SEO poisoning attacks (web sites set up to take advantage of search
engine optimization tricks to get malicious sites to appear at the top of search results).

When a user clicks on certain links after performing a search on a search engine such as
Google, they are sent to a web site that displays a fake Windows screen with an animated
image showing a malware scan; a window then tells the user that their computer is infected.

After this, JavaScript on the page automatically downloads a file. The file downloaded is a
compressed ZIP archive which, if a specific option in the web browser is checked (“Open
‘safe’ files after downloading” in Safari, for example), will open automatically. The file is
decompressed, and the installer it contains launches, presenting the user with the following screen:

If the user continues through the installation process, and enters an administrator’s
password, the software will be installed.

VirusBarrier X6’s real-time scanner detects this installer when it is downloaded:
And VirusBarrier X6’s Web Threats protection detects pages that serve this installer:

After installation, a program called MAC Defender launches, displaying its interface, and
adding a menu item to the Mac OS X menubar (the small, orange shield icon in the image
below, which becomes red when the program “finds” viruses):
Upon installation, the application adds itself to the user’s Login Items, so it will relaunch
each time the user logs in or starts up their computer. The application itself cannot be quit
easily, as there is no Dock icon.
(One thing to point out is that, in the past, these types of sites—very common vectors of
Windows malware—only delivered Windows .exe applications. The fact that such a site is
providing a Mac rogue antivirus is new, and extremely rare. While the site itself still shows
a fake Windows screen, the rogue antivirus itself is a well-designed Mac application.)

The application is well designed and looks professional. There are a number of
different screens, the grammar and spelling are correct, and the buttons and overall look
and feel are polished. It occasionally displays alerts telling users that viruses have been
found:

MAC Defender also opens web pages for pornographic web sites in the user’s web browser
every few minutes. This is most likely to make users think that they are infected by a virus,
and that paying for MAC Defender will relieve them of the problem.

Clicking the Register button on the About screen takes users to a web page where they can
purchase a license for the program: either a 1-year, 2-year, or lifetime license. Users are
asked to provide a credit card number, and the web page used is not secure (no HTTPS). The
scam is to charge users for a program that does nothing: the virus warnings it presents are
bogus, and after payment they no longer appear, so users think the program has done
something useful. It is also possible that these credit card numbers, entered on an insecure
web page, could be used for other purposes.
Means of protection: It is essential that users who unexpectedly see an installation screen,
as shown at the beginning of this security memo, do not go further and install the
application. This installation screen is the normal Mac OS X Installer screen, but this
should only display when you expect to install software.
Second, it is important to uncheck the “Open ‘Safe’ files after downloading” option in
Safari, or similar options in other browsers. If a browser asks you if you want to run an
installer when you did not expect to download an installer, always click the No or Cancel
button.
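As an added example (not part of Intego's memo), a small audit script for the two conditions described above: it reads Safari's auto-open setting through the com.apple.Safari AutoOpenSafeDownloads preference and turns it off, and lists the user's Login Items, flagging a "MAC Defender" entry. The preference key and the System Events AppleScript are Apple's standard ones; the comma-separated list format and the exact Login Item name are assumptions.

```shell
#!/bin/sh
# Added audit script (not from Intego's memo). Checks the two conditions the
# memo describes on a Mac: Safari's "Open 'safe' files after downloading"
# option and a rogue "MAC Defender" entry in the user's Login Items.
# The Login Item name "MAC Defender" is assumed from the memo's description.

# autoopen_enabled VALUE
# VALUE is the raw output of `defaults read com.apple.Safari AutoOpenSafeDownloads`.
# Returns 0 (true) when auto-open is in effect. An empty value means the key
# was never written, and Safari's default for this option is ON.
autoopen_enabled() {
  v=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]')
  case "$v" in
    ''|1|true|yes) return 0 ;;
    *) return 1 ;;
  esac
}

# find_login_item LIST PATTERN
# LIST is the comma-separated text printed by
#   osascript -e 'tell application "System Events" to get the name of every login item'
# (assumed format, e.g. "iTunesHelper, MAC Defender"). Prints each item whose
# name contains PATTERN (case-insensitive); prints nothing when none match.
find_login_item() {
  printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -i -- "$2"
}

# audit_mac: run the live checks on a Mac and switch the Safari option off.
audit_mac() {
  val=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)
  if autoopen_enabled "$val"; then
    echo "Safari 'Open safe files after downloading' is ON; turning it off."
    defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
  else
    echo "Safari auto-open of 'safe' downloads is already off."
  fi
  items=$(osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null)
  echo "Login Items: ${items:-(none)}"
  if find_login_item "$items" "mac defender" >/dev/null; then
    echo "WARNING: a 'MAC Defender' Login Item is present; remove it in"
    echo "System Preferences > Accounts > Login Items and delete the application."
  fi
}

# The live audit only makes sense on macOS, where these tools exist.
if command -v defaults >/dev/null 2>&1 && command -v osascript >/dev/null 2>&1; then
  audit_mac
fi
```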

VirusBarrier X6 (www.intego.com/virusbarrier/) protects users from this malware with
malware definitions dated May 2, 2011 or later. VirusBarrier X6’s real-time scanner will
detect the file when it is downloaded, and its Web Threats protection blocks web pages
containing this malicious code. VirusBarrier Express and VirusBarrier Plus, available
exclusively from the Mac App Store, detect this malware with malware definitions dated
May 2, 2011 or later, but these programs do not have a real-time scanner, due to limitations
imposed by the Mac App Store; users should scan their Macs after they have updated to the
latest malware definitions.
