
MAC Defender malware hoopla proves old adage

Although most business Mac users will not fall for the MAC Defender malware, the fake antivirus application is a reminder that Mac users still need education about Web-based security threats.

P.T. Barnum is widely quoted as having said "there's a sucker born every minute." Some victims of the MAC Defender malware, unfortunately, are apparently proving the adage true.

While many media outlets scramble to announce one of the first fake antivirus efforts targeting Macs, the potential for misinformation exists. Some news sites are reporting that the MAC Defender has been "discovered in the wild" and the attack is turning into a "scourge."

Innocent users are certainly being affected, but Macs have never been immune to viruses, just better protected. Does the latest MAC Defender announcement mean the days of Mac security superiority are over? Hardly. Never let the facts get in the way of a good story, right?

The fake antivirus application can only infect a Mac if the user clicks on a poisoned SEO link with Mac spelled wrong (MAC vs. Mac), falls for a fake infection window, has Safari set to open "safe" files after downloading (the setting is in the Safari Preferences General section and is typically checked by default), walks through the malware program's installation routine, and enters the system administrator password to enable the installation. Users essentially must install this infection intentionally. I think educated Mac users will reason that it's a little different than having thousands of self-replicating viruses in the wild.

The MAC Defender infection reportedly doesn't do much more than load a handful of adult-oriented Web sites and generate a few reminder alerts. Identity theft doesn't look to be a threat unless victims take the additional step of supplying their credit card information within the malware program as an act of registration. The security firm Intego classifies MAC Defender as a low risk.

That said, the hoopla surrounding the MAC Defender infection isn't totally unfounded. It's a sign that, as Mac market share increases, the platform will increasingly prove attractive to hackers. Mac users need to keep that in mind and remember that just because Mac OS X typically proves more secure than Windows, it's not foolproof. In the case of MAC Defender, removal is fairly straightforward. CNET lists the steps for removing MAC Defender.

Business Mac users aren't likely to fall for MAC Defender. Regardless, the episode should serve as a reminder that even Mac users require constant education about Web-based security threats. Just as Windows users should avoid haphazardly clicking on links and loading software from unknown sources, so too should Mac users.

About

Erik Eckel owns and operates two technology companies. As a managing partner with Louisville Geek, he works daily as an IT consultant to assist small businesses in overcoming technology challenges and maximizing IT investments. He is also president o...

8 comments
rsopublic

We posted a draft of our breakdown of macDefender and macProtector at http://goo.gl/GXV7z which is the direct PDF to the Draft. You can tell by this class that both select files to consider infected at random:

    // Not exported
    @interface AntiVirus : NSObject
    {
    }
    + (id)sharedAntivirus;                          // IMP=0x0000000100008c1b
    - (id)init;                                     // IMP=0x0000000100008c5d
    - (void)dealloc;                                // IMP=0x0000000100008c87
    - (int)GetRndNum:(int)arg1:(int)arg2;           // IMP=0x0000000100008cdf
    - (void)setTimeIntervalForFirstVirAppearing;    // IMP=0x0000000100008cb1
    - (void)ScanningProcessStarted;                 // IMP=0x0000000100008e46
    - (int)IsFileInfected:(id)arg1;                 // IMP=0x0000000100008d4b
    - (void)PauseScanning;                          // IMP=0x0000000100008d38
    - (void)ResumeScanning;                         // IMP=0x0000000100008d15
    @end

Now check out the difference between the RegWindow : NSWindowController classes. You will notice that MacProtector uses WebKit frameworks and cookies during the auth process. This is to hide the IP of the site MacProtector connects to: 91 213 217 30 (DO NOT VISIT). The serial numbers are still in plain text but not the IP, and the cookie check may be to ensure you give your CC to the FAKE SITE. (We are still working on understanding how it works.)

MacDefender, no REG COOKIE, opens fake purchase page in Safari/default browser:

    // Not exported
    @interface RegWindow : NSWindowController
    {
        NSTextField *m_strTextSN;           // 116888 = 0x1c898
        NSTextField *m_strTextWrongSN;      // 116896 = 0x1c8a0
        MyButton *m_btnOk;                  // 116904 = 0x1c8a8
        MyButton *m_btnBuy;                 // 116912 = 0x1c8b0
        NSTimer *m_Timer;                   // 116920 = 0x1c8b8
    }
    + (BOOL)PlaySuccessSound;                   // IMP=0x0000000100009844
    + (BOOL)Registration;                       // IMP=0x00000001000098ce
    - (void)awakeFromNib;                       // IMP=0x0000000100009ae3
    - (void)OnChangeTextOpacity;                // IMP=0x0000000100009bef
    - (void)ok:(id)arg1;                        // IMP=0x0000000100009c7e
    - (void)OnBuy:(id)arg1;                     // IMP=0x0000000100009dfb
    - (BOOL)windowShouldClose:(id)arg1;         // IMP=0x0000000100009e2a
    - (void)controlTextDidChange:(id)arg1;      // IMP=0x0000000100009e4e
    // Remaining properties
    @property(retain, nonatomic) NSTimer *m_Timer;
    @end

MAC PROTECTOR REG COOKIE using WebKit:

    @interface RegWindow : NSWindowController
    {
        NSTextField *m_strTextSN;                   // 127984 = 0x1f3f0
        NSTextField *m_strTextWrongSN;              // 127992 = 0x1f3f8
        MyButton *m_btnOk;                          // 128000 = 0x1f400
        MyButton *m_btnBuy;                         // 128008 = 0x1f408
        NSTimer *m_TimerCheckCookie;                // 128016 = 0x1f410
        BOOL m_bNeedCleanUp;                        // 128024 = 0x1f418
        NSURL *m_SetCookieSerialNumberServerURL;    // 128032 = 0x1f420
        NSString *m_strRightSerialNumber;           // 128040 = 0x1f428
    }
    + (BOOL)PlaySuccessSound;                       // IMP=0x00000001000096fa
    + (void)showPayForm;                            // IMP=0x0000000100009784
    + (BOOL)Registration:(BOOL)arg1;                // IMP=0x000000010000a058
    - (void)setNeedCleanUp:(BOOL)arg1;              // IMP=0x00000001000097d5
    - (void)awakeFromNib;                           // IMP=0x00000001000097e5
    - (void)createURLForSerialNumberCookieSearch;   // IMP=0x0000000100009917
    - (void)OnCheckCookieForRegkey;                 // IMP=0x0000000100009dfa  COOKIE
    - (void)OnChangeTextOpacity;                    // IMP=0x0000000100009999
    - (void)showRegisterSuccessWindow;              // IMP=0x00000001000099f4
    - (void)sayToMainWndAboutProgramIsRegistered;   // IMP=0x0000000100009b20
    - (void)ok:(id)arg1;                            // IMP=0x0000000100009b97
    - (void)OnBuy:(id)arg1;                         // IMP=0x0000000100009d71
    - (BOOL)windowShouldClose:(id)arg1;             // IMP=0x0000000100009d8e
    - (void)controlTextDidChange:(id)arg1;          // IMP=0x0000000100009da4
    // Remaining properties
    @property(retain, nonatomic) NSTimer *m_Timer;
    @end

The SN still in plain text:

    MacDefender SN    MacProtector SN
    1837-4164-2913    1837-4164-2913
    2073-2182-0724    2073-2182-0724
    8334-8928-9153    8334-8928-9153
    6241-9412-3024    6241-9412-3024
    9738-3426-1840    9738-3426-1840
    3248-2425-5577    3248-2425-5577
    5435-2648-4232    5435-2648-4232
    1515-8434-7756    1515-8434-7756

Some other points... Both installers have the "ru.lproj" indicating the developer spoke Russian. Localizations for .nib files set to English. Localizations for application set to English. Xcode build for both was 10M2518, Xcode 3.2.6 / iOS SDK 4.3 GM, which include Russian and English. The build machine which created both was running OS X seed 10J869, 10.6.7. Minimum system version is 10.5. Both use "df -lg|awk" to get disk space information. Both create and then write the output to a file named dmem.txt in the user's ~/home folder. Both use "ps -e|awk" to get process information. Both create and then write the output to a file named proc.txt in the user's ~/home folder.
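A defender-side check for the two dropped files the comment above describes (dmem.txt and proc.txt in the user's home folder), as an added example that is not part of the comment or its draft PDF; the function names and the constructed demo directory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the comment or its draft PDF: look for the two files the
# comment says both MacDefender and MacProtector write into the user's home folder.
# Function names and the constructed demo directory are assumptions of this example.

# Print, one per line, which of the two dropped files exist in the given home directory.
mac_defender_artifacts() {
    home_dir="$1"
    for f in dmem.txt proc.txt; do
        if [ -f "$home_dir/$f" ]; then
            echo "$f"
        fi
    done
}

# Print the number of artifacts found; exit 0 (suspicious) if at least one exists, 1 if clean.
mac_defender_suspect() {
    n=$(mac_defender_artifacts "$1" | wc -l | tr -d ' ')
    echo "$n"
    [ "$n" -gt 0 ]
}

# Triage report: size and first line of each artifact, since the comment says dmem.txt
# holds "df -lg|awk" output and proc.txt holds "ps -e|awk" output.
mac_defender_report() {
    home_dir="$1"
    mac_defender_artifacts "$home_dir" | while read -r f; do
        printf '%s/%s: %s bytes, first line: %s\n' "$home_dir" "$f" \
            "$(wc -c < "$home_dir/$f" | tr -d ' ')" "$(head -n 1 "$home_dir/$f")"
    done
}

# On a macOS host you would loop over /Users/*; here a constructed throwaway home
# directory with one fake dmem.txt (sample content, not real infection data) shows the flow.
demo_home=$(mktemp -d)
printf 'Filesystem 1G-blocks Used Available Capacity\n' > "$demo_home/dmem.txt"
if mac_defender_suspect "$demo_home" >/dev/null; then
    mac_defender_report "$demo_home"
fi
rm -rf "$demo_home"
```

Presence of either file is only a lead for triage, not proof of infection, so pair it with the removal steps the article links to.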

JCitizen

who don't know this already should change the "default" Safari settings for downloads. It would at least give one peace of mind, even if it causes a few extra steps on downloading files.

Who Am I Really

Simple as that. I run Firefox on winders with the following add-ons:
- NoScript
- FlashBlock
- AdBlock Plus
and I have yet to ever see on my screen one of these "scripted" drive-by DLs.

rsopublic

That is great. I also like Click to Flash in Safari, and Flash Block works in Google. There is also a nasty crimeware kit, BlackHole RaT, which criminals are trying to perfect to attack the MAC. Also make sure to turn off JAVA if you do not need it, or really restrict it using Java Preferences.app in the Utilities folder. I like a custom seat-belt file as well when running any Java applet, but that is very advanced and not for the general user (sandbox). Seems criminals can do code reuse better than any programmer I know...
